[python] re-work manifest-analysis tracker (CycloneDX#2083)

Adds SrcFile and evidence to the components from requirements.txt file
Set overall confidence to max from all methods
Repo tests

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/repotests.yml

@@ -581,6 +581,19 @@ jobs:
         run: |
           bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .
         shell: bash
+      - name: repotests python issues
+        run: |
+          bin/cdxgen.js -t python test/data/issue-2069 -o bomresults/issue-2069.json --fail-on-error -p
+          bin/cdxgen.js -t python test/data/issue-2069 -o bomresults/issue-2069.json --only fastapi --only google --fail-on-error -p
+          bin/cdxgen.js -t python test/data/issue-2082 -o bomresults/issue-2082.json --fail-on-error -p
+          bin/cdxgen.js -t python test/data/issue-2082 -o bomresults/issue-2082.json --fail-on-error --only fastapi --only aio -p
+          bin/cdxgen.js -t python test/data/issue-2069 -o bomresults/issue-2069.json --fail-on-error --technique manifest-analysis -p
+          bin/cdxgen.js -t python test/data/issue-2082 -o bomresults/issue-2082.json --fail-on-error --technique manifest-analysis -p
+          bin/cdxgen.js -t python test/data/issue-2069 -o bomresults/issue-2069.json --fail-on-error --lifecycle pre-build -p
+          bin/cdxgen.js -t python test/data/issue-2082 -o bomresults/issue-2082.json --fail-on-error --lifecycle pre-build -p
+        shell: bash
+        env:
+          CDXGEN_DEBUG_MODE: debug
       - name: repotests django-DefectDojo
         run: |
           bin/cdxgen.js -t python repotests/django-DefectDojo -o bomresults/django-DefectDojo-safe.json --feature-flags safe-pip-install --fail-on-error

devenv.lock

@@ -3,10 +3,10 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1752692978,
+        "lastModified": 1752951785,
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "b2281100077d641cbf135e8680e973c0c2270bc4",
+        "rev": "3d4f8b778378a0e3f29ba779af0ff1717cf1fa00",
         "type": "github"
       },
       "original": {
@@ -163,10 +163,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1752645690,
+        "lastModified": 1752950636,
         "owner": "bobvanderlinden",
         "repo": "nixpkgs-ruby",
-        "rev": "e4bc98b2ed06c9baead6c9516eed10c94f861ea2",
+        "rev": "7486abed72d397612fb83360dbb7117f3a6c992b",
         "type": "github"
       },
       "original": {
@@ -177,10 +177,10 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1752596105,
+        "lastModified": 1752900028,
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708",
+        "rev": "6b4955211758ba47fac850c040a27f23b9b4008f",
         "type": "github"
       },
       "original": {

lib/cli/index.js

@@ -3620,7 +3620,6 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
-  const packageTechniqueMap = new Map();
   const tempDir = mkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   // We are checking only the root here for pipenv
@@ -3843,13 +3842,19 @@ export async function createPythonBom(path, options) {
     } else if (reqDirFiles?.length) {
       for (const j in reqDirFiles) {
         const f = reqDirFiles[j];
-        const reqData = readFileSync(f, { encoding: "utf-8" });
-        const dlist = await parseReqFile(reqData, false);
+        const dlist = await parseReqFile(f, false);
         if (dlist?.length) {
           pkgList = pkgList.concat(dlist);
         }
       }
       metadataFilename = reqDirFiles.join(", ");
+    } else if (reqFiles?.length) {
+      for (const f of reqFiles) {
+        const dlist = await parseReqFile(f, true);
+        if (dlist?.length) {
+          pkgList = pkgList.concat(dlist);
+        }
+      }
     }
   }
 
@@ -3884,55 +3889,20 @@ export async function createPythonBom(path, options) {
         }
         for (const f of reqFiles) {
           const basePath = dirname(f);
-          let reqData;
-          let frozen = false;
-
-          reqData = readFileSync(f, { encoding: "utf-8" });
-          await parseReqFile(reqData, true, packageTechniqueMap);
-
           if (options.installDeps) {
             const pkgMap = await getPipFrozenTree(
               basePath,
               f,
               tempDir,
               parentComponent,
             );
-
             if (pkgMap.pkgList?.length) {
-              pkgMap.pkgList.forEach((pkg) => {
-                const existingTechnique = packageTechniqueMap.get(
-                  pkg.name.toLowerCase(),
-                );
-                if (existingTechnique) {
-                  // Update evidence to preserve original technique
-                  if (pkg.evidence?.identity?.methods) {
-                    pkg.evidence.identity.methods =
-                      pkg.evidence.identity.methods.map((method) => ({
-                        ...method,
-                        technique: existingTechnique,
-                      }));
-                  }
-                } else {
-                  // New transitive dependency - mark as manifest-analysis derived
-                  packageTechniqueMap.set(
-                    pkg.name.toLowerCase(),
-                    "manifest-analysis",
-                  );
-                  if (pkg.evidence?.identity?.methods) {
-                    pkg.evidence.identity.methods =
-                      pkg.evidence.identity.methods.map((method) => ({
-                        ...method,
-                        technique: "manifest-analysis",
-                      }));
-                  }
-                }
-              });
-
               pkgList = pkgList.concat(pkgMap.pkgList);
-              frozen = pkgMap.frozen;
+              pkgList = trimComponents(pkgList);
             }
             if (pkgMap.formulationList?.length) {
               formulationList = formulationList.concat(pkgMap.formulationList);
+              formulationList = trimComponents(formulationList);
             }
             if (pkgMap.dependenciesList) {
               dependencies = mergeDependencies(
@@ -3956,22 +3926,6 @@ export async function createPythonBom(path, options) {
               );
             }
           }
-          // Fallback to parsing manually
-          if (!pkgList.length || !frozen) {
-            thoughtLog(
-              `Manually parsing ${f}. The result would include only direct dependencies.`,
-            );
-            if (DEBUG_MODE) {
-              console.log(
-                `Manually parsing ${f}. The result would include only direct dependencies.`,
-              );
-            }
-            reqData = readFileSync(f, { encoding: "utf-8" });
-            const dlist = await parseReqFile(reqData, true);
-            if (dlist?.length) {
-              pkgList = pkgList.concat(dlist);
-            }
-          }
         }
       } else if (!poetryMode) {
         pkgMap = await getPipFrozenTree(
@@ -6913,8 +6867,8 @@ export function trimComponents(components) {
         }
         // comp.evidence.identity can be an array or object
         // Merge the evidence.identity based on methods or objects
-        const isArray = Array.isArray(comp.evidence.identity);
-        const identities = isArray
+        const isIdentityArray = Array.isArray(comp.evidence.identity);
+        const identities = isIdentityArray
           ? comp.evidence.identity
           : [comp.evidence.identity];
         for (const aident of identities) {
@@ -6945,9 +6899,23 @@ export function trimComponents(components) {
             existingComponent.evidence.identity.push(aident);
           }
         }
-        if (!isArray) {
+        if (!isIdentityArray) {
+          const firstIdentity = existingComponent.evidence.identity[0];
+          let identConfidence = firstIdentity?.confidence;
+          // We need to set the confidence to the max of all confidences
+          if (firstIdentity?.methods?.length > 1) {
+            for (const aidentMethod of firstIdentity.methods) {
+              if (
+                aidentMethod?.confidence &&
+                aidentMethod.confidence > identConfidence
+              ) {
+                identConfidence = aidentMethod.confidence;
+              }
+            }
+          }
+          firstIdentity.confidence = identConfidence;
           existingComponent.evidence = {
-            identity: existingComponent.evidence.identity[0],
+            identity: firstIdentity,
           };
         }
       }

lib/helpers/utils.js

@@ -5624,25 +5624,66 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
 }
 
 /**
- * Method to parse requirements.txt data. This must be replaced with atom parsedeps.
+ * Method to parse requirements.txt file. This must be replaced with atom parsedeps.
  *
- * @param {Object} reqData Requirements.txt data
+ * @param {String} reqFile Requirements.txt file
  * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
- * @param {Object} packageTechniqueMap Mapping of package techniques
+ *
+ * @returns {Promise[Array<Object>]} List of direct dependencies from the requirements file
  */
-export async function parseReqFile(
-  reqData,
-  fetchDepsInfo,
-  packageTechniqueMap = null,
-) {
-  let pkgList = [];
+export async function parseReqFile(reqFile, fetchDepsInfo = false) {
+  return await parseReqData(reqFile, null, fetchDepsInfo);
+}
+
+/**
+ * Method to parse requirements.txt file. Must only be used internally.
+ *
+ * @param {String} reqFile Requirements.txt file
+ * @param {Object} reqData Requirements.txt data for internal invocations from setup.py file etc.
+ *
+ * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
+ *
+ * @returns {Promise[Array<Object>]} List of direct dependencies from the requirements file
+ */
+async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
+  const pkgList = [];
   let compScope;
+  if (!reqFile && !reqData) {
+    console.warn(
+      "Either the requirements file or the data needs to be provided for parsing.",
+    );
+    return pkgList;
+  }
+  reqData = reqData || readFileSync(reqFile, { encoding: "utf-8" });
+  const evidence = reqFile
+    ? {
+        identity: {
+          field: "purl",
+          confidence: 0.5,
+          methods: [
+            {
+              technique: "manifest-analysis",
+              confidence: 0.5,
+              value: reqFile,
+            },
+          ],
+        },
+      }
+    : undefined;
   reqData
     .replace(/\r/g, "")
     .replace(/ [\\]\n/g, "")
     .replace(/ {4}/g, " ")
     .split("\n")
     .forEach((l) => {
+      const properties = reqFile
+        ? [
+            {
+              name: "SrcFile",
+              value: reqFile,
+            },
+          ]
+        : [];
       l = l.trim();
       let markers;
       if (l.includes(" ; ")) {
@@ -5677,11 +5718,11 @@ export async function parseReqFile(
             const name = tmpA[0].trim().replace(";", "");
             const versionSpecifiers = l.replace(name, "");
             if (!PYTHON_STD_MODULES.includes(name)) {
-              const properties = [];
               const apkg = {
                 name,
                 version: versionStr,
                 scope: compScope,
+                evidence,
               };
               if (
                 versionSpecifiers?.length > 0 &&
@@ -5713,7 +5754,9 @@ export async function parseReqFile(
               name,
               version: undefined,
               scope: compScope,
+              evidence,
               properties: [
+                ...properties,
                 {
                   name: "cdx:pypi:versionSpecifiers",
                   value: versionSpecifiers?.length
@@ -5736,7 +5779,9 @@ export async function parseReqFile(
                 name,
                 version: undefined,
                 scope: compScope,
+                evidence,
                 properties: [
+                  ...properties,
                   {
                     name: "cdx:pypi:versionSpecifiers",
                     value: versionSpecifiers?.length
@@ -5761,6 +5806,7 @@ export async function parseReqFile(
                 name,
                 version: undefined,
                 scope: compScope,
+                evidence,
                 properties: [
                   {
                     name: "cdx:pypi:versionSpecifiers",
@@ -5779,6 +5825,7 @@ export async function parseReqFile(
                 name,
                 version: null,
                 scope: compScope,
+                evidence,
                 properties: [
                   {
                     name: "cdx:pypi:versionSpecifiers",
@@ -5793,33 +5840,7 @@ export async function parseReqFile(
         }
       }
     });
-  const directDependencies = await getPyMetadata(pkgList, fetchDepsInfo);
-  if (packageTechniqueMap && directDependencies?.length) {
-    // Mark direct dependencies from requirements.txt as manifest-analysis
-    directDependencies.forEach((pkg) => {
-      packageTechniqueMap.set(pkg.name.toLowerCase(), "manifest-analysis");
-      // Also mark the evidence
-      if (!pkg.evidence) {
-        pkg.evidence = {
-          identity: {
-            field: "purl",
-            confidence: pkg.version ? 0.5 : 0.3,
-            methods: [],
-          },
-        };
-      }
-      if (!pkg.evidence.identity.methods) {
-        pkg.evidence.identity.methods = [];
-      }
-      pkg.evidence.identity.methods.push({
-        technique: "manifest-analysis",
-        confidence: pkg.version ? 0.5 : 0.3,
-        value: pkg["bom-ref"] || pkg.purl,
-      });
-    });
-    pkgList = pkgList.concat(directDependencies);
-  }
-  return directDependencies;
+  return await getPyMetadata(pkgList, fetchDepsInfo);
 }
 
 /**
@@ -5928,7 +5949,7 @@ export async function parseSetupPyFile(setupPyData) {
       lines = lines.concat(tmpA);
     }
   });
-  return await parseReqFile(lines.join("\n"), false);
+  return await parseReqData(null, lines.join("\n"), false);
 }
 
 /**
@@ -13655,7 +13676,7 @@ export function createUVLock(basePath, options) {
  * @param {string} tempVenvDir Temp venv dir
  * @param {Object} parentComponent Parent component
  *
- * @returns List of packages from the virtual env
+ * @returns {Object} List of packages from the virtual env
  */
 export async function getPipFrozenTree(
   basePath,
@@ -13676,9 +13697,8 @@ export async function getPipFrozenTree(
   // FIX: Create a set of explicit dependencies from requirements.txt to identify root packages.
   const explicitDeps = new Set();
   if (reqOrSetupFile?.endsWith(".txt") && safeExistsSync(reqOrSetupFile)) {
-    const reqData = readFileSync(reqOrSetupFile, { encoding: "utf-8" });
     // We only need the package names, so we pass `false` to avoid fetching full metadata.
-    const tempPkgList = await parseReqFile(reqData, false);
+    const tempPkgList = await parseReqFile(reqOrSetupFile, null, false);
     for (const pkg of tempPkgList) {
       if (pkg.name) {
         // Normalize the name (lowercase, hyphenated) for accurate lookups.