pip

package
v2.3.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 5, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Constants

const (
	PluginName = "pip"
)

Functions

func GetProjectName

func GetProjectName(filePath, scanDir string, override *string) string

GetProjectName determines the project name based on the file path. It uses the directory name containing the file. For example:

  • "project/test/requirements.txt" -> "test"
  • "project/requirements.txt" -> "project"
  • "requirements.txt" (with scanDir="/path/to/myproject") -> "myproject"

func GetPythonVersion

func GetPythonVersion() (string, error)

GetPythonVersion detects the installed Python version.

Types

type CommandExecutor

type CommandExecutor interface {
	Execute(ctx context.Context, stdin, name string, args ...string) ([]byte, error)
}

CommandExecutor is an interface for executing commands. This allows for dependency injection and easier testing.

type DefaultExecutor

type DefaultExecutor struct{}

DefaultExecutor uses os/exec to run commands.

func (*DefaultExecutor) Execute

func (e *DefaultExecutor) Execute(ctx context.Context, stdin, name string, args ...string) ([]byte, error)

Execute runs a command with optional stdin input and returns its stdout output.

type InstallItem

type InstallItem struct {
	Metadata        PackageMetadata `json:"metadata"`
	Requested       bool            `json:"requested"`        // True if explicitly requested in requirements
	RequestedExtras []string        `json:"requested_extras"` //nolint:tagliatelle // pip's JSON output uses snake_case
}

InstallItem represents a single package in the pip install report.

func (*InstallItem) IsDirectDependency

func (item *InstallItem) IsDirectDependency() bool

IsDirectDependency returns true if this package is a direct dependency.

type PackageMetadata

type PackageMetadata struct {
	Name         string   `json:"name"`
	Version      string   `json:"version"`
	RequiresDist []string `json:"requires_dist"` // List of dependencies (e.g., "urllib3 (<3,>=1.21.1)")
}

PackageMetadata contains the package name, version, and dependencies.

func (*PackageMetadata) GetNormalizePackageName

func (p *PackageMetadata) GetNormalizePackageName() string

func (*PackageMetadata) GetNormalizeVersion

func (p *PackageMetadata) GetNormalizeVersion() string

type Plugin

type Plugin struct{}

func (Plugin) BuildDepGraphsFromDir

func (p Plugin) BuildDepGraphsFromDir(
	ctx context.Context, log logger.Logger, dir string, options *ecosystems.SCAPluginOptions,
	onGraph ecosystems.OnGraphFunc,
) error

BuildDepGraphsFromDir discovers and builds dependency graphs for Python pip projects. Build work runs concurrently (bounded by maxConcurrentInstalls) but onGraph invocations are serialized under a mutex to satisfy the SCAPlugin contract — callbacks need not be goroutine-safe.

func (Plugin) GetName

func (p Plugin) GetName() string

type Report

type Report struct {
	Install []InstallItem `json:"install"`
}

Report represents the minimal JSON output from pip install --report needed to build a dependency graph.

func GetInstallReport

func GetInstallReport(ctx context.Context, log logger.Logger, requirementsFile string, noBuildIsolation bool) (*Report, error)

GetInstallReport runs pip install with --dry-run and --report flags to get a JSON report of what would be installed from a requirements file.

func GetInstallReportFromPackages

func GetInstallReportFromPackages(ctx context.Context, log logger.Logger, packages, constraints []string, noBuildIsolation bool) (*Report, error)

GetInstallReportFromPackages runs pip install with --dry-run and --report flags, passing packages directly as command arguments instead of using a requirements file. Constraints are passed via stdin using /dev/stdin as the constraint file path.

func GetInstallReportFromPackagesWithExecutor

func GetInstallReportFromPackagesWithExecutor(
	ctx context.Context,
	log logger.Logger,
	packages, constraints []string,
	noBuildIsolation bool,
	executor CommandExecutor,
) (*Report, error)

GetInstallReportFromPackagesWithExecutor is a testable version that accepts a CommandExecutor.

func GetInstallReportWithExecutor

func GetInstallReportWithExecutor(
	ctx context.Context,
	log logger.Logger,
	requirementsFile string,
	noBuildIsolation bool,
	executor CommandExecutor,
) (*Report, error)

GetInstallReportWithExecutor is a testable version that accepts a CommandExecutor.

func (*Report) ToDependencyGraph

func (r *Report) ToDependencyGraph(ctx context.Context, log logger.Logger, projectName string) (*depgraph.DepGraph, error)

ToDependencyGraph converts a pip install Report into a DepGraph using the dep-graph builder. The root node represents the project and points to all direct dependencies. The projectName parameter sets the root package name (defaults to "root" if empty).
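The following is an added example, not code from this package: it decodes a constructed `pip install --report` payload into a trimmed copy of the documented types and derives the edges a dependency graph needs, skipping `requires_dist` entries (such as extras) that pip did not select for installation. The names `Edges`, `normalize` and `sample` are hypothetical, and the PEP 503 normalization and the use of `Requested` to mark direct dependencies are assumptions about how the documented helpers behave.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// InstallItem is a trimmed local copy of the documented type so this compiles alone.
type InstallItem struct {
	Requested bool `json:"requested"`
	Metadata  struct {
		Name         string   `json:"name"`
		RequiresDist []string `json:"requires_dist"`
	} `json:"metadata"`
}
// Constructed report: Requests is requested, urllib3 is transitive, PySocks is an extra not installed.
const sample = `{"install":[{"requested":true,"metadata":{"name":"Requests","requires_dist":
 ["urllib3 (<3,>=1.21.1)","PySocks (!=1.5.7,>=1.5.6) ; extra == 'socks'"]}},
 {"requested":false,"metadata":{"name":"urllib3"}}]}`
// PEP 503 name normalization; assumed, not confirmed, to match GetNormalizePackageName.
var sep, reqName = regexp.MustCompile(`[-_.]+`), regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*`)
func normalize(n string) string { return strings.ToLower(sep.ReplaceAllString(n, "-")) }

// Edges returns the root's direct dependencies and, per package, the installed packages it requires.
func Edges(raw []byte) (direct []string, deps map[string][]string, err error) {
	var r struct{ Install []InstallItem }
	if err = json.Unmarshal(raw, &r); err != nil {
		return nil, nil, err
	}
	installed, deps := map[string]bool{}, map[string][]string{}
	for _, it := range r.Install {
		installed[normalize(it.Metadata.Name)] = true
	}
	for _, it := range r.Install {
		name := normalize(it.Metadata.Name)
		if it.Requested { // assumption: IsDirectDependency reflects Requested
			direct = append(direct, name)
		}
		for _, req := range it.Metadata.RequiresDist {
			if d := normalize(reqName.FindString(req)); installed[d] {
				deps[name] = append(deps[name], d) // requirements pip did not select are skipped
			}
		}
	}
	return direct, deps, nil
}
func main() { fmt.Println(Edges([]byte(sample))) }
```

Matching requirement names against the installed set keeps the graph limited to packages pip actually resolved, so a scan does not report findings for optional extras that would never be installed.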
