fix(supply-chain): exclude pyproject metadata keys from dependency extraction#28
Open
CharmingGroot wants to merge 1 commit into
…traction

SC4 reported a HIGH "Known Vulnerable Dependency" on the `requires-python` key of pyproject.toml, matching it to the malicious PyPI package literally named `requires-python` (MAL-2025-41747). pyproject.toml was parsed with the requirements.txt line extractor, which treats any `key = value` line as a package, so PEP 621 metadata keys (`requires-python`, `name`, `version`, ...) were looked up as packages — a false HIGH on essentially every Python project.

Add `_extract_packages_from_pyproject` (using stdlib `tomllib`) that pulls package names only from PEP 621 `dependencies` / `optional-dependencies` and PEP 735 `dependency-groups`, and route pyproject.toml to it. requirements.txt, setup.py, and Pipfile keep the existing extractor.

Add tests for metadata-key exclusion, optional/group dependency extraction, malformed TOML, and that real vulnerable deps in pyproject are still flagged.

Signed-off-by: CharmingGroot <ohyes9711@gmail.com>
Fixes #2.
What this fixes
The Supply Chain analyzer (SC4) reported a HIGH "Known Vulnerable Dependency" on the `requires-python` key of `pyproject.toml`, matching it to the malicious PyPI advisory MAL-2025-41747 (a real malicious package literally named `requires-python`).

Root cause: `pyproject.toml` was parsed with `_extract_packages_from_requirements`, the requirements.txt line parser. It treats any line beginning with a name as a package, so PEP 621 `[project]` metadata keys (`requires-python`, `name`, `version`, …) were extracted as package names and looked up in OSV. `requires-python` appears in essentially every modern Python project, so this produced a false HIGH (and inflated risk scores toward `DO_NOT_INSTALL`) on almost any `pyproject.toml`.

Reproduced on v2.1.3 with a vanilla project:
The fix
Add `_extract_packages_from_pyproject` (using stdlib `tomllib`, no new dependency — the project already targets 3.12+) that collects package names only from PEP 621 `dependencies` / `optional-dependencies` and PEP 735 `dependency-groups`, parsing PEP 508 requirement strings. `_analyze_dependencies` routes `pyproject.toml` to it; `requirements.txt`, `setup.py`, and `Pipfile` keep the existing extractor, so this change is scoped to the false positive in the issue.

After the fix, `requires-python` (and other metadata keys) are no longer treated as packages, while real dependencies are still extracted and evaluated.

Testing

`ruff check src/ tests/` and `ruff format --check src/ tests/` pass. `pytest -m 'not integration'` passes (607 passed, 11 skipped). The integration suite needs an LLM endpoint and is unaffected.

`[project]` tables, non-PEP 508 / include-group entries, and that a real vulnerable dependency in pyproject is still flagged (SC4 via static fallback).