Support hash-checking and version specification in requirements.txt for License Compliance

Proposal

In Python, requirements.txt files can make use of hash-checking. A file that uses it has lines that look like this:

async-timeout==3.0.1 ; python_version >= "3.9" and python_version < "4.0" \
    --hash=sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f \
    --hash=sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3

When a requirements.txt file has lines like this, the License Compliance job does not successfully identify the licenses.

ℹ️ Background

This particular request is opened on behalf of a customer who uses poetry export to generate the requirements.txt file.

It's possible to specify --without-hashes when using poetry export. This will generate a file with lines like:

idna==3.4 ; python_version >= "3.9" and python_version < "4.0"

A requirements.txt of that form does not appear to be parsed properly either. See the pipelines in the linked example project.
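As an added example (not code from the issue or from GitLab's License Compliance scanner), a small Python parser that handles both line shapes described above: backslash continuation, `;` environment markers and repeated `--hash` options, returning the name/version pairs a license lookup would need. The sample requirements text is constructed from the two entries quoted in the issue.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not from a real project) covering both line shapes in the issue:
# a hashed entry spread over backslash-continued lines, and an unhashed entry as
# produced by `poetry export --without-hashes`.
SAMPLE_REQUIREMENTS = """\
async-timeout==3.0.1 ; python_version >= "3.9" and python_version < "4.0" \\
    --hash=sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f \\
    --hash=sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3
idna==3.4 ; python_version >= "3.9" and python_version < "4.0"
# comments and blank lines are ignored
"""

@dataclass
class Requirement:
    name: str
    version: Optional[str]
    marker: Optional[str]
    hashes: List[str] = field(default_factory=list)

_HASH_RE = re.compile(r"--hash[= ]([a-z0-9]+:[0-9a-fA-F]+)")
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;]+))?")

def _logical_lines(text):
    """Join backslash-continued physical lines into one logical line each."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield (buf + raw).strip()
        buf = ""
    if buf.strip():  # dangling continuation at end of file
        yield buf.strip()

def parse_requirements(text):
    """Return one Requirement per pinned package, keeping markers and hashes separate."""
    reqs = []
    for line in _logical_lines(text):
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # skip comments and pip options such as -r / --index-url
        # Extract every --hash option first so it cannot be mistaken for marker text.
        hashes = _HASH_RE.findall(line)
        spec, _, marker = _HASH_RE.sub("", line).partition(";")
        m = _SPEC_RE.match(spec.strip())
        if not m:
            raise ValueError(f"unparseable requirement line: {line!r}")
        reqs.append(Requirement(m.group(1).lower(), m.group(3), marker.strip() or None, hashes))
    return reqs
```

A scanner that only reads `name==version` from the first physical line would stop at the marker and never see the continuation lines; joining logical lines first is what makes the hashed entry resolve to `async-timeout 3.0.1`.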

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖