Dependency scanning incorrectly reports python project as a dependency when using setup.py


Summary

When running dependency scanning, the Python project itself is reported as a dependency in the pipeline License tab and on the Dependency List page. This occurs in projects that use setuptools.find_packages() together with a namespace_packages configuration.

The job log will contain the following output:

Successfully installed [...] my_project-0.0.1 [...]

And the dependency list will also list it:

(screenshot: my_project shown on the Dependency List page)

Steps to reproduce

(Reproduced with gemnasium-python analyzer v5.8.7)

Have a project with the following structure and run dependency scanning:

.
├── main.py
├── my_project
│   └── __init__.py
└── setup.py

__init__.py:

__import__('pkg_resources').declare_namespace(__name__)

setup.py:

from setuptools import setup, find_packages

setup(
    name='my_project',
    version='0.0.1',
    packages=find_packages(),
    install_requires=[
        "requests~=2.32.3"
    ],
    # legacy pkg_resources-style namespace package; pairs with the __init__.py above
    namespace_packages=['my_project']
)

main.py (any python code):

import requests
# verify=False disables TLS certificate verification. The bug does not depend on it;
# a real project should leave verification enabled.
response = requests.get(url="https://google.com", verify=False)
print(response)

Example Project

https://gitlab.com/gitlab-com/support/test-projects/ci-examples/secure/dependency-and-license-scanning/setup-py-example/-/dependencies

What is the current bug behavior?

The analyzer lists the project itself as a dependency.

What is the expected correct behavior?

The analyzer should not list the project itself as a dependency: it is not an external dependency that needs to be tracked or analyzed for vulnerabilities.

Relevant logs and/or screenshots

Successfully built my_project
Installing collected packages: zipp, pycparser, more-itertools, jeepney, backports.tarfile, jaraco.functools, jaraco.context, jaraco.classes, importlib_metadata, cffi, cryptography, SecretStorage, keyring, my_project
Successfully installed SecretStorage-3.3.3 backports.tarfile-1.2.0 cffi-1.17.1 cryptography-44.0.1 importlib_metadata-8.6.1 jaraco.classes-3.4.0 jaraco.context-6.0.1 jaraco.functools-4.1.0 jeepney-0.8.0 keyring-25.6.0 more-itertools-10.6.0 my_project-0.0.1 pycparser-2.22 zipp-3.21.0

Possible fixes

  • filter out package by project name in dependency-scanning analyzer
  • filter out package by project name in gemnasium-python analyzer
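The following is an added example of the "filter out package by project name" idea, written for this issue; it is not code from GitLab or from the gemnasium-python analyzer. It assumes the project name can be read statically from the `name=` keyword in setup.py and that the candidate dependency list is pip's `Successfully installed ...` log line. Both inputs below are constructed from the reproduction in this issue. Names are compared after PEP 503 normalization, so `my_project`, `my-project` and `My_Project` all match, which matters because pip, setup.py and PyPI do not always spell the same distribution the same way.

```python
"""Filter a project's own distribution out of a pip-derived dependency list.

Added example for this issue (not GitLab's or gemnasium-python's code).
Assumptions: the project name is a string literal passed as ``name=`` to
setup(), and the installed packages come from pip's
"Successfully installed ..." log line.
"""
import ast
import re
from typing import Dict, Optional

# Constructed sample input: a setup.py matching the reproduction in this issue.
SAMPLE_SETUP_PY = """
from setuptools import setup, find_packages

setup(
    name='my_project',
    version='0.0.1',
    packages=find_packages(),
    install_requires=["requests~=2.32.3"],
    namespace_packages=['my_project']
)
"""

# Constructed sample input: a shortened copy of the job-log line quoted above.
SAMPLE_PIP_LOG_LINE = (
    "Successfully installed SecretStorage-3.3.3 backports.tarfile-1.2.0 "
    "cffi-1.17.1 cryptography-44.0.1 importlib_metadata-8.6.1 "
    "jaraco.classes-3.4.0 my_project-0.0.1 pycparser-2.22 zipp-3.21.0"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def project_name_from_setup_py(source: str) -> Optional[str]:
    """Statically extract the ``name=`` literal passed to setup().

    Parses with ast instead of executing setup.py, so an untrusted build
    script is never run just to learn the project name. Returns None when
    the name is not a plain string literal (e.g. computed at runtime).
    """
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "setup"):
            continue
        for kw in node.keywords:
            if (kw.arg == "name" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str)):
                return kw.value.value
    return None


# pip prints "<name>-<version>"; names may contain '-', versions may not,
# so the greedy name group splits on the last '-'.
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)$")


def parse_pip_installed_line(line: str) -> Dict[str, str]:
    """Turn 'Successfully installed a-1.0 b_c-2.3' into {'a': '1.0', 'b_c': '2.3'}."""
    prefix = "Successfully installed "
    if not line.startswith(prefix):
        raise ValueError("not a pip 'Successfully installed' line")
    found: Dict[str, str] = {}
    for token in line[len(prefix):].split():
        m = _PKG_RE.match(token)
        if m:
            found[m.group("name")] = m.group("version")
    return found


def external_dependencies(installed: Dict[str, str], project_name: str) -> Dict[str, str]:
    """Drop the project's own distribution, comparing normalized names."""
    own = normalize_name(project_name)
    return {n: v for n, v in installed.items() if normalize_name(n) != own}


def filtered_dependencies(setup_py_source: str, pip_line: str) -> Dict[str, str]:
    """End to end: name from setup.py, packages from the pip log, then filter."""
    installed = parse_pip_installed_line(pip_line)
    name = project_name_from_setup_py(setup_py_source)
    if name is None:
        # Cannot identify the project; filter nothing rather than guess.
        return installed
    return external_dependencies(installed, name)


if __name__ == "__main__":
    for dep, ver in sorted(filtered_dependencies(SAMPLE_SETUP_PY, SAMPLE_PIP_LOG_LINE).items()):
        print(f"{dep}=={ver}")
```

When `project_name_from_setup_py` returns None (a name computed at build time), the filter deliberately keeps everything: silently dropping a wrong package would hide a real dependency, whereas the extra self-entry is only noise. A pyproject.toml-based project would need the name read from `[project] name` instead.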