codebase setup for Code Insight to accept the requirements.txt file
we are using CodeInsight 7.14 to check for OSS compliance in a python based project.
even though the project has requirements.txt file in the top level of the folder this doesn't seem to be understood/parsed even though the user guide says this should be accepted.
what's the correct way to have the project structure with the requirements.txt file.
Thank you for your message and apologies for the delay in our response. Our Install Guide contains the following explanation on the use of the Python Requiremets.txt for dependency scanning:
'When direct dependencies are retrieved from requirements.txt, the top-level inventory item to which these dependencies are mapped is determined as follows:
• If PKG-INFO or setup.py resides in the same directory as requirements.txt, the top-level inventory item is determined by information in either PKG-INFO or setup.py.
• If PKG-INFO or setup.py does not reside in the same directory as requirements.txt, the top-level inventory item is determined in one of two ways:
• If Code Insight obtains the codebase through a git sync or git clone operation, the top-level
inventory item to which direct dependencies are mapped is created from the configuration information found in the .git file.
• If the codebase has been directly downloaded from a GitHub or PYPI repository and then uploaded to Code Insight for the scan, the top-level inventory item is created using the name of the directory under which requirements.txt resides. Direct dependencies identified in requirements.txt are then mapped to this inventory item.
Note that, upon creation, such an inventory item is considered a “place holder” item because it is
created from a directory name, which might or might not be a valid component name. The item is
published during the automated analysis only if its name matches a valid component in the Code Insight data library, its forge is PyPI or GitHub, and it meets your site’s inventory publication policies. Otherwise, the item remains unpublished for further review.
The inventory type for the item is determined as follows:
• If the component name matches a component name in the Code Insight data library, the inventory
type is Component.
• If the component is not found in the data library but the inventory’s license matches a license in the data library, the inventory type is License Only.
• If neither the component nor license has a match in the data library, the inventory type is Work In
As shown above, the behavior of these scans can vary based on the codebase being scanned. If you continue to encounter issues with scanning your Requirements.txt, please raise a support case and out Support team will be happy to assist.