Describe the bug
OWASP dependency-check version 8.4.0 fails with the exception "Python pyproject.toml found and there is not a poetry.lock or requirements.txt - analysis will be incomplete" when a pyproject.toml is present inside an installed site-packages library. In this case, it was the ddtrace library.
Version of dependency-check used
The problem occurs using version 1.1.0 of the GitHub Action https://github.com/marketplace/actions/dependency-check, which uses version 8.4.0 of dependency-check.
Log file
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Python Distribution Analyzer (0 seconds)
[INFO] Finished Python Package Analyzer (6 seconds)
[WARN] An error occurred while analyzing '/github/workspace/.venv/lib/python3.11/site-packages/ddtrace/appsec/iast/_taint_tracking/_vendor/pybind11/tools/pyproject.toml' (Poetry Analyzer).
[INFO] Finished Poetry Analyzer (0 seconds)
[INFO] Finished Autoconf Analyzer (0 seconds)
[INFO] Finished CMake Analyzer (0 seconds)
[INFO] Finished Ruby Gemspec Analyzer (0 seconds)
[INFO] Finished Ruby Bundler Analyzer (0 seconds)
[INFO] Finished PE Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished NPM CPE Analyzer (2 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (4 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (2 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (18 seconds)
[INFO] Writing report to: /github/workspace/dependency-check-reports/dependency-check-report.html
Error: Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete
Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete
exception: org.owasp.dependencycheck.analyzer.exception.AnalysisException: Python `pyproject.toml` found and there is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete
org.owasp.dependencycheck.analyzer.PoetryAnalyzer.ensureLock(PoetryAnalyzer.java:204)
org.owasp.dependencycheck.analyzer.PoetryAnalyzer.analyzeDependency(PoetryAnalyzer.java:152)
org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:833)
To Reproduce
Steps to reproduce the behavior:
- Scan a Python 3.11 project that depends on ddtrace version 1.20.0.
Expected behavior
The dependency scan should only error out if no poetry.lock file is found in the root project directory.
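The difference between the reported and the expected behavior comes down to where the lock-file check is applied. The following Python script is an added illustration, not dependency-check's own code (the real PoetryAnalyzer is Java): it models the check described in the issue, which fails for every pyproject.toml without a sibling poetry.lock or requirements.txt, next to the policy the report asks for, which enforces the lock file only for the scanned project and downgrades a vendored copy to a warning. The vendored path is the one from the log line above; the VENDORED_MARKERS list and the fixture layout are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Files the Poetry analyzer accepts beside a pyproject.toml (from the issue's error text).
LOCK_FILES = ("poetry.lock", "requirements.txt")

# Directory names marking an installed third-party copy rather than the project
# under scan. Assumed list for this example, not taken from dependency-check.
VENDORED_MARKERS = ("site-packages", "dist-packages")

# The vendored pyproject.toml from the issue's log line, relative to the project root.
VENDORED_PYPROJECT = Path(
    ".venv/lib/python3.11/site-packages/ddtrace/appsec/iast/"
    "_taint_tracking/_vendor/pybind11/tools/pyproject.toml"
)

ERROR_MESSAGE = (
    "Python `pyproject.toml` found and there is not a `poetry.lock` "
    "or `requirements.txt` - analysis will be incomplete"
)


def has_lock(pyproject: Path) -> bool:
    """True when a poetry.lock or requirements.txt sits beside this pyproject.toml."""
    return any((pyproject.parent / name).is_file() for name in LOCK_FILES)


def is_vendored(pyproject: Path, project_root: Path) -> bool:
    """True when the file lives under a site-packages style directory."""
    rel = pyproject.resolve().relative_to(project_root.resolve())
    return any(part in VENDORED_MARKERS for part in rel.parts)


def check_reported(pyproject: Path, project_root: Path) -> Optional[str]:
    """Behaviour described in the issue: every pyproject.toml, wherever it sits,
    must have a lock file beside it or the whole analysis fails."""
    if not has_lock(pyproject):
        raise RuntimeError(ERROR_MESSAGE)
    return None


def check_expected(pyproject: Path, project_root: Path) -> Optional[str]:
    """Behaviour the issue asks for: only the scanned project's own pyproject.toml
    needs a lock file; a vendored copy without one becomes a warning."""
    if is_vendored(pyproject, project_root):
        if not has_lock(pyproject):
            return f"vendored {pyproject.relative_to(project_root)} has no lock file; skipped"
        return None
    return check_reported(pyproject, project_root)


def scan(project_root: Path, policy: Callable[[Path, Path], Optional[str]]) -> List[str]:
    """Apply `policy` to every pyproject.toml under project_root; collect warnings."""
    warnings: List[str] = []
    for pyproject in sorted(project_root.rglob("pyproject.toml")):
        message = policy(pyproject, project_root)
        if message:
            warnings.append(message)
    return warnings


def build_fixture(root: Path, root_has_lock: bool) -> None:
    """Constructed layout mirroring the issue: the scanned project plus a vendored
    pyproject.toml with no lock file inside the virtualenv."""
    (root / "pyproject.toml").write_text('[tool.poetry]\nname = "app"\n')
    if root_has_lock:
        (root / "poetry.lock").write_text("# constructed lock file\n")
    vendored = root / VENDORED_PYPROJECT
    vendored.parent.mkdir(parents=True)
    vendored.write_text('[build-system]\nrequires = ["setuptools"]\n')


def run_policy(policy: Callable[[Path, Path], Optional[str]], root_has_lock: bool) -> tuple:
    """Run one policy against a fresh fixture: ('ok', warnings) or ('error', message)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root, root_has_lock)
        try:
            return ("ok", scan(root, policy))
        except RuntimeError as exc:
            return ("error", str(exc))


def run_demo() -> Dict[str, tuple]:
    return {
        # Root project is locked, yet the reported behaviour still fails on the vendored copy.
        "reported_root_locked": run_policy(check_reported, True),
        # Expected behaviour: scan completes, vendored copy is only a warning.
        "expected_root_locked": run_policy(check_expected, True),
        # Expected behaviour still fails when the root project itself has no lock file.
        "expected_root_unlocked": run_policy(check_expected, False),
    }


if __name__ == "__main__":
    for name, (status, detail) in run_demo().items():
        print(f"{name}: {status} -> {detail}")
```

Running the script shows the reported policy aborting on the ddtrace path even though the project root has a poetry.lock, while the expected policy emits one warning for that path and only fails when the root project's own lock file is missing.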
Additional context
The pyproject.toml was found in the site-packages library here: https://github.com/DataDog/dd-trace-py/tree/v1.20.0/ddtrace/appsec/iast/_taint_tracking/_vendor/pybind11/tools