@HalaAli198

Description

The current `process_setup_py()` method only detects dependencies wrapped in quotes within list syntax:

```python
install_requires = ["django==4.2.23", "CairoSVG==2.7.1"]
```
However, many Python projects define dependencies using multiline strings followed by `.split()`:

```python
install_requires = """
django==4.2.23
CairoSVG==2.7.1
Pillow==11.0.0
""".split()
```

Solution:

Enhanced `process_setup_py()` to add support for the `.split()` pattern by detecting multiline strings defined with triple quotes using the regex: `install_requires\s*=\s*["\'"]{3}([^"\']+)["\'"]{3}\.split\(\)`

This update:

  • Maintains backward compatibility — existing list parsing behavior remains unchanged.
  • Supports both quote styles — handles """...""".split() and '''...'''.split() patterns.
  • Improves SBOM accuracy for Python projects using common unquoted dependency definitions.

Testing

  1. Download a real-world project that uses this pattern (e.g., mayan-edms): `pip download --no-deps --no-binary :all: mayan-edms==4.9.2`

  2. Extract the source and inspect setup.py — it defines dependencies via `""".split()`.

  3. Run SBOM4Python before and after applying the fix:

```bash
sbom4python -r setup.py --sbom cyclonedx --format json -o output.json --debug
```

  4. Compare results:
     - Before fix: `[]` (0 dependencies detected)
     - After fix: 57 dependencies correctly parsed from `install_requires`
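The two `install_requires` forms discussed in this PR can also be recognised by walking the `ast` of setup.py instead of matching it with a regex; the example below is added here and is not SBOM4Python's code. It parses the file as source only, so an untrusted setup.py is never imported or executed, and it returns the same entries for the list form, the `"""..."""`.split()` form and the `'''...'''.split()` form. The sample setup.py texts are constructed.

```python
import ast

# Added example, not SBOM4Python's own code. The file is parsed, never exec'd,
# which is the safe way to inspect setup.py from a package you did not write.


def _deps_from_value(node):
    # Form 1: install_requires = ["django==4.2.23", "CairoSVG==2.7.1"]
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    # Form 2: install_requires = """...""".split()  (either triple-quote style;
    # the quote style is gone by the time the source is an AST)
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "split"
            and not node.args
            and isinstance(node.func.value, ast.Constant)
            and isinstance(node.func.value.value, str)):
        return node.func.value.value.split()
    return None


def parse_install_requires(setup_py_text):
    """Return the install_requires entries found in setup.py text, or []."""
    tree = ast.parse(setup_py_text)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
            if "install_requires" in targets:
                deps = _deps_from_value(node.value)
                if deps is not None:
                    return deps
    return []


# Constructed sample setup.py in the .split() style this PR adds support for.
SAMPLE_SPLIT = '''
from setuptools import setup
install_requires = """
django==4.2.23
CairoSVG==2.7.1
Pillow==11.0.0
""".split()
setup(name="demo", install_requires=install_requires)
'''

# Constructed sample in the list style that was already handled.
SAMPLE_LIST = 'install_requires = ["django==4.2.23", "CairoSVG==2.7.1"]\n'

if __name__ == "__main__":
    print(parse_install_requires(SAMPLE_SPLIT))
    print(parse_install_requires(SAMPLE_LIST))
```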

- Added support for multiline string dependencies using .split()
- Stores file content in variable and reuses it for both patterns
- Maintains backward compatibility with list-style dependencies
- Handles both triple double-quotes and triple single-quotes

Tested with mayan-edms==4.9.2 which uses this pattern.
Before fix: 0 dependencies detected
After fix: 57 dependencies correctly parsed
@HalaAli198 HalaAli198 force-pushed the fix/setup-py-split-dependencies branch from 1623bb0 to adb9ddf Compare October 4, 2025 10:01