github.com/joey-fossa/fossa-cli@v0.7.34-0.20190708193710-569f1e8679f0/docs/integrations/python.md

github.com/joey-fossa/fossa-cli@v0.7.34-0.20190708193710-569f1e8679f0/docs/integrations/python.md (about)

     1  # Python
     2  
     3  ## Support
     4  
     5  Python support relies on the presence of one of the following:
     6  
     7  - A `requirements.txt` file.
     8  - `pip`, in order to retrieve a list of installed dependencies.
     9  - Pipenv, used to manage a projects environment and dependencies.
    10  
    11  ## Configuration
    12  
    13  ### Automatic
    14  
    15  Run `fossa init` to detect all python directories that contain `requirements.txt`.
    16  
    17  ### Manual
    18  
    19  Add a module with `type: pip`, and `target` and `dir` set to the root of the Python project.
    20  
    21  See [Options](#Options) for an in depth look at all of the available options for a Python module.
    22  
    23  ```yaml
    24  analyze:
    25    modules:
    26      - name: github.com/fossas/fossa-cli/cmd/fossa
    27        type: pip
    28        target: python/project
    29        dir:  python/project
    30        options:
    31          strategy: pipenv
    32  ```
    33  
    34  ## Options
    35  
    36  | Option         |  Type  | Name                                      | Common Use Case                           |
    37  | -------------- | :----: | ----------------------------------------- | ----------------------------------------- |
    38  | `strategy`     | string | [Strategy](#strategy-string)              | Specify a Python analysis strategy.       |
    39  | `requirements` | string | [Requirements Path](#requirements-string) | Specify a custom `requirements.txt` file. |
    40  <!--- In code but currently unused
    41  | `venv`         | string | [Virtual Env](#All-Tags:-<bool>)                  | Make sure all OS and Arch tags are caught. |
    42  --->
    43  
    44  #### `strategy: <string>`
    45  
    46  Manually specify the python analysis strategy to be used. Supported options:
    47  - `requirements`: Parse `requirements.txt` to find all dependencies used. 
    48  - `pip`: Run `pip list --format=json` to find all dependencies in the current environment. `pip` over report the dependencies used if your environment is used to build multiple python projects.
    49  - `deptree`: Run a custom python script to retrieve the dependency tree from pip. This provides similar information to `pip` with enough resolution to create a dependency tree.
    50  - `pipenv`: Run `pipenv graph --json=tree` which returns the dependency graph of a project managed by Pipenv.
    51  
    52  Default: `requirements`
    53  
    54  #### `requirements: <string>`
    55  
    56  Specify the location of a `requirements.txt` file located outside of the project's root directory or a custom named file.
    57  
    58  Example:
    59  ```yaml
    60      requirements: config/myrequirements.txt
    61  ```
    62  
    63  ## Analysis
    64  
    65  The analysis strategy selected determines how analysis is completed for the Python analyzer. By default the fossa-cli will analyze a requirements.txt file to determine dependencies. Benefits and limitations of strategies are listed below.
    66  
    67  - `requirements`: This strategy is the most basic but provides an accurate representation of all dependencies inside of `requirements.txt`. The limitations with this method include not picking up transitive dependencies unless they are explicitly added to the file.
    68  - `pip` & `deptree`: These strategies can accurately provide a dependency graph, however they analyze all dependencies managed by pip, not just those in the project. If your project is built in a CI environment where all pip installed dependencies are used, then this strategy would be effective. If you are on a local development machine then this strategy can over report dependencies.
    69  - `pipenv`: This is the most reliable analysis strategy but requires your project to use Pipenv as its environment and package manager.