github.com/joey-fossa/fossa-cli@v0.7.34-0.20190708193710-569f1e8679f0/docs/integrations/python.md

# Python

## Support

Python support relies on the presence of one of the following:

- A `requirements.txt` file.
- `pip`, in order to retrieve a list of installed dependencies.
- Pipenv, used to manage a project's environment and dependencies.

## Configuration

### Automatic

Run `fossa init` to detect all Python directories that contain `requirements.txt`.

### Manual

Add a module with `type: pip`, and `target` and `dir` set to the root of the Python project.

See [Options](#Options) for an in-depth look at all of the available options for a Python module.

```yaml
analyze:
  modules:
    - name: github.com/fossas/fossa-cli/cmd/fossa
      type: pip
      target: python/project
      dir: python/project
      options:
        strategy: pipenv
```

## Options

| Option         |  Type  | Name                                      | Common Use Case                           |
| -------------- | :----: | ----------------------------------------- | ----------------------------------------- |
| `strategy`     | string | [Strategy](#strategy-string)              | Specify a Python analysis strategy.       |
| `requirements` | string | [Requirements Path](#requirements-string) | Specify a custom `requirements.txt` file. |
<!--- In code but currently unused
| `venv` | string | [Virtual Env](#All-Tags:-<bool>) | Make sure all OS and Arch tags are caught. |
--->

#### `strategy: <string>`

Manually specify the Python analysis strategy to be used. Supported options:
- `requirements`: Parse `requirements.txt` to find all dependencies used.
- `pip`: Run `pip list --format=json` to find all dependencies in the current environment. `pip` can over-report the dependencies used if your environment is used to build multiple Python projects.
- `deptree`: Run a custom Python script to retrieve the dependency tree from pip. This provides similar information to `pip` with enough resolution to create a dependency tree.
- `pipenv`: Run `pipenv graph --json-tree`, which returns the dependency graph of a project managed by Pipenv.

Default: `requirements`

#### `requirements: <string>`

Specify the location of a `requirements.txt` file that is located outside of the project's root directory or that has a custom name.

Example:
```yaml
requirements: config/myrequirements.txt
```

## Analysis

The selected analysis strategy determines how the Python analyzer completes its analysis. By default, fossa-cli analyzes a `requirements.txt` file to determine dependencies. The benefits and limitations of each strategy are listed below.

- `requirements`: This strategy is the most basic but provides an accurate representation of all dependencies inside of `requirements.txt`. Its limitation is that it does not pick up transitive dependencies unless they are explicitly added to the file.
- `pip` & `deptree`: These strategies can accurately provide a dependency graph; however, they analyze all dependencies managed by pip, not just those in the project. If your project is built in a CI environment where all pip-installed dependencies are used, then this strategy would be effective. If you are on a local development machine, then this strategy can over-report dependencies.
- `pipenv`: This is the most reliable analysis strategy but requires your project to use Pipenv as its environment and package manager.
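
To see what the `requirements` strategy leaves out of a scan, the following added example (not part of fossa-cli or its docs) lists packages that appear in a resolved dependency tree but not in `requirements.txt`. The sample inputs are constructed, and the JSON shape (`package_name`, `installed_version`, nested `dependencies`) is an assumption based on pipdeptree-style tree output.

```python
import json
import re

# Constructed sample inputs (not taken from the fossa-cli repository).
REQUIREMENTS_TXT = """\
# web stack
Flask==1.0.2
requests[security]>=2.20 ; python_version >= "3.5"
-r extra-requirements.txt
"""
# Assumed shape: nested objects keyed by package_name / dependencies.
PIPENV_TREE = json.loads("""[
  {"package_name": "Flask", "installed_version": "1.0.2", "dependencies": [
    {"package_name": "Jinja2", "installed_version": "2.10", "dependencies": [
      {"package_name": "MarkupSafe", "installed_version": "1.1.0", "dependencies": []}]},
    {"package_name": "Werkzeug", "installed_version": "0.14.1", "dependencies": []}]},
  {"package_name": "requests", "installed_version": "2.21.0", "dependencies": [
    {"package_name": "urllib3", "installed_version": "1.24.1", "dependencies": []}]}
]""")

def normalize(name):
    """PEP 503 name normalization so 'Jinja2' and 'jinja2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def direct_requirements(text):
    """Names listed in a requirements file; skips comments and pip options."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as -r / -e
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.add(normalize(match.group(0)))
    return names

def all_packages(tree):
    """Every package reachable in the resolved tree, at any depth."""
    found, stack = {}, list(tree)
    while stack:
        node = stack.pop()
        found[normalize(node["package_name"])] = node["installed_version"]
        stack.extend(node.get("dependencies", []))
    return found

def missed_by_requirements(req_text, tree):
    """Transitive packages a requirements-only scan would not report."""
    direct = direct_requirements(req_text)
    return {n: v for n, v in all_packages(tree).items() if n not in direct}
```

Packages returned by `missed_by_requirements` are installed and shipped with the project but would not appear in a license or vulnerability report produced from `requirements.txt` alone.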