When trying to create an SBOM I get the failure below. My Pipfile.lock has dependencies under `default` that do not have the `index` property, and the parser assumes every entry has one.
cyclonedx-py --pip --pip-file Pipfile.lock -o bom/bom.xml
Traceback (most recent call last):
File "/usr/local/bin/cyclonedx-py", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
CycloneDxCmd(args).execute()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
output = self.get_output()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
parser = self._get_input_parser()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 200, in _get_input_parser
return PipEnvFileParser(pipenv_lock_filename=pipfile_lock_file)
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 56, in __init__
super(PipEnvFileParser, self).__init__(pipenv_contents=r.read())
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 38, in __init__
if package_data['index'] == 'pypi':
KeyError: 'index'
Snippet from my Pipfile.lock. FastAPI is the only dependency declared in my Pipfile and the only entry that carries an `index` property; the transitive dependencies (anyio, asgiref, certifi, ...) do not.
{
"_meta": {
"hash": {
"sha256": "1aa5cc0cbb58a7e87ec73a2cb334c49b65b31a165451fef0****"
},
"pipfile-spec": 6,
"requires": {
"python_version": "3.9"
},
"sources": [
{
"name": "pypi",
"url": "https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple",
"verify_ssl": true
}
]
},
"default": {
"anyio": {
"hashes": [
"sha256:56ceaeed2877723578b1341f4f68c29081db189cfb40a97d1922b9513f6d7db6",
"sha256:8eccec339cb4a856c94a75d50fc1d451faf32a05ef406be462e2efc59c9838b0"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==3.3.3"
},
"asgiref": {
"hashes": [
"sha256:4ef1ab46b484e3c706329cedeff284a5d40824200638503f5768edb6de7d58e9",
"sha256:ffc141aa908e6f175673e7b1b3b7af4fdb0ecb738fc5c8b88f69f055c2415214"
],
"markers": "python_full_version >= '3.6.0'",
"version": "==3.4.1"
},
"certifi": {
"hashes": [
"sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872",
"sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"
],
"version": "==2021.10.8"
},
"charset-normalizer": {
"hashes": [
"sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0",
"sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"
],
"markers": "python_version >= '3'",
"version": "==2.0.7"
},
"click": {
"hashes": [
"sha256:353f466495adaeb40b6b5f592f9f91cb22372351c84caeb068132442a4518ef3",
"sha256:410e932b050f5eed773c4cda94de75971c89cdb3155a72a0831139a79e5ecb5b"
],
"markers": "python_full_version >= '3.6.0'",
"version": "==8.0.3"
},
"fastapi": {
"hashes": [
"sha256:66da43cfe5185ea1df99552acffd201f1832c6b364e0f4136c0a99f933466ced",
"sha256:a36d5f2fad931aa3575c07a3472c784e81f3e664e3bb5c8b9c88d0ec1104f59c"
],
"index": "pypi",
"version": "==0.70.0"
},
...
I also get an error if I instead create a requirements.txt from the Pipfile and scan that. The parse error points at the `-i https://...` index-URL line that `pipenv lock -r` writes at the top of the generated file, which the requirements parser does not recognise as a requirement.
pipenv lock -r > requirements.txt
cyclonedx-py -r -rf requirements.txt -o bom/bom.xml
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 98, in __init__
req = REQUIREMENT.parseString(requirement_string)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1654, in parseString
raise exc
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1644, in parseString
loc, tokens = self._parse( instring, 0 )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3417, in parseImpl
loc, exprtokens = e._parse( instring, loc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3739, in parseImpl
return self.expr._parse( instring, loc, doActions, callPreParse=False )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3400, in parseImpl
loc, resultlist = self.exprs[0]._parse( instring, loc, doActions, callPreParse=False )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1406, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 2711, in parseImpl
raise ParseException(instring, loc, self.errmsg, self)
pkg_resources._vendor.pyparsing.ParseException: Expected W:(abcd...) (at char 0), (line:1, col:1)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/cyclonedx-py", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
CycloneDxCmd(args).execute()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
output = self.get_output()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
parser = self._get_input_parser()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 216, in _get_input_parser
return RequirementsFileParser(requirements_file=requirements_file)
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 60, in __init__
super(RequirementsFileParser, self).__init__(requirements_content=r.read())
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 32, in __init__
for requirement in requirements:
File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3080, in parse_requirements
yield Requirement(line)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3090, in __init__
super(Requirement, self).__init__(requirement_string)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 100, in __init__
raise InvalidRequirement(
pkg_resources.extern.packaging.requirements.InvalidRequirement: Parse error at "'-i https'": Expected W:(abcd...)
requirements.txt
#
# These requirements were autogenerated by pipenv
# To regenerate from the project's Pipfile, run:
#
# pipenv lock --requirements
#
-i https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple
anyio==3.3.3; python_full_version >= '3.6.2'
asgiref==3.4.1; python_full_version >= '3.6.0'
certifi==2021.10.8
charset-normalizer==2.0.7; python_version >= '3'
click==8.0.3; python_full_version >= '3.6.0'
fastapi==0.70.0
...
Environment
docker image
python:3.9-slim
pip freeze
pipenv==2021.5.29
cyclonedx-bom==1.2.0
cyclonedx-python-lib==0.8.1