python-inspector is a collection of utilities to collect PyPI package metadata and resolve package dependencies.

Project description

python-inspector is a collection of utilities to:

  • resolve PyPI package dependencies

  • parse various requirements.txt files and setup.py files as input for resolving dependencies.

  • parse various manifest and package files such as Pipfile, pyproject.toml, poetry.lock and setup.cfg, as well as legacy and current metadata file formats for eggs, wheels and sdists. These have not been wired to the command line yet.

  • query PyPI JSON and simple APIs for package information

It grew out of ScanCode toolkit to find and analyze PyPI archives and installed Python packages and their files.

The goal of python-inspector is to be a comprehensive library that can handle every style of Python package layouts, manifests and lockfiles.

SPDX-License-Identifier: Apache-2.0

Copyright (c) AboutCode, nexB Inc. and others.

Homepage: https://github.com/aboutcode-org/python-inspector and https://www.aboutcode.org/

Usage

  • Install the stable release with pip from PyPI:

    pip install python-inspector
  • Or install the latest with pip:

    pip install git+https://github.com/aboutcode-org/python-inspector
  • Run the command line utility with:

    python-inspector --help

Development

Run:

git clone https://github.com/aboutcode-org/python-inspector

Create a virtual environment and install deps locally:

make dev
source venv/bin/activate

When in the virtual environment, run python-inspector from that clone:

python-inspector --help

Run tests:

make test

Run code checks:

make check

Run code formatting:

make valid

Check the available make targets for further details.

More testing

  • Run the tests with pytest:

    pytest -vvs
  • Or run them faster using 12 cores:

    pytest -vvs --numprocesses=12

Regenerate test files

Some tests use live data from PyPI.org to run resolutions. When package versions change, the resolution can change and some of the tests fail. Setting an environment variable regenerates the expected JSON result files.

To regenerate expected test result files for the failed tests, use this command:

PYINSP_REGEN_TEST_FIXTURES=yes pytest -vvs --lf

Then carefully review the diff before committing the expected JSON test result files, to validate that the changes are OK and mostly amount to small changes in resolved package versions.

Credits and dependencies

For info, python-inspector embeds or depends on these libraries:

  • pip-requirements-parser, a mostly correct pip requirements parsing library extracted from pip.

  • pkginfo2, a safer fork of pkginfo to parse various installed and extracted package layouts and their metadata files.

  • dparse2, a safer fork of dparse to parse various package manifests

  • resolvelib, the library used by pip for dependency resolution

  • packaging, the official Python packaging utility library to process versions, specifiers, markers and other packaging data formats.

  • importlib_metadata, the official Python utility library to process installed site-packages and their metadata formats.

  • packageurl-python to use Package URL to reference Python packages

  • scancode-toolkit for Python package manifest parsing.

Acknowledgements, Funding, Support and Sponsoring

This project is funded, supported and sponsored by:

  • Generous support and contributions from users like you!

  • the European Commission NGI programme

  • the NLnet Foundation

  • the Swiss State Secretariat for Education, Research and Innovation (SERI)

  • Google, including the Google Summer of Code and the Google Seasons of Doc programmes

  • Mercedes-Benz Group

  • Microsoft and Microsoft Azure

  • AboutCode ASBL

  • nexB Inc.

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.

https://nlnet.nl/project/Back2source-next/

Source Distribution

python_inspector-0.15.0.tar.gz (158.9 kB)

Uploaded Source

Built Distribution

python_inspector-0.15.0-py3-none-any.whl (102.6 kB)

Uploaded Python 3

File details

Details for the file python_inspector-0.15.0.tar.gz.

File metadata

  • Download URL: python_inspector-0.15.0.tar.gz
  • Upload date:
  • Size: 158.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for python_inspector-0.15.0.tar.gz
Algorithm Hash digest
SHA256 aaf0ecef4bbbaab63fa2e2a2f233110665029e841b41c4d2337e4f6a668ec360
MD5 717b1e7c4816c19173ddf6a3e3df818c
BLAKE2b-256 1677704cf762895bfbc2e7a39bdfe44b67db75eb64e7feab042f188ba3076ae3

Provenance

The following attestation bundles were made for python_inspector-0.15.0.tar.gz:

Publisher: pypi-release.yml on aboutcode-org/python-inspector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file python_inspector-0.15.0-py3-none-any.whl.

File metadata

File hashes

Hashes for python_inspector-0.15.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4beb3ec0ed693b1edfe6ed6ceae703b3d9229b6bbbb06c0e66cc91b3708dc93b
MD5 c2201d3179cbba003eae99ecfa91a408
BLAKE2b-256 3c40e2fd773e96975fc1abd4757beb69cdc8df06c809a4b9a78a49763d783f97

Provenance

The following attestation bundles were made for python_inspector-0.15.0-py3-none-any.whl:

Publisher: pypi-release.yml on aboutcode-org/python-inspector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
