Python
Python package analysis and vulnerability scanning capabilities
Package analysis
| Cataloger | Evidence | License | Dependencies: Depth | Dependencies: Edges | Dependencies: Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
|---|---|---|---|---|---|---|---|---|
| python-installed-package-cataloger | `*.egg-info`, `*dist-info/METADATA`, `*egg-info/PKG-INFO`, `*DIST-INFO/METADATA`, `*EGG-INFO/PKG-INFO` | | Direct | Complete | Runtime | | | |
| python-package-cataloger | `pdm.lock` | | Transitive | Complete | Runtime, Dev, Optional | | | |
| python-package-cataloger | `uv.lock` | | Transitive | Complete | Runtime, Dev, Optional | | | |
| python-package-cataloger | `setup.py` | | Direct | | | | | |
| python-package-cataloger | `Pipfile.lock` | | Transitive | | Runtime | | | |
| python-package-cataloger | `poetry.lock` | | Transitive | Complete | Runtime, Dev, Optional | | | |
| python-package-cataloger | `*requirements*.txt` | | Direct | | Any | | | |
Syft Configuration
| Configuration Key | Description |
|---|---|
| python.guess-unpinned-requirements | Attempts to infer package versions from version constraints when no explicit version is specified in requirements files. |
| python.pypi-base-url | Specifies the base URL for the PyPI registry API used when searching for remote license information. |
| python.search-remote-licenses | Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata. |
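To make the `python.guess-unpinned-requirements` behaviour concrete, here is an added example (not Syft's code) of a small `requirements.txt` parser that records an exact version only when a line is pinned with `==` and, when guessing is enabled, falls back to a version inferred from the constraint. The fallback rule used here (take the lower bound of a `>=` or `~=` clause) and the sample file are assumptions made for illustration; Syft's own heuristic may differ. The point for a practitioner is visible in the output: a guessed version is a floor, not what is actually installed, so any vulnerability match made against it is only as reliable as the guess.

```python
"""Illustration of what a "guess unpinned requirements" setting does.

Added example, not Syft's code: a small requirements.txt parser that records
an exact version only when one is pinned with '==', and, when guessing is
enabled, falls back to the lower bound of the constraint. The fallback rule
is an assumption made for this illustration; Syft's own heuristic may differ.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample
--index-url https://pypi.example.invalid/simple
requests[security]==2.31.0 --hash=sha256:0123456789abcdef
urllib3>=1.26.5,<2 ; python_version >= "3.8"
cryptography ~= 41.0.3
idna                     # no constraint at all: nothing to guess from
"""

# name, optional extras, then whatever specifier text remains
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(?P<spec>.*)$")


@dataclass
class Requirement:
    name: str
    version: Optional[str]
    guessed: bool  # True when the version was inferred from a constraint


def _normalize(line: str) -> str:
    """Strip comments, environment markers, per-line options and whitespace."""
    line = line.split("#", 1)[0].split(";", 1)[0]
    tokens = [t for t in line.split() if not t.startswith("--")]
    return "".join(tokens)


def _guess_version(spec: str) -> Optional[str]:
    """Assumed guessing rule: use the lower bound from a '>=' or '~=' clause."""
    for clause in spec.split(","):
        for op in (">=", "~="):
            if clause.startswith(op):
                return clause[len(op):]
    return None


def parse_requirement(line: str, guess_unpinned: bool = False) -> Optional[Requirement]:
    """Return a Requirement for one line, or None for blank lines and options."""
    if not line.strip() or line.strip().startswith("-"):
        return None  # blank, '-r other.txt', '--index-url ...', etc.
    text = _normalize(line)
    match = _REQ_RE.match(text)
    if not text or not match:
        return None
    name, spec = match.group("name"), match.group("spec")
    for clause in spec.split(","):
        # '==1.2.3' is an exact pin; '==1.2.*' is a wildcard and is not
        if clause.startswith("==") and not clause.startswith("===") and not clause.endswith("*"):
            return Requirement(name, clause[2:], guessed=False)
    if guess_unpinned:
        guessed = _guess_version(spec)
        if guessed is not None:
            return Requirement(name, guessed, guessed=True)
    return Requirement(name, None, guessed=False)


def parse_requirements(text: str, guess_unpinned: bool = False) -> List[Requirement]:
    """Parse a whole requirements file into Requirement records."""
    found = []
    for line in text.splitlines():
        req = parse_requirement(line, guess_unpinned)
        if req is not None:
            found.append(req)
    return found


if __name__ == "__main__":
    for flag in (False, True):
        print(f"guess-unpinned-requirements={str(flag).lower()}")
        for req in parse_requirements(SAMPLE_REQUIREMENTS, flag):
            tag = " (guessed)" if req.guessed else ""
            print(f"  {req.name}: {req.version}{tag}")
```

With guessing off, only `requests` gets a version and the other three packages have none to match against; with guessing on, `urllib3` and `cryptography` are reported at their lower bounds and flagged as guessed, while `idna` still has nothing to guess from. When reviewing scan results from a requirements file, treat guessed versions as hints and confirm against a lock file or the installed environment.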
Vulnerability scanning
| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|
| GitHub Security Advisories (GHSA) | | | | | |
| National Vulnerability Database (NVD) | | | | | |
Grype Configuration
| Configuration Key | Description |
|---|---|
| match.python.using-cpes | Use CPE package identifiers to find vulnerabilities |