feat(python): use minimum version for pip packages (#7348)

2025-12-12 15:50:15 -08:00 · 2024-08-24 09:23:29 +06:00
parent 2a6c7ab3b3
commit e9b43f81e6
6 changed files with 93 additions and 17 deletions
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -23,7 +23,7 @@ The following table provides an outline of the features Trivy offers.

 | Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
 |-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
-| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    -                     |
+| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
 | Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |

@@ -42,8 +42,17 @@ Trivy parses your files generated by package managers in filesystem/repository s
 ### pip

 #### Dependency detection
-Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
-To convert unsupported version specifiers - use the `pip  freeze` command.
+By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
+
+Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. 
+In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
+
+```
+keyring >= 4.1.1            # Minimum version 4.1.1
+Mopidy-Dirble ~= 1.1        # Minimum version 1.1
+python-gitlab==2.0.*        # Minimum version 2.0.0
+```
+Also, there is a way to convert unsupported version specifiers - use the `pip  freeze` command.

 ```bash
 $ cat requirements.txt