
dynamic Python version and stub-only source fallback#209

Open
heatherzh01 wants to merge 1 commit into main from python-transitive-4422

Conversation

@heatherzh01

Integrated determine_python_version into install_dependencies, using uv venv --python <version> to create the transitive env with the correct Python version from repo content.

Added stub-only package detection after pip install, with an automatic fallback to download the sdist from PyPI and copy .py source files into site-packages for transitive analysis.
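The stub-only check the PR description above refers to, as an added example that is not the project's code: the helper names and the heuristic (a distribution counts as stub-only when it ships no .py files and either carries .pyi stubs or a types-*, *-stubs or mypy-boto3-* style name) are this example's assumptions, and the file lists it is exercised with are constructed.

```python
"""Stub-only distribution detection (the case _fallback_if_stub_only handles).
Hypothetical helper names and heuristic; not the project's own code."""
from __future__ import annotations

import re
from importlib.metadata import PackageNotFoundError, distribution
from pathlib import PurePosixPath

# Naming patterns the PR lists for typing-stub distributions.
STUB_NAME_PATTERNS = (
    re.compile(r"^types-"),
    re.compile(r"-stubs$"),
    re.compile(r"^mypy-boto3-"),
)


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Types_Requests' and 'types-requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def looks_like_stub_name(name: str) -> bool:
    """Name-based hint only; a real check must still inspect the files."""
    n = normalize(name)
    return any(p.search(n) for p in STUB_NAME_PATTERNS)


def is_stub_only(name: str, files: list[str]) -> bool:
    """True when the distribution ships .pyi stubs (or a stub-style name) but no .py.

    `files` is the RECORD-style list of relative paths that
    importlib.metadata.Distribution.files yields. Such a distribution gives
    a source analyser nothing to scan, so it must be flagged (and real
    source fetched) instead of being silently counted as analysed.
    """
    suffixes = {PurePosixPath(f).suffix for f in files}
    has_py = ".py" in suffixes
    has_pyi = ".pyi" in suffixes
    return not has_py and (has_pyi or looks_like_stub_name(name))


def installed_stub_only(name: str) -> bool | None:
    """Check an installed distribution by name; None when it is not installed."""
    try:
        dist = distribution(name)
    except PackageNotFoundError:
        return None
    files = [str(p) for p in (dist.files or [])]
    return is_stub_only(dist.metadata["Name"], files)
```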

@exploit-iq-pac

Caution

There are some errors in your PipelineRun template.

PipelineRun Error
vulnerability-analysis-on-pr CEL expression evaluation error: expression "event == \"pull_request\" &&\n!body.pull_request.draft &&\n(target_branch == \"main\" || target_branch == \"rh-aiq-main\") &&\n(\"src/**\".pathChanged() || \"metrics_lib/**\".pathChanged() || \"pyproject.toml\".pathChanged() || \"uv.lock\".pathChanged() || \"Dockerfile\".pathChanged() || \".dockerignore\".pathChanged())\n" failed to evaluate: no such key: pull_request

@zvigrinberg zvigrinberg self-requested a review March 17, 2026 09:55

@zvigrinberg zvigrinberg left a comment


@heatherzh01 What is the file [src/evaluation/.DS_Store](https://github.com/RHEcosystemAppEng/vulnerability-analysis/pull/209/changes#diff-754a61c3da543f16eea5d7c741b6e2c7c2f307837faaa6c4047b7200532ccf1c) and how does it belong here?


@zvigrinberg zvigrinberg left a comment


@heatherzh01 This looks correct and solves the CI tests' Python problems.
@vbelouso Can you please take another look at that for a four-eyes control?

@vbelouso vbelouso self-requested a review March 22, 2026 14:26
@vbelouso

@heatherzh01 please don't merge yet

@zvigrinberg zvigrinberg self-requested a review March 22, 2026 14:37
@vbelouso vbelouso added the hold Something needs to block this issue from merging label Mar 23, 2026
@vbelouso

return to this PR after review #213

- Implement _find_module_dirs to map package names to module directories
- Add _fallback_if_stub_only to download actual source from PyPI
- Support types-*, *-stubs, and mypy-boto3-* stub packages
- Use importlib.metadata + dist-info + naming patterns for detection
@heatherzh01 heatherzh01 force-pushed the python-transitive-4422 branch from 3f9497a to c549a2c March 25, 2026 15:04