Repository files navigation

python-inspector is a collection of utilities to:

• resolve PyPI packages dependencies
• parse various requirements.txt files and setup.py files as inputfor resolving dependencies.
• parse various manifests and packages files such asPipfile, pyproject.toml, poetry.lock and setup.cfg and legacy andcurrent metadata file formats for eggs, wheels and sdist. Thesehave not been wired with the command line yet.
• query PyPI JSON and simple APIs for package information

It grew out of ScanCode toolkit to find and analyze PyPI archives andinstalled Python packages and their files.

The goal of python-inspector is to be a comprehensive librarythat can handle every style of Python package layouts, manifests and lockfiles.

SPDX-License-Identifier: Apache-2.0

Copyright (c) AboutCode, nexB Inc. and others.

Homepage:https://github.com/aboutcode-org/python-inspector andhttps://www.aboutcode.org/

• Install the stable release with pip from PyPI:

  pip install python-inspector

• Or install the latest with pip:

  pip install git+https://github.com/aboutcode-org/python-inspector

• Run the command line utility with:

  python-inspector --help

Run:

git clone https://github.com/aboutcode-org/python-inspector

Create a virtual environment and install deps locally:

make devsource venv/bin/activate

When in the virtual environment, run python-inspector from that clone:

python-inspector --help

Run tests:

make test

Run code checks:

make check

Run code formatting:

make valie

Check available make targets for further details

• Run the tests with pytest:

  pytest -vvs

• Or run them faster using 12 cores

  pytest -vvs --numprocesses=12

Some tests use live data from Pypi.org to run resolutions. When the package versions havechanged, the resolution can change and some of the tests fail. We have an environment variablethat regenerates the expected JSON result files when set.

To regenerate expected test result files for the failed tests, use this command:

PYINSP_REGEN_TEST_FIXTURES=yes pytest -vvs --lf

Then, carefully review the diff before committing the expected JSON test result files to validatethat the changes are OK and mostly affect small changes in resolved package versions.

For info, python-inspector embeds or depends on these libraries:

• pip-requirements-parser, a mostly correct pip requirements parsinglibrary extracted from pip.
• pkginfo2, a safer fork of pkginfo to parse various installed and extractedpackage layouts and their metadata files.
• dparse2, a safer fork of dparse to parse various package manifests
• resolvelib, the library used by pip for dependency resolution
• packaging, the official Python packaging utility library to processversions, specifiers, markers and other packaging data formats.
• importlib_metadata, the official Python utility library to processinstalled site-packages and their metadata formats.
• packageurl-python to use Package URL to reference Python packages
• scancode-toolkit for Python package manifest parsing.

This project is funded, supported and sponsored by:

• Generous support and contributions from users like you!
• the European Commission NGI programme
• the NLnet Foundation
• the Swiss State Secretariat for Education, Research and Innovation (SERI)
• Google, including the Google Summer of Code and the Google Seasons of Doc programmes
• Mercedes-Benz Group
• Microsoft and Microsoft Azure
• AboutCode ASBL
• nexB Inc.

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financialsupport from the European Commission's Next Generation Internet programme, under the aegis of DGCommunications Networks, Content and Technology under grant agreement No 101092990.

https://nlnet.nl/project/Back2source-next/