Merge pull request #236 from CycloneDX/enhancement/issue-235-requirements-unpinned-versions

fix: handle `requirements.txt` which contain dependencies without a v…

Author: madpah

README.md

@@ -101,6 +101,26 @@ cyclonedx-py -r -rf PATH/TO/requirements.txt -o -
 
 This will generate a CycloneDX and output to STDOUT in XML using the latest schema version `1.3` by default.
 
+#### Unpinned dependencies in `requirements.txt`
+
+If you failed to freeze your dependencies before passing the `requirements.txt` data to `cyclonedx-py`, you'll be 
+warned about this and the dependencies that do not have pinned versions WILL NOT be included in the resulting CycloneDX
+output.
+
+```
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! Some of your dependencies do not have pinned version !!
+!! numbers in your requirements.txt                     !!
+!!                                                      !!
+!! -> idna                                              !!
+!! -> requests                                          !!
+!! -> urllib3                                           !!
+!!                                                      !!
+!! The above will NOT be included in the generated      !!
+!! CycloneDX as version is a mandatory field.           !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+```
+
 ## Python Support
 
 We endeavour to support all functionality for all [current actively supported Python versions](https://www.python.org/downloads/).

cyclonedx_py/client.py

@@ -45,8 +45,24 @@ def __init__(self, args: argparse.Namespace):
             self._debug_message('Parsed Arguments: {}'.format(self._arguments))
 
     def get_output(self) -> BaseOutput:
+        parser = self._get_input_parser()
+
+        if parser.has_warnings():
+            print('')
+            print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
+            print('!! Some of your dependencies do not have pinned version !!')
+            print('!! numbers in your requirements.txt                     !!')
+            print('!!                                                      !!')
+            for warning in parser.get_warnings():
+                print('!! -> {} !!'.format(warning.get_item().ljust(49)))
+            print('!!                                                      !!')
+            print('!! The above will NOT be included in the generated      !!')
+            print('!! CycloneDX as version is a mandatory field.           !!')
+            print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
+            print('')
+
         return get_instance(
-            bom=Bom.from_parser(self._get_input_parser()),
+            bom=Bom.from_parser(parser=parser),
             output_format=OutputFormat[str(self._arguments.output_format).upper()],
             schema_version=SchemaVersion['V{}'.format(
                 str(self._arguments.output_schema_version).replace('.', '_')

poetry.lock

@@ -16,7 +16,7 @@ include = [
 
 [tool.poetry.dependencies]
 python = "^3.6"
-cyclonedx-python-lib = "^0.4.0"
+cyclonedx-python-lib = "0.4.1"
 
 [tool.poetry.dev-dependencies]
 tox = "^3.24.3"