package detector warning #1043

Open
zongtaol opened this issue Mar 21, 2024 · 1 comment
Labels
detector:pip The pip detector status:waiting-on-response Waiting on a response/more information from the user type:bug Bug fix of existing functionality

Comments

@zongtaol

I have two questions about the warning notes while running component detection leveraging msft-sbom-tool.

1. Does the component detection tool support C/C++ based projects?

We noticed component detection isn't capturing any packages and throws the below-mentioned warning. Are C/C++ projects supported? If not, will this be enabled in the future?

```
##[warning]There were no packages detected during the generation workflow.
```

2. We noticed a few of the components have been skipped, for example tensorflow and keras. Is this expected behavior, or does something need to be changed in the Python requirement.txt?

```
##[warning]Candidate version ("protobuf 5.26.0 - pip") for "protobuf" already exists in map and the version is NOT valid.
##[warning]Specifiers: "!=4.21.0,!=4.21.1,!=4.21.2,!=4.21.3,!=4.21.4,!=4.21.5,<5.0.0dev,>=3.20.3" for package "tensorflow-cpu-aws" caused this.
##[warning]Candidate version ("tensorboard 2.15.2 - pip") for "tensorboard" already exists in map and the version is NOT valid.
##[warning]Specifiers: "<2.17,>=2.16" for package "tensorflow" caused this.
##[warning]Version Resolution for "tensorboard" failed, assuming last valid version is used.
##[warning]Candidate version ("keras 2.15.0 - pip") for "keras" already exists in map and the version is NOT valid.
##[warning]Specifiers: ">=3.0.0" for package "tensorflow" caused this.

##[warning]Components skipped for "Pip" detector:
##[warning]- "abi-pytestfixture-integration"
##[warning]- "abi-core"
##[warning]- "abi-package"
##[warning]- "abi-vault"
##[warning]- "numpy=1.26.4"
```

I also specified PIP_EXTRA_INDEX_URL as an internal link in the system environment as well as in requirement.txt, but all the packages are still not found in component detection. Do you know how we can resolve this warning message?

```
##[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-core/json
##[warning]Root dependency "abi-core" not found on pypi. Skipping package.
##[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-package/json
##[warning]Root dependency "abi-package" not found on pypi. Skipping package.
##[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-vault/json
##[warning]Root dependency "abi-vault" not found on pypi. Skipping package.
```

Thank you.
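The warnings quoted in the issue above fall into three groups, each leaving a different gap in the generated SBOM: pinned versions that fail another package's specifier, components the Pip detector skipped, and root dependencies that were looked up on pypi.org and not found there. The following Python script is an added example, not part of the original issue or of component-detection; the function name `triage` and the report keys are assumptions, and the regular expressions are written only against the warning lines shown in this issue.

```python
import re

# Warning lines copied from the issue above (a subset, "##[warning]" prefix kept).
LOG = '''\
##[warning]Candidate version ("tensorboard 2.15.2 - pip") for "tensorboard" already exists in map and the version is NOT valid.
##[warning]Specifiers: "<2.17,>=2.16" for package "tensorflow" caused this.
##[warning]Candidate version ("keras 2.15.0 - pip") for "keras" already exists in map and the version is NOT valid.
##[warning]Specifiers: ">=3.0.0" for package "tensorflow" caused this.
##[warning]Components skipped for "Pip" detector:
##[warning]- "abi-core"
##[warning]- "numpy=1.26.4"
##[warning]Received NotFound "Not Found" from https://pypi.org/pypi/abi-core/json
##[warning]Root dependency "abi-core" not found on pypi. Skipping package.
'''

CANDIDATE = re.compile(r'Candidate version \("(\S+) (\S+) - pip"\) for "([^"]+)"')
SPECIFIER = re.compile(r'Specifiers: "([^"]*)" for package "([^"]+)" caused this')
SKIPPED = re.compile(r'^- "([^"]+)"$')
NOT_ON_PYPI = re.compile(r'Root dependency "([^"]+)" not found on pypi')

def triage(log):
    """Group pip-detector warnings by the gap they leave in the SBOM (hypothetical helper)."""
    report = {"conflicts": [], "skipped": [], "not_on_public_index": []}
    pending = None        # "Candidate version" line waiting for its "Specifiers" line
    in_skip_list = False  # True while reading the "Components skipped" bullet list
    for raw in log.splitlines():
        line = re.sub(r'^##\[warning\]', '', raw).strip()
        if m := CANDIDATE.search(line):
            pending = {"package": m[3], "pinned": m[2]}
        elif (m := SPECIFIER.search(line)) and pending:
            report["conflicts"].append({**pending, "specifier": m[1], "required_by": m[2]})
            pending = None
        elif line.startswith('Components skipped for "Pip"'):
            in_skip_list = True
            continue
        elif in_skip_list and (m := SKIPPED.match(line)):
            report["skipped"].append(m[1])
            continue
        elif m := NOT_ON_PYPI.search(line):
            report["not_on_public_index"].append(m[1])
        in_skip_list = False  # any other line ends the skipped-components list
    return report

if __name__ == "__main__":
    for key, items in triage(LOG).items():
        print(key, items)
```

Entries under `skipped` and `not_on_public_index` are components missing from the SBOM; entries under `conflicts` are components whose recorded version may not match what pip actually installs.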

@cobya
Contributor

cobya commented Apr 18, 2024

Our support of C++ projects comes via the VCPKG detector. How are you registering the dependencies for your project?

For the second question about Python feed configuration, we have an open issue #415 for allowing internal feed configuration in the Pip detectors but we haven't had a chance to prioritize this recently. If you are interested in making the contribution I would be happy to help out how I can.

@cobya cobya added status:waiting-on-response Waiting on a response/more information from the user type:bug Bug fix of existing functionality detector:pip The pip detector labels May 15, 2024