Poetry
Poetry is a tool for dependency management and packaging in Python.
Overview
Poetry is a tool for dependency management and packaging in Python.
Project Discovery
Find files named pyproject.toml and poetry.lock. Pyproject must also use poetry for the build system. If Pyproject does not use poetry build system - project will not be discovered.
Analysis
We parse pyproject.toml to find direct dependencies and their version constraints:
[tool.poetry.dependencies]- production dependencies[tool.poetry.dev-dependencies]- development dependencies
If poetry.lock file is discovered, following will be analyzed from lockfile to supplement the analyses:
[package.dependencies]- package's dependenciespackage.category- package's environment (dev, test, etc.). If not present, defaults tomain.package.name- name of the packagepackage.version- resolved version of the package
If poetry.lock file is not discovered, we fallback to reporting only direct dependencies parsed from pyproject.toml.
| Strategy | Direct Deps | Transitive Deps | Edges |
|---|---|---|---|
pyproject.toml and poetry.lock are discovered | ✔️ | ✔️ | ✔️ |
Only pyproject.toml is discovered | ✔️ | ❌ | ❌ |
Only poetry.lock is discovered | ❌ | ❌ | ❌ |
- ✔️ - Supported in all projects
- ❌ - Not Supported
Limitations
- For poetry project, build system's
build-backendmust be set topoetry.core.masonry.apiorpoetry.masonry.apiinpyproject.toml. If not done so, it will not discover the project. Refer to Poetry and PEP-517 for more details. - All extras specified in
[tool.poetry.extras]are currently not reported. - Any path dependencies will not be reported.
- For Poetry version greater or equal to
v1.5.0, optional dependencies provideded in dependencies group will not be included in the analysis, even with --include-unused-deps, if onlypyproject.tomlis discovered.
Example
pyproject.toml file (created by poetry init and adding relevant dependencies)
[tool.poetry]authors = ["User <user@example.com>"]description = "Example poetry usage"name = "example-poetry-usage"version = "0.1.0" [tool.poetry.dependencies]loguru = "^0.5"networkx = {git = "https://github.com/networkx/networkx.git", branch = "v1.10"}python = "^3.9" [tool.poetry.dev-dependencies]flake8 = "3.9.2" [build-system]build-backend = "poetry.core.masonry.api"requires = ["poetry-core>=1.0.0"]and accompanying poetry.lock file (created by poetry at time of dependency resolution)
[[package]]name = "colorama"version = "0.4.4"description = "Cross-platform colored terminal text."category = "main"optional = falsepython-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" [[package]]name = "decorator"version = "5.0.9"description = "Decorators for Humans"category = "main"optional = falsepython-versions = ">=3.5" [[package]]name = "flake8"version = "3.9.2"description = "the modular source code checker: pep8 pyflakes and co"category = "dev"optional = falsepython-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" [package.dependencies]mccabe = ">=0.6.0,<0.7.0"pycodestyle = ">=2.7.0,<2.8.0"pyflakes = ">=2.3.0,<2.4.0" [[package]]name = "loguru"version = "0.5.3"description = "Python logging made (stupidly) simple"category = "main"optional = falsepython-versions = ">=3.5" [package.dependencies]colorama = {version = ">=0.3.4", markers = "sys_platform == \"win32\""}win32-setctime = {version = ">=1.0.0", markers = "sys_platform == \"win32\""} [package.extras]dev = ["codecov (>=2.0.15)", "colorama (>=0.3.4)", "flake8 (>=3.7.7)", "tox (>=3.9.0)", "tox-travis (>=0.12)", "pytest (>=4.6.2)", "pytest-cov (>=2.7.1)", "Sphinx (>=2.2.1)", "sphinx-autobuild (>=0.7.1)", "sphinx-rtd-theme (>=0.4.3)", "black (>=19.10b0)", "isort (>=5.1.1)"] [[package]]name = "mccabe"version = "0.6.1"description = "McCabe checker, plugin for flake8"category = "dev"optional = falsepython-versions = "*" [[package]]name = "networkx"version = "1.10"description = "Python package for creating and manipulating graphs and networks"category = "main"optional = falsepython-versions = "*"develop = false [package.dependencies]decorator = ">=3.4.0" [package.source]type = "git"url = "https://github.com/networkx/networkx.git"reference = "v1.10"resolved_reference = "4d364bfcee7b24f3df137e8dcd36f7a547892e55" [[package]]name = "pycodestyle"version = "2.7.0"description = "Python style guide checker"category = "dev"optional = falsepython-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" [[package]]name = "pyflakes"version = "2.3.1"description = "passive checker of Python programs"category = "dev"optional = falsepython-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" [[package]]name = "win32-setctime"version = "1.0.3"description = "A small Python utility to set file creation time on Windows"category = "main"optional = falsepython-versions = ">=3.5" [package.extras]dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"] [metadata]lock-version = "1.1"python-versions = "^3.9"content-hash = "31cb32d5165d1cc95e45e9d3e839af556f548df74dda74e25a02b79ba5aa5948" # [metadata.files] not shown for brevityWe will produce the following dependency graph from our analyses when both poetry.lock and pyproject.toml are discovered.
Accent green nodes are direct dependencies; dashed-border nodes are transitive dependencies.
If only pyproject.toml is discovered, the following dependency graph is produced.
All nodes are direct dependencies. Transitive dependencies are not resolved without poetry.lock.
Without poetry.lock we are not able to identify any transitive dependencies. We are also unable to locally resolve dependency when version ranges are provided, like loguru = "^0.5".
As category is not provided with poetry version greater or equal to v1.5.0, FOSSA CLI will, first identify "main" dependencies by using tool.poetry.dependencies from pyproject.toml. Afterwhich, it will hydrate dependencies. Any dependencies not hydrated, will be inferred to be a development dependency.