Provide insecure parsing for top level dependencies

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

src/python_inspector/resolution.py

@@ -93,6 +93,25 @@ def get_requirements_from_distribution(
     handler: BasePypiHandler,
     location: str,
 ) -> List[Requirement]:
+    """
+    Return a list of requirements from a source distribution or wheel at
+    ``location`` using the provided ``handler`` DatafileHandler for parsing.
+    """
+    if not location:
+        return []
+    if not os.path.exists(location):
+        return []
+    reqs = []
+    for package_data in handler.parse(location):
+        dependencies = package_data.dependencies
+        reqs.extend(get_requirements_from_dependencies(dependencies=dependencies))
+    return reqs
+
+
+def get_deps_from_distribution(
+    handler: BasePypiHandler,
+    location: str,
+) -> List[DependentPackage]:
     """
     Return a list of requirements from a source distribution or wheel at
     ``location`` using the provided ``handler`` DatafileHandler for parsing.
@@ -104,7 +123,7 @@ def get_requirements_from_distribution(
     deps = []
     for package_data in handler.parse(location):
         dependencies = package_data.dependencies
-        deps.extend(get_requirements_from_dependencies(dependencies=dependencies))
+        deps.extend(dependencies=dependencies)
     return deps
 
 
@@ -133,7 +152,7 @@ def contain_string(string: str, files: List) -> bool:
     return False
 
 
-def parse_setup_py_insecurely(setup_py):
+def parse_reqs_from_setup_py_insecurely(setup_py):
     """
     Yield requirements from the setup.py file at ``setup_py``.
     """
@@ -143,6 +162,27 @@ def parse_setup_py_insecurely(setup_py):
         yield Requirement(req)
 
 
+def parse_deps_from_setup_py_insecurely(setup_py):
+    """
+    Yield requirements from the setup.py file at ``setup_py``.
+    """
+    if not os.path.exists(setup_py):
+        return []
+    for req in iter_requirements(level="", extras=[], setup_file=setup_py):
+        parsed_req = Requirement(req)
+        yield DependentPackage(
+            purl=str(
+                PackageURL(
+                    type="pypi",
+                    name=parsed_req.name,
+                )
+            ),
+            extracted_requirement=req,
+            scope="install",
+            is_runtime=False,
+        )
+
+
 def is_valid_version(
     parsed_version: Union[LegacyVersion, Version],
     requirements: Dict,
@@ -685,7 +725,7 @@ def get_setup_dependencies(location, analyze_setup_py_insecurely=False, use_requ
         string="_require", files=[setup_py_location, setup_cfg_location]
     ):
         if analyze_setup_py_insecurely:
-            yield from parse_setup_py_insecurely(setup_py=setup_py_location)
+            yield from parse_reqs_from_setup_py_insecurely(setup_py=setup_py_location)
         else:
             raise Exception("Unable to collect setup.py dependencies securely")
 

src/python_inspector/resolve_cli.py

@@ -19,16 +19,20 @@
 from tinynetrc import Netrc
 
 from _packagedcode.models import DependentPackage
+from _packagedcode.pypi import PipRequirementsFileHandler
 from _packagedcode.pypi import PythonSetupPyHandler
 from _packagedcode.pypi import can_process_dependent_package
 from python_inspector import dependencies
 from python_inspector import utils
 from python_inspector import utils_pypi
 from python_inspector.cli_utils import FileOptionType
 from python_inspector.package_data import get_pypi_data_from_purl
+from python_inspector.resolution import contain_string
+from python_inspector.resolution import get_deps_from_distribution
 from python_inspector.resolution import get_environment_marker_from_environment
 from python_inspector.resolution import get_python_version_from_env_tag
 from python_inspector.resolution import get_resolved_dependencies
+from python_inspector.resolution import parse_deps_from_setup_py_insecurely
 
 TRACE = False
 
@@ -283,6 +287,33 @@ def resolve_dependencies(
             if dep.scope == "install":
                 direct_dependencies.append(dep)
 
+        if not package_data.dependencies:
+            has_deps = False
+            if contain_string(string="requirements.txt", files=[setup_py_file]):
+                # Look in requirements file if and only if thy are refered in setup.py or setup.cfg
+                # And no deps have been yielded by requirements file.
+
+                location = os.path.dirname(setup_py_file)
+                requirement_location = os.path.join(
+                    location,
+                    "requirements.txt",
+                )
+                deps = get_deps_from_distribution(
+                    handler=PipRequirementsFileHandler,
+                    location=requirement_location,
+                )
+                if deps:
+                    has_deps = True
+                    direct_dependencies.extend(deps)
+
+            if not has_deps and contain_string(string="_require", files=[setup_py_file]):
+                if analyze_setup_py_insecurely:
+                    direct_dependencies.extend(
+                        parse_deps_from_setup_py_insecurely(setup_py=setup_py_file)
+                    )
+                else:
+                    raise Exception("Unable to collect setup.py dependencies securely")
+
     if not direct_dependencies:
         click.secho("Error: no requirements requested.")
         ctx.exit(1)