Conversation

@raghur-orca (Contributor) commented Oct 8, 2025

Description

When the --detection-priority comprehensive flag is used, Trivy takes the minimum version for a package (see docs).

However, if the package version is specified as a range, Trivy doesn’t trim the end-of-range suffix.
e.g. for requests>=2.31.0,<3:

now: requests + 2.31.0,<3
correct: requests + 2.31.0

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
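The minimum-version extraction the description is about, as an added Go example that is not Trivy's own code: parseRequirement, buggyMinVersion and minVersion are hypothetical names, and the list of operators treated as lower bounds is an assumption of this example. buggyMinVersion reproduces the reported "2.31.0,<3" output, while minVersion examines each comma-separated clause on its own so the end-of-range suffix never reaches the version.

```go
package main

import (
	"fmt"
	"strings"
)

// Operators from which a minimum version can be read (exact pin or lower
// bound). Upper-bound clauses such as "<3" are ignored. Assumption of this
// example, not Trivy's operator handling.
var lowerBoundOps = []string{"===", "==", ">=", "~="}

// parseRequirement splits a requirements.txt line into name and specifier
// set, e.g. "requests>=2.31.0,<3" -> ("requests", ">=2.31.0,<3").
func parseRequirement(line string) (name, spec string) {
	line = strings.TrimSpace(line)
	if i := strings.Index(line, "#"); i >= 0 { // drop a trailing comment
		line = strings.TrimSpace(line[:i])
	}
	idx := strings.IndexAny(line, "=<>~!")
	if idx < 0 {
		return line, "" // unpinned package: no specifier set
	}
	return strings.TrimSpace(line[:idx]), strings.TrimSpace(line[idx:])
}

// buggyMinVersion mirrors the behaviour reported in the PR: it strips the
// leading operator but keeps the rest of the specifier set, so
// ">=2.31.0,<3" becomes "2.31.0,<3".
func buggyMinVersion(spec string) string {
	for _, op := range lowerBoundOps {
		if strings.HasPrefix(spec, op) {
			return strings.TrimPrefix(spec, op)
		}
	}
	return ""
}

// minVersion is the corrected logic: every comma-separated clause is looked
// at separately and only the version of a lower-bound clause is returned,
// regardless of where it sits in the set.
func minVersion(spec string) string {
	for _, clause := range strings.Split(spec, ",") {
		clause = strings.TrimSpace(clause)
		for _, op := range lowerBoundOps {
			if strings.HasPrefix(clause, op) {
				return strings.TrimSpace(strings.TrimPrefix(clause, op))
			}
		}
	}
	return "" // no lower bound present: minimum version unknown
}

func main() {
	name, spec := parseRequirement("requests>=2.31.0,<3")
	fmt.Printf("%s: buggy=%q fixed=%q\n", name, buggyMinVersion(spec), minVersion(spec))
}
```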

@CLAassistant commented Oct 8, 2025

CLA assistant check
All committers have signed the CLA.

@DmitriyLewen (Contributor) left a comment

Hello @raghur-orca
Thanks for your contribution!

Left small comments.
And update the PR title and description, please.

@raghur-orca raghur-orca changed the title fix: Trim the end-of-range suffix when using the --detection-priority… fix: Trim the end-of-range suffix Oct 9, 2025
@raghur-orca (Contributor, Author) left a comment

Added all the changes to this PR.

@DmitriyLewen (Contributor) commented

@raghur-orca please fix the linter and test errors.
You can use the mage lint:run, mage test:unit, etc. commands - https://trivy.dev/latest/community/contribute/pr/#development

@DmitriyLewen (Contributor) left a comment

Thanks for your contribution

@DmitriyLewen DmitriyLewen added this pull request to the merge queue Oct 13, 2025
@raghur-orca (Contributor, Author) commented

Thanks for all the inputs, @DmitriyLewen 🙏

Merged via the queue into aquasecurity:main with commit e18b038 Oct 13, 2025
14 checks passed
@raghur-orca raghur-orca deleted the fix/trim-version-specifier branch October 13, 2025 06:54
@DmitriyLewen DmitriyLewen changed the title fix: Trim the end-of-range suffix fix(python): Trim the end-of-range suffix for packages from requirements.txt files Oct 27, 2025
Development

Successfully merging this pull request may close these issues.

bug(pip): Trivy doesn’t trim the end-of-range suffix when using the --detection-priority comprehensive flag.

3 participants