
analyze: Poetry resolved dependencies returns 0 found packages #10638

@thomasscheer

Describe the bug

With a given poetry.lock, the python-inspector returns a valid (and filled) json-pdt, but analyse returns 0 found packages.

To Reproduce

Steps to reproduce the behavior:

  1. Use the attached poetry.lock to create a requirements.txt (attached):

     ```
     poetry export --without-hashes --format=requirements.txt --only=main > requirements.txt
     ```

  2. Use python-inspector to create a json-pdt (attached):

     ```
     python-inspector --python-version 313 --operating-system linux --json-pdt python-inspector6374800135236137904.json --analyze-setup-py-insecurely --requirement requirements.txt
     ```

  3. Check the json-pdt for the given packages.

  4. Use ORT analyse on the given poetry.lock: no packages found.

Expected behavior

ort analyse creates an analyzer-result file with the found dependencies from the json-pdt (python-inspector).

Console / log output

14:08:33  12:08:33.546 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.analyzer.PackageManager - Poetry resolved dependencies for path 'poetry.lock' in 12.982092892s.
14:08:33  12:08:33.546 [DefaultDispatcher-worker-1] INFO  kotlinx.coroutines.CoroutineScope - Finished Poetry analysis.
14:08:33  12:08:33.550 [main] INFO  org.ossreviewtoolkit.analyzer.Analyzer - Calling after resolution hooks for 2 manager(s).
14:08:34  Wrote analyzer result to '/semshield_output/analyzer-result.json' (0.00 MiB) in 441.323569ms.
14:08:34  The analysis took 13.241724804s.
14:08:34  Found 2 project(s) and **0 package(s)** in total (not counting excluded ones).

Environment

Output of the ort requirements command:

14:30:33  + /opt/ort/bin/ort --stacktrace --info requirements
14:30:33  + tee /logDir/requirements_sv-llm_development_info_700.log
14:30:36  12:30:36.503 [main] INFO  org.ossreviewtoolkit.model.config.OrtConfiguration - Using ORT configuration file '/home/ort/.ort/config/config.yml'.
14:30:36  Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
14:30:37  12:30:37.051 [main] INFO  org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter - EnvironmentVariableFilter initialized with denySubstrings = [key, pass, pwd, token, user] and allowNames = [CARGO_HTTP_USER_AGENT, COMPOSER_ALLOW_SUPERUSER, CONAN_LOGIN_ENCRYPTION_KEY, CONAN_LOGIN_USERNAME, CONAN_PASSWORD, CONAN_USERNAME, CONAN_USER_HOME, CONAN_USER_HOME_SHORT, DOTNET_CLI_CONTEXT_ANSI_PASS_THRU, GIT_ASKPASS, GIT_HTTP_USER_AGENT, GRADLE_USER_HOME, HACKAGE_USERNAME, HACKAGE_PASSWORD, HACKAGE_KEY, PWD, USER, USERPROFILE].
14:30:37   ______________________________                                                
14:30:37  /        \_______   \__    ___/ The OSS Review Toolkit, version 63.1.1,        
14:30:37  |    |   | |       _/ |    |    built with JDK 21.0.7+6-LTS, running under Java
14:30:37  |    |   | |    |   \ |    |    Executing 'requirements' as 'jenkins' on Linux 
14:30:37  \________/ |____|___/ |____|    with 64 CPUs and a maximum of 30208 MiB of memo
14:30:37                                                                                 
14:30:37  Environment variables:                                                        
14:30:37  HOME = /home/ort                                                              
14:30:37  JAVA_HOME = /opt/java/openjdk                                                 
14:30:37  ANDROID_HOME = /opt/android_sdk                                               
14:30:37                                                                                
14:30:37  Looking for ORT configuration in the following file:
14:30:37          /home/ort/.ort/config/config.yml
14:30:37  
14:30:38  12:30:38.009 [main] INFO  org.reflections.Reflections - Reflections took 695 ms to scan 96 urls, producing 159 keys and 1421 values
14:30:38  Scanners:
14:30:38          - Askalono: Requires 'askalono' in no specific version. Tool not found.
14:30:38          - BoyterLc: Requires 'lc' in no specific version. Tool not found.
14:30:38          - Licensee: Requires 'licensee' in no specific version. Tool not found.
14:30:38  12:30:38.294 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'scancode --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:39          * ScanCode: Requires 'scancode' in version >=30.0.0. Found version 32.3.3.
14:30:39  
14:30:39  PackageManagers:
14:30:39  12:30:39.871 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'bazel --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:46          * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
14:30:46  12:30:46.153 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'bower --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:46          * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
14:30:46  12:30:46.410 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'buildozer --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:46          + Buildozer: Requires 'buildozer' in no specific version. Found version redacted.
14:30:46  12:30:46.422 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'cargo --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:46          * Cargo: Requires 'cargo' in no specific version. Found version 1.84.0.
14:30:46  12:30:46.494 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'pod --version --allow-root' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:47          * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.16.2.
14:30:47  12:30:47.281 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'composer --no-ansi --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:47          * Composer: Requires 'composer' in version >=1.5.0. Found version 2.8.10.
14:30:47  12:30:47.351 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'go version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:47          * Go: Requires 'go' in version >=1.21.1. Found version 1.24.0.
14:30:47  12:30:47.364 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'npm --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:47          * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.9.2.
14:30:47  12:30:47.522 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'nuget-inspector --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:47          + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
14:30:47  12:30:47.808 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'pipenv --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:48          * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
14:30:48  12:30:48.669 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'pnpm --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:50          * Pnpm: Requires 'pnpm' in version >=5.0.0 and <10.0.0. Found version 9.15.4.
14:30:50  12:30:50.113 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'poetry --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:51          * Poetry: Requires 'poetry' in no specific version. Found version 2.0.1.
14:30:51  12:30:50.738 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'python-inspector --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:30:51          * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.10.0.
14:30:51  12:30:51.244 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'sbt --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Sbt: Requires 'sbt' in no specific version. Found version copying runtime jar...
14:31:09  sbt script version: 1.10.0.
14:31:09  12:31:08.031 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'stack --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Stack: Requires 'stack' in version >=2.1.1. Found version 3.7.1.
14:31:09  12:31:08.044 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'swift --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Swift: Requires 'swift' in no specific version. Found version 6.0.3.
14:31:09  12:31:08.390 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.22.
14:31:09  
14:31:09  Other tools:
14:31:09  12:31:08.911 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'conan --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Conan: Requires 'conan' in version >=1.44.0 and <3.0.0. Found version 1.66.0.
14:31:09  12:31:09.864 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'dart --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
14:31:09  
14:31:09  VersionControlSystems:
14:31:09  12:31:09.878 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'git --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:09          * Git: Requires 'git' in version >=2.29.0. Found version 2.34.1.
14:31:09  12:31:09.901 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'repo --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:10          * GitRepo: Requires 'repo' in no specific version. Found version 2.54 (launcher).
14:31:10  12:31:10.056 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'hg --version' in '/home/jenkins/workspace/emshield_genericSemshieldScanner'...
14:31:10          * Mercurial: Requires 'hg' in no specific version. Found version 7.0.3.
14:31:10  
14:31:10  Prefix legend:
14:31:10          - The tool was not found in the PATH environment.
14:31:10          + The tool was found in the PATH environment, but not in the required version.
14:31:10          * The tool was found in the PATH environment in the required version.
14:31:10  
14:31:10  ScanCode license texts found in '/opt/scancode-license-data'.
14:31:10  
14:31:10  Not all tools requirements were satisfied:
14:31:10          ! Some tools were not found in their required versions.
14:31:10  

python-inspector6374800135236137904.json
requirements.txt
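The comparison in reproduction steps 3 and 4 can be automated, for example as a CI guard that fails when the analyzer result silently drops packages the resolver reported. This is an added example, not part of the original issue or of ORT's code. It assumes the json-pdt keeps its tree under `resolved_dependencies_graph` with `package_name`, `installed_version` and `dependencies` fields, and that the ORT result lists packages under `analyzer.result.packages` with `type:namespace:name:version` ids; the sample documents are constructed.

```python
import re

def norm(name):
    # PEP 503 normalization so "Typing_Extensions" equals "typing-extensions".
    return re.sub(r"[-_.]+", "-", name).lower()

def pdt_packages(pdt_doc):
    """Collect (name, version) pairs from the resolved dependency tree."""
    found = set()
    stack = list(pdt_doc.get("resolved_dependencies_graph", []))
    while stack:  # iterative walk, transitive dependencies included
        node = stack.pop()
        found.add((norm(node["package_name"]), node["installed_version"]))
        stack.extend(node.get("dependencies", []))
    return found

def ort_packages(ort_doc):
    """Collect (name, version) pairs for PyPI ids in an analyzer result."""
    found = set()
    result = ort_doc.get("analyzer", {}).get("result", {})
    for pkg in result.get("packages", []):
        pkg_type, _namespace, name, version = pkg["id"].split(":", 3)
        if pkg_type == "PyPI":
            found.add((norm(name), version))
    return found

def missing_from_ort(pdt_doc, ort_doc):
    """Packages the resolver reported that the analyzer result lacks."""
    return sorted(pdt_packages(pdt_doc) - ort_packages(ort_doc))

# Constructed sample data (assumed layouts, not the attachments of this issue).
SAMPLE_PDT = {"resolved_dependencies_graph": [
    {"package_name": "Requests", "installed_version": "2.32.3", "dependencies": [
        {"package_name": "idna", "installed_version": "3.10", "dependencies": []},
    ]},
]}
SAMPLE_ORT_EMPTY = {"analyzer": {"result": {"projects": [], "packages": []}}}
SAMPLE_ORT_FULL = {"analyzer": {"result": {"packages": [
    {"id": "PyPI::requests:2.32.3"}, {"id": "PyPI::idna:3.10"},
]}}}

if __name__ == "__main__":
    gap = missing_from_ort(SAMPLE_PDT, SAMPLE_ORT_EMPTY)
    print(f"{len(gap)} package(s) missing from analyzer result: {gap}")
    raise SystemExit(1 if gap else 0)
```
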

Labels: analyzer (About the analyzer tool)
