Inspecting setup.py with string substitution and `extras_require` creates a result without packages and graph

[MarcelBochtler]

I'm trying to inspect a project using a setup.py looking like that:

from setuptools import setup

semver_version = '2.13.0'

setup(
    name='example',
    version='0.0.1',
    install_requires=[
        f"semver @ git+https://github.com/python-semver/python-semver.git@{semver_version}",
    ],
    extras_require={
        'test': [
            'botocore==1.27.76'
        ]
    }
)

Running python-inspector using this command:

python-inspector --python-version 310 --operating-system linux --json-pdt result.json --analyze-setup-py-insecurely --setup-py setup.py --verbose

The result.json contains empty packages and an empty dependencies_graph:

  "packages": [],
  "resolved_dependencies_graph": []

This can be fixed by doing either of the following:

• Hard-coding semver_version
• removing extras_require

Both of these options result in valid packages and a resolved_dependencies_graph.

The expected result is that, I get packages and a resolved_dependencies_graph without requiring the mentioned workarounds. Additionally, python-inspector should either fail, or show some error. At the moment it fails quietly.

[TG1999]

@MarcelBochtler thanks for raising this issue, having a look on this

[TG1999]

@MarcelBochtler for now we only go to the insecure mode when we are not able to yield any dependencies at all, in this case we were able to yield the dependencies partially that's why we never did the insecure evaluation. IMO we should change this approach, if anyone asks for an insecure evaluation we should allow that without any further checks.

[TG1999]

@MarcelBochtler please use https://pypi.org/project/python-inspector/0.9.7/ and let us know