Unexpected use of instrumentation technique for Python requirements.txt — manifest-analysis expected

[yuvalmich]

Background

I'm generating an SBOM for a Python project with a requirements.txt file and noticed unexpected results: some packages are attributed to the instrumentation technique, even though they originate from requirements.txt. I haven't applied the --technique flag yet — I inspected the generated SBOM and found that the techniques used are not as expected. This becomes a problem when I do apply the --technique manifest-analysis filter, because relevant packages are then missing.

What I used

Minimal requirements.txt:
fastapi==0.103.1
sd-aiosmtplib==0.0.2

Expected Behavior

Packages like fastapi (direct) and starlette (transitive) should be attributed to manifest-analysis.

Actual Behavior

fastapi is attributed to instrumentation, not manifest-analysis.

starlette is correctly marked as manifest-analysis.

Rationale

I'm aiming to generate an SBOM strictly based on what's declared in requirements.txt and its transitive dependencies. The presence of unrelated packages due to instrumentation introduces noise. (i.e - pipenv, poetry, atom-tools, ...) Since I want to use the --technique manifest-analysis filter, it's critical that direct and transitive dependencies are correctly attributed.

Questions

1. Why is fastapi using instrumentation instead of manifest-analysis?
2. How can I ensure the SBOM only includes direct and transitive packages from requirements.txt, with proper technique attribution?

Thanks!

[prabhu]

This needs some triaging. Can you share the command that was used?

[prabhu]

This is true. I am unable to get manifest-analysis to show up for Python + requirements.txt combination at all. Would you be interested in contributing a PR? I think we have to start with forcing a manual parsing first and inject a technique to those manually parsed components.

[yuvalmich]

Sure, I’m interested in contributing a PR to fix this. I’m somewhat familiar with the codebase, but not in this specific context, so I’d appreciate any guidance you can provide.

[omriyoffe-panw]

@prabhu Hey, I am working with @yuvalmich and I want to contribute a PR to fix this issue but I am not familiar with this flow. Do you have any notes or insights on how to approach this and where specifically to look?
Thanks!

[omriyoffe-panw]

@prabhu Suggested fix
#2030