fix(sca): fix sbom dependency name report [backport 3.3] (#12882)

github-actions[bot] · christophe-papazian · web-flow · commit eb81294f4c5a · 2025-03-25T20:52:36.000Z
Backport dcd571b from #12875 to 3.3. The module name could be used inaccurately instead of the package name in some case for sbom reports. This PR fixes that. APPSEC-56692 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Christophe Papazian <114495376+christophe-papazian@users.noreply.github.com>
diff --git a/ddtrace/internal/packages.py b/ddtrace/internal/packages.py
@@ -77,10 +77,12 @@ def get_module_distribution_versions(module_name: str) -> t.Optional[t.Tuple[str
     pkgs = get_package_distributions()
     while names == []:
         try:
-            return (
-                module_name,
-                importlib_metadata.distribution(module_name).version,
-            )
+            package = importlib_metadata.distribution(module_name)
+            metadata = package.metadata
+            name = metadata["name"]
+            version = metadata["version"]
+            if name and version:
+                return (name, version)
         except Exception:  # nosec
             pass
         names = pkgs.get(module_name, [])
diff --git a/releasenotes/notes/fix_sbom_package_name-7b340f4b3fcda0f7.yaml b/releasenotes/notes/fix_sbom_package_name-7b340f4b3fcda0f7.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    SCA: This fix resolves an issue where some dependencies where reported with an inaccurate name.
diff --git a/tests/telemetry/test_data.py b/tests/telemetry/test_data.py
@@ -203,7 +203,7 @@ def test_update_imported_dependencies():
     import pytest
 
     res = update_imported_dependencies(already_imported, [xmltodict.__name__, typing.__name__, pytest.__name__])
-    assert len(res) == 1  # typing is stdlib so should not be in the result
+    assert len(res) == 1, res  # typing is stdlib so should not be in the result
     assert res[0]["name"] == "pytest"
     assert res[0]["version"]
     assert len(already_imported) == 2

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    SCA: This fix resolves an issue where some dependencies where reported with an inaccurate name.