This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

python language not detected #61

Closed
njohnson-tw opened this issue Jun 8, 2018 · 7 comments
Labels
more-information-needed More information needs to be collected about these problems or feature requests.

Comments

@njohnson-tw

I'm scanning a python app for a client, and the python language wasn't detected. They're using a Pipfile, not a requirements.txt. Do you think that might be the problem?

@njohnson-tw
Author

njohnson-tw commented Jun 8, 2018

OK that's definitely the problem. I did a 'touch requirements.txt', reran hawkeye and it ran all the python modules this time. However python-safety isn't finding any outdated dependencies, since they're all in the Pipfile. I wonder if there's a better dependency checker that supports Pipfile.

@lauraionescu
Contributor

Hi @njohnson-tw,
It looks like Pipenv has a command for checking security vulnerabilities (pipenv check). I might try to work on a PR to incorporate pipenv checks in addition to the other Python scanning modules.

@meandor

meandor commented Oct 5, 2018

For people looking for a quick fix until hawkeye can check Pipfiles:
just create a requirements.txt from your Pipfile:

pipenv lock -r > requirements.txt
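
As an added example (not code from this thread or from hawkeye): a small Python converter that reads a Pipfile.lock, which is JSON, and emits pinned requirements.txt lines without needing pipenv installed. It also lists entries that carry no pinned version, so they are not silently left out of a dependency check. The sample lock content and the `lock_to_requirements` name are constructed for illustration.

```python
import json

# Constructed sample in the Pipfile.lock JSON layout (not from the thread).
SAMPLE_LOCK = json.dumps({
    "_meta": {"pipfile-spec": 6, "requires": {"python_version": "3.6"}},
    "default": {
        "django": {"version": "==1.11.0", "hashes": ["sha256:<placeholder>"]},
        "requests": {"version": "==2.18.4", "markers": "python_version >= '2.7'"},
        "internal-lib": {"git": "https://example.invalid/internal-lib.git", "ref": "abc123"},
    },
    "develop": {
        "pytest": {"version": "==3.6.0"},
    },
})


def lock_to_requirements(lock_text, include_dev=True):
    """Return (pinned_lines, skipped_names) from Pipfile.lock content."""
    lock = json.loads(lock_text)
    sections = ["default"] + (["develop"] if include_dev else [])
    pinned, skipped = {}, []
    for section in sections:
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version") if isinstance(spec, dict) else None
            if not version or not version.startswith("=="):
                # VCS, path or unpinned entries have no exact version that a
                # vulnerability database lookup can match; report them instead.
                skipped.append(name)
                continue
            line = name + version
            if spec.get("markers"):
                line += "; " + spec["markers"]
            pinned[name.lower()] = line
    return sorted(pinned.values()), sorted(set(skipped))


if __name__ == "__main__":
    lines, skipped = lock_to_requirements(SAMPLE_LOCK)
    print("\n".join(lines))
    for name in skipped:
        print("# not pinned, check manually: " + name)
```
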

@felixhammerl
Collaborator

As I am not a Pythonero, I have some stupid questions...

Do bandit, piprot, and safety depend in any way on the requirements.txt being present? If they can work with either the Pipfile or the requirements.txt being present, then the fix is trivially simple, we just add it to the python module handle() hook ...

Also: @lauraionescu please do set up a PR for pipenv check. If you need any help, you know how to reach me :)

@felixhammerl felixhammerl added the more-information-needed More information needs to be collected about these problems or feature requests. label Oct 19, 2018
@lauraionescu
Contributor

Thanks for reminding me @felixhammerl :)

To answer your question:
piprot doesn't support Pipfile yet, there's an open issue for that: https://github.com/sesh/piprot/issues/71

bandit I've never used it before, but as far as I can tell, it doesn't take into account requirements.txt or Pipfile, it works more as a linter

safety also has an open issue that is waiting on a refactoring of pipfile itself (pyupio/safety#47), but it's been quiet in the past year

@felixhammerl
Collaborator

Closing this in favor of #88, #89, #90

@njohnson-tw
Author

This is great. Thanks for evaluating the issue and adding additional issues for the three python related tools.
