
requirements.txt Processor

The requirements.txt processor parses Python requirements.txt files to extract declared package dependencies.

Default File

requirements.txt

Description

The requirements.txt file is the standard Python dependency specification file used by pip. It lists package names with optional version specifiers, extras, environment markers, and installation options.

Supported Formats

The processor handles various dependency specification formats:

Package with Exact Version

requests==2.31.0

Result: Package requests with version 2.31.0

Package without Version

requests

Result: Package requests with no version specified

Package with Version Range

requests>=2.0.0,<3.0.0

Result: Package requests with no version (ranges not resolved)

Package with Compatible Release

requests~=2.31

Result: Package requests with no version (compatible releases not resolved)

Package with Extras

requests[security]==2.31.0

Result: Package requests with version 2.31.0 (extras are ignored)

Package with Environment Markers

requests==2.31.0; python_version < '3.10'

Result: Package requests with version 2.31.0 (markers are ignored)

Editable Install from Git

-e git+https://github.com/psf/requests.git#egg=requests

Result: Package psf/requests (GitHub organization/project extracted)

Direct URL

https://github.com/psf/requests/archive/refs/tags/v2.31.0.zip

Result: Package psf/requests (organization/project extracted from the URL). Only GitHub and GitLab URLs are recognized; direct URLs from any other host are ignored.

Nested Requirements

The processor supports nested requirement files:

-r requirements-dev.txt
--requirement requirements-test.txt

These files are recursively processed, with circular reference protection.

Version Detection

Only exact versions pinned with the == operator are captured as component versions. Any other specifier (a range such as >=2.0.0,<3.0.0, a compatible release such as ~=2.31, or no specifier at all) yields a component without a version, which must be resolved during scanning or enrichment before the component can be matched to a specific release. To get exact versions into the scan, pin dependencies with == (for example by committing the output of pip freeze).
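The following is an added example written for this page, not the product's own parser: a small Python implementation of the rules described above (exact == pins captured, extras and markers ignored, ranges and compatible releases left versionless, GitHub/GitLab sources reduced to org/project, other URLs and local paths ignored, -r/--requirement includes followed with circular-reference protection). The file names, their contents, and the in-memory files map standing in for the filesystem are constructed assumptions for the example.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class Component:
    name: str                # "requests", or "org/project" for GitHub/GitLab sources
    version: Optional[str]   # set only for an exact "==" pin


HOSTED_VCS = ("github.com", "gitlab.com")

# package name, optional [extras] (discarded), then whatever specifier follows
_PKG_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")
# exactly one "==x.y.z" clause: rejects "===", ",", and every other operator
_EXACT_RE = re.compile(r"^==(?!=)([^\s,]+)$")
_REQ_OPT_RE = re.compile(r"^(?:-r|--requirement)[=\s]+(?P<path>\S+)$")
_EDIT_OPT_RE = re.compile(r"^(?:-e|--editable)[=\s]+(?P<target>\S+)$")


def _logical_lines(text: str) -> List[str]:
    """Drop comments and blank lines; a '#egg=' fragment inside a URL is kept."""
    lines = (re.sub(r"(^|\s)#.*$", "", raw).strip() for raw in text.splitlines())
    return [line for line in lines if line]


def hosted_name(url: str) -> Optional[str]:
    """Return 'org/project' for a GitHub or GitLab URL, else None (other hosts are ignored)."""
    parsed = urlparse(url)                        # handles git+https://, git+ssh://, https://
    if (parsed.hostname or "").lower() not in HOSTED_VCS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    project = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parts[0]}/{project}"


def parse_requirement(line: str) -> Optional[Component]:
    """Parse one logical requirements.txt line; None means it contributes no component."""
    editable = _EDIT_OPT_RE.match(line)
    if editable:
        line = editable.group("target")           # "-e <target>" is treated like a bare target
    if line.startswith("-"):
        return None                               # other pip options (-i, -c, --hash, ...) declare nothing
    if "://" in line:
        name = hosted_name(line)
        return Component(name, None) if name else None
    if line.startswith((".", "/")):
        return None                               # local paths such as ./local_module or ../libs/pkg
    requirement = line.split(";", 1)[0].strip()   # environment markers are ignored
    match = _PKG_RE.match(requirement)
    if not match:
        return None
    exact = _EXACT_RE.match(match.group("spec").replace(" ", ""))
    return Component(match.group("name"), exact.group(1) if exact else None)


def parse_requirements(path: str, files: Dict[str, str],
                       seen: Optional[Set[str]] = None) -> List[Component]:
    """Parse `path` from the in-memory `files` map (a stand-in for the filesystem),
    following -r/--requirement includes once each so circular references terminate."""
    seen = set() if seen is None else seen
    path = posixpath.normpath(path)
    if path in seen:
        return []
    seen.add(path)
    components: List[Component] = []
    for line in _logical_lines(files.get(path, "")):
        include = _REQ_OPT_RE.match(line)
        if include:
            nested = posixpath.join(posixpath.dirname(path), include.group("path"))
            found = parse_requirements(nested, files, seen)
        else:
            component = parse_requirement(line)
            found = [component] if component else []
        components.extend(c for c in found if c not in components)
    return components


# Constructed sample files for this example; they are not taken from any real project.
SAMPLE_FILES = {
    "requirements.txt": "\n".join([
        "requests==2.31.0  # exact pin: version captured",
        "urllib3>=2.0.0,<3.0.0",                    # range: no version
        "pyyaml~=6.0",                              # compatible release: no version
        "cryptography[ssh]==42.0.5",                # extras ignored
        "tomli==2.0.1; python_version < '3.11'",    # marker ignored
        "-e git+https://github.com/psf/requests.git#egg=requests",
        "https://github.com/pallets/flask/archive/refs/tags/3.0.0.zip",
        "https://example.com/downloads/vendored-1.0.tar.gz",   # not GitHub/GitLab: ignored
        "./local_module",                           # local paths: ignored
        "../libs/my_package",
        "--index-url https://pypi.org/simple",      # option: ignored
        "-r requirements-dev.txt",
    ]),
    "requirements-dev.txt": "\n".join([
        "pytest==8.1.1",
        "--requirement requirements.txt",           # circular include, processed once
    ]),
}


def declared_components() -> List[Component]:
    return parse_requirements("requirements.txt", SAMPLE_FILES)


if __name__ == "__main__":
    for c in declared_components():
        print(f"{c.name:<20} {c.version or '(no version)'}")
```

Running the sample yields eight components: only requests, cryptography, tomli and pytest carry a version; urllib3 and pyyaml come back versionless; the two hosted sources become psf/requests and pallets/flask; the example.com archive, the two local paths and the --index-url option produce nothing; and the circular --requirement back to requirements.txt is skipped rather than looping.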

What It Doesn't Detect

The requirements.txt processor only extracts dependencies declared in requirements.txt files (and in the files they include with -r or --requirement). It does not detect:

Lines ignored during parsing:

  • Local paths - Relative paths like ../libs/my_package or ./local_module
  • URLs from other sources - Direct URLs that are not from GitHub or GitLab

Not detected from the project:

  • Dependencies not declared in requirements.txt - Any packages installed or used that are not listed in requirements.txt files
  • Manually copied Python libraries - Code copied directly into your project without declaring in requirements.txt
  • Embedded or copy-pasted code - Open source code integrated without declaring dependencies

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.