diff --git a/scripts/vulnerability_scanner.py b/scripts/vulnerability_scanner.py
index 189140c..6eb501e 100644
--- a/scripts/vulnerability_scanner.py
+++ b/scripts/vulnerability_scanner.py
@@ -120,25 +120,30 @@ def parse_requirements_file(path: str) -> Dict[str, str]:
         # Extract package name and version spec
         # Handles: pkg==1.2.3, pkg>=1.0, pkg[extra]==1.2.3, pkg ~= 1.0
-        match = re.match(
-            r'^([a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?)(\s*[[,{])?.*?((==|>=|<=|~=|!=|===)\s*([^\s;#]+))?',
-            line
-        )
-        if not match:
-            # Try simpler: name at start before any comparison
-            simple = re.match(r'^([a-zA-Z0-9][-a-zA-Z0-9_.]*)', line)
-            if simple:
-                pkg = simple.group(1).lower()
-                packages[pkg] = ""
+        # Strip inline comment first
+        line = line.split('#', 1)[0].strip()
+        if not line:
             return
-        pkg_name = match.group(1).lower()
-        # Strip extras like django[argon2] -> django
-        pkg_name = re.sub(r'\[.*?\]', '', pkg_name).strip()
+        # Skip editable installs and other option lines
+        if line.startswith('-e ') or line.startswith('--editable ') or (line.startswith('-') and not re.match(r'^[a-zA-Z0-9]', line[1:])):
+            return
+        # Extract package name: leading identifier before any extras or version spec
+        pkg_match = re.match(r'^([a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?)', line)
+        if not pkg_match:
+            return
+        pkg_name = pkg_match.group(1).lower()
+
+        # Strip extras [extra] from remainder
+        remainder = line[pkg_match.end():]
+        remainder = re.sub(r'\[.*?\]', '', remainder)
+
+        # Extract version comparison
         version = ""
-        if match.group(5): # comparison operator + version
-            version = match.group(5) + match.group(6)
+        ver_match = re.search(r'(===|==|~=|>=|<=|!=)\s*([^\s;]+)', remainder)
+        if ver_match:
+            version = ver_match.group(1) + ver_match.group(2)
         packages[pkg_name] = version
diff --git a/test_push_marker.txt b/test_push_marker.txt
new file mode 100644
index 0000000..e69de29
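Review bot: The package name on the new side is only lowercased (`pkg_name = pkg_match.group(1).lower()`), so names that differ only in `-`, `_` or `.` (the PEP 503 equivalence classes) produce distinct keys, and a lookup against an advisory database keyed by normalized names can miss a vulnerable package; normalizing with `pkg_name = re.sub(r'[-_.]+', '-', pkg_match.group(1)).lower()` closes that gap, assuming the downstream lookup expects normalized names. A second point: the option-line guard is redundant, because `pkg_match` already rejects every line whose first character is `-`, so `-r`/`-c` include lines and `-e` editable installs all fall through to the silent `return` and the referenced files are never scanned; dropping the guard and logging the skipped line would make that coverage gap visible instead of hidden. The enclosing function `parse_requirements_file` starts and ends outside the hunk.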