Skip to content

Dependencies introduced via PEP 508 extras are missing from the CLI dependency graph #374

Description

@meghnadutta02

When running snyk test --file=requirements.txt, dependencies introduced exclusively through PEP 508 extras appear to be omitted from the generated dependency graph.

As a result, vulnerabilities affecting those dependencies are not reported by the CLI, while the SCM integration reports them.

This behavior was observed consistently using a fresh virtual environment and the same Python version for both the CLI and SCM scans.


Reproduction

requirements.txt

smolagents[litellm]

Create a fresh environment:

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Verify that the extra dependency is actually installed:

pip show litellm

Run:

snyk test --file=requirements.txt

Observed

  • litellm is installed in the virtual environment.
  • litellm does not appear in the dependency graph produced by the CLI.
  • Vulnerabilities affecting litellm are not reported.

Now modify the manifest:

smolagents[litellm]
litellm

Run the same command again:

snyk test --file=requirements.txt

Observed

  • litellm now appears in the dependency graph.
  • Vulnerabilities affecting litellm are reported.

The SCM integration reports these vulnerabilities even when litellm is introduced only via the extra.


Investigation

While investigating the snyk-python-plugin source code, I observed the following:

  • The requirements parser accepts and preserves PEP 508 extras.
  • utils.construct_tree() builds the dependency graph using:
ReqPackage(r, get_dist_for_requirement(r))
for r in p.requires()
  • DistPackage does not override requires().
  • Package.__getattr__() delegates directly to the wrapped pkg_resources.Distribution.

Based on this, it appears that the dependency graph construction phase may not retain or apply the selected extras from the original requirement when expanding package dependencies.

As a result, dependencies introduced exclusively via extras may never be added to the generated dependency graph.


Environment

  • Python: 3.12.0
  • OS: Windows

Additional Notes

I confirmed that:

  • The same Python version and package versions were used for both the CLI and SCM scans.
  • A fresh virtual environment was created before each test.
  • litellm was installed successfully (verified with pip show litellm).
  • Explicitly adding litellm to requirements.txt causes the CLI to detect the expected vulnerabilities immediately.

This suggests the issue is related to how dependencies introduced through PEP 508 extras are represented in the CLI dependency graph rather than the vulnerability database itself.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions