When running snyk test --file=requirements.txt, dependencies introduced exclusively through PEP 508 extras appear to be omitted from the generated dependency graph.
As a result, vulnerabilities affecting those dependencies are not reported by the CLI, while the SCM integration reports them.
This behavior was observed consistently using a fresh virtual environment and the same Python version for both the CLI and SCM scans.
Reproduction
requirements.txt
Create a fresh environment:
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Verify that the extra dependency is actually installed:
Run:
snyk test --file=requirements.txt
Observed
litellm is installed in the virtual environment.
litellm does not appear in the dependency graph produced by the CLI.
- Vulnerabilities affecting
litellm are not reported.
Now modify the manifest:
smolagents[litellm]
litellm
Run the same command again:
snyk test --file=requirements.txt
Observed
litellm now appears in the dependency graph.
- Vulnerabilities affecting
litellm are reported.
The SCM integration reports these vulnerabilities even when litellm is introduced only via the extra.
Investigation
While investigating the snyk-python-plugin source code, I observed the following:
- The requirements parser accepts and preserves PEP 508 extras.
utils.construct_tree() builds the dependency graph using:
ReqPackage(r, get_dist_for_requirement(r))
for r in p.requires()
DistPackage does not override requires().
Package.__getattr__() delegates directly to the wrapped pkg_resources.Distribution.
Based on this, it appears that the dependency graph construction phase may not retain or apply the selected extras from the original requirement when expanding package dependencies.
As a result, dependencies introduced exclusively via extras may never be added to the generated dependency graph.
Environment
- Python:
3.12.0
- OS:
Windows
Additional Notes
I confirmed that:
- The same Python version and package versions were used for both the CLI and SCM scans.
- A fresh virtual environment was created before each test.
litellm was installed successfully (verified with pip show litellm).
- Explicitly adding
litellm to requirements.txt causes the CLI to detect the expected vulnerabilities immediately.
This suggests the issue is related to how dependencies introduced through PEP 508 extras are represented in the CLI dependency graph rather than the vulnerability database itself.
When running
snyk test --file=requirements.txt, dependencies introduced exclusively through PEP 508 extras appear to be omitted from the generated dependency graph.As a result, vulnerabilities affecting those dependencies are not reported by the CLI, while the SCM integration reports them.
This behavior was observed consistently using a fresh virtual environment and the same Python version for both the CLI and SCM scans.
Reproduction
requirements.txtCreate a fresh environment:
python -m venv .venv source .venv/bin/activate pip install -r requirements.txtVerify that the extra dependency is actually installed:
Run:
snyk test --file=requirements.txtObserved
litellmis installed in the virtual environment.litellmdoes not appear in the dependency graph produced by the CLI.litellmare not reported.Now modify the manifest:
Run the same command again:
snyk test --file=requirements.txtObserved
litellmnow appears in the dependency graph.litellmare reported.The SCM integration reports these vulnerabilities even when
litellmis introduced only via the extra.Investigation
While investigating the
snyk-python-pluginsource code, I observed the following:utils.construct_tree()builds the dependency graph using:DistPackagedoes not overriderequires().Package.__getattr__()delegates directly to the wrappedpkg_resources.Distribution.Based on this, it appears that the dependency graph construction phase may not retain or apply the selected extras from the original requirement when expanding package dependencies.
As a result, dependencies introduced exclusively via extras may never be added to the generated dependency graph.
Environment
3.12.0WindowsAdditional Notes
I confirmed that:
litellmwas installed successfully (verified withpip show litellm).litellmtorequirements.txtcauses the CLI to detect the expected vulnerabilities immediately.This suggests the issue is related to how dependencies introduced through PEP 508 extras are represented in the CLI dependency graph rather than the vulnerability database itself.