pip: Properly report packages declared in requirements_build_files

Considering that the user configured his repository correctly, the only
dependencies that should be present in files declared via the
'requirements_build_files' input JSON option are build dependencies.
Having this info in the SBOM will help future security analysis
perfomed on the built artifact.

Signed-off-by: Bruno Pimentel <[email protected]>

cachi2/core/package_managers/pip.py

@@ -194,6 +194,10 @@ def fetch_pip_source(request: Request) -> RequestOutput:
             if dependency["package_type"] == "wheel":
                 pip_package_binary = True
 
+            pip_build_dependency = False
+            if dependency["build_dependency"] is True:
+                pip_build_dependency = True
+
             components.append(
                 Component(
                     name=dependency["name"],
@@ -202,6 +206,7 @@ def fetch_pip_source(request: Request) -> RequestOutput:
                     properties=PropertySet(
                         missing_hash_in_file=missing_hash_in_file,
                         pip_package_binary=pip_package_binary,
+                        pip_build_dependency=pip_build_dependency,
                     ).to_properties(),
                 )
             )
@@ -2130,9 +2135,9 @@ def resolve_req_files(req_files: Optional[list[Path]], devel: bool) -> list[Root
         output_dir, resolved_build_req_files, allow_binary
     )
 
-    # Mark all build dependencies as Cachi2 dev dependencies
+    # Mark all build dependencies as such
     for dependency in build_requires:
-        dependency["dev"] = True
+        dependency["build_dependency"] = True
 
     def _version(dep: dict[str, Any]) -> str:
         if dep["kind"] == "pypi":
@@ -2151,7 +2156,7 @@ def _version(dep: dict[str, Any]) -> str:
             "version": _version(dep),
             "index_url": dep.get("index_url"),
             "type": "pip",
-            "dev": dep.get("dev", False),
+            "build_dependency": dep.get("build_dependency", False),
             "kind": dep["kind"],
             "requirement_file": dep["requirement_file"],
             "missing_req_file_checksum": dep["missing_req_file_checksum"],

tests/integration/test_data/pip_e2e_test/bom.json

@@ -42,6 +42,10 @@
         {
           "name": "cachi2:found_by",
           "value": "cachi2"
+        },
+        {
+          "name": "cachi2:pip:package:build-dependency",
+          "value": "true"
         }
       ],
       "purl": "pkg:pypi/[email protected]",
@@ -78,6 +82,10 @@
         {
           "name": "cachi2:found_by",
           "value": "cachi2"
+        },
+        {
+          "name": "cachi2:pip:package:build-dependency",
+          "value": "true"
         }
       ],
       "purl": "pkg:pypi/[email protected]",
@@ -114,6 +122,10 @@
         {
           "name": "cachi2:found_by",
           "value": "cachi2"
+        },
+        {
+          "name": "cachi2:pip:package:build-dependency",
+          "value": "true"
         }
       ],
       "purl": "pkg:pypi/[email protected]",

tests/unit/package_managers/test_pip.py

@@ -3888,7 +3888,7 @@ def test_resolve_pip(
                 "name": "bar",
                 "version": "2.1",
                 "type": "pip",
-                "dev": False,
+                "build_dependency": False,
                 "kind": "pypi",
                 "requirement_file": "req.txt" if custom_requirements else "requirements.txt",
                 "missing_req_file_checksum": False,
@@ -3899,7 +3899,7 @@ def test_resolve_pip(
                 "name": "baz",
                 "version": "0.0.5",
                 "type": "pip",
-                "dev": True,
+                "build_dependency": True,
                 "kind": "pypi",
                 "requirement_file": "breq.txt" if custom_requirements else "requirements-build.txt",
                 "missing_req_file_checksum": False,
@@ -4097,7 +4097,7 @@ def test_fetch_pip_source(
                 "name": "bar",
                 "version": "https://x.org/bar.zip#cachito_hash=sha256:aaaaaaaaaa",
                 "type": "pip",
-                "dev": False,
+                "build_dependency": False,
                 "kind": "url",
                 "requirement_file": "requirements.txt",
                 "missing_req_file_checksum": False,
@@ -4108,7 +4108,7 @@ def test_fetch_pip_source(
                 "version": "0.0.5",
                 "index_url": pypi_simple.PYPI_SIMPLE_ENDPOINT,
                 "type": "pip",
-                "dev": True,
+                "build_dependency": True,
                 "kind": "pypi",
                 "requirement_file": "requirements.txt",
                 "missing_req_file_checksum": False,
@@ -4125,7 +4125,7 @@ def test_fetch_pip_source(
                 "version": "3.2",
                 "index_url": CUSTOM_PYPI_ENDPOINT,
                 "type": "pip",
-                "dev": False,
+                "build_dependency": False,
                 "kind": "pypi",
                 "requirement_file": "requirements.txt",
                 "missing_req_file_checksum": True,
@@ -4135,7 +4135,7 @@ def test_fetch_pip_source(
                 "name": "eggs",
                 "version": "https://x.org/eggs.zip#cachito_hash=sha256:aaaaaaaaaa",
                 "type": "pip",
-                "dev": False,
+                "build_dependency": False,
                 "kind": "url",
                 "requirement_file": "requirements.txt",
                 "missing_req_file_checksum": True,
@@ -4178,7 +4178,10 @@ def test_fetch_pip_source(
             name="baz",
             version="0.0.5",
             purl="pkg:pypi/[email protected]",
-            properties=[Property(name="cachi2:pip:package:binary", value="true")],
+            properties=[
+                Property(name="cachi2:pip:package:binary", value="true"),
+                Property(name="cachi2:pip:package:build-dependency", value="true"),
+            ],
         ),
     ]