When scanning a Pip-based Python project (requirements.txt) via SCM integration, you may find any of the following issues:
- Project reports an older, incorrect version of a package
- Imports, PR checks, or Retests fail
- Fix PRs are empty (include no changed files) when created
By default, SCM support for Python 3 projects uses Python 3.7.4, which some packages no longer support. This causes the latest package version that still supports 3.7.4 to be used and displayed.
Any dependencies that are only compatible with higher versions of Python will be omitted from testing and fixes. The exact behavior depends on the semver requirements declared for the dependencies: if there is a version of the package that is compatible with 3.7.4 and it is allowed by the requirements declaration, that version will be reported instead.
See the Snyk User Docs for the latest updates regarding default version support: https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/python#setting-python-version-in-git-projects
To choose between Python 2 and Python 3 as the version in use, navigate to Org Settings > Language settings. This applies to SCM imports and uses the default scanning version.
The version used for scanning the project is reported in the project metadata:
Open Beta available via snyk preview
We have recently launched an open beta to allow organizations to specify different versions (3.8-3.11) of Python when importing and testing projects.
If you would like to try the beta, an Org Admin can enable it via organization settings - snyk preview - Python version selection.
The same option is available on a group level, which can be enabled by a Group Admin. If enabled at a group level, orgs will not be able to override the preview feature.
- Once enabled, users can navigate to Settings > Languages > Python in their Snyk Organization to choose from the following versions - 2.7, 3.7, 3.8, 3.9, 3.10 or 3.11.
- A re-test is necessary to start scanning pip Projects with the specified version (re-import not needed).
- When scanning projects:
  - If the Python language setting is 2.7 or 3.7, the current behavior remains, where incompatible dependencies are omitted.
  - If the Python language setting is 3.8 or above and a project has a dependency that is not supported by that version, the import, PR check, or retest will fail (e.g. 3.9 is selected in language settings, but the project has a dependency requiring 3.10).
- If a specific repo needs a different version than the one specified in the org's language settings, a .snyk file located in the repo can be used to specify an override of the major version (3 will default to scanning with 3.7), major and minor version, or major, minor and patch version.
  - Any version specified with a minor version that is not supported will default to 2.7 or 3.7.
  - See the Snyk User Docs for information on setting the language version in the .snyk file: https://docs.snyk.io/manage-risk/policies/the-.snyk-file#set-the-language-version-for-python
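The following added example (not Snyk code) models the two behaviors described above and in the default-version section: given a requirements.txt line and a package's per-release Requires-Python metadata, it picks the highest release the chosen scanner Python admits, silently omits unsupported dependencies at 3.7, and fails the scan at 3.8+. The package index, package names and requirements are constructed for illustration.

```python
import re

# Constructed sample index (hypothetical packages): name -> {release: Requires-Python}.
SAMPLE_INDEX = {
    "somepkg": {"1.0.0": ">=3.6", "1.1.0": ">=3.7", "2.0.0": ">=3.8", "2.1.0": ">=3.9"},
    "newonly": {"0.1.0": ">=3.10"},
}
_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
        "<": lambda a, b: a < b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def vtuple(version):
    """'3.7.4' -> (3, 7, 4); sufficient for plain release versions."""
    return tuple(int(p) for p in version.split("."))

def satisfies(version, spec):
    """True if `version` meets every clause of a PEP 440 style spec such as '>=3.7,<3.11'."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, target = re.match(r"^(>=|<=|==|!=|>|<)\s*(.+)$", clause).groups()
        if not _OPS[op](vtuple(version), vtuple(target)):
            return False
    return True

def parse_requirement(line):
    """'somepkg>=1.0,<3  # comment' -> ('somepkg', '>=1.0,<3')."""
    return re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$", line.split("#")[0]).groups()

def resolve(name, spec, python_version, index=SAMPLE_INDEX):
    """Highest release allowed by `spec` whose Requires-Python admits the scanner's
    Python; None means nothing fits (the 'older version' / omission symptom)."""
    candidates = [r for r, requires_python in index.get(name, {}).items()
                  if satisfies(r, spec) and satisfies(python_version, requires_python)]
    return max(candidates, key=vtuple) if candidates else None

def scan(requirements, python_version, index=SAMPLE_INDEX):
    """At 2.7/3.7 an unsupported dependency is omitted (None); at 3.8+ the scan fails."""
    strict = vtuple(python_version) >= (3, 8)
    report = {}
    for line in requirements.splitlines():
        if not line.split("#")[0].strip():
            continue
        name, spec = parse_requirement(line)
        chosen = resolve(name, spec, python_version, index)
        if chosen is None and strict:
            raise RuntimeError(f"{name}: no release supports Python {python_version}")
        report[name] = chosen
    return report

REQUIREMENTS = "somepkg>=1.0,<3\nnewonly\n"  # constructed requirements.txt

if __name__ == "__main__":
    print(scan(REQUIREMENTS, "3.7.4"))   # {'somepkg': '1.1.0', 'newonly': None}
    print(scan(REQUIREMENTS, "3.10.2"))  # {'somepkg': '2.1.0', 'newonly': '0.1.0'}
```

Comparing the two reports shows why a project scanned at the default 3.7.4 appears to report an older package version while a dependency that only supports newer Python vanishes from results.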
The version the project was scanned with will be reported in the project metadata:
Further details are available on the Snyk User Docs at https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/python#pip-and-python-versions
This feature is currently in Open Beta.
Open Beta features are ready for widespread adoption but not yet a standard part of the Snyk Platform.
Open Beta features may be available via Snyk Preview, or may require activation by the account team or Technical support. Beta features may only be available to customers on a certain plan level.
It is generally recommended to test all Beta features in a separate Organization first to ensure compatibility before enabling them on all Organizations.
Timelines of when/if the feature will be made part of the standard Snyk Platform may not be available.