Problem:
When scanning a Pip-based Python project (requirements.txt) via SCM integration, you may encounter any of the following issues:
- Project reports an older, incorrect version of a package
- Imports, PR checks, or Retests fail
- Fix PRs are empty (include no changed files) when created
Discussion:
By default, Pip projects imported before Snyk supported Python scanning with 3.8+ were scanned using Python 3.7.4, which some packages no longer support. As a result, the latest package version that still supports 3.7.4 is the one used and displayed.
If the Language Settings for Python are set to 3.7, any dependencies that are only compatible with higher versions of Python are omitted from testing and fixes. The exact behavior depends on the semver requirements declared for the dependencies: if a version of the package exists that is compatible with 3.7.4 and is allowed by the requirements declaration, that version is reported instead.
See the Snyk User Docs for the latest information on default version support: https://docs.snyk.io/getting-started/supported-languages-frameworks-and-feature-availability-overview/python#python-version-support
To set the version in use for the Org as a whole, navigate to Org Settings > Language settings. This setting applies to SCM imports, which use the Org's default scanning version.
The version used for scanning the project is reported in the project metadata.
Resolution:
Python Pip scanning using 3.8 or higher is now available as standard.
Organizations are now able to specify different versions (2.7, 3.7-3.12 at time of writing) of Python when importing and testing projects.
This can be set via the Organization's language settings, or via a .snyk file in the repo.
- Org or Group Admins can navigate to Org Settings > Languages > Python in their Snyk Organization and choose one of the following versions as the Organization default: 2.7, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12.
- A re-test is necessary to start scanning pip Projects with the specified version (a re-import is not needed).
- When scanning projects:
  - If the Python language setting is 2.7 or 3.7, the older behavior applies: incompatible dependencies are omitted.
  - If the Python language setting is 3.8 or above and a project has a dependency that is not supported by that version, the import, PR check, or re-test will fail, e.g. if 3.9 is selected in language settings but the project has a dependency requiring 3.10.
- If a specific repo needs a different version than the one specified in the Org's language settings, a .snyk file located in the repo can be used to override it with a major version (3 will default to scanning with 3.7), a major and minor version, or a major, minor, and patch version.
  - Any version specified with a minor version that is not supported will default to 2.7 or 3.7.
  - See the Snyk User Docs for information on setting the language version in the .snyk file: https://docs.snyk.io/manage-risk/policies/the-.snyk-file#set-the-language-version-for-python
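As an added illustration (not Snyk's own code), the following Python script models the version-resolution rules for the .snyk override and the omit-versus-fail behavior described above, so you can predict how a project will be scanned before re-testing it. The fallback for a major-only "2" and the sample Requires-Python metadata are assumptions.

```python
"""Model of the Python scan-version rules described in this article.
Added illustrative example, not Snyk's own code; mapping a major-only "2"
to 2.7 and the sample Requires-Python values are assumptions."""
import re
from typing import Dict, Optional

SUPPORTED = {"2.7", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12"}

def resolve_scan_version(snyk_override: Optional[str], org_default: str) -> str:
    """Version a project is scanned with: .snyk language-settings.python
    (if present) overrides the Org default, then the article's rules apply."""
    if not snyk_override:
        return org_default
    parts = snyk_override.split(".")
    fallback = "2.7" if parts[0] == "2" else "3.7"  # "3" alone -> 3.7
    if len(parts) == 1:
        return fallback
    major_minor = f"{parts[0]}.{parts[1]}"  # a patch component is ignored
    return major_minor if major_minor in SUPPORTED else fallback  # bad minor -> fallback

def _vt(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))

def meets(python_version: str, requires_python: str) -> bool:
    """Minimal check of a Requires-Python specifier such as '>=3.8,<4'."""
    pv = _vt(python_version)
    for clause in requires_python.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.group(1), _vt(m.group(2))
        ok = {">=": pv >= target, "<=": pv <= target, "==": pv == target,
              "!=": pv != target, ">": pv > target, "<": pv < target}[op]
        if not ok:
            return False
    return True

def predict_scan(scan_version: str, requires: Dict[str, str]) -> Dict[str, object]:
    """On 2.7/3.7 incompatible dependencies are silently omitted; on 3.8+
    one incompatible dependency fails the import, PR check or re-test."""
    bad = [name for name, spec in requires.items() if not meets(scan_version, spec)]
    if scan_version in ("2.7", "3.7"):
        return {"status": "ok", "omitted": bad, "failing": []}
    return {"status": "failed" if bad else "ok", "omitted": [], "failing": bad}

# Constructed Requires-Python metadata for two hypothetical packages.
SAMPLE_REQUIRES = {"oldlib": ">=3.7", "newlib": ">=3.10"}
```

Running predict_scan over the same dependency set with 3.7, 3.9 and 3.10 reproduces the three symptoms from the Problem section: a silently dropped dependency, a failed import, and a clean scan.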
The version the project was scanned with is reported in the project metadata.
Further details are available on the Snyk User Docs at https://docs.snyk.io/getting-started/supported-languages-frameworks-and-feature-availability-overview/python#python-version-support