
Python Requirement file choice is cached and reused incorrectly #1034

@Richard-Barrett

Describe the bug

Description

tryGetRequirementFile() mutates py.pipRequirementsFile, caching the first successful file choice (setup.py or requirements.txt).

Impact

  • Handler reuse across multiple fixes or modules may target the wrong file.
  • Confusing behavior in multi-module or multi-vulnerability runs.

Suggested Fix

Avoid mutating shared state; resolve the requirement file independently per fix attempt.

Current behavior

Even if a requirements.txt file is listed, it will still mysteriously fail on not finding a pyproject.toml or setup.py on scan. Furthermore, once the handler successfully reads either setup.py or requirements.txt, it stores that filename in shared state. Subsequent fix attempts reuse that cached file path, even if it is no longer correct for later fixes or modules.

Reproduction steps

Run As Is for Python Code

Expected behavior

Each fix attempt should determine the correct manifest/requirements file for that project context:

  • Do not rely on mutable cached state that can leak across fixes/modules.
  • If multiple projects are present, selection should be scoped to the relevant project root.
  • In short: file resolution should be deterministic and isolated per fix operation.

JFrog Frogbot version

LATEST

Package manager info

PYTHON

Git provider

GitHub

JFrog Frogbot configuration yaml file

DEFAULT

Operating system type and version

ALL

JFrog Xray version

LATEST
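The two behaviours the report contrasts, side by side, as an added Go example that is not Frogbot's code: a handler that stores its first successful choice in a `pipRequirementsFile` field and reuses it, next to a resolver that depends only on the project root it is given. The handler struct, the candidate file order, the module layout and the in-memory `fstest.MapFS` are assumptions constructed for illustration so the block runs offline; only the names `tryGetRequirementFile` and `pipRequirementsFile` come from the issue text.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Manifest files the handler looks for, in preference order (assumed order,
// not taken from Frogbot).
var candidateFiles = []string{"setup.py", "requirements.txt"}

// cachingHandler is a hypothetical reconstruction of the reported bug: the
// first successful choice is written to pipRequirementsFile and every later
// call returns it without looking at the project root it was given.
type cachingHandler struct {
	pipRequirementsFile string
}

func (h *cachingHandler) tryGetRequirementFile(fsys fs.FS, root string) (string, error) {
	if h.pipRequirementsFile != "" {
		// Stale shared state: a file chosen for an earlier module leaks here.
		return h.pipRequirementsFile, nil
	}
	for _, name := range candidateFiles {
		if _, err := fs.Stat(fsys, path.Join(root, name)); err == nil {
			h.pipRequirementsFile = name // the mutation the issue points at
			return name, nil
		}
	}
	return "", errors.New("no requirement file found")
}

// resolveRequirementFile is the isolated alternative: no handler state, the
// answer is a pure function of the root passed in, so repeated or concurrent
// fix attempts cannot influence each other.
func resolveRequirementFile(fsys fs.FS, root string) (string, error) {
	for _, name := range candidateFiles {
		if _, err := fs.Stat(fsys, path.Join(root, name)); err == nil {
			return name, nil
		}
	}
	return "", fmt.Errorf("no requirement file under %q (tried %v)", root, candidateFiles)
}

// sampleRepo is a constructed multi-module repository: one module with
// setup.py, one with only requirements.txt, one with no Python manifest.
func sampleRepo() fstest.MapFS {
	return fstest.MapFS{
		"moduleA/setup.py":         {Data: []byte("from setuptools import setup\nsetup(name='a')\n")},
		"moduleB/requirements.txt": {Data: []byte("requests==2.31.0\n")},
		"moduleC/README.md":        {Data: []byte("no python manifest here\n")},
	}
}

// resolveAll runs a resolver over each module root in order and records the
// chosen file name, or "" when resolution failed for that root.
func resolveAll(resolve func(fs.FS, string) (string, error), fsys fs.FS, roots []string) map[string]string {
	out := make(map[string]string, len(roots))
	for _, root := range roots {
		name, err := resolve(fsys, root)
		if err != nil {
			name = ""
		}
		out[root] = name
	}
	return out
}

func main() {
	fsys := sampleRepo()
	roots := []string{"moduleA", "moduleB", "moduleC"}

	h := &cachingHandler{}
	fmt.Println("cached handler:  ", resolveAll(h.tryGetRequirementFile, fsys, roots))
	fmt.Println("isolated resolve:", resolveAll(resolveRequirementFile, fsys, roots))
}
```

With the cached handler the answer for moduleB and moduleC is whatever moduleA produced, and a module with no manifest is reported as having one; the isolated resolver returns `requirements.txt` for moduleB and an error for moduleC. If a cache is wanted for performance, keying it by project root rather than storing a single value on the handler keeps the same isolation.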

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests