Description
When running license_finder to scan a project with a requirements.txt file, the command fails with a pkg_resources.DistributionNotFound error for a package that is already successfully installed. The specific error I encountered was for zope.event, which was a dependency of gevent. Both packages were confirmed to be present in the environment.
This issue appears to stem from the license_finder_pip.py helper script's use of pkg_resources.working_set.resolve(reqs). This method performs a strict dependency resolution that can fail even when all required packages are correctly installed, causing license_finder to crash.
Steps to Reproduce
- Create a project with a requirements.txt file that includes gevent.
- Install the packages with pip3 install -r requirements.txt. This command completes successfully.
- Run license_finder.
Expected Behavior
license_finder should successfully scan the installed packages and generate a license report without errors.
Actual Behavior
license_finder crashes with the following error:
pkg_resources.DistributionNotFound: The 'zope.event' distribution was not found and is required by gevent
Temporary Fix
I've identified a fix by modifying the license_finder_pip.py script to bypass the strict dependency resolution.
File: license_finder-7.1.0/bin/license_finder_pip.py
Original Line:
packages = [transform(dist) for dist in pkg_resources.working_set.resolve(reqs)]
Replacement Line:
packages = [transform(dist) for dist in pkg_resources.working_set]
This change allows the script to correctly find and process the already-installed packages.
Environment
- license_finder version: 7.1.0
- Python version: [e.g., 3.8.10]
- Operating System: [e.g., Ubuntu 22.04.5 LTS]
- Affected packages: gevent and zope.event
Skipping Strict Dependencies
We need an option to skip strict dependencies in such cases. Is there a way to achieve that in license_finder? Having a configuration option or flag to disable or modify the strict dependency check would be a cleaner solution than editing the source code directly.
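An added example, not license_finder's code: a tolerant dependency walk that sits between the two lines quoted in the issue, following declared requirements from the top-level list but recording unresolved names instead of raising. The function names and the SAMPLE metadata are constructed for illustration, and it uses importlib.metadata rather than pkg_resources.

```python
import re
from importlib import metadata

def canon(name):
    """PEP 503 normalisation: 'Zope.Event' and 'zope_event' both become 'zope-event'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(req):
    """Canonical project name of a requirement string; None for extras-only deps."""
    spec, _, marker = req.partition(";")
    if "extra" in marker:
        return None  # only needed when an optional extra was requested
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return canon(m.group(1)) if m else None

def installed_index():
    """Map canonical name -> (version, requirement strings) for the live environment."""
    return {canon(d.metadata["Name"]): (d.version, d.requires or [])
            for d in metadata.distributions() if d.metadata["Name"]}

def tolerant_closure(top_level, index):
    """Walk dependencies of top_level; collect unresolved names instead of raising."""
    found, missing = {}, set()
    queue = [n for n in map(req_name, top_level) if n]
    while queue:
        name = queue.pop()
        if name in found or name in missing:
            continue
        if name not in index:
            missing.add(name)  # report it, but keep scanning everything else
            continue
        version, requires = index[name]
        found[name] = version
        queue.extend(n for n in map(req_name, requires) if n)
    return found, missing

# Constructed sample metadata (versions are made up), using the issue's package names.
SAMPLE = {
    "gevent": ("0.0.1", ["zope.event", "greenlet>=2.0", "pytest; extra == 'test'"]),
    "zope-event": ("0.0.2", ["setuptools"]),
    "unrelated": ("0.0.3", []),
}

if __name__ == "__main__":
    found, missing = tolerant_closure(["gevent==0.0.1"], SAMPLE)
    print(found, "unresolved:", sorted(missing))
```

Passing installed_index() instead of SAMPLE runs the same walk over the real environment; a non-empty unresolved set marks packages whose licenses the report would not cover.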