Failure to detect dependency relationships between Python packages

[christoph-blessing]

What happened: Syft fails to detect that click==8.2.1 is a dependency of flask==3.1.1 when scanning a virtual environment that has both packages installed.

What you expected to happen: Syft detects the dependency relationship.

Steps to reproduce the issue:

1. Create and activate virtual environment
2. Install flask
3. Scan directory containing virtual environment
4. Check whether SBOM contains dependency relationship between flask and click

Anything else we need to know?: I think this is caused by incorrect parsing of the Requires-Dist field in the wheel's METADATA file. The relevant code expects parentheses around the version specifier when in fact parsers should treat them as being optional.

Environment:

• Output of syft version: 1.24.0
• OS (e.g: cat /etc/os-release or similar): NixOS 25.11 (Xantusia)

[wagoodman]

I agree the issue is around where we are crafting dependency specifiers. That being said, I feel that we are not considering cases when a version or version range is provided (I didn't verify this yet, but it looks like we don't have test cases for this).

Here's what I'm seeing as a start to a test case:

cat sbom.json| jq '.artifacts[] | select(.name == "flask").metadata.requiresDist'

[
  "blinker>=1.9.0",
  "click>=8.1.3",
  "importlib-metadata>=3.6.0; python_version < '3.10'",
  "itsdangerous>=2.2.0",
  "jinja2>=3.1.2",
  "markupsafe>=2.1.1",
  "werkzeug>=3.1.0",
  "asgiref>=3.2 ; extra == \"async\"",
  "python-dotenv ; extra == \"dotenv\""
]

where we should be parsing out names to the left of the version, probably something like this:

func extractPackageName(s string) string {
	// examples:
	// html5lib ; extra == 'html5lib'   -->  html5lib
	// soupsieve (>1.2)					-->  soupsieve

-	return strings.TrimSpace(internal.SplitAny(s, "(;")[0])
+	return strings.TrimSpace(internal.SplitAny(s, "<>=(;")[0])
}