From b5e3b77f0f683353580a971e13ef747911424d80 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Wed, 13 Dec 2023 15:39:00 +0600 Subject: [PATCH] docs(python): add note to using `pip freeze` for `compatible releases` (#5760) --- docs/docs/coverage/language/python.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/docs/coverage/language/python.md b/docs/docs/coverage/language/python.md index b598bd964a7c..eaed8f1d4b7d 100644 --- a/docs/docs/coverage/language/python.md +++ b/docs/docs/coverage/language/python.md @@ -40,6 +40,31 @@ See [here](./index.md) for the detail. Trivy parses your files generated by package managers in filesystem/repository scanning. ### pip +Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id4) with `==` comparison operator and without `.*`. +To convert unsupported version specifiers - use the `pip freeze` command. + +```bash +$ cat requirements.txt +boto3~=1.24.60 +click>=8.0 +json-fix==0.5.* +$ pip install -r requirements.txt +... +$ pip freeze > requirements.txt +$ cat requirements.txt +boto3==1.24.96 +botocore==1.27.96 +click==8.1.7 +jmespath==1.0.1 +json-fix==0.5.2 +python-dateutil==2.8.2 +s3transfer==0.6.2 +setuptools==69.0.2 +six==1.16.0 +urllib3==1.26.18 +wheel==0.42.0 +``` + `requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies. Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
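Review bot: the added `pip freeze` guidance in the `### pip` hunk does not say that `pip freeze` writes out the whole environment, not a converted copy of the original file, and the example shows exactly that: the three-line `requirements.txt` becomes eleven lines that include transitive dependencies (`botocore`, `jmespath`, `s3transfer`, `six`, `urllib3`) and environment packages (`setuptools`, `wheel`), and it does so right before the unchanged paragraph stating that `requirements.txt` files usually contain only direct dependencies. Suggest adding one sentence that the command should be run in a fresh virtual environment so that only the packages installed from the original file are captured, and that the resulting file now lists transitive dependencies as well, so the scan result will be larger than for the original file. Two wording points in the same hunk: "with `==` comparison operator" should read "with the `==` comparison operator", and "To convert unsupported version specifiers - use the `pip freeze` command." reads better as "To convert unsupported version specifiers, use the `pip freeze` command." Finally, the link target `version-specifiers/#id4` is an auto-generated anchor that can change when the packaging site is rebuilt; if the page offers a named anchor for the compatible-release or version-matching section, linking to that would be more durable.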