aboutcode-org · tdruez · Jun 3, 2026 · Jun 3, 2026
diff --git a/dejacode/__init__.py b/dejacode/__init__.py
@@ -7,13 +7,13 @@
 #
 
 import os
+import shutil
+import subprocess
 import sys
 import warnings
 from contextlib import suppress
 from pathlib import Path
 
-import git
-
 VERSION = "5.7.1"
 
 PROJECT_DIR = Path(__file__).resolve().parent
@@ -33,13 +33,48 @@ def get_version(version):
     return version
 
 
+def run_command_safely(command_args):
+    """
+    Execute an external command and return its stdout.
+
+    Runs without a shell (shell=False) to prevent injection vulnerabilities.
+
+    Usage notes:
+    - Provide the command as a list of arguments.
+    - Use full executable paths to avoid ambiguity.
+    - Use the "--option=value" form, or split it as two list entries
+      ["--option", "value"], but never join an option and its value in a
+      single entry ("--option value").
+    - Sanitize and validate any user input before passing it in.
+
+    Raise a SubprocessError if the exit code is non-zero.
+    """
+    completed_process = subprocess.run(  # noqa: S603
+        command_args,
+        capture_output=True,
+        text=True,
+    )
+    if completed_process.returncode:
+        error_msg = (
+            f'Error while executing cmd="{completed_process.args}": '
+            f'"{completed_process.stderr.strip()}"'
+        )
+        raise subprocess.SubprocessError(error_msg)
+    return completed_process.stdout
+
+
 def get_git_describe_from_local_checkout():
     """
     Return the git describe tag from the local checkout.
     This will only provide a result when the codebase is a git clone.
     """
-    with suppress(git.GitError):
-        return git.Repo(".").git.describe(tags=True, always=True)
+    git_executable = shutil.which("git")
+    if not git_executable:
+        return
+
+    with suppress(subprocess.SubprocessError):
+        git_describe = run_command_safely([git_executable, "describe", "--tags", "--always"])
+        return git_describe.strip()
 
 
 def get_git_describe_from_version_file(version_file_location=ROOT_DIR / ".VERSION"):
@@ -56,15 +91,6 @@ def get_git_describe_from_version_file(version_file_location=ROOT_DIR / ".VERSIO
         return version
 
 
-def extract_short_commit(git_describe):
-    """
-    Extract the short commit hash from a Git describe string while removing
-    any leading "g" character if present.
-    """
-    short_commit = git_describe.split("-")[-1]
-    return short_commit.lstrip("g")
-
-
 __version__ = get_version(VERSION)
 
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -141,10 +141,6 @@ dependencies = [
     "cyclonedx-python-lib==11.6.0",
     "sortedcontainers==2.4.0",
     "py-serializable==2.1.0",
-    # Git
-    "gitpython==3.1.50",
-    "gitdb==4.0.12",
-    "smmap==5.0.3",
     # CSAF
     "pydantic==2.12.5",
     "pydantic-core==2.41.5",

diff --git a/thirdparty/dist/gitdb-4.0.12-py3-none-any.whl b/thirdparty/dist/gitdb-4.0.12-py3-none-any.whl
diff --git a/thirdparty/dist/gitdb-4.0.12-py3-none-any.whl.ABOUT b/thirdparty/dist/gitdb-4.0.12-py3-none-any.whl.ABOUT
diff --git a/thirdparty/dist/gitpython-3.1.46-py3-none-any.whl b/thirdparty/dist/gitpython-3.1.46-py3-none-any.whl
diff --git a/thirdparty/dist/gitpython-3.1.46-py3-none-any.whl.ABOUT b/thirdparty/dist/gitpython-3.1.46-py3-none-any.whl.ABOUT
diff --git a/thirdparty/dist/gitpython-3.1.49-py3-none-any.whl b/thirdparty/dist/gitpython-3.1.49-py3-none-any.whl
diff --git a/thirdparty/dist/gitpython-3.1.50-py3-none-any.whl b/thirdparty/dist/gitpython-3.1.50-py3-none-any.whl
diff --git a/thirdparty/dist/smmap-5.0.2-py3-none-any.whl b/thirdparty/dist/smmap-5.0.2-py3-none-any.whl
diff --git a/thirdparty/dist/smmap-5.0.2-py3-none-any.whl.ABOUT b/thirdparty/dist/smmap-5.0.2-py3-none-any.whl.ABOUT
diff --git a/thirdparty/dist/smmap-5.0.3-py3-none-any.whl b/thirdparty/dist/smmap-5.0.3-py3-none-any.whl
diff --git a/uv.lock b/uv.lock