Skip to content
This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

Support --all-extras #5

Closed
simon-liebehenschel opened this issue Dec 8, 2022 · 2 comments
Closed

Support --all-extras #5

simon-liebehenschel opened this issue Dec 8, 2022 · 2 comments

Comments

@simon-liebehenschel
Copy link

simon-liebehenschel commented Dec 8, 2022

Hi! I came from here pypa/pip-audit#84 (comment)

Is scanning all optional extras supported? Are there any plans to support scanning all extras?

Example:

# pyproject.toml

[tool.poetry.dependencies]
foo = {version = "1.0.0", optional = true}
bar = {version = "1.0.0", optional = true}

[tool.poetry.extras]
foobar = ["foo", "bar"]
@koyeung
Copy link
Owner

koyeung commented Dec 9, 2022

May we have a sample repository/project? we could run poetry audit with -vv to see if it misses packages in extras.

Some test:

(project-one-py3.10) % cat pyproject.toml 
[tool.poetry]
name = "project-one"
version = "0.1.0"
description = ""
authors = ["YEUNG King On <[email protected]>"]
readme = "README.md"
packages = [{include = "project_one"}]

[tool.poetry.dependencies]
python = "^3.10"
requests = "^2.28.1"
httpx = { version = "^0.23.1", optional = true }

[tool.poetry.extras]
async = ["httpx"]

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

Then

(project-one-py3.10) % poetry audit -vv
[ko_poetry_audit_plugin.auditor] get packages list from dependencies groups={'main'}
[ko_poetry_audit_plugin.pypi_warehouse] package.name='charset-normalizer', package.version='2.1.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='h11', package.version='0.14.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='httpx', package.version='0.23.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='idna', package.version='3.4': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='requests', package.version='2.28.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='rfc3986', package.version='1.5.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='httpcore', package.version='0.16.2': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='certifi', package.version='2022.12.7': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='anyio', package.version='3.6.2': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='sniffio', package.version='1.3.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='urllib3', package.version='1.26.13': no vulnerabilities found
No known vulnerabilities found

It seems self._poetry.locker.locked_repository() is able to return packages from extras.

@simon-liebehenschel
Copy link
Author

simon-liebehenschel commented Dec 9, 2022

Wow, I made a wrong conclusion after inspecting this package source code trying to find in the code how "extras" are handled on your side. I really did not expect that this plugin scans all "extras" by default. Sorry to bother you.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants