Private repo dependencies no longer being skipped #563

Closed
philblckwd opened this issue Mar 20, 2023 · 6 comments · Fixed by #565
Labels
bug-candidate Might be a bug.

Comments

@philblckwd
Contributor

Bug description

Private repo dependencies are no longer being skipped if they cannot be resolved.
For example, in v2.4.14 the audit would succeed and then show that the packages were skipped:
[screenshot: v2.4.14 audit output with skipped packages]

But now in v2.5.x the audit fails and shows the error:
[screenshot: v2.5.x audit error output]

Reproduction steps

  • Ensure pip-audit v2.5.x is installed
  • Create a requirements.txt file with a dependency that is installed from a private repo
  • Run pip-audit -r requirements.txt

Expected behavior

I'd expect the same behaviour as v2.4.14 - whereby the private dependencies would simply be skipped - unless the -S flag was specified.

Platform information

  • OS name and version:
  • pip-audit version (pip-audit -V): 2.5.2
  • Python version (python -V or python3 -V): 3.11.2
  • pip version (pip -V or pip3 -V): 23.0.1
philblckwd added the bug-candidate label Mar 20, 2023
@woodruffw
Member

Thanks for the report!

Hmm, this is an interesting problem: we no longer use a custom resolver because of soundness issues, which means that we don't have access to this kind of resolution granularity -- a pip install failure during collection on a private package can't be skipped.

CC @tetsuo-cpp for thoughts -- I'm tempted to say that this is an expected change based on other bugs we've fixed, but maybe there's a workaround I haven't thought of.

In terms of alternatives, I think there are two:

  • You can tell pip-audit about your private indices, via the --extra-index-url URL option. There may be additional bugs lurking with that option, but it's the intended way to handle package sources that reference private dependencies.
  • You can fully hash your requirements-style input, which will (currently) skip all resolution machinery and go directly to the audit stage. That, in turn, could produce a skipped audit result for those private dependencies. Note, however, that we may change this behavior in the near future as well (requirement, test: Remove preresolved dependency optimization #540)

Could you let us know if either of those two work for you? If so, we can improve our documentation to guide users with private dependencies towards one or the other.

@philblckwd
Contributor Author

Ah ok, gotcha. Yeah, this was my first consideration when reviewing the options in the help docs. However, I actually already have the private repo specified in my user's pip.conf file, but it will seemingly only work when I specify the extra-index-url as my private registry, and not the index-url.

That is, when my pip.conf looks like the one below, pip-audit fails with the same error I shared above:

[global]
trusted-host=private.repo.host
index-url=https://private.repo.host/pypi/x/x
extra-index-url=https://pypi.org/simple

But when my pip.conf looks like the one below, pip-audit succeeds, with the expected "skipped" packages, similar to the example screenshot I shared above:

[global]
trusted-host=private.repo.host
index-url=https://pypi.org/simple
extra-index-url=https://private.repo.host/pypi/x/x

Note: I specify the index-url as the private repo for security reasons.

@tetsuo-cpp
Contributor

tetsuo-cpp commented Mar 21, 2023

Yeah, I think the answer is to supply the private indices via the --extra-index-url flag. The hashing approach that @woodruffw mentioned works now, but we're planning to clean up this logic to invoke dependency resolution every time, so I don't expect this to work in the long run.

> However, I actually already have the private repo specified in my user's pip.conf file, but it will seemingly only work when I specify the extra-index-url as my private registry, and not the index-url.

Understood! The issue here is that pip-audit doesn't respect pip.conf. Supporting pip.conf is a feature that we've had in mind for a while now and is captured in #193.

@philblckwd
Contributor Author

So I reviewed the code and determined the source of the issue to be the way that pip-audit was passing the index-url and extra-index-url options to the pip install CLI. pip-audit defaults the index-url to the PyPI URL, therefore it is always passed to the pip install CLI, which is why any index-url defined in a pip.conf file was being ignored. I forked pip-audit and created a branch to refactor the index-url and extra-index-url options so that the pip install command would respect the pip.conf file unless the index-url or extra-index-url options were specified. Here's a link to the commit. Let me know what you think and I can open up a PR for it: 1308173
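
The mechanism described in the comment above, as an added illustration that is not pip-audit's own code: a hypothetical argument builder that always forwards a default --index-url (so pip's config-file index-url is overridden) beside one that only forwards index options the caller set explicitly, checked against a constructed pip.conf matching the one in this thread. The precedence model (CLI --index-url overrides pip.conf, CLI --extra-index-url values are added to the config's) is an assumption about pip's behaviour, not taken from this page.

```python
import configparser
from typing import List, Optional, Sequence, Tuple

PYPI_URL = "https://pypi.org/simple"

# Constructed pip.conf text, mirroring the failing configuration in the thread:
# private index as the primary index-url, PyPI as an extra index.
SAMPLE_PIP_CONF = """
[global]
trusted-host=private.repo.host
index-url=https://private.repo.host/pypi/x/x
extra-index-url=https://pypi.org/simple
"""


def buggy_pip_args(index_url: Optional[str] = None, extra_index_urls: Sequence[str] = ()) -> List[str]:
    """Hypothetical 'before': index_url defaults to PyPI, so --index-url is always passed."""
    args = ["pip", "install", "--dry-run", "--index-url", index_url or PYPI_URL]
    for url in extra_index_urls:
        args += ["--extra-index-url", url]
    return args


def fixed_pip_args(index_url: Optional[str] = None, extra_index_urls: Sequence[str] = ()) -> List[str]:
    """Hypothetical 'after': only forward index options the user explicitly set,
    leaving pip free to read index-url / extra-index-url from pip.conf."""
    args = ["pip", "install", "--dry-run"]
    if index_url is not None:
        args += ["--index-url", index_url]
    for url in extra_index_urls:
        args += ["--extra-index-url", url]
    return args


def effective_indexes(pip_conf_text: str, cli_args: Sequence[str]) -> Tuple[str, List[str]]:
    """Model (assumption) of which indexes pip ends up using: pip.conf supplies the
    defaults, a CLI --index-url replaces the primary, CLI --extra-index-url values
    are appended to the configured extras."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf_text)
    primary = cfg.get("global", "index-url", fallback=PYPI_URL)
    extras = cfg.get("global", "extra-index-url", fallback="").split()
    if "--index-url" in cli_args:
        primary = cli_args[list(cli_args).index("--index-url") + 1]
    extras += [cli_args[i + 1] for i, a in enumerate(cli_args) if a == "--extra-index-url"]
    return primary, extras
```

With the constructed pip.conf, the buggy builder makes PyPI the primary index and the private index disappears, which is the situation the reporter observed; the fixed builder leaves the private index as primary.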

@tetsuo-cpp
Contributor

@philblckwd That looks great! We'd definitely be happy to work on getting that in if you make a PR for it. Thanks for looking.

@philblckwd
Contributor Author

Perfect! I just opened the PR for it: #565 . Thanks!
