Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Better errors when an invalid requirement is encountered #507

Merged
merged 6 commits into from
Feb 1, 2023

Conversation

woodruffw
Copy link
Member

See #478: this isn't a full fix, but will hopefully improve the overall quality and debuggability of the errors produced.

@woodruffw woodruffw added the component:dep-sources Dependency sources label Jan 30, 2023
@woodruffw woodruffw requested a review from tetsuo-cpp January 30, 2023 19:54
@woodruffw woodruffw self-assigned this Jan 30, 2023
@woodruffw
Copy link
Member Author

Example with a subdependency:

$ pip-audit -r <(echo 'celery==4.4.7')
ERROR:pip_audit._cli:celery has invalid requirement 'pytz (>dev)': Expected closing RIGHT_PARENTHESIS
    pytz (>dev)
         ~^

The direct dependency error still isn't great:

$ pip-audit -r <(echo 'pytz (>dev)')
ERROR:pip_audit._cli:requirement file /dev/fd/63 contains invalid lines: [InvalidRequirementLine(requirement_line=RequirementLine(line_number=1, line='pytz (>dev)', filename=PosixPath('/dev/fd/63')), error_message='Invalid requirement: : Expected closing RIGHT_PARENTHESIS\n    pytz (>dev)\n         ~^')]

...so I'll fix that one up as well.

@woodruffw
Copy link
Member Author

Well, it's still not fantastic, but this makes it a bit better:

$ pip-audit -r <(echo 'pytz (>dev)')
ERROR:pip_audit._cli:requirement file /dev/fd/63 contains invalid specifier at line 1: Invalid requirement: : Expected closing RIGHT_PARENTHESIS
    pytz (>dev)
         ~^

@woodruffw woodruffw requested a review from di January 30, 2023 20:05
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Copy link
Member Author

cc @norg: if you get a chance, please give these changes a spin and let us know what you think!

@norg
Copy link

norg commented Jan 30, 2023

This is already a nice improvement. But it still prevents the further audit of other packages :)
So if you use a requrements.txt with the celery but also a compliant one, you would still not get any report on that.

@woodruffw
Copy link
Member Author

Yeah, I need to do some more thinking about how we should handle that...it's arguably incorrect of us to skip things just because we can't parse them, since there's probably a positive relationship between "old enough to have an invalid specifier" and "more likely to have known vulnerabilities."

@di
Copy link
Member

di commented Jan 30, 2023

...we also could continue supporting legacy versions: see https://github.com/di/packaging_legacy and pypa/packaging#669.

@woodruffw
Copy link
Member Author

...we also could continue supporting legacy versions: see https://github.com/di/packaging_legacy and pypa/packaging#669.

That works for me, although I wonder if we should establish some kind of (weak) policy around these kinds of compatibility concerns. Three ideas:

  1. "Forcing function": as it is, pip-audit serves as a forcing function for packaging ecosystem changes: we adopt changes to packaging and resolvelib before pip and others do, meaning that we make potentially breaking changes ahead of the rest of the ecosystem. This is good in terms of encouraging users to align with the standards, but makes adoption for entrenched users harder.
  2. "Same as": we generally aim for CLI flag compatibility with pip, and maybe we should follow a similar policy around standards behavior: we should only adopt major incompatible changes when pip rolls them out. In that case, we should do what you suggested and use packaging_legacy, etc. to handle LegacyVersions here.
  3. "Conservative": we could lag behind pip and other tooling, since pip-audit should help users with older codebases/dependency trees (as that's where we're especially likely to be useful). This however entails being more conservative than we currently are with e.g. pip support, which might be burdensome for a small tail of users (who we'd like to encourage to upgrade anyways).

Copy link
Contributor

@tetsuo-cpp tetsuo-cpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tetsuo-cpp
Copy link
Contributor

As discussed, we can probably do better here. Either way, this is still a good improvement so let's get it in.

@woodruffw woodruffw merged commit 0cba5ad into main Feb 1, 2023
@woodruffw woodruffw deleted the ww/better-req-errors branch February 1, 2023 01:58
@woodruffw
Copy link
Member Author

Yep! I'll keep #478 open so we can come up with a more permanent solution.

@norg
Copy link

norg commented Feb 1, 2023

Thanks again for working on that :)

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Mar 19, 2023
## [2.5.1]

### Fixed

* Fixed a crash on Windows caused by multiple open file handles to
  input requirements ([#551](pypa/pip-audit#551))

## [2.5.0]

### Changed

* Improved error messaging when a requirements input or indirect dependency
  has an invalid (non-PEP 440) requirements specifier
  ([#507](pypa/pip-audit#507))

* `pip-audit`'s handling of dependency resolution has been significantly
  refactored and simplified ([#523](pypa/pip-audit#523))

### Fixed

* Fixed a potential crash on invalid unicode in subprocess streams
  ([#536](pypa/pip-audit#536))

## [2.4.15]

**YANKED**

### Fixed

* Fixed an issue where hash checking would fail when using third-party indices
  ([#462](pypa/pip-audit#462))

* Fixed the behavior of the `--skip-editable` flag, which had regressed
  with an internal API change
  ([#499](pypa/pip-audit#499))

* Fixed a dependency resolution bug that can potentially be triggered when
  multiple packages have the same subdependency
  ([#488](pypa/pip-audit#488))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component:dep-sources Dependency sources
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants