AppInspect 3.8.0 reports failure with splunk-sdk 2.0.2 #594

Closed
matt-gan opened this issue Oct 28, 2024 · 15 comments

@matt-gan

I am developing an app using splunk-sdk 2.0.2, but AppInspect 3.8.0 reports a failure with this version. The failure is related to existing v1 search endpoints.
image

The same AppInspect report shows the SDK version as 2.0.2.
image

@ashwinvenkatesha

I am seeing this issue with v2.1.0 of the Splunk SDK.
I am in the middle of upgrading our TA to use the latest Splunk SDK.
Am I supposed to update client.py?

if not self.disable_v2_api:
    return self.post("search/v2/parser", q=query, **kwargs)
return self.get("search/parser", q=query, **kwargs)

@haraksin-jpl

haraksin-jpl commented Jan 17, 2025

This is still broken via appinspect CLI version 3.9.1 and the Splunk SDK 2.1.0

@haraksin-jpl

I have submitted a splunk support ticket to help with this issue.

@bigboynaruto

Hi @matt-gan, @ashwinvenkatesha, @haraksin-jpl,

I am looking into this. By any chance, did you modify the files under lib/splunklib? For example, run a code formatter?

Would it be possible to share a sample app as a minimal reproducible example?

@haraksin-jpl

@bigboynaruto no formatters loaded or anything. I can produce a sample app soon.

@bigboynaruto

bigboynaruto commented Jan 21, 2025

Thanks, will be waiting for a sample package.
In the meantime, a few more questions:

  1. Does it only happen locally or via API as well?
  2. Which OS and python version do you use locally?
  3. If API has the same issue, could you make another submission?

@haraksin-jpl

Doing this with https://github.com/manasmbellani/athena-dnssplunkapp after upgrading to the latest splunklib in the lib directory reproduces this error for me. Answers:

  1. Locally and via API as well
  2. OS is Kali Linux v2024.2, python is 3.8.6, but it also happens on python 3.11.4
  3. Yes, I made the submission and will submit the request ID to my support ticket.

@bigboynaruto

bigboynaruto commented Jan 22, 2025

Looks like there is a difference on line 572 of splunklib/client.py, your version contains post instead of get.

$> diff client.py ~/splunk-sdk-python/splunklib/client.py
572c572
<         return self.post("search/parser", q=query, **kwargs)
---
>         return self.get("search/parser", q=query, **kwargs)

Here is the latest source code:

return self.get("search/parser", q=query, **kwargs)

Edit: updated the source code permalink.

@haraksin-jpl

haraksin-jpl commented Jan 22, 2025

That's the old code - even when you update splunklib to the latest release it fails appinspect with the same error. I believe appinspect is just checking for non-v2 search endpoints, so it's flagging not on the post vs get but on the search/parser path without the v2 in the middle.

@bigboynaruto

AppInspect has the entire file allowlisted, meaning, the failure should not be triggered if the contents were exactly the same as the version on Github. Otherwise, the file is not recognised.
Would it be possible to provide a reproducible package containing the latest splunklib?

@haraksin-jpl

I see - seems like this is fixed then. I guess the fix is to just clobber the entire splunklib with the latest release. Thanks so much - we can close this and the support ticket with this resolution.

@bigboynaruto

Glad to hear it!

@matt-gan Could you confirm if you are still experiencing the problem? If not, could you close the issue?

@arcsector

Looks like the issue can be marked as stale

@matt-gan

matt-gan commented Jan 30, 2025

Apologies, I missed these updates in my inbox and I forgot about this as there was no update on this issue for a long time.

I'll close the issue, though I haven't really used this SDK since then, so I can't confirm if the issue is resolved. If I do encounter it again, I'll create a new issue.

@max-ipinfo

max-ipinfo commented Feb 5, 2025

> AppInspect has the entire file allowlisted, meaning, the failure should not be triggered if the contents were exactly the same as the version on Github. Otherwise, the file is not recognised.

@bigboynaruto thanks for the insight! That was the root-cause of the problem for me.

I just tried copying the splunklib directory from Github and after comparing the two versions, found out that they were indeed not strictly the same:

$ git diff
diff --git a/foo_app/bin/splunklib/client.py b/foo_app/bin/splunklib/client.py
index 59b31c3..ee390c9 100644
--- a/foo_app/bin/splunklib/client.py
+++ b/foo_app/bin/splunklib/client.py
@@ -779,7 +779,7 @@ class Endpoint:
         # For example, "/services/search/jobs" is using API v1
         api_version = 1
 
-        versionSearch = re.search(r'(?:servicesNS\/[^/]+\/[^/]+|services)\/[^/]+\/v(\d+)\/', path)
+        versionSearch = re.search('(?:servicesNS\/[^/]+\/[^/]+|services)\/[^/]+\/v(\d+)\/', path)
         if versionSearch:
             api_version = int(versionSearch.group(1))
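
Review bot: On the `+` line in `class Endpoint`, the pattern is passed to `re.search` as a plain string literal, so `\/` and `\d` are invalid string escapes and produce the SyntaxWarning quoted below; the `r'...'` prefix on the `-` line is the correct form, and both spellings compile to the same regex. Because this is a vendored file that has to match the published release exactly to be recognised, the raw-string fix belongs upstream in the SDK rather than in the app's local copy.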

I had "fixed" splunklib to take care of the following warning in AppInspect:

splunklib/client.py:782: SyntaxWarning: invalid escape sequence '\/'
 versionSearch = re.search('(?:servicesNS\/[^/]+\/[^/]+|services)\/[^/]+\/v(\d+)\/', path)

But I'll revert my change to get my app validating.
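
The resolution in this thread, that a vendored splunklib file is only recognised when its contents match the published release exactly, can be checked before packaging. The following is an added example, not code from the SDK or from AppInspect: it compares a vendored tree against a pristine copy by SHA-256. The function names and sample file contents are constructed, and hash comparison is an assumption standing in for whatever matching AppInspect performs.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and "__pycache__" not in p.parts
    }


def compare_vendored(vendored, pristine):
    """Report how the vendored copy deviates from the pristine release tree."""
    ours, theirs = hash_tree(vendored), hash_tree(pristine)
    return {
        # Present in both trees but with different bytes (e.g. a local "fix").
        "modified": sorted(f for f in ours.keys() & theirs.keys() if ours[f] != theirs[f]),
        # Shipped upstream but absent from the vendored copy.
        "missing": sorted(theirs.keys() - ours.keys()),
        # Present only in the vendored copy.
        "extra": sorted(ours.keys() - theirs.keys()),
    }


def demo():
    """Constructed sample: a one-character edit like the r'' prefix in the thread."""
    # Shortened, constructed stand-ins for the regex line in client.py.
    upstream_line = b"versionSearch = re.search('services\\/v(\\d+)\\/', path)\n"
    local_line = b"versionSearch = re.search(r'services\\/v(\\d+)\\/', path)\n"
    with tempfile.TemporaryDirectory() as tmp:
        pristine, vendored = Path(tmp, "pristine"), Path(tmp, "vendored")
        for d in (pristine, vendored):
            d.mkdir()
            (d / "binding.py").write_bytes(b"# unchanged\n")
        (pristine / "client.py").write_bytes(upstream_line)
        (vendored / "client.py").write_bytes(local_line)
        return compare_vendored(vendored, pristine)


if __name__ == "__main__":
    print(demo())
```

In practice `pristine` would be the `splunklib` directory unpacked from the release being vendored, and any non-empty `modified` list is a reason to re-copy the directory before submitting.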
