Version strings that don't conform to PEP 440 cause a failed audit #138

Closed
tetsuo-cpp opened this issue Nov 25, 2021 · 4 comments · Fixed by #139
Labels
bug Something isn't working component:dep-sources Dependency sources

Comments

tetsuo-cpp (Contributor) opened this issue:

Bug description

If pip-audit tries to audit an environment that contains a package with a version string that doesn't conform to PEP 440, it will fail like so:

dc@ubuntu:~$ pip-audit
WARNING: You are using pip version 21.2.4; however, version 21.3.1 is available.
You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.
\ Auditing appdirs (1.4.4)WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: apturl (0.5.2)
\ Auditing bcrypt (3.2.0)  WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: binwalk (2.2.1)
* Auditing bracex (2.1.1)  WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: brlapi (0.8.2)
| Auditing colored-traceback (0.3.0) WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: command-not-found (0.3)
\ Auditing cryptography (3.3.2)      WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: cupshelpers (1.0)
| Auditing decorator (4.4.2)            WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: defer (1.0.6)
/ Auditing intervaltree (3.1.0)         WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: iotop (0.6)
* Auditing kiwisolver (1.3.1)           WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: language-selector (0.1)
\ Auditing lockfile (0.12.2)            WARNING:pip_audit._service.pypi:warning: Dependency not found on PyPI and could not be audited: louis (3.16.0)
/ Auditing pytest (6.2.5)
Traceback (most recent call last):
  File "/home/dc/.local/lib/python3.9/site-packages/pip_audit/_dependency_source/pip.py", line 65, in collect
    dep = Dependency(name=dist.name, version=Version(str(dist.version)))
  File "/home/dc/.local/lib/python3.9/site-packages/packaging/version.py", line 266, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: '2.2.0-ubuntu0.21.04.1'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/dc/.local/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/home/dc/.local/lib/python3.9/site-packages/pip_audit/_cli.py", line 212, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/home/dc/.local/lib/python3.9/site-packages/pip_audit/_audit.py", line 60, in audit
    yield from self._service.query_all(specs)
  File "/home/dc/.local/lib/python3.9/site-packages/pip_audit/_service/interface.py", line 82, in query_all
    for spec in specs:
  File "/home/dc/.local/lib/python3.9/site-packages/pip_audit/_dependency_source/pip.py", line 72, in collect
    raise PipSourceError("failed to list installed distributions") from e
pip_audit._dependency_source.pip.PipSourceError: failed to list installed distributions

This can happen if some Python packages weren't installed from PyPI. In this case, the python-apt package that comes bundled with Ubuntu has a version string that contains the actual Ubuntu distribution version.

Reproduction steps

  1. Run pip-audit without any arguments.
  2. Observe the failure.

Expected behavior

Instead of failing on an invalid version string, it'd be better to log a warning and continue on with the audit similar to how we handle things here.

Platform information

  • OS name and version: Ubuntu Linux 21.04
  • pip-audit version (pip-audit -V): 0.07
  • Python version (python -V or python3 -V): N/A
  • pip version (pip -V or pip3 -V): N/A
tetsuo-cpp added the bug-candidate (Might be a bug.) label on Nov 25, 2021

tetsuo-cpp (Contributor, Author) commented:

CC: @disconnect3d

wbolster commented Dec 2, 2021

Does #139 also address Python itself having a version like 3.9.7+? This is what development Python versions like 3.9-dev built via pyenv end up with; not sure if this is Python's or pyenv's doing.

The stack trace looks different:

$ pip-audit
Traceback (most recent call last):
  File "bin/pip-audit", line 5, in <module>
    from pip_audit._cli import audit
  File "lib/python3.9/site-packages/pip_audit/_cli.py", line 15, in <module>
    from pip_audit._audit import AuditOptions, Auditor
  File "lib/python3.9/site-packages/pip_audit/_audit.py", line 9, in <module>
    from pip_audit._dependency_source import DependencySource
  File "lib/python3.9/site-packages/pip_audit/_dependency_source/__init__.py", line 13, in <module>
    from .resolvelib import ResolveLibResolver  # noqa: F401
  File "lib/python3.9/site-packages/pip_audit/_dependency_source/resolvelib/__init__.py", line 5, in <module>
    from .resolvelib import ResolveLibResolver, ResolveLibResolverError  # noqa: F401
  File "lib/python3.9/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 16, in <module>
    from .pypi_provider import PyPIProvider
  File "lib/python3.9/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 31, in <module>
    PYTHON_VERSION = Version(python_version())
  File "lib/python3.9/site-packages/packaging/version.py", line 266, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: '3.9.7+'

wbolster commented Dec 2, 2021

The above crash happens with pip-audit 1.0.0, which seems to include #139.

di (Member) commented Dec 2, 2021

@wbolster Thanks for reporting! This is different, I filed #164 to capture it.
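The behaviour the issue asks for (warn and skip a package whose version string is not valid PEP 440, instead of aborting the whole audit) is shown below as an added example. It is not pip-audit's own code and not code from this thread: the `Dependency` dataclass, `partition()`, `installed_distributions()` and the `SAMPLE_DISTS` list are constructed for the example. The sample includes both the Ubuntu-patched `python-apt` version from the original report and the `3.9.7+` interpreter version wbolster raised, since the same per-item handling covers any source of a bad version string; the interpreter-version case itself was tracked separately in #164. pip-audit parses versions with `packaging.version.Version`; when `packaging` is not importable the block falls back to a stand-in built on the regex from the PEP 440 appendix so it still runs offline.

```python
"""Collect distributions for an audit, skipping non-PEP 440 versions with a
warning rather than failing the whole run. Added example, not pip-audit code."""
import logging
import re
from dataclasses import dataclass
from importlib import metadata
from typing import Iterable, Iterator, List, Tuple

logger = logging.getLogger("audit_example")

try:
    from packaging.version import InvalidVersion, Version
except ImportError:  # stand-in (assumption): validity check only, no ordering
    _PEP440 = re.compile(
        r"^\s*v?(?:[0-9]+!)?[0-9]+(?:\.[0-9]+)*"                        # epoch, release
        r"(?:[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?[0-9]*)?"  # pre-release
        r"(?:-[0-9]+|[-_.]?(?:post|rev|r)[-_.]?[0-9]*)?"                # post-release
        r"(?:[-_.]?dev[-_.]?[0-9]*)?"                                   # dev-release
        r"(?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?\s*$",                     # local segment
        re.IGNORECASE,
    )

    class InvalidVersion(ValueError):
        """Raised for a version string that does not conform to PEP 440."""

    class Version:
        def __init__(self, version: str) -> None:
            if not _PEP440.match(version):
                raise InvalidVersion(f"Invalid version: '{version}'")
            self._raw = version.strip()

        def __str__(self) -> str:
            return self._raw


@dataclass(frozen=True)
class Dependency:
    """Hypothetical audit record: construction requires an already-parsed Version."""
    name: str
    version: Version


def partition(
    dists: Iterable[Tuple[str, str]],
) -> Tuple[List[Dependency], List[Tuple[str, str]]]:
    """Split (name, raw_version) pairs into auditable Dependencies and skipped pairs.

    The fatal path in the traceback is Version(str(dist.version)) with no
    handler; here InvalidVersion is caught per package, so one distro-patched
    package or a '3.9.7+' style version cannot take down the audit.
    """
    auditable: List[Dependency] = []
    skipped: List[Tuple[str, str]] = []
    for name, raw in dists:
        try:
            auditable.append(Dependency(name=name, version=Version(raw)))
        except InvalidVersion:
            logger.warning(
                "Dependency has an invalid (non-PEP 440) version and could not "
                "be audited: %s (%s)", name, raw,
            )
            skipped.append((name, raw))
    return auditable, skipped


def installed_distributions() -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every distribution visible to this interpreter."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.version


# Constructed sample modelled on the thread: two PyPI packages, one
# Ubuntu-patched package, and a pyenv-style development interpreter version.
SAMPLE_DISTS: List[Tuple[str, str]] = [
    ("appdirs", "1.4.4"),
    ("python-apt", "2.2.0-ubuntu0.21.04.1"),
    ("pytest", "6.2.5"),
    ("python", "3.9.7+"),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s: %(message)s")
    ok, bad = partition(SAMPLE_DISTS)
    print("auditable:", [(d.name, str(d.version)) for d in ok])
    print("skipped:  ", bad)
    # Same logic over the real environment; never raises on a bad version string.
    ok, bad = partition(installed_distributions())
    print(f"{len(ok)} installed distributions auditable, {len(bad)} skipped")
```

Running the module prints the two auditable entries from the sample, lists `python-apt` and `python` as skipped with a warning each, and then repeats the split over the interpreter's real installed distributions. A skipped package is still worth surfacing in the final report, since "could not be audited" is a different security statement from "no known vulnerabilities".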
