
Running globally installed pip-audit from within a virtualenv produces unintuitive results #450

Closed
alex opened this issue Dec 27, 2022 · 3 comments · Fixed by #451
Labels: bug (Something isn't working), component:dep-sources (Dependency sources)

Comments


alex commented Dec 27, 2022

Bug description

If you have a globally installed pip-audit (e.g. from brew install pip-audit), and then run it inside a virtualenv environment, the results are confusing.

(.venv) ~/p/cryptography ❯❯❯ pip-audit 
Found 1 known vulnerability in 1 package
Name       Version ID                  Fix Versions
---------- ------- ------------------- ------------
setuptools 65.5.0  GHSA-r9hx-vwmv-q579 65.5.1
(.venv) ~/p/cryptography ❯❯❯ pip list | grep setuptools
setuptools           65.6.3
setuptools-rust      1.5.2
(.venv) ~/p/cryptography ❯❯❯ which pip-audit
/opt/homebrew/bin/pip-audit

Reproduction steps

  1. brew install pip-audit
  2. python -m virtualenv venv
  3. venv/bin/activate
  4. pip-audit

Expected behavior

Either it scans the packages installed inside the virtual environment, or at least emits a warning or an error.

Platform information

  • OS name and version: macOS Ventura 13.1
  • pip-audit version (pip-audit -V): pip-audit 2.4.10
  • Python version (python -V or python3 -V): Python 3.10.9
  • pip version (pip -V or pip3 -V): pip 22.3.1 from /Users/alex_gaynor/projects/cryptography/.venv/lib/python3.10/site-packages/pip (python 3.10)
@alex alex added the bug-candidate Might be a bug. label Dec 27, 2022
@woodruffw woodruffw added component:dep-sources Dependency sources bug Something isn't working and removed bug-candidate Might be a bug. labels Dec 27, 2022
woodruffw (Member) commented:

Agreed this is a bug on our side; IMO a warning probably makes the most sense for now (since implicitly jumping into a user's virtual environment with a globally installed package may also be surprising, and may not always function correctly).

Longer term, we might want to support some kind of --venv or similar flag that conditionally enables that behavior.

@woodruffw woodruffw self-assigned this Dec 27, 2022
woodruffw (Member) commented:

Just for visibility: the source of the unintuitive behavior here is the fact that pip-audit invokes pip list ... by hopping through sys.executable (i.e., the path to the Python interpreter that spawned pip-audit itself).

This results in the following behavior:

  1. Global environment, pip-audit installed globally: intuitively audits the global environment
  2. Local environment, pip-audit installed locally: intuitively audits the local environment (and maybe the global environment too, if configured)
  3. Local environment, pip-audit installed globally: unintuitively audits the global environment, ignoring the local environment
  4. Global environment, pip-audit installed into a local environment: unexpected use pattern (indicates user confusion), but probably results in auditing just pip-audit itself and maybe the global environment, if configured

woodruffw (Member) commented:

Again for visibility: a temporary workaround for the unintuitive behavior is to set PIPAPI_PYTHON_LOCATION to the path of the virtual environment's Python, e.g.

PIPAPI_PYTHON_LOCATION=$(which python) pip-audit
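The two comments above describe the mechanism (pip-audit spawns `pip list` through `sys.executable`, so a Homebrew pip-audit audits Homebrew's Python even inside an activated venv) and the workaround (`PIPAPI_PYTHON_LOCATION`). The following is an added illustration, not pip-audit's own code: it detects the "Python path confusion" case by checking whether the interpreter lives under `VIRTUAL_ENV`, and honours the override the same way the workaround does. The `.venv` path is taken from the report; the Homebrew interpreter path in the comments is a constructed example.

```python
import os
import sys
from pathlib import PurePosixPath


def python_path_confused(virtual_env, executable):
    """Return True when a venv is active (VIRTUAL_ENV is set) but `executable`
    does not live under it.  In that case a `pip list` spawned through this
    executable reports the interpreter's site-packages, not the venv's, which
    is exactly the surprising result described in the issue."""
    if not virtual_env:
        return False  # no venv active: nothing to be confused about
    venv = PurePosixPath(virtual_env)
    exe = PurePosixPath(executable)
    # True unless the venv directory is one of the executable's ancestors
    return venv not in exe.parents


def choose_interpreter(env, default_executable):
    """Pick the interpreter whose environment will be audited and return
    (interpreter_path, warning_or_None).

    PIPAPI_PYTHON_LOCATION (the pip-api override used as the workaround in
    the issue) takes precedence.  Otherwise the interpreter that launched
    pip-audit (sys.executable) is used, with a warning when it sits outside
    the activated virtual environment."""
    override = env.get("PIPAPI_PYTHON_LOCATION")
    if override:
        return override, None
    venv = env.get("VIRTUAL_ENV")
    if python_path_confused(venv, default_executable):
        warning = (
            f"pip-audit is running under {default_executable}, but the active "
            f"virtual environment is {venv}; packages in the venv will NOT be "
            f"audited. Set PIPAPI_PYTHON_LOCATION={venv}/bin/python to audit it."
        )
        return default_executable, warning
    return default_executable, None


if __name__ == "__main__":
    # Run against the real process environment to see what would be audited.
    chosen, warning = choose_interpreter(os.environ, sys.executable)
    print(f"auditing environment of: {chosen}")
    if warning:
        print(f"warning: {warning}", file=sys.stderr)
```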

woodruffw added a commit that referenced this issue Dec 27, 2022
Closes #450.

Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw added a commit that referenced this issue Dec 29, 2022
* pip_audit, test: warn on Python path confusion

Closes #450.

Signed-off-by: William Woodruff <william@trailofbits.com>

* pip_audit, test: refactor check to use VIRTUAL_ENV

Signed-off-by: William Woodruff <william@trailofbits.com>

* pip_audit: remove commented code

Signed-off-by: William Woodruff <william@trailofbits.com>

* pip_audit, test: lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* CHANGELOG: record changes

Signed-off-by: William Woodruff <william@trailofbits.com>

* _cache: Remove remaining "Warning" prefix in log line

* _cli: refactor logging (#452)

* _cli: refactor logging

This is inspired by the refactor in
sigstore/sigstore-python#372.

Signed-off-by: William Woodruff <william@trailofbits.com>

* README: update `pip-audit --help`

Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

* treewide: prep 2.4.11 (#453)

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>