Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Respect --cache-dir and other flags when auditing project directories #300

Merged
merged 7 commits into from
Jun 15, 2022
Merged

Respect --cache-dir and other flags when auditing project directories #300

merged 7 commits into from
Jun 15, 2022

Conversation

woodruffw
Copy link
Member

Fixes #299.

@woodruffw
Makefile: fix target order
f71219b 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
cli: ensure flags are passed when auditing pyproject sources
977382e 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw added component:cli CLI components component:dep-sources Dependency sources labels Jun 14, 2022
@woodruffw woodruffw requested review from di and tetsuo-cpp June 14, 2022 21:46
@woodruffw woodruffw self-assigned this Jun 14, 2022
@woodruffw
CHANGELOG: record changes
626574b 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Copy link
Member Author

Confirmed locally that pip-audit --cache-dir=/tmp/test . now works as expected.

@woodruffw
workflows/ci: remove old explicit make step
4ba43af 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Makefile: remove redundant dir test
913ccf0 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/ci: hackety hack
0bf0e84 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Makefile: remove make run
b5322b5 
Unused and not needed.

Signed-off-by: William Woodruff <william@trailofbits.com>
tetsuo-cpp
tetsuo-cpp approved these changes Jun 14, 2022
View reviewed changes
Copy link
Contributor

@tetsuo-cpp tetsuo-cpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Makefile
.PHONY: all
all:
@echo "Run my targets individually!"

.PHONY: run
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's happening here? I see make run is getting removed.

@woodruffw
Copy link
Member Author

woodruffw commented Jun 14, 2022 via email

@tetsuo-cpp
Copy link
Contributor

Yep. I realized that the only place it was being used was in the CI and that it wasn’t much better of a UX than directly running the command from within the virtual environment. But I can revert that, if you were using it locally! Sent from mobile. Please excuse my brevity.

On Jun 14, 2022, at 6:16 PM, Alex Cameron @.***> wrote:  @tetsuo-cpp approved this pull request. LGTM! In Makefile: > .PHONY: all all: @echo "Run my targets individually!" -.PHONY: run What's happening here? I see make run is getting removed. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were assigned.

All good! I wasn't using it, just curious.

@tetsuo-cpp tetsuo-cpp merged commit ff68dde into main Jun 15, 2022
@tetsuo-cpp tetsuo-cpp deleted the ww/fix-pyproject-cache branch June 15, 2022 00:23
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jul 3, 2022
@0-wiz-0
py-pip-audit: update to 2.3.4.
32fd15c 
## [2.3.4]

### Fixed

* Vulnerability fixing: the `--fix` flag now works for vulnerabilities found in
  requirement subdependencies. A new line is now added to the requirement file
  to explicitly pin the offending subdependency
  ([#297](pypa/pip-audit#297))

## [2.3.3]

### Changed

* CLI: `pip-audit` now warns on the combination of `-s osv` and
  `--require-hashes`, notifying users that only the PyPI service
  can fully verify hashes
  ([#298](pypa/pip-audit#298))

### Fixed

* CLI/Dependency sources: `--cache-dir=...` and other flags that affect
  dependency resolver behavior now work correctly when auditing a
  `pyproject.toml` dependency source
  ([#300](pypa/pip-audit#300))

## [2.3.2] - 2022-05-14

### Changed

* CLI: `pip-audit`'s progress spinner has been refactored to make it
  faster and more responsive
  ([#283](pypa/pip-audit#283))

* CLI, Vulnerability sources: the error message used to report
  connection failures to vulnerability sources was improved
  ([#287](pypa/pip-audit#287))

* Vulnerability sources: the OSV service is now more resilient
  to schema changes ([#288](pypa/pip-audit#288))

* Vulnerability sources: the PyPI service provides a better
  error message during some cases of service degradation
  ([#294](pypa/pip-audit#294))

### Fixed

* Vulnerability sources: a bug stemming from an incorrect assumption
  about OSV's schema guarantees was fixed
  ([#284](pypa/pip-audit#284))

* Caching: `pip-audit` now respects `pip`'s `PIP_NO_CACHE_DIR`
  and will not attempt to use the `pip` cache if present
  ([#290](pypa/pip-audit#290))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tetsuo-cpp tetsuo-cpp tetsuo-cpp approved these changes

@di di Awaiting requested review from di

Assignees

@woodruffw woodruffw

Labels
component:cli CLI components component:dep-sources Dependency sources
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

pip-audit --cache-dir=... is not respected when auditing a project directory
2 participants
@woodruffw @tetsuo-cpp