pip_audit, test: warn on Python path confusion #451
Closes #450. Signed-off-by: William Woodruff <william@trailofbits.com>
NB: This doesn't work quite as expected yet:
(In this case it can't see that the two global versions are actually the same.)
I can induce the expected warning, however:
Signed-off-by: William Woodruff <william@trailofbits.com>
7f943b5 should be a better approach -- rather than checking whether
Example output, formatted for readability (global
Thinking about it some more: maybe we should just do what the user expects here (i.e. configure We could still emit a warning, but this would avoid users having to do their own manual workaround and would probably match ordinary user expectations (similar to how
Seems reasonable to me. If you find a file at
pip_audit/_dependency_source/pip.py (outdated)

```python
            os.environ["PIPAPI_PYTHON_LOCATION"] = str(venv_python)
        else:
            logger.warning(
                f"pip-audit will run pip against {effective_python}, but you have "
```
I thought about editing this to include the fact that we tried to look for a symlink in bin/ but wasn't sure how to phrase it, as this is already getting complicated. I don't think it's all that important to communicate to the user since the corrective action doesn't change.
We could also maybe just fail here?
Yeah, I think just failing is probably appropriate -- the lack of a bin here suggests that the user intended to load a virtual environment (based on the env setting) but somehow ended up with a broken one, so we shouldn't try to guess at the correct behavior.
Hmm, there's another issue here: this check:

```python
if _PIP_VERSION < _MINIMUM_RELIABLE_PIP_VERSION:
    logger.warning(
        f"pip {_PIP_VERSION} is very old, and may not provide reliable "
        "dependency information! You are STRONGLY encouraged to upgrade to a "
        "newer version of pip."
    )
```

...doesn't actually do what we (or the user) expect, since
Based on the above, I think we just want to go with the initial "warn" approach for now. That'll allow us to get a bugfix out, and from there we can work on actually using the active virtual environment by default (since it'll require us to rethink how we use
For posterity, here's the tweaked approach based on @tetsuo-cpp's work (mostly tweaked to respect

```python
import os
import sys
from pathlib import Path

# `logger`, `PipSourceError`, `_PIP_VERSION` and `_MINIMUM_RELIABLE_PIP_VERSION`
# are module-level names in pip_audit/_dependency_source/pip.py.

# NOTE: By default `pip_api` invokes `pip` through `sys.executable`, like so:
#
#   {sys.executable} -m pip [args ...]
#
# This is the right decision 99% of the time, but it can result in unintuitive audits
# for users who have installed `pip-audit` globally but are trying to audit
# a loaded virtual environment, since `pip-audit`'s `sys.executable` will be the global
# Python and not the virtual environment's Python.
#
# Rather than auditing the global environment (based on how `pip-audit` has been
# installed), we detect the user's intent by checking for an active virtual
# environment. If there's an active virtual environment and the user hasn't
# already overridden `PIPAPI_PYTHON_LOCATION`, then we point `pip_api` at the
# right Python path in that virtual environment.
effective_python = os.getenv("PIPAPI_PYTHON_LOCATION")
if effective_python is None:
    effective_python = sys.executable
    venv_prefix = os.getenv("VIRTUAL_ENV")
    if venv_prefix is not None and not effective_python.startswith(venv_prefix):
        venv_python = Path(venv_prefix) / "bin/python"
        if venv_python.exists():
            os.environ["PIPAPI_PYTHON_LOCATION"] = str(venv_python)
        else:
            # An active venv with no interpreter is broken; fail rather than guess.
            raise PipSourceError(
                f"pip-audit found a virtual environment at {venv_prefix}, but "
                "couldn't find a Python interpreter in that virtual environment"
            )

if _PIP_VERSION < _MINIMUM_RELIABLE_PIP_VERSION:
    logger.warning(
        f"pip {_PIP_VERSION} is very old, and may not provide reliable "
        "dependency information! You are STRONGLY encouraged to upgrade to a "
        "newer version of pip."
    )
```
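The following is an added example, not pip-audit's own code, that isolates the interpreter-selection logic from the snippet above (and the "do what the user expects" suggestion earlier in the thread) into a pure function with an injectable environment, so the three outcomes can be exercised without touching `os.environ` or the real `sys.executable`. It assumes the POSIX venv layout (`<prefix>/bin/python`) that the PR snippet uses; `BrokenVenvError`, `Resolution`, `resolve_effective_python`, `make_fake_venv` and `demo` are names chosen here, not pip-audit's. It differs from the PR's `startswith` check in one respect, by my choice: the "is the running interpreter already inside the venv?" test compares resolved paths, so a symlinked prefix or interpreter does not cause a spurious redirect.

```python
"""Added example (not pip-audit's own code): decide which Python `-m pip` should be
invoked through, given the user's environment, and distinguish the outcomes the PR
discusses: explicit override, redirect to the active venv, or fail on a broken venv.
Assumes the POSIX venv layout (<prefix>/bin/python) that the PR's snippet uses."""
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Mapping


class BrokenVenvError(RuntimeError):
    """Hypothetical error type standing in for the PR's PipSourceError."""


@dataclass(frozen=True)
class Resolution:
    python: str       # interpreter that `-m pip` should be invoked through
    redirected: bool  # True when we moved from the running interpreter to the venv's
    reason: str       # short explanation, suitable for a log line


def _inside(path: Path, prefix: Path) -> bool:
    """True if `path` is `prefix` or lies below it (both resolved, so symlinks don't lie)."""
    path, prefix = path.resolve(), prefix.resolve()
    return path == prefix or prefix in path.parents


def resolve_effective_python(env: Mapping[str, str], executable: str = sys.executable) -> Resolution:
    explicit = env.get("PIPAPI_PYTHON_LOCATION")
    if explicit is not None:
        # The user took responsibility for the interpreter choice; never second-guess it.
        return Resolution(explicit, False, "PIPAPI_PYTHON_LOCATION set explicitly")

    venv_prefix = env.get("VIRTUAL_ENV")
    if venv_prefix is None:
        return Resolution(executable, False, "no active virtual environment")

    if _inside(Path(executable), Path(venv_prefix)):
        # pip-audit itself was installed into the active venv; nothing to correct.
        return Resolution(executable, False, "running interpreter already belongs to VIRTUAL_ENV")

    venv_python = Path(venv_prefix) / "bin" / "python"
    if not venv_python.exists():
        # An active venv with no interpreter: the user clearly meant to audit a venv, so
        # silently auditing the global site-packages instead would hide the real problem.
        raise BrokenVenvError(
            f"found a virtual environment at {venv_prefix}, but no interpreter at {venv_python}"
        )
    return Resolution(str(venv_python), True, "redirected to the active virtual environment")


def make_fake_venv(with_interpreter: bool) -> str:
    """Create a throwaway directory shaped like a venv prefix (constructed test fixture)."""
    prefix = Path(tempfile.mkdtemp(prefix="fake-venv-"))
    (prefix / "bin").mkdir()
    if with_interpreter:
        (prefix / "bin" / "python").touch()
    return str(prefix)


def demo() -> dict:
    """Run the scenarios from the PR discussion and return their outcomes keyed by name."""
    global_python = "/usr/local/bin/python3"  # constructed: where a global pip-audit runs
    good = make_fake_venv(True)
    broken = make_fake_venv(False)
    results = {
        "no_venv": resolve_effective_python({}, global_python),
        "explicit": resolve_effective_python(
            {"PIPAPI_PYTHON_LOCATION": "/opt/py/bin/python", "VIRTUAL_ENV": good}, global_python
        ),
        "redirect": resolve_effective_python({"VIRTUAL_ENV": good}, global_python),
        "already_inside": resolve_effective_python({"VIRTUAL_ENV": good}, good + "/bin/python"),
    }
    try:
        resolve_effective_python({"VIRTUAL_ENV": broken}, global_python)
        results["broken"] = None
    except BrokenVenvError as e:
        results["broken"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Run it directly to see each scenario's `Resolution`; the `broken` case shows the error message a user would get instead of a misleading audit of the wrong environment. Keeping the decision in a pure function also makes it straightforward to unit-test the path-confusion cases (the global-install-plus-active-venv case is exactly the one that otherwise produces a clean-looking audit of the wrong site-packages).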
Force-pushed from 8c14570 to da2ad6f:
* _cli: refactor logging. This is inspired by the refactor in sigstore/sigstore-python#372. Signed-off-by: William Woodruff <william@trailofbits.com>
* README: update `pip-audit --help`. Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com>
Good idea. I completely missed the issue with
LGTM!
Closes #450.
Signed-off-by: William Woodruff william@trailofbits.com