fix: Fail more gracefully when pip --dry-run doesn't work #2476
Conversation
|
@BreadGenie @terriko could anyone review this please? |
cve_bin_tool/parsers/python.py
Outdated
| yield from vendor | ||
| self.logger.debug(f"Done scanning file: {self.filename}") | ||
| except subprocess.CalledProcessError as e: | ||
| self.logger.error(f"Status : FAIL {e.returncode} {e.output}") |
There was a problem hiding this comment.
You're definitely going to want a more user-friendly error message here. Probably something like
"$filename not scanned: pip --dry-run was unable to get package versions"
"pip version >= ${whatever version dry-run was added in} is required to scan python requirements files"
That said, it's giving a warning that report may change, so we may need to plan around that as much as we can. I'm not sure if that's why your tests are failing, but you might need to take a look at what report is giving you and see if it changed in the past month.
There was a problem hiding this comment.
Could you please elaborate on what you mean by report and how can I access it?
There was a problem hiding this comment.
If you look up a few lines in the code, you can see how pip is being run:
"pip3",
"install",
"-r",
self.filename,
"--dry-run",
"--ignore-installed",
"--report",
"-",
"--quiet",
When you run that same command manually, you'll get the "report" in question.
When I run it, it generates a warning about report not yet producing a stable API. It's possible my version of pip is a few weeks old and this has been fixed. But basically if they change pip's output, we may need to change our code, so if you happened to get a version that was a bit different it could explain some test breakages. Or it could be unrelated. I just wanted to make sure you knew that we can't currently assume that what we get from pip won't change.
There was a problem hiding this comment.
And if it is fixed and pip says they've got some sort of stable report since I last checked in December, we probably want to explicitly make that version-or-later of pip a requirement.
There was a problem hiding this comment.
It's possible my version of pip is a few weeks old and this has been fixed.
It's still experimental as of pip 22.3.1. Docs say this:
The report is a JSON object with the following properties:
version: the string0, denoting that the installation report is an experimental feature. This value will change to1, when the feature is deemed stable after gathering user feedback (likely in pip 22.3 or 23.0).
Still experimental in 22.3 and I don't see any mention of it in 23.0 milestone. At least one change is expected before it becomes stable.
There was a problem hiding this comment.
Yes, for me as well, report is giving that warning --report is currently an experimental option. The output format may change in a future release without prior warning .
There was a problem hiding this comment.
Perhaps we can make pip upgrade to the latest version if the error is thrown?
There was a problem hiding this comment.
And later if report is removed in a future version of pip, we could make pip to the last pip version which supported report.
There was a problem hiding this comment.
Perhaps we can make pip upgrade to the latest version if the error is thrown?
I don't think it's a good idea to update anything during execution, it's an unusual and undesirable side effect.
And later if report is removed in a future version of pip, we could make pip to the last pip version which supported report.
I doubt it will be removed anytime soon, it's not even stable yet.
pip is a very important part of the Python ecosystem, doing any manipulations with it at runtime and even just limiting its version as a cve-bin-tool dependency is highly undesirable IMO. Requiring at least some version that has --report added/stabilized is different.
There was a problem hiding this comment.
I agree with @Molkree - we MUST not auto-update any of the installed software. Given the fact that the --report option is still experimental, I wonder if we should be (a) checking that the installed version of pip supports the option (although this could be simply done by specifyng the minimum version of pip in the requirements.txt file) (b) marking this option as 'EXPERIMENTAL' (there is an environment variable for this that I added on another PR) and only invoke if requested and not by default.
I noticed the warning from pip. We should possibly be catching the output from the subprocess call (stderr, stdout) before passing this to the json loader.
Codecov Report
@@ Coverage Diff @@
## main #2476 +/- ##
==========================================
+ Coverage 76.92% 76.93% +0.01%
==========================================
Files 591 591
Lines 9736 9741 +5
Branches 1323 1323
==========================================
+ Hits 7489 7494 +5
Misses 1947 1947
Partials 300 300
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
cve_bin_tool/parsers/python.py
Outdated
| f"{filename} not scanned: pip --dry-run was unable to get package versions." | ||
| ) | ||
| self.logger.error( | ||
| "pip version >= 22.2 is required to scan python requirements files" |
There was a problem hiding this comment.
| "pip version >= 22.2 is required to scan python requirements files" | |
| "pip version >= 22.2 is required to scan Python requirements files." |
We should not log this error every time, what if the scan wasn't successful for some other reason? After all, we can check the pip version and log only if pip is not new enough.
There was a problem hiding this comment.
Maybe we should still log the underlying error in addition to the user-friendly message? Unless we know for sure pip is too old, then there's no point.
There was a problem hiding this comment.
This error always arises due to an older version of pip I think because in newer versions, no such error arises.
|
I think tests on Windows are failing due to fb9cca7. |
@Molkree Don't know what's up with this, but CI gives |
Hah, I have the same feeling every time I read ... I think it's the packaging docs? But the fact that they're written like that even though they've been updated recently make me think that someone does indeed use pip3 still. |
|
@terriko @anthonyharrison @Molkree Is this okay now? |
Fixes #2463