
About pip-audit-feedstock

Feedstock license: BSD-3-Clause

Home: https://github.com/trailofbits/pip-audit

Package license: Apache-2.0

Summary: A tool for scanning Python environments for known vulnerabilities

Development: https://github.com/trailofbits/pip-audit

Documentation: https://github.com/trailofbits/pip-audit

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-db) via the PyPI JSON API as a source of vulnerability reports.

This project is developed by Trail of Bits with support from Google. This is not an official Google product.

Features

  • Support for auditing local environments and requirements-style files
  • Support for multiple vulnerability services (PyPI, OSV)
  • Support for emitting SBOMs in CycloneDX XML or JSON
  • Human and machine-readable output formats (columnar, JSON)
  • Seamlessly reuses your existing local pip caches
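The machine-readable output listed above is what makes pip-audit usable as a CI gate rather than only as an interactive scanner. The script below is an added example, not code from pip-audit or from this feedstock: it reads a report produced by `pip-audit -r requirements.txt -f json -o audit.json`, waives advisories on an explicit allow-list (matching aliases as well as the primary ID, so a waiver recorded under one naming scheme still applies when the other service reports the same advisory), and refuses to pass when pip-audit skipped a dependency, since a skipped package is unaudited, not clean. The key layout assumed (name/version/vulns with id/aliases/fix_versions, and skip_reason for unaudited dependencies) is the shape pip-audit's JSON formatter emits; the embedded report is constructed for this example, and its package names and advisory IDs are placeholders, not real packages or advisories.

```python
"""Gate a CI job on pip-audit's JSON report (added example, not pip-audit's own code).

Assumes the report came from:  pip-audit -r requirements.txt -f json -o audit.json
Audited dependencies carry name/version/vulns[id, aliases, fix_versions];
dependencies pip-audit could not audit carry a skip_reason instead.
"""
import json
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed sample report. Package names and IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-lib", "version": "1.0.0", "vulns": [
            {"id": "EXAMPLE-0001", "aliases": ["EXAMPLE-ALIAS-0001"],
             "fix_versions": ["1.0.1"], "description": "placeholder, fix available"}]},
        {"name": "legacy-tool", "version": "0.9.0", "vulns": [
            {"id": "EXAMPLE-0002", "aliases": [],
             "fix_versions": [], "description": "placeholder, no fix published"}]},
        {"name": "clean-pkg", "version": "2.3.4", "vulns": []},
        {"name": "local-only", "skip_reason": "Dependency not found on PyPI"},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: Tuple[str, ...]
    fix_versions: Tuple[str, ...]

    @property
    def fixable(self) -> bool:
        # An empty fix_versions list means no fixed release is known yet.
        return bool(self.fix_versions)


def load_findings(report_text: str) -> Tuple[List[Finding], List[Tuple[str, str]]]:
    """Flatten the report into one Finding per (package, advisory) plus the list
    of dependencies pip-audit skipped, which the gate must see rather than drop."""
    report = json.loads(report_text)
    findings: List[Finding] = []
    skipped: List[Tuple[str, str]] = []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            skipped.append((dep["name"], dep["skip_reason"]))
            continue
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"], version=dep["version"], vuln_id=vuln["id"],
                aliases=tuple(vuln.get("aliases", [])),
                fix_versions=tuple(vuln.get("fix_versions", [])),
            ))
    return findings, skipped


def gate(findings: List[Finding],
         ignore: FrozenSet[str] = frozenset()) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (blocking, waived). A finding is waived only when its
    primary ID or one of its aliases is on the explicit allow-list."""
    blocking, waived = [], []
    for f in findings:
        if f.vuln_id in ignore or ignore.intersection(f.aliases):
            waived.append(f)
        else:
            blocking.append(f)
    return blocking, waived


def decide(report_text: str, ignore: FrozenSet[str] = frozenset(),
           allow_skipped: bool = False) -> int:
    """Exit status for the CI step: 0 only when nothing blocks and, unless
    explicitly allowed, nothing was left unaudited."""
    findings, skipped = load_findings(report_text)
    blocking, waived = gate(findings, ignore)
    for f in blocking:
        fix = "upgrade to " + ", ".join(f.fix_versions) if f.fixable else "no fixed release known"
        print(f"BLOCK   {f.package}=={f.version}  {f.vuln_id}  ({fix})")
    for f in waived:
        print(f"WAIVED  {f.package}=={f.version}  {f.vuln_id}")
    for name, reason in skipped:
        print(f"SKIPPED {name}: {reason}")
    if blocking or (skipped and not allow_skipped):
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python audit_gate.py audit.json [WAIVED-ID ...]; no file => constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(decide(text, ignore=frozenset(sys.argv[2:])))
```

Run pip-audit with `|| true` (or capture its exit status separately) so that the gate, not pip-audit's own non-zero exit, decides the outcome; that keeps the waiver list and the skipped-package policy in one reviewable place. Treating skipped dependencies as failures is deliberate: a requirements file that pins a private or renamed package produces no findings for it, and without this check that silence looks like a clean result.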


Installing pip-audit

Installing pip-audit from the conda-forge channel can be achieved by adding conda-forge to your channels with:

conda config --add channels conda-forge
conda config --set channel_priority strict

Once the conda-forge channel has been enabled, pip-audit can be installed with conda:

conda install pip-audit

or with mamba:

mamba install pip-audit

It is possible to list all of the versions of pip-audit available on your platform with conda:

conda search pip-audit --channel conda-forge

or with mamba:

mamba search pip-audit --channel conda-forge

Alternatively, mamba repoquery may provide more information:

# Search all versions available on your platform:
mamba repoquery search pip-audit --channel conda-forge

# List packages depending on `pip-audit`:
mamba repoquery whoneeds pip-audit --channel conda-forge

# List dependencies of `pip-audit`:
mamba repoquery depends pip-audit --channel conda-forge

About conda-forge


conda-forge is a community-led conda channel of installable packages. In order to provide high-quality builds, the process has been automated into the conda-forge GitHub organization. The conda-forge organization contains one repository for each of the installable packages. Such a repository is known as a feedstock.

A feedstock is made up of a conda recipe (the instructions on what and how to build the package) and the necessary configurations for automatic building using freely available continuous integration services. Thanks to the service provided by Azure, GitHub, CircleCI, AppVeyor, Drone, and TravisCI it is possible to build and upload installable packages to the conda-forge Anaconda-Cloud channel for Linux, Windows and macOS.

To manage the continuous integration and simplify feedstock maintenance, conda-smithy has been developed. Using the conda-forge.yml within this repository, it is possible to re-render all of this feedstock's supporting files (e.g. the CI configuration files) with conda smithy rerender.

For more information please check the conda-forge documentation.

Terminology

feedstock - the conda recipe (raw material), supporting scripts and CI configuration.

conda-smithy - the tool which helps orchestrate the feedstock. Its primary use is in the construction of the CI .yml files and in simplifying the management of many feedstocks.

conda-forge - the place where the feedstock and smithy live and work to produce the finished article (built conda distributions)

Updating pip-audit-feedstock

If you would like to improve the pip-audit recipe or build a new package version, please fork this repository and submit a PR. Upon submission, your changes will be run on the appropriate platforms to give the reviewer an opportunity to confirm that the changes result in a successful build. Once merged, the recipe will be re-built and uploaded automatically to the conda-forge channel, whereupon the built conda packages will be available for everybody to install and use from the conda-forge channel. Note that all branches in the conda-forge/pip-audit-feedstock are immediately built and any created packages are uploaded, so PRs should be based on branches in forks and branches in the main repository should only be used to build distinct package versions.

In order to produce a uniquely identifiable distribution:

  • If the version of a package is not being increased, please add or increase the build/number.
  • If the version of a package is being increased, please remember to return the build/number back to 0.

Contributors

conda-forge-admin, conda-forge-curator[bot], conda-forge-linter, github-actions[bot], regro-cf-autotick-bot, sugatoray

pip-audit-feedstock's Issues

pip-audit doesn't work without lockfile conda package

Solution to issue cannot be found in the documentation.

  • I checked the documentation.

Issue

Following the stack trace

% pip-audit
Traceback (most recent call last):
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/cachecontrol/caches/file_cache.py", line 77, in __init__
    from lockfile import LockFile
ModuleNotFoundError: No module named 'lockfile'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/bin/pip-audit", line 10, in <module>
    sys.exit(audit())
             ^^^^^^^
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/pip_audit/_cli.py", line 369, in audit
    service = args.vulnerability_service.to_service(args.timeout, args.cache_dir)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/pip_audit/_cli.py", line 105, in to_service
    return PyPIService(cache_dir, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/pip_audit/_service/pypi.py", line 45, in __init__
    self.session = caching_session(cache_dir)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/pip_audit/_cache.py", line 165, in caching_session
    cache=_SafeFileCache(_get_cache_dir(cache_dir, use_pip=use_pip)),
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/pip_audit/_cache.py", line 87, in __init__
    super().__init__(directory)
  File "/usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env/lib/python3.11/site-packages/cachecontrol/caches/file_cache.py", line 87, in __init__
    raise ImportError(notice)
ImportError: 
NOTE: In order to use the FileCache you must have
lockfile installed. You can install it via pip:
  pip install lockfile

Then I installed lockfile... and it worked.

So, one could say: lockfile is missing in some dependencies... ok, must be cachecontrol's fault... and indeed, adding the lockfile conda package makes pip-audit run.

Digging a bit deeper, it seems that lockfile is deprecated in favour of filelock... and is only an optional dependency of the cachecontrol pip package (as defined in pip-audit's recipe). So, where is the culprit?! I don't really know.

conda install pip-audit doesn't result in a functioning command, therefore reporting it here.

Installed packages

# packages in environment at /usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env:
#
# Name                    Version                   Build  Channel
alabaster                 0.7.13             pyhd8ed1ab_0    conda-forge
appnope                   0.1.3              pyhd8ed1ab_0    conda-forge
asttokens                 2.2.1              pyhd8ed1ab_0    conda-forge
babel                     2.12.1             pyhd8ed1ab_1    conda-forge
backcall                  0.2.0              pyh9f0ad1d_0    conda-forge
backports                 1.0                pyhd8ed1ab_3    conda-forge
backports.functools_lru_cache 1.6.4              pyhd8ed1ab_0    conda-forge
black                     23.3.0          py311h6eed73b_0    conda-forge
brotlipy                  0.7.0           py311h5547dcb_1005    conda-forge
build                     0.7.0              pyhd8ed1ab_0    conda-forge
bzip2                     1.0.8                h0d85af4_4    conda-forge
ca-certificates           2022.12.7            h033912b_0    conda-forge
cachecontrol              0.12.11            pyhd8ed1ab_1    conda-forge
certifi                   2022.12.7          pyhd8ed1ab_0    conda-forge
cffi                      1.15.1          py311ha86e640_3    conda-forge
charset-normalizer        3.1.0              pyhd8ed1ab_0    conda-forge
click                     8.1.3           unix_pyhd8ed1ab_2    conda-forge
colorama                  0.4.6              pyhd8ed1ab_0    conda-forge
comm                      0.1.3              pyhd8ed1ab_0    conda-forge
coverage                  7.2.3           py311h5547dcb_0    conda-forge
cryptography              40.0.1          py311h61927ef_0    conda-forge
cyclonedx-python-lib      2.7.1              pyhd8ed1ab_0    conda-forge
debugpy                   1.6.7           py311h814d153_0    conda-forge
decorator                 5.1.1              pyhd8ed1ab_0    conda-forge
docutils                  0.17.1          py311h6eed73b_3    conda-forge
exceptiongroup            1.1.1              pyhd8ed1ab_0    conda-forge
executing                 1.2.0              pyhd8ed1ab_0    conda-forge
filelock                  3.11.0             pyhd8ed1ab_0    conda-forge
flake8                    6.0.0              pyhd8ed1ab_0    conda-forge
html5lib                  1.1                pyh9f0ad1d_0    conda-forge
idna                      3.4                pyhd8ed1ab_0    conda-forge
imagesize                 1.4.1              pyhd8ed1ab_0    conda-forge
importlib-metadata        6.3.0              pyha770c72_0    conda-forge
importlib_metadata        6.3.0                hd8ed1ab_0    conda-forge
iniconfig                 2.0.0              pyhd8ed1ab_0    conda-forge
ipykernel                 6.22.0             pyh736e0ef_0    conda-forge
ipython                   8.12.0             pyhd1c38e8_0    conda-forge
jedi                      0.18.2             pyhd8ed1ab_0    conda-forge
jinja2                    3.1.2              pyhd8ed1ab_1    conda-forge
jupyter_client            8.1.0              pyhd8ed1ab_0    conda-forge
jupyter_core              5.3.0           py311h6eed73b_0    conda-forge
libcxx                    16.0.1               h71dddab_0    conda-forge
libexpat                  2.5.0                hf0c8a7f_1    conda-forge
libffi                    3.4.2                h0d85af4_5    conda-forge
libsodium                 1.0.18               hbcb3906_1    conda-forge
libsqlite                 3.40.0               ha978bb4_0    conda-forge
libzlib                   1.2.13               hfd90126_4    conda-forge
markdown-it-py            2.2.0              pyhd8ed1ab_0    conda-forge
markupsafe                2.1.2           py311h5547dcb_0    conda-forge
matplotlib-inline         0.1.6              pyhd8ed1ab_0    conda-forge
mccabe                    0.7.0              pyhd8ed1ab_0    conda-forge
mdurl                     0.1.0              pyhd8ed1ab_0    conda-forge
msgpack-python            1.0.5           py311hd2070f0_0    conda-forge
mypy                      1.2.0           py311h5547dcb_0    conda-forge
mypy_extensions           1.0.0              pyha770c72_0    conda-forge
ncurses                   6.3                  h96cf925_1    conda-forge
nest-asyncio              1.5.6              pyhd8ed1ab_0    conda-forge
openssl                   3.1.0                hfd90126_0    conda-forge
packageurl-python         0.11.1             pyhd8ed1ab_0    conda-forge
packaging                 23.1               pyhd8ed1ab_0    conda-forge
parso                     0.8.3              pyhd8ed1ab_0    conda-forge
pathspec                  0.11.1             pyhd8ed1ab_0    conda-forge
pep517                    0.13.0             pyhd8ed1ab_0    conda-forge
pexpect                   4.8.0              pyh1a96a4e_2    conda-forge
pickleshare               0.7.5                   py_1003    conda-forge
pip                       23.0.1             pyhd8ed1ab_0    conda-forge
pip-api                   0.0.30             pyhd8ed1ab_0    conda-forge
pip-audit                 2.5.4              pyhd8ed1ab_0    conda-forge
pip-requirements-parser   32.0.1             pyhd8ed1ab_0    conda-forge
platformdirs              3.2.0              pyhd8ed1ab_0    conda-forge
pluggy                    1.0.0              pyhd8ed1ab_5    conda-forge
prompt-toolkit            3.0.38             pyha770c72_0    conda-forge
prompt_toolkit            3.0.38               hd8ed1ab_0    conda-forge
psutil                    5.9.4           py311h5547dcb_0    conda-forge
ptyprocess                0.7.0              pyhd3deb0d_0    conda-forge
pure_eval                 0.2.2              pyhd8ed1ab_0    conda-forge
pycodestyle               2.10.0             pyhd8ed1ab_0    conda-forge
pycparser                 2.21               pyhd8ed1ab_0    conda-forge
pyflakes                  3.0.1              pyhd8ed1ab_0    conda-forge
pygments                  2.15.0             pyhd8ed1ab_0    conda-forge
pyopenssl                 23.1.1             pyhd8ed1ab_0    conda-forge
pyparsing                 3.0.9              pyhd8ed1ab_0    conda-forge
pysocks                   1.7.1              pyha2e5f31_6    conda-forge
pytest                    7.3.0              pyhd8ed1ab_0    conda-forge
pytest-cov                4.0.0              pyhd8ed1ab_0    conda-forge
python                    3.11.3          h99528f9_0_cpython    conda-forge
python-dateutil           2.8.2              pyhd8ed1ab_0    conda-forge
python_abi                3.11                    3_cp311    conda-forge
pytz                      2023.3             pyhd8ed1ab_0    conda-forge
pyzmq                     25.0.2          py311habfacb3_0    conda-forge
readline                  8.2                  h9e318b2_1    conda-forge
requests                  2.28.2             pyhd8ed1ab_1    conda-forge
rich                      13.3.4             pyhd8ed1ab_0    conda-forge
setuptools                67.6.1             pyhd8ed1ab_0    conda-forge
six                       1.16.0             pyh6c4a22f_0    conda-forge
snowballstemmer           2.2.0              pyhd8ed1ab_0    conda-forge
sortedcontainers          2.4.0              pyhd8ed1ab_0    conda-forge
sphinx                    5.3.0              pyhd8ed1ab_0    conda-forge
sphinx-autodoc-typehints  1.21.8             pyhd8ed1ab_0    conda-forge
sphinx_rtd_theme          1.2.0              pyha770c72_0    conda-forge
sphinxcontrib-applehelp   1.0.4              pyhd8ed1ab_0    conda-forge
sphinxcontrib-devhelp     1.0.2                      py_0    conda-forge
sphinxcontrib-htmlhelp    2.0.1              pyhd8ed1ab_0    conda-forge
sphinxcontrib-jquery      4.1                pyhd8ed1ab_0    conda-forge
sphinxcontrib-jsmath      1.0.1                      py_0    conda-forge
sphinxcontrib-qthelp      1.0.3                      py_0    conda-forge
sphinxcontrib-serializinghtml 1.1.5              pyhd8ed1ab_2    conda-forge
stack_data                0.6.2              pyhd8ed1ab_0    conda-forge
tk                        8.6.12               h5dbffcc_0    conda-forge
toml                      0.10.2             pyhd8ed1ab_0    conda-forge
tomli                     2.0.1              pyhd8ed1ab_0    conda-forge
tornado                   6.2             py311h5547dcb_1    conda-forge
traitlets                 5.9.0              pyhd8ed1ab_0    conda-forge
tree                      2.1.0                hb7f2c08_0    conda-forge
typing-extensions         4.5.0                hd8ed1ab_0    conda-forge
typing_extensions         4.5.0              pyha770c72_0    conda-forge
tzdata                    2023c                h71feb2d_0    conda-forge
urllib3                   1.26.15            pyhd8ed1ab_0    conda-forge
wcwidth                   0.2.6              pyhd8ed1ab_0    conda-forge
webencodings              0.5.1                      py_1    conda-forge
wheel                     0.40.0             pyhd8ed1ab_0    conda-forge
xz                        5.2.6                h775f41a_0    conda-forge
zeromq                    4.3.4                he49afe7_1    conda-forge
zipp                      3.15.0             pyhd8ed1ab_0    conda-forge

Environment info

active environment : dirmagic-dev-env
    active env location : /usr/local/Caskroom/miniforge/base/envs/dirmagic-dev-env
            shell level : 2
       user config file : /Users/achim/.condarc
 populated config files : /usr/local/Caskroom/miniforge/base/.condarc
          conda version : 23.3.1
    conda-build version : not installed
         python version : 3.10.10.final.0
       virtual packages : __archspec=1=x86_64
                          __osx=13.3.1=0
                          __unix=0=0
       base environment : /usr/local/Caskroom/miniforge/base  (writable)
      conda av data dir : /usr/local/Caskroom/miniforge/base/etc/conda
  conda av metadata url : None
           channel URLs : https://conda.anaconda.org/conda-forge/osx-64
                          https://conda.anaconda.org/conda-forge/noarch
          package cache : /usr/local/Caskroom/miniforge/base/pkgs
                          /Users/achim/.conda/pkgs
       envs directories : /usr/local/Caskroom/miniforge/base/envs
                          /Users/achim/.conda/envs
               platform : osx-64
             user-agent : conda/23.3.1 requests/2.28.2 CPython/3.10.10 Darwin/22.4.0 OSX/13.3.1
                UID:GID : 501:20
             netrc file : None
           offline mode : False

The package building met failure during CI -- needs a rerun

Issue: The pip-audit package is not yet available on conda-forge even after ~20 hours of this feedstock's creation.

This github feedstock was created after the PR (conda-forge/staged-recipes#17235) was merged. But, the package was not built. Looks like there was some error while building the package.

Error report

The reported errors are:
- Encountered problems while solving:
-   - nothing provides requested pip-api >=0.0.26
...
...
...
conda_build.exceptions.DependencyNeedsBuildingError: Unsatisfiable dependencies for platform linux-64: {MatchSpec("pip-api[version='>=0.0.26']")}

Possible resolution

At the time of the first run (right after the merge), the dependency pip-api was not available on demand. So, the CI process failed citing unavailability of pip-api. Since pip-api is available now, a second run of the CI should find it and complete building pip-audit on conda-forge.

Run conda-smithy rerender.
