pypa / gh-action-pip-audit
A GitHub Action for pip-audit
Home Page: https://github.com/marketplace/actions/gh-action-pip-audit
License: Apache License 2.0
The current action depends on requests<2.30, but this causes the following:
❯ pip-audit
| Collecting inputs
Found 1 known vulnerability in 1 package
Name Version ID Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0 GHSA-j8r2-6x86-q33q 2.31.0
My project depends on requests 2.31.0, this issue is with the pinned version in this codebase.
I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.
I expected the action to not fail on its own.
Nothing else needed.
Below is a logfile from an attempted audit of a recent pull request (https://github.com/os-climate/ITR/actions/runs/4874697829/jobs/8695957245?pr=186):
I was happily using 1.0.3 until GitHub updated to 1.0.6 and now I cannot merge my Pull Request.
I expect the audit to run and either flag a security error or silently return success.
This occurs when I attempt to merge PR 186: os-climate/ITR#186
All of the code is open source, so you might be able to fork the underlying repo (os-climate/ITR) and the source of the pull request (MichaelTiemannOSC/ITR) and have at it.
Run pypa/gh-action-pip-audit@v1.0.6
Run # NOTE: Sourced, not executed as a script.
Installing collected packages: webencodings, sortedcontainers, msgpack, lockfile, urllib3, toml, pyparsing, pygments, pip-api, packaging, packageurl-python, mdurl, idna, html5lib, charset-normalizer, certifi, requests, pip-requirements-parser, markdown-it-py, cyclonedx-python-lib, rich, CacheControl, pip-audit
Successfully installed CacheControl-0.12.11 certifi-2022.12.7 charset-normalizer-3.1.0 cyclonedx-python-lib-2.7.1 html5lib-1.1 idna-3.4 lockfile-0.12.2 markdown-it-py-2.2.0 mdurl-0.1.2 msgpack-1.0.5 packageurl-python-0.11.1 packaging-23.1 pip-api-0.0.30 pip-audit-2.5.4 pip-requirements-parser-32.0.1 pygments-2.15.1 pyparsing-3.0.9 requests-2.30.0 rich-13.3.5 sortedcontainers-2.4.0 toml-0.10.2 urllib3-2.0.1 webencodings-0.5.1
Notice: A new release of pip is available: 23.0.1 -> 23.1.2
Notice: To update, run: pip install --upgrade pip
Run # NOTE: Sourced, not executed as a script.
# NOTE: Sourced, not executed as a script.
source "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/setup/venv.bash"
/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/action.py ""
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
pythonLocation: /opt/hostedtoolcache/Python/3.10.11/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib
GHA_PIP_AUDIT_SUMMARY: true
GHA_PIP_AUDIT_NO_DEPS: false
GHA_PIP_AUDIT_REQUIRE_HASHES: false
GHA_PIP_AUDIT_VULNERABILITY_SERVICE: PyPI
GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT:
GHA_PIP_AUDIT_LOCAL: false
GHA_PIP_AUDIT_INDEX_URL:
GHA_PIP_AUDIT_EXTRA_INDEX_URLS:
GHA_PIP_AUDIT_IGNORE_VULNS:
GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: false
GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: false
GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS:
[Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
⚠️ pip-audit did not return any output
Traceback (most recent call last):
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/__main__.py", line 8, in <module>
audit()
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_cli.py", line 450, in audit
for spec, vulns in auditor.audit(source):
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_audit.py", line 67, in audit
for dep, vulns in self._service.query_all(specs):
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 155, in query_all
yield self.query(spec)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/pypi.py", line 61, in query
response: requests.Response = self.session.get(url=url, timeout=self.timeout)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 600, in get
return self.request("GET", url, **kwargs)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 745, in send
r.content
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 899, in content
self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 816, in generate
yield from self.raw.stream(chunk_size, decode_content=True)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 935, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 874, in read
data = self._raw_read(amt)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 809, in _raw_read
data = self._fp_read(amt) if not fp_closed else b""
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 794, in _fp_read
return self._fp.read(amt) if amt is not None else self._fp.read()
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 96, in read
self._close()
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 76, in _close
self.__callback(result)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 353, in cache_response
self._cache_set(cache_url, request, response, body, expires_time)
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 274, in _cache_set
self.serializer.dumps(request, response, body),
File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/serialize.py", line 54, in dumps
u"strict": response.strict,
AttributeError: 'HTTPResponse' object has no attribute 'strict'
Error: Process completed with exit code 1.
This should be no-deps: bool, mirroring the --no-deps flag in pip-audit.
We should create an issue template for this repository, with the following: pip-audit repo instead, if their report is an auditing failure and not a bug in the action itself. See pypa/pip-audit#314 and pypi/warehouse#11734.
This will conflict with the summary configuration, unless we use the SBOM itself to generate the summary. And maybe we should?
This will be less isolated than a Docker action, which is actually what we need -- right now the default auditing mode does the wrong thing, since it audits the environment inside the Docker container rather than the host's.
We should expose --index-url and --extra-index-url as action settings.
Setting verbose: true for the action should set either the --verbose flag or PIP_AUDIT_LOGLEVEL=debug.
This was just a random thought I had: some users might want to integrate the results of this action's workflow run(s) into other alerting systems, like a Slack channel.
Supporting every possible integration would be tedious, so we could instead allow a user to specify a URL that the action would perform an HTTP POST to if one or more vulnerabilities were found. For example:
with:
  webhook: https://some.custom.domain.example.com/pip-audit
Not sure if this is a good idea or not, but wanted to record it.
We need a setting that corresponds to the --ignore-vuln flag.
When running the action against Python 3.8-3.10, the action fails due to a missing output file. After enabling debugging, it appears this is due to a breaking change in the cyclonedx-python-lib dependency. The issue did not fail for Python 3.7, which resolves an older version of this dependency.
I would expect the action to pass or else print the relevant vulnerabilities causing failure
jobs:
  build_tests:
    strategy:
      matrix:
        python-version: [ 3.7, 3.8, 3.9, "3.10" ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Build Tools
        run: |
          python -m pip install --upgrade build wheel setuptools pip
      - name: Install package
        run: |
          pip install .
      - uses: pypa/gh-action-pip-audit@v1.0.0
build_tests (3.7) will exit with a valid result while the other runs will fail with FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
I diagnosed the issue with this action run. Relevant logs:
DEBUG: running: pip-audit ['--progress-spinner=off', '--format=markdown', '--cache-dir=/tmp/pip-audit-cache', '--desc', '--output=/tmp/pip-audit-output.txt', '--verbose', '--ignore-vuln', 'PYSEC-2023-228', '--ignore-vuln', 'GHSA-9wx4-h78v-vm56', '--ignore-vuln', 'GHSA-34jh-p97f-mpxf', '--vulnerability-service', 'pypi']
DEBUG: Traceback (most recent call last):
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/__main__.py", line 6, in <module>
from pip_audit._cli import audit
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_cli.py", line 26, in <module>
from pip_audit._format import (
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/__init__.py", line 6, in <module>
from .cyclonedx import CycloneDxFormat
File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/cyclonedx.py", line 13, in <module>
from cyclonedx.parser import BaseParser
ModuleNotFoundError: No module named 'cyclonedx.parser'
❌ pip-audit found one or more problems
Traceback (most recent call last):
File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.0/action.py", line 134, in <module>
with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
Error: Process completed with exit code 1.
I was able to make the automation use cyclonedx~=4.0 which got the automation passing.
Hi,
I encountered the following error while using this action in one of my workflows:
Traceback (most recent call last):
File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.5/action.py", line 138, in <module>
with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
Error: Process completed with exit code 1.
Looking at the code, we make the assumption that /tmp/pip-audit-output.txt exists whenever status.returncode != 0. Whenever pip-audit fails without creating a file, we get the above error which hides the original error returned by pip-audit (if it did return an error).
https://github.com/pypa/gh-action-pip-audit/blob/main/action.py#L138
I have no insight into the pip-audit source, so I don't know what kinds of errors can occur. Maybe we should log stderr in case the subprocess fails?
Best regards
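The report above describes action.py opening /tmp/pip-audit-output.txt whenever the exit code is non-zero, so a crash that never wrote the file turns into a FileNotFoundError that hides the original traceback. This added example (not the action's own code) shows a wrapper that checks for the report before trusting the exit code and surfaces stderr when it is missing; fake_pip_audit() is a constructed, hypothetical stand-in for pip-audit so the demo runs offline.

```python
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def classify(returncode: int, report: Optional[str], stderr: str) -> Tuple[str, str]:
    """Map one pip-audit run to (status, detail).

    pip-audit exits 0 when nothing was found and non-zero when it found
    vulnerabilities, but it also exits non-zero when it crashes before writing
    the report, so the report's existence has to be checked, not assumed.
    """
    if returncode == 0:
        return "clean", report or ""
    if report is not None:
        return "vulnerable", report
    # Non-zero exit and no report: a tool failure. Surface stderr, which is
    # where the original traceback went, instead of a FileNotFoundError.
    detail = stderr.strip() or f"pip-audit exited {returncode} without output"
    return "error", detail


def run_audit(cmd: List[str], output: Path) -> Tuple[str, str]:
    """Run a pip-audit command line that writes its report to `output`."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    report = output.read_text() if output.exists() else None
    return classify(proc.returncode, report, proc.stderr)


def fake_pip_audit(mode: str, output: Path) -> List[str]:
    """Constructed stand-in for pip-audit (hypothetical; only for this demo)."""
    scripts = {
        # Clean audit: exit 0, no findings written.
        "clean": "import sys; sys.exit(0)",
        # Findings: write the report, then exit 1 as pip-audit does.
        "vulnerable": (
            f"from pathlib import Path; Path({str(output)!r}).write_text("
            "'requests 2.29.0 GHSA-j8r2-6x86-q33q 2.31.0\\n'); "
            "import sys; sys.exit(1)"
        ),
        # Crash: traceback on stderr, exit 1, and no report at all.
        "crash": (
            "import sys; sys.stderr.write(\"AttributeError: 'HTTPResponse' "
            "object has no attribute 'strict'\\n\"); sys.exit(1)"
        ),
    }
    return [sys.executable, "-c", scripts[mode]]


def demo(mode: str) -> Tuple[str, str]:
    """Run the fake pip-audit in the given mode against a fresh temp report."""
    with tempfile.TemporaryDirectory() as tmp:
        output = Path(tmp) / "pip-audit-output.txt"
        return run_audit(fake_pip_audit(mode, output), output)


if __name__ == "__main__":
    for mode in ("clean", "vulnerable", "crash"):
        print(f"{mode}: {demo(mode)}")
```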
pip-audit only supports Python 3.7+.
Now that we're switching to a composite action (#9), we're relying on the environment's Python, which might be too old. So we should add an additional sanity check.
Tested with pip-audit 2.5.0, 2.5.1, 2.5.2: random runs fail with the below error message but will succeed on re-run. Reverting to pip-audit==2.4.13 resolved the errors.
[Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
⚠️ pip-audit did not return any output
Traceback (most recent call last):
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/__main__.py", line 8, in <module>
audit()
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_cli.py", line 449, in audit
for spec, vulns in auditor.audit(source):
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_audit.py", line 67, in audit
for dep, vulns in self._service.query_all(specs):
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_service/interface.py", line 154, in query_all
for spec in specs:
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_dependency_source/requirement.py", line 113, in collect
yield from self._collect_from_files([Path(f.name) for f in tmp_files])
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_dependency_source/requirement.py", line 147, in _collect_from_files
ve.create(ve_dir)
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/venv/__init__.py", line 71, in create
self.post_setup(context)
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_virtual_env.py", line 124, in post_setup
run(package_install_cmd, log_stdout=True, state=self._state)
File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_subprocess.py", line 68, in run
return stdout.decode("utf-8")
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe2 in position 4140: unexpected end of data
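A UnicodeDecodeError reporting "unexpected end of data" is the signature of decoding a byte stream that was cut in the middle of a multi-byte character, and 0xe2 is the lead byte of the box-drawing "━" that pip's progress bars print. This added example (not pip-audit's code; that this is what happened in the reporter's run is an assumption) reproduces the failure on constructed pip-style output read in fixed-size chunks and shows the incremental-decoder fix.

```python
import codecs
from typing import List, Optional

# Constructed sample: a pip progress line like the ones in the action log.
# "━" is U+2501, encoded in UTF-8 as the three bytes e2 94 81.
SAMPLE_TEXT = "Downloading rich-13.3.5-py3-none-any.whl\n" + "━" * 10 + " 100%\n"
SAMPLE_BYTES = SAMPLE_TEXT.encode("utf-8")


def chunked(data: bytes, size: int) -> List[bytes]:
    """Split a byte stream the way a fixed-size read loop would deliver it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def decode_per_chunk(chunks: List[bytes]) -> str:
    """The failing pattern: decode each chunk on its own."""
    return "".join(chunk.decode("utf-8") for chunk in chunks)


def naive_error(chunks: List[bytes]) -> Optional[str]:
    """Return the UnicodeDecodeError reason from decode_per_chunk, or None."""
    try:
        decode_per_chunk(chunks)
    except UnicodeDecodeError as exc:
        return exc.reason
    return None


def decode_incremental(chunks: List[bytes]) -> str:
    """Decode with an incremental decoder, which buffers a partial sequence
    across chunk boundaries and only fails if the stream really ends mid-char."""
    decoder = codecs.getincrementaldecoder("utf-8")()
    parts = [decoder.decode(chunk) for chunk in chunks]
    parts.append(decoder.decode(b"", final=True))
    return "".join(parts)


if __name__ == "__main__":
    # The text before the bar is 41 bytes, so a 43-byte chunk ends inside
    # the first "━" (bytes 41..43) and the per-chunk decode fails there.
    chunks = chunked(SAMPLE_BYTES, 43)
    print("per-chunk decode error:", naive_error(chunks))
    print("incremental decode matches:", decode_incremental(chunks) == SAMPLE_TEXT)
```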
We currently have an internal input (internal-be-careful-debug) that can be used to enable some additional debugging statements + verbosity. But GitHub Actions has an official debugging mechanism, involving a secret named ACTIONS_STEP_DEBUG and the special ::debug::{message} print syntax. Maybe we should just use that instead.