
gh-action-pip-audit's People

Contributors

alexerson, ameily, angelmf, di, semgrep-bot, tnytown, woodruffw

gh-action-pip-audit's Issues

Requests<2.30.0 has a security issue

Current behavior

The current action depends on requests<2.30, but this causes the following:

❯ pip-audit
| Collecting inputs
Found 1 known vulnerability in 1 package
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0

My project depends on requests 2.31.0; this issue is with the pinned version in this codebase.

I believe the reason why we were holding back on requests 2.30.0 is now fixed, so we should relax this condition.

Expected behavior

I expected the action to not fail on its own.

Steps to reproduce

  1. Add pip-audit to an empty project
  2. Run it.

Relevant context

Nothing else needed.
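One way to check what a report like the one above implies for a pin, as an added example that is not part of gh-action-pip-audit or pip-audit: given the pip-audit table and the action's own constraint, decide whether the constraint admits any of the fix versions at all. If it admits none, the pin itself guarantees a vulnerable install and relaxing it is the only fix. The table text is reproduced from the issue as a constructed sample; the version and specifier handling is a deliberately small subset of PEP 440 (dotted numeric versions, comparison operators only), not the packaging library.

```python
"""
Added example: does a requirement constraint leave room for any fix version
reported by pip-audit? Not gh-action-pip-audit's or pip-audit's own code.
"""
import re
from typing import List, Tuple

# Constructed sample: the table pip-audit printed in the issue above.
PIP_AUDIT_TABLE = """\
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0
"""

# The action's own pin, as quoted in the issue.
ACTION_PIN = "requests<2.30"


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.30' -> (2, 30, 0): pad to three components so 2.30 compares as 2.30.0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Tuple[int, ...]]]]:
    """'requests<2.30,>=2.0' -> ('requests', [('<', (2,30,0)), ('>=', (2,0,0))])."""
    m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec = m.group(1).lower(), m.group(2).strip()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        cm = re.match(r"^(<=|>=|==|!=|<|>)\s*([0-9.]+)$", clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version: str, clauses) -> bool:
    """True when every clause of the specifier holds for this version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def parse_pip_audit_table(text: str) -> List[dict]:
    """Parse the columnar 'Name Version ID Fix Versions' table into dicts."""
    findings = []
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines[2:]:  # skip the header and the dashed separator
        name, version, vuln_id, *fixes = line.split()
        # Several fix versions are comma separated; tolerate spaces after commas.
        fix_versions = [f for f in ",".join(fixes).split(",") if f]
        findings.append({"name": name.lower(), "version": version,
                         "id": vuln_id, "fix_versions": fix_versions})
    return findings


def fix_reachable(requirement: str, finding: dict) -> Tuple[bool, List[str]]:
    """
    Return (reachable, admissible_fixes): the fix versions the requirement's
    specifier would let pip install. An empty list means the pin excludes every
    fixed release, so the install is vulnerable by construction.
    """
    name, clauses = parse_requirement(requirement)
    if name != finding["name"]:
        raise ValueError(f"requirement is for {name!r}, finding is for {finding['name']!r}")
    admissible = [f for f in finding["fix_versions"] if satisfies(f, clauses)]
    return bool(admissible), admissible


if __name__ == "__main__":
    for finding in parse_pip_audit_table(PIP_AUDIT_TABLE):
        ok, fixes = fix_reachable(ACTION_PIN, finding)
        status = "fix reachable" if ok else "pin excludes every fix version"
        print(f"{finding['id']}: {finding['name']} {finding['version']} "
              f"under {ACTION_PIN!r}: {status} {fixes}")
```

Run against the table from the issue, the pin `requests<2.30` admits none of the fix versions for GHSA-j8r2-6x86-q33q, which is the situation the report describes; the same check with a relaxed constraint such as `requests>=2.0` reports 2.31.0 as installable.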

Version 1.0.6 gives error AttributeError: 'HTTPResponse' object has no attribute 'strict'

Current behavior

Below is a logfile from an attempted audit of a recent pull request (https://github.com/os-climate/ITR/actions/runs/4874697829/jobs/8695957245?pr=186):

I was happily using 1.0.3 until GitHub updated to 1.0.6 and now I cannot merge my Pull Request.

Expected behavior

I expect the audit to run and either flag a security error or silently return success.

Steps to reproduce

This occurs when I attempt to merge PR 186: os-climate/ITR#186

All of the code is open source, so you might be able to fork the underlying repo (os-climate/ITR) and the source of the pull request (MichaelTiemannOSC/ITR) and have at it.

Relevant context

Run pypa/[email protected]
Run # NOTE: Sourced, not executed as a script.
Collecting pip-audit>=2.4.13,~=2.0 (from -r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_audit-2.5.4-py3-none-any.whl (52 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 52.9/52.9 kB 2.2 MB/s eta 0:00:00
Collecting CacheControl[filecache]>=0.12.10 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading CacheControl-0.12.11-py2.py3-none-any.whl (21 kB)
Collecting cyclonedx-python-lib!=2.5.0,~=2.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading cyclonedx_python_lib-2.7.1-py3-none-any.whl (200 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 200.4/200.4 kB 13.4 MB/s eta 0:00:00
Collecting html5lib>=1.1 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading html5lib-1.1-py2.py3-none-any.whl (112 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 112.2/112.2 kB 39.3 MB/s eta 0:00:00
Collecting packaging>=23.0.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading packaging-23.1-py3-none-any.whl (48 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.9/48.9 kB 17.3 MB/s eta 0:00:00
Collecting pip-api>=0.0.28 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_api-0.0.30-py3-none-any.whl (111 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 111.6/111.6 kB 37.7 MB/s eta 0:00:00
Collecting pip-requirements-parser>=32.0.0 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pip_requirements_parser-32.0.1-py3-none-any.whl (35 kB)
Collecting rich>=12.4 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading rich-13.3.5-py3-none-any.whl (238 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 238.7/238.7 kB 48.8 MB/s eta 0:00:00
Collecting toml>=0.10 (from pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
Collecting requests (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading requests-2.30.0-py3-none-any.whl (62 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.5/62.5 kB 20.6 MB/s eta 0:00:00
Collecting msgpack>=0.5.2 (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading msgpack-1.0.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (316 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 316.8/316.8 kB 69.5 MB/s eta 0:00:00
Collecting lockfile>=0.9 (from CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading lockfile-0.12.2-py2.py3-none-any.whl (13 kB)
Collecting packageurl-python>=0.9 (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading packageurl_python-0.11.1-py3-none-any.whl (23 kB)
Requirement already satisfied: setuptools>=47.0.0 in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (67.7.2)
Collecting sortedcontainers<3.0.0,>=2.4.0 (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading sortedcontainers-2.4.0-py2.py3-none-any.whl (29 kB)
Requirement already satisfied: six>=1.9 in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from html5lib>=1.1->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (1.16.0)
Collecting webencodings (from html5lib>=1.1->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading webencodings-0.5.1-py2.py3-none-any.whl (11 kB)
Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages (from pip-api>=0.0.28->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1)) (23.0.1)
Collecting pyparsing (from pip-requirements-parser>=32.0.0->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading pyparsing-3.0.9-py3-none-any.whl (98 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.3/98.3 kB 34.1 MB/s eta 0:00:00
Collecting markdown-it-py<3.0.0,>=2.2.0 (from rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading markdown_it_py-2.2.0-py3-none-any.whl (84 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 84.5/84.5 kB 31.5 MB/s eta 0:00:00
Collecting pygments<3.0.0,>=2.13.0 (from rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading Pygments-2.15.1-py3-none-any.whl (1.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 69.7 MB/s eta 0:00:00
Collecting mdurl~=0.1 (from markdown-it-py<3.0.0,>=2.2.0->rich>=12.4->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
Collecting charset-normalizer<4,>=2 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (199 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 199.3/199.3 kB 58.7 MB/s eta 0:00:00
Collecting idna<4,>=2.5 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading idna-3.4-py3-none-any.whl (61 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.5/61.5 kB 19.5 MB/s eta 0:00:00
Collecting urllib3<3,>=1.21.1 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading urllib3-2.0.1-py3-none-any.whl (123 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 123.3/123.3 kB 40.8 MB/s eta 0:00:00
Collecting certifi>=2017.4.17 (from requests->CacheControl[filecache]>=0.12.10->pip-audit>=2.4.13,~=2.0->-r /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/requirements.txt (line 1))
  Downloading certifi-2022.12.7-py3-none-any.whl (155 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 155.3/155.3 kB 44.4 MB/s eta 0:00:00
Installing collected packages: webencodings, sortedcontainers, msgpack, lockfile, urllib3, toml, pyparsing, pygments, pip-api, packaging, packageurl-python, mdurl, idna, html5lib, charset-normalizer, certifi, requests, pip-requirements-parser, markdown-it-py, cyclonedx-python-lib, rich, CacheControl, pip-audit
Successfully installed CacheControl-0.12.11 certifi-2022.12.7 charset-normalizer-3.1.0 cyclonedx-python-lib-2.7.1 html5lib-1.1 idna-3.4 lockfile-0.12.2 markdown-it-py-2.2.0 mdurl-0.1.2 msgpack-1.0.5 packageurl-python-0.11.1 packaging-23.1 pip-api-0.0.30 pip-audit-2.5.4 pip-requirements-parser-32.0.1 pygments-2.15.1 pyparsing-3.0.9 requests-2.30.0 rich-13.3.5 sortedcontainers-2.4.0 toml-0.10.2 urllib3-2.0.1 webencodings-0.5.1

Notice:  A new release of pip is available: 23.0.1 -> 23.1.2
Notice:  To update, run: pip install --upgrade pip
Run # NOTE: Sourced, not executed as a script.
  # NOTE: Sourced, not executed as a script.
  source "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/setup/venv.bash"
  
  /home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.6/action.py ""
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.10.11/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.11/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.11/x64/lib
    GHA_PIP_AUDIT_SUMMARY: true
    GHA_PIP_AUDIT_NO_DEPS: false
    GHA_PIP_AUDIT_REQUIRE_HASHES: false
    GHA_PIP_AUDIT_VULNERABILITY_SERVICE: PyPI
    GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT: 
    GHA_PIP_AUDIT_LOCAL: false
    GHA_PIP_AUDIT_INDEX_URL: 
    GHA_PIP_AUDIT_EXTRA_INDEX_URLS: 
    GHA_PIP_AUDIT_IGNORE_VULNS: 
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: false
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: false
    GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: 
[Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
⚠️ pip-audit did not return any output
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/__main__.py", line 8, in <module>
    audit()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_cli.py", line 450, in audit
    for spec, vulns in auditor.audit(source):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_audit.py", line 67, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 155, in query_all
    yield self.query(spec)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/pip_audit/_service/pypi.py", line 61, in query
    response: requests.Response = self.session.get(url=url, timeout=self.timeout)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 600, in get
    return self.request("GET", url, **kwargs)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/sessions.py", line 745, in send
    r.content
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 899, in content
    self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/requests/models.py", line 816, in generate
    yield from self.raw.stream(chunk_size, decode_content=True)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 935, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 874, in read
    data = self._raw_read(amt)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 809, in _raw_read
    data = self._fp_read(amt) if not fp_closed else b""
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/urllib3/response.py", line 794, in _fp_read
    return self._fp.read(amt) if amt is not None else self._fp.read()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 96, in read
    self._close()
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/filewrapper.py", line 76, in _close
    self.__callback(result)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 353, in cache_response
    self._cache_set(cache_url, request, response, body, expires_time)
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/controller.py", line 274, in _cache_set
    self.serializer.dumps(request, response, body),
  File "/opt/hostedtoolcache/Python/3.10.11/x64/lib/python3.10/site-packages/cachecontrol/serialize.py", line 54, in dumps
    u"strict": response.strict,
AttributeError: 'HTTPResponse' object has no attribute 'strict'

Error: Process completed with exit code 1.

Create an issue template to redirect (some) users to `pip-audit`

We should create an issue template for this repository, with the following:

  1. Guidance on how to submit a good report (enabling debug logging, etc.)
  2. Instructions to report the issue to the pip-audit repo instead, if their report is an auditing failure and not a bug in the action itself.

Switch to a "composite" action

This will be less isolated than a Docker action, which is actually what we need -- right now the default auditing mode does the wrong thing, since it audits the environment inside the Docker container rather than the host's.

Provide a webhook/HTTP callback for results?

This was just a random thought I had: some users might want to integrate the results of this action's workflow run(s) into other alerting systems, like a Slack channel.

Supporting every possible integration would be tedious, so we could instead allow a user to specify a URL that the action would perform an HTTP POST to if one or more vulnerabilities were found. For example:

with:
  webhook: https://some.custom.domain.example.com/pip-audit

Not sure if this is a good idea or not, but wanted to record it.
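A sketch of how the callback above could be done without creating a new problem, as an added example that is not code from gh-action-pip-audit. Two details matter to whoever would receive such a POST: the receiver needs a way to tell a genuine notification from one sent by anybody who learned the URL, so the body is signed with a shared secret (HMAC-SHA256 over a canonical JSON body, checked with a constant-time comparison); and the URL is restricted to https so neither the dependency inventory nor the signed body travels in the clear. The payload shape, the `X-PipAudit-Signature` header name, the secret and the hostnames are all assumptions for this example; the sample findings are constructed in the shape pip-audit's JSON output uses for vulnerable dependencies.

```python
"""
Added example: a signed, https-only webhook notification for pip-audit findings.
Not gh-action-pip-audit's code; header name and payload layout are invented here.
"""
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample in the shape of pip-audit --format=json output entries.
SAMPLE_FINDINGS = [
    {"name": "requests", "version": "2.29.0",
     "vulns": [{"id": "GHSA-j8r2-6x86-q33q", "fix_versions": ["2.31.0"]}]},
]


def build_payload(findings: List[dict], repo: str, run_id: str) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so the receiver can recompute
    the signature over exactly the bytes it received, whatever its serializer."""
    body = {
        "repository": repo,
        "run_id": run_id,
        "vulnerable_dependencies": [
            {"name": f["name"], "version": f["version"],
             "vuln_ids": [v["id"] for v in f["vulns"]]}
            for f in findings
        ],
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def decode_payload(body: bytes) -> dict:
    return json.loads(body.decode())


def sign(secret: bytes, body: bytes) -> str:
    """Header value: algorithm prefix plus hex HMAC, the convention GitHub's own
    webhooks use, so receivers can reuse existing verification code."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side. compare_digest, never ==, so timing does not leak the MAC."""
    return hmac.compare_digest(sign(secret, body), header_value)


def prepare_request(url: str, secret: bytes, body: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Validate the destination and attach the signature; returns the pieces of
    the request so they can be inspected without touching the network."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"webhook must be an https URL, got {url!r}")
    headers = {"Content-Type": "application/json",
               "X-PipAudit-Signature": sign(secret, body)}
    return url, headers, body


def notify(url: str, secret: bytes, findings: List[dict], repo: str, run_id: str,
           timeout: float = 10.0) -> int:
    """POST only when there is something to report. Returns the HTTP status,
    or 0 when no request was made."""
    if not findings:
        return 0
    url, headers, body = prepare_request(url, secret, build_payload(findings, repo, run_id))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # network call
        return resp.status


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = build_payload(SAMPLE_FINDINGS, "example-org/example-repo", "12345")
    _, headers, _ = prepare_request("https://hooks.example.com/pip-audit", secret, body)
    print(headers["X-PipAudit-Signature"], verify(secret, body, headers["X-PipAudit-Signature"]))
```

The secret would live in the calling workflow's secrets, not in the action's inputs, and a receiver that cannot verify the signature should drop the message rather than alert on it.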

Action fails for Python 3.8+

Current behavior

When running the action against Python 3.8-3.10, the action fails due to a missing output file. After enabling debugging, it appears this is due to a breaking change in the cyclonedx-python-lib dependency. The action did not fail for Python 3.7, which resolves an older version of this dependency.

Expected behavior

I would expect the action to pass or else print the relevant vulnerabilities causing failure

Steps to reproduce

  1. Define an automation like
jobs:
  build_tests:
    strategy:
      matrix:
        python-version: [ 3.7, 3.8, 3.9, "3.10" ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Build Tools
        run: |
          python -m pip install --upgrade build wheel setuptools pip
      - name: Install package
        run: |
          pip install .
      - uses: pypa/[email protected]
  2. Observe that build_tests (3.7) exits with a valid result while the other runs fail with FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'

Relevant context

I diagnosed the issue with this action run. Relevant logs:

DEBUG: running: pip-audit ['--progress-spinner=off', '--format=markdown', '--cache-dir=/tmp/pip-audit-cache', '--desc', '--output=/tmp/pip-audit-output.txt', '--verbose', '--ignore-vuln', 'PYSEC-2023-228', '--ignore-vuln', 'GHSA-9wx4-h78v-vm56', '--ignore-vuln', 'GHSA-34jh-p97f-mpxf', '--vulnerability-service', 'pypi']
DEBUG: Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/__main__.py", line 6, in <module>
    from pip_audit._cli import audit
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_cli.py", line 26, in <module>
    from pip_audit._format import (
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/__init__.py", line 6, in <module>
    from .cyclonedx import CycloneDxFormat
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/cyclonedx.py", line 13, in <module>
    from cyclonedx.parser import BaseParser
ModuleNotFoundError: No module named 'cyclonedx.parser'

❌ pip-audit found one or more problems
Traceback (most recent call last):
  File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.0/action.py", line 134, in <module>
    with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
Error: Process completed with exit code 1.

I was able to make the automation use cyclonedx~=4.0 which got the automation passing.

Error when pip-audit fails without creating /tmp/pip-audit-output.txt

Hi,

I encountered the following error while using this action in one of my workflows:

Traceback (most recent call last):
  File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.5/action.py", line 138, in <module>
    with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'

Error: Process completed with exit code 1.

Looking at the code, we make the assumption that /tmp/pip-audit-output.txt exists whenever status.returncode != 0. Whenever pip-audit fails without creating a file, we get the above error which hides the original error returned by pip-audit (if it did return an error).
https://github.com/pypa/gh-action-pip-audit/blob/main/action.py#L138

I have no insight into the pip-audit source, so I don't know what kinds of errors can occur. Maybe we should log stderr in case the subprocess fails?

Best regards
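One way to implement the suggestion above (keep stderr, and do not assume the output file exists just because the exit status is non-zero), as an added example that is not the action's action.py. The point it demonstrates is the distinction the wrapper currently cannot make: pip-audit exiting 1 because it found vulnerabilities and wrote a report, versus pip-audit crashing before writing anything. In the second case the report is missing and the useful diagnostic is in stderr, so that is what the step should print. The result type, the output path handling and the two stand-in commands (small `python -c` scripts that imitate the two outcomes) are constructed for this example.

```python
"""
Added example: run an audit tool, surface its stderr, and tell "findings" apart
from "crashed before writing the report". Not gh-action-pip-audit's code.
"""
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuditResult:
    returncode: int
    report: Optional[str]   # contents of the output file, or None if it was never written
    stderr: str
    stdout: str

    @property
    def tool_crashed(self) -> bool:
        # Non-zero exit with no report means the tool died before writing:
        # distinguish that from "exit 1 because vulnerabilities were found".
        return self.returncode != 0 and self.report is None


def fresh_output_path() -> str:
    """A per-call temporary path, so a stale report from an earlier run can
    never be read as this run's result."""
    return os.path.join(tempfile.mkdtemp(prefix="pip-audit-"), "pip-audit-output.txt")


def run_audit(cmd: List[str], output_path: str, timeout: float = 600) -> AuditResult:
    try:
        os.remove(output_path)
    except FileNotFoundError:
        pass
    proc = subprocess.run(cmd, capture_output=True, timeout=timeout, check=False)
    # Tool output is bytes; decode leniently so a truncated multi-byte character
    # in a diagnostic cannot raise a UnicodeDecodeError of its own here.
    stdout = proc.stdout.decode("utf-8", errors="replace")
    stderr = proc.stderr.decode("utf-8", errors="replace")
    report = None
    if os.path.exists(output_path):
        with open(output_path, encoding="utf-8", errors="replace") as fh:
            report = fh.read()
    return AuditResult(proc.returncode, report, stderr, stdout)


def summarize(result: AuditResult) -> str:
    """The message the step should end with for each of the three outcomes."""
    if result.tool_crashed:
        return ("pip-audit exited with status %d without producing a report; stderr follows:\n%s"
                % (result.returncode, result.stderr.rstrip()))
    if result.returncode != 0:
        return "pip-audit found one or more problems:\n" + (result.report or "")
    return "pip-audit found no known vulnerabilities"


# Constructed stand-ins for pip-audit so the example runs offline: the first
# writes a report and exits 1 (findings), the second crashes before writing.
def fake_audit_with_findings(output_path: str) -> List[str]:
    return [sys.executable, "-c",
            "import sys; open(sys.argv[1], 'w').write('requests 2.29.0 GHSA-j8r2-6x86-q33q\\n'); sys.exit(1)",
            output_path]


def fake_audit_crash(output_path: str) -> List[str]:
    return [sys.executable, "-c",
            "import sys; sys.stderr.write('ModuleNotFoundError: No module named x\\n'); sys.exit(1)",
            output_path]


if __name__ == "__main__":
    out = fresh_output_path()
    print(summarize(run_audit(fake_audit_with_findings(out), out)))
    print(summarize(run_audit(fake_audit_crash(out), out)))
```

Removing any pre-existing output file before the run matters for the same reason as the stderr capture: on a self-hosted runner a leftover /tmp/pip-audit-output.txt from a previous job would otherwise be reported as this job's result.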

Make sure that the Python is new enough

pip-audit only supports Python 3.7+.

Now that we're switching to a composite action (#9), we're relying on the environment's Python, which might be too old. So we should add an additional sanity check.

pip-audit >= 2.5.0 looks to give inconsistent errors about unexpected end of data

Tested with pip-audit 2.5.0, 2.5.1 and 2.5.2: random runs fail with the error message below but succeed on re-run. Reverting to pip-audit==2.4.13 resolved the errors.

[Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
⚠️ pip-audit did not return any output
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/__main__.py", line 8, in <module>
    audit()
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_cli.py", line 449, in audit
    for spec, vulns in auditor.audit(source):
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_audit.py", line 67, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_service/interface.py", line 154, in query_all
    for spec in specs:
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_dependency_source/requirement.py", line 113, in collect
    yield from self._collect_from_files([Path(f.name) for f in tmp_files])
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_dependency_source/requirement.py", line 147, in _collect_from_files
    ve.create(ve_dir)
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/venv/__init__.py", line 71, in create
    self.post_setup(context)
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_virtual_env.py", line 124, in post_setup
    run(package_install_cmd, log_stdout=True, state=self._state)
  File "/opt/hostedtoolcache/Python/3.7.16/x64/lib/python3.7/site-packages/pip_audit/_subprocess.py", line 68, in run
    return stdout.decode("utf-8")
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe2 in position 4140: unexpected end of data
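What that message means, and how to decode a child process's output so it cannot occur, as an added example that is not pip-audit's _subprocess.run. "unexpected end of data" is the codec's wording for a byte buffer that stops in the middle of a multi-byte sequence: 0xe2 is the lead byte of a three-byte UTF-8 character, so whatever was handed to .decode() ended right after it. The call site in the traceback is the pip install that post_setup runs with log_stdout=True, and pip's progress bar is drawn with the three-byte box-drawing character shown in the log above, which makes it a plausible source of such bytes; the reason the buffer was cut short is not visible on the page. The fix that does not depend on why the cut happened is an incremental decoder, which carries a partial character across chunk boundaries and only has to decide about a dangling partial character at end of stream. The sample bytes and chunk sizes are constructed.

```python
"""
Added example: reproduce "unexpected end of data" on a buffer cut mid-character
and decode chunked UTF-8 output robustly instead. Not pip-audit's code.
"""
import codecs
from typing import Iterable, List

# Constructed sample: pip's progress bar uses U+2501 '━', which is b'\xe2\x94\x81'.
SAMPLE_STDOUT = "Downloading ━━━━ 52.9/52.9 kB\n".encode("utf-8")


def chunked(data: bytes, size: int) -> Iterable[bytes]:
    """Split a byte string into fixed-size chunks, as a pipe reader would."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def naive_decode_chunks(chunks: Iterable[bytes]) -> str:
    """Decodes each chunk on its own: raises as soon as a chunk boundary falls
    inside a multi-byte character, the class of failure in the report above."""
    return "".join(c.decode("utf-8") for c in chunks)


def incremental_decode_chunks(chunks: Iterable[bytes], truncated_ok: bool = True) -> str:
    """Carries partial sequences across chunk boundaries. At end of stream a
    dangling partial character becomes U+FFFD (truncated_ok) or raises."""
    dec = codecs.getincrementaldecoder("utf-8")(errors="replace" if truncated_ok else "strict")
    out: List[str] = [dec.decode(c) for c in chunks]
    out.append(dec.decode(b"", final=True))  # flush the decoder's buffer
    return "".join(out)


def describe_decode_error(data: bytes) -> str:
    """Report the codec's reason and the offending byte, as the issue's message does."""
    try:
        data.decode("utf-8")
        return "decodes cleanly"
    except UnicodeDecodeError as e:
        return f"{e.reason} at byte {e.start} (0x{data[e.start]:02x})"


if __name__ == "__main__":
    print(describe_decode_error(SAMPLE_STDOUT[:13]))   # buffer cut right after the first 0xe2
    try:
        naive_decode_chunks(chunked(SAMPLE_STDOUT, 13))
    except UnicodeDecodeError as e:
        print("per-chunk decode failed:", e.reason)
    print(incremental_decode_chunks(chunked(SAMPLE_STDOUT, 13)))
    print(repr(incremental_decode_chunks(chunked(SAMPLE_STDOUT[:13], 13))))
```

Whether to replace or to raise at end of stream is a policy choice: for a subprocess whose output is only being logged, a U+FFFD in a progress bar is harmless, whereas a strict decode turns a cosmetic truncation into a failed audit run, which is what the reporter observed.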

Use the built in debugging functionality in GHA?

We currently have an internal input (internal-be-careful-debug) that can be used to enable some additional debugging statements + verbosity. But GitHub Actions has an official debugging mechanism, involving a secret named ACTIONS_STEP_DEBUG and the special ::debug::{message} print syntax. Maybe we should just use that instead.
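What switching to the runner's mechanism looks like from a Python action, as an added example that is not the action's code. Two documented facts are relied on: when step debug logging is enabled the runner sets RUNNER_DEBUG=1 in every step's environment, and a line of the form `::debug::message` on stdout is shown only when that logging is on. The part a security-minded implementer should not skip is the escaping: a workflow command is terminated by a newline, so any data echoed into a message (a package name, a requirement line, a line of pip-audit output) must have `%`, CR and LF replaced by `%25`, `%0D` and `%0A`, the rules @actions/core applies, or the data can start a second command of its own. The helper names and the hostile sample string are mine.

```python
"""
Added example: emit ::debug:: workflow commands gated on RUNNER_DEBUG, with the
escaping that stops logged data from injecting further commands. Not the
action's own code.
"""
import os
from typing import Mapping, Optional

# Order matters: '%' first, otherwise the '%' introduced by the other two
# replacements would itself be re-escaped.
_DATA_ESCAPES = (("%", "%25"), ("\r", "%0D"), ("\n", "%0A"))


def escape_data(message: str) -> str:
    """Escape message text for use as workflow-command data."""
    for raw, esc in _DATA_ESCAPES:
        message = message.replace(raw, esc)
    return message


def debug_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """True when the runner has step debug logging on (ACTIONS_STEP_DEBUG set)."""
    env = os.environ if env is None else env
    return env.get("RUNNER_DEBUG") == "1"


def format_command(command: str, message: str) -> str:
    """One workflow command on one line; the escaping guarantees the one line."""
    return f"::{command}::{escape_data(message)}"


def debug(message: str, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Print and return the ::debug:: line when debugging is on, else None.
    Returning the line lets callers check behaviour without capturing stdout."""
    if not debug_enabled(env):
        return None
    line = format_command("debug", message)
    print(line)
    return line


# Constructed: an "untrusted" string, such as a package name from a requirements
# file, that would inject a separate ::error:: command if echoed unescaped.
HOSTILE_INPUT = "requests\n::error::fake failure"


if __name__ == "__main__":
    print(repr(debug("running: pip-audit --format=markdown", {"RUNNER_DEBUG": "1"})))
    print(repr(debug("not shown", {})))
    print(format_command("debug", HOSTILE_INPUT))
```

With this in place the internal-be-careful-debug input becomes redundant: a user re-runs the failed job with "Enable debug logging" and the same lines appear, and nothing in the audited project's metadata can forge a runner command through the log.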
