requirements.txt mis-parses lines that contain --hash #369

Closed
alex opened this issue May 6, 2023 · 1 comment · Fixed by #379
Assignees
Labels
bug Something isn't working

Comments

@alex

alex commented May 6, 2023

In a requirements.txt file, a dependency may be written like:

boto3==1.26.121 --hash=sha256:f87d694c351eba1dfd19b5bef5892a1047e7adb09c57c2c00049de209a8ab55d

This specifies both the package version and the package's hash. However, Parse mishandles this and generates:

lockfile.PackageDetails{
    Name:"boto3",
    Version:"1.26.121 --hash=sha256:f87d694c351eba1dfd19b5bef5892a1047e7adb09c57c2c00049de209a8ab55d",
    Commit:"",
    Ecosystem:"PyPI",
    CompareAs:"PyPI"
}

Note how Version just contains the remainder of the line, not merely the version portion.

@G-Rath
Collaborator

G-Rath commented May 6, 2023

ah yup, I missed this section when implementing the parser (also https://pip.pypa.io/en/stable/topics/secure-installs/).

I'd say we just want to split on the first space, and use the first element - @robotdana this could be a good one for you to pick up.

@G-Rath G-Rath self-assigned this May 6, 2023
@G-Rath G-Rath added the bug Something isn't working label May 6, 2023
robotdana added a commit to robotdana/osv-scanner that referenced this issue May 12, 2023
This removes everything after the whitespace of the version to also
catch the other per-requirement options --global-option and
--config-settings and any future options that may be added

https://pip.pypa.io/en/stable/reference/requirements-file-format/#per-requirement-options

fixes: google#369
robotdana added a commit to robotdana/osv-scanner that referenced this issue May 12, 2023
While addressing google#369 I noticed the pip documentation example for --hash
used line continuations which weren't currently supported by this parser

so I've added support for multiline escapes
robotdana added a commit to robotdana/osv-scanner that referenced this issue May 12, 2023
This removes everything after the whitespace of the version to also
catch the other per-requirement options --global-option and
--config-settings and any future options that may be added

https://pip.pypa.io/en/stable/reference/requirements-file-format/#per-requirement-options

fixes: google#369

# Conflicts:
#	pkg/lockfile/parse-requirements-txt_test.go
robotdana added a commit to robotdana/osv-scanner that referenced this issue May 12, 2023
While addressing google#369 I noticed the pip documentation example for --hash
used line continuations which weren't currently supported by this parser

so I've added support for line continuations
another-rex pushed a commit that referenced this issue May 15, 2023
This removes everything after the whitespace of the version to also
catch the other per-requirement options --global-option and
--config-settings and any future options that may be added

https://pip.pypa.io/en/stable/reference/requirements-file-format/#per-requirement-options

fixes: #369

While addressing this I noticed the pip documentation example for --hash
used line continuations which weren't currently supported by this parser
so I've added support for this
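The two behaviours discussed in this thread (cutting the version at the first whitespace so per-requirement options such as --hash, --global-option and --config-settings do not leak into it, and joining backslash line continuations) are shown together below in a small Go parser. This is an added example written for this page, not osv-scanner's own parser or the code from the linked commits; the function names, the Requirement type and the sample input are made up for the example. It goes a little further than the fix described above: it uses strings.Fields rather than a split on the first space (so tabs and repeated spaces also terminate the version), it keeps the --hash values instead of discarding them, and it reports entries that lack a hash once any entry has one, since pip's hash-checking mode rejects such a file. Handling of extras ("pkg[extra]") and environment markers (";") is an assumption added here, and only the --hash=<algo>:<hex> spelling is recognised.

```go
package main

import (
	"fmt"
	"strings"
)

// Requirement is the subset of fields a scanner needs from one entry. Hashes
// are kept, not discarded with the other options, so a caller can still check them.
type Requirement struct {
	Name    string
	Version string   // the "==" pin only, never the per-requirement options
	Hashes  []string // values of --hash=<algo>:<hex>, in file order
}

// joinContinuations merges a line ending in "\" with the next one, as pip does.
func joinContinuations(text string) []string {
	var out []string
	var cur strings.Builder
	for _, raw := range strings.Split(text, "\n") {
		if strings.HasSuffix(raw, "\\") {
			cur.WriteString(strings.TrimSuffix(raw, "\\"))
			continue
		}
		cur.WriteString(raw)
		out = append(out, cur.String())
		cur.Reset()
	}
	return append(out, cur.String()) // flush a trailing continuation, if any
}

// parseLine parses one logical line; ok is false for blanks, comments and
// global options such as -r or --index-url.
func parseLine(line string) (req Requirement, ok bool) {
	if i := strings.Index(line, " #"); i >= 0 { // trailing comment
		line = line[:i]
	}
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
		return Requirement{}, false
	}
	// Everything after the first run of whitespace is a per-requirement option
	// (--hash, --global-option, ...); Fields also splits on tabs and repeated spaces.
	fields := strings.Fields(line)
	for _, f := range fields[1:] {
		if strings.HasPrefix(f, "--hash=") {
			req.Hashes = append(req.Hashes, strings.TrimPrefix(f, "--hash="))
		}
	}
	// Assumption: drop an environment marker, then take the name (before extras
	// or an operator) and the "==" pin, if there is one.
	spec, _, _ := strings.Cut(fields[0], ";")
	req.Name = spec
	if i := strings.IndexAny(spec, "[<>=!~"); i >= 0 {
		req.Name = spec[:i]
	}
	if i := strings.Index(spec, "=="); i >= 0 {
		req.Version = strings.TrimLeft(spec[i:], "=")
	}
	return req, true
}

func ParseRequirements(text string) []Requirement {
	var reqs []Requirement
	for _, line := range joinContinuations(text) {
		if req, ok := parseLine(line); ok {
			reqs = append(reqs, req)
		}
	}
	return reqs
}

// MissingHashes names the entries without a --hash once any entry has one;
// pip's hash-checking mode rejects such a file, so flag it rather than trust it.
func MissingHashes(reqs []Requirement) []string {
	var missing []string
	for _, r := range reqs {
		if len(r.Hashes) == 0 {
			missing = append(missing, r.Name)
		}
	}
	if len(missing) == len(reqs) { // no entry is hashed: hash mode not in use
		return nil
	}
	return missing
}

// sampleRequirements is constructed for this example; only the boto3 line
// comes from the issue.
const sampleRequirements = `boto3==1.26.121 --hash=sha256:f87d694c351eba1dfd19b5bef5892a1047e7adb09c57c2c00049de209a8ab55d
requests==2.31.0 \
    --hash=sha256:aaaa \
    --hash=sha256:bbbb
urllib3>=1.26  # no pin, no hash
`

func main() {
	reqs := ParseRequirements(sampleRequirements)
	fmt.Printf("%+v\nmissing --hash: %v\n", reqs, MissingHashes(reqs))
}
```

The reason this matters for a scanner rather than just for pip is visible in the issue's output: a Version of "1.26.121 --hash=sha256:..." never equals any version in a vulnerability database, so the mis-parse does not produce a false positive, it silently produces no finding at all for that package.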