Vendor new safety (#5217) #5218
Conversation
* Vendor safety==2.1.1 cleanly with ruamel.
* Apply more minimal patch to safety.
Hi @matteius! I'm Yeison from the https://pyup.io team. Thank you for the effort in integrating this new Safety major version with more features for the users. The issue is related to the new JSON structure used in Safety 2.x.x that includes further information like remediations for users using an API Key. You can learn more about the JSON output in the following docs. The parsing needs to be fixed in the following line: Line 2782 in ca38db6
It would be nice if we can output the Safety screen output to the Pipenv user, as we won't need to make a double effort rendering the results. On the other side, I think we will need to define more options here, as Safety 2.x.x now includes better handling for exit codes and a policy file that will be useful for the users. I'll be happy to contribute to this PR if you want to.
@yeisonvargasf Thanks! Sure -- if you have some spare cycles to help with this, probably the way to do this is you can fork pipenv and create a branch based on this branch
Hi @matteius! I created a draft PR with the work in progress. I'll release a new Safety version in the coming days that makes some adjustments for the integration; therefore, we will need to vendor Safety again using that version. Please note the output change; as this Safety version includes more information, I removed the pipenv output in favor of the new Safety output. On the other side, there is an issue when Safety tries to read a policy file because Safety uses pipenv/pipenv/vendor/ruamel/yaml/main.py Line 77 in 026be80
Could you look at that issue when you return to this pull request? Thanks!
@yeisonvargasf If you change that issue line
@yeisonvargasf Actually I see now you are using ruamel not for parsing toml files, but for the response of the safety json data I think -- why not use the built in python module
Yes, it's related to the top-level import. Any suggestion about how to address it? I'm not sure how the pipenv vendoring process works; any clue to go in the right direction would be great.
We are using YAML 1.2 for our policy file; sadly, as far as I'm aware pyyaml doesn't yet support YAML 1.2, and yaml doesn't belong to the python standard library, so we would need to vendor it like ruamel. By the way, I agree it would be ideal if safety did not have this dependency, but I don't see a way to achieve that at the moment. Thanks for the quick response on this; let me know your thoughts about the ruamel dependency.
@yeisonvargasf Thanks for the explanations -- I think the only way around that path import issue is to either add a patch file, which assuredly will work, or we possibly add the right regex to the
@yeisonvargasf I think I got the vendoring of ruamel sorted out the best that I can without doing an explicit patch file, which should be avoided if possible. Please have a look at this branch again as it's the latest main + your changes + my vendoring fixes.
Since this runs in a subprocess, we will need an importlib patch similar to: https://github.com/pypa/pipenv/blob/main/tasks/vendoring/patches/patched/_post_pip_import.patch#L9-L15
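The import-rewriting approach discussed above (a regex in the vendoring step instead of a hand-written patch file), as an added example that is not pipenv's own vendoring code: it assumes the `pipenv.vendor` namespace, uses constructed source lines, and handles the `from`, `import`, dotted and `as` forms a vendored library such as ruamel can contain.

```python
import re

# Assumed vendoring namespace (pipenv places vendored libraries under pipenv.vendor).
VENDOR_PREFIX = "pipenv.vendor"


def rewrite_vendored_imports(source: str, packages: tuple[str, ...]) -> str:
    """Rewrite top-level imports of `packages` so they resolve under VENDOR_PREFIX.

    Forms handled (constructed examples):
      from ruamel.yaml import YAML  -> from pipenv.vendor.ruamel.yaml import YAML
      import ruamel.yaml as ry      -> import pipenv.vendor.ruamel.yaml as ry
      import ruamel.yaml            -> import pipenv.vendor.ruamel.yaml; from pipenv.vendor import ruamel
      import ruamel                 -> from pipenv.vendor import ruamel
    Already-rewritten lines and names that merely start with a package name
    (e.g. `ruamel_ext`) are left untouched, so the rewrite is idempotent.
    """
    names = "|".join(re.escape(p) for p in packages)
    # `from pkg...`: the package must be followed by a dot or whitespace.
    from_re = re.compile(rf"^(?P<indent>[ \t]*)from[ \t]+(?P<pkg>(?:{names}))(?=[.\s])", re.M)
    # `import pkg[.sub...] [as alias]`, with nothing else on the line.
    import_re = re.compile(
        rf"^(?P<indent>[ \t]*)import[ \t]+(?P<mod>(?:{names})(?:\.\w+)*)"
        rf"(?P<alias>[ \t]+as[ \t]+\w+)?[ \t]*$",
        re.M,
    )

    def fix_from(m: re.Match) -> str:
        return f"{m['indent']}from {VENDOR_PREFIX}.{m['pkg']}"

    def fix_import(m: re.Match) -> str:
        indent, mod, alias = m["indent"], m["mod"], m["alias"]
        top = mod.split(".")[0]
        if alias:
            return f"{indent}import {VENDOR_PREFIX}.{mod}{alias}"
        if "." not in mod:
            return f"{indent}from {VENDOR_PREFIX} import {top}"
        # Keep `ruamel.yaml.X` attribute access working: load the submodule,
        # then bind the top-level name from the vendor namespace.
        return f"{indent}import {VENDOR_PREFIX}.{mod}; from {VENDOR_PREFIX} import {top}"

    source = from_re.sub(fix_from, source)
    return import_re.sub(fix_import, source)
```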
Quick opinion: I've always found default That said, in my CI builds I have since replaced
Hi @matteius! Glad to be in touch with you again; I'm sorry for the delay; we were working on improving our databases and data.
Yes, it's possible; I'll make a PR with these changes so you can review them. @matteius, once I make the PR, I'll release a new Safety version, and it'll be great if you can help me with the vendoring of that latest Safety version, so we can get everything ready to get this update done. @derula, thank you for your observation; I'll include a new non-verbose option in the output formats. However, I'll keep the Safety screen report as the default because it now offers more information about the scanned packages and more resources to read about the vulnerabilities.
Hi @matteius, I made a PR with the changes to follow your idea not to use a subprocess, and also I added a @matteius, please check if all looks good from your side with these new changes; I'll release a new Safety version in the coming days, addressing an issue related to Thanks for your patience. If you have any comments, let me know. 👍
@yeisonvargasf nice, thanks for the consideration! Defaulting to Safety's standard output definitely seems like a good idea, and having the option I think is useful for getting a quick overview of problems. You can always run the command in default mode again to get detailed information.
New pipenv check with minimal output
@matteius, thanks for the quick merging! Could you vendor Safety Let me know if you want me to help in the vendoring (happy to help if you share documentation about how to do it).
@yeisonvargasf I have updated the vendoring. If you have to do this again in the future, the process is somewhat straightforward:
@yeisonvargasf The one safety test in the project is failing because safety scans the root project virtualenv and not the one created by the test. I marked the test as skip for now, but if you have a chance, can you take a look at it? I won't let it hold up this PR since the functionality appears to be working now, but it would be good to figure out how to reinstate this test.
Thank you for contributing to Pipenv!
The issue
The new version of safety has strange output: