Merge remote-tracking branch 'origin/main' into ww/py312

pypa · Nov 25, 2023 · d80a536 · d80a536
2 parents 62a386b + 477a41e
commit d80a536
Show file tree

Hide file tree

Showing 40 changed files with 1,118 additions and 2,405 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
           - "3.12"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.1
 
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,7 +9,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@v4.1.1 # v3.3.0
 
       - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
         with:
@@ -26,7 +26,7 @@ jobs:
         run: |
           make doc
       - name: upload docs artifact
-        uses: actions/upload-pages-artifact@253fd476ed429e83b7aae64a92a75b4ceb1a17cf # v1.0.7
+        uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
         with:
           path: ./html/
 
@@ -47,4 +47,4 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - id: deployment
-        uses: actions/deploy-pages@0243b6c10d06cb8e95ed8ee471231877621202c0 # v1.2.4
+        uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,7 +10,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.1
 
       - uses: actions/setup-python@v4
         with:
@@ -24,7 +24,7 @@ jobs:
   check-readme:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.1
 
       - uses: actions/setup-python@v4
         # NOTE(ww): Important: use pip-audit's minimum supported Python version

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,19 +5,22 @@ on:
 
 name: release
 
-permissions:
-  # Used to sign the release's artifacts with sigstore-python.
-  id-token: write
-
-  # Used to attach signing artifacts to the published release.
-  contents: write
-
 jobs:
   pypi:
     name: upload release to PyPI
     runs-on: ubuntu-latest
+    environment: release
+
+    permissions:
+      # Used to authenticate to PyPI via OIDC.
+      # Used to sign the release's artifacts with sigstore-python.
+      id-token: write
+
+      # Used to attach signing artifacts to the published release.
+      contents: write
+
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4.1.1
 
     - uses: actions/setup-python@v4
       with:
@@ -34,12 +37,9 @@ jobs:
 
     - name: publish
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_TOKEN }}
 
     - name: sign
-      uses: sigstore/gh-action-sigstore-python@v1.2.1
+      uses: sigstore/gh-action-sigstore-python@v2.1.0
       with:
         inputs: ./dist/*.tar.gz ./dist/*.whl
         release-signing-artifacts: true
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -22,12 +22,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        uses: actions/checkout@v4.1.1 # tag=v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # tag=v2.1.2
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -40,14 +40,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # tag=v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # tag=v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # tag=v2.2.4
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v2.13.4
         with:
           sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -27,7 +27,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.4.15
+    rev: v2.6.1
     hooks:
       - id: pip-audit
   - repo: https://github.com/rhysd/actionlint

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,12 +8,95 @@ All versions prior to 0.0.9 are untracked.
 
 ## [Unreleased]
 
+## [2.6.1]
+
+### Fixed
+
+* Fixed a crash on Windows caused by `pip-audit`'s use of temporary files
+  ([#647](https://github.com/pypa/pip-audit/pull/647))
+
+## [2.6.0]
+
+### Added
+
+* Added option to skip dependency resolution via `pip` with the `--disable-pip`
+  flag. This option can only be used with hashed requirements files or when the
+  `--no-deps` flag has been provided
+  ([#610](https://github.com/pypa/pip-audit/pull/610))
+
+## [2.5.6]
+
+### Fixed
+
+* Fixed a crash caused by incompatible dependency changes
+  ([#617](https://github.com/pypa/pip-audit/pull/617))
+
+## [2.5.5]
+
+### Fixed
+
+* Fixed a crash caused by incompatible dependency changes
+  ([#605](https://github.com/pypa/pip-audit/pull/605))
+
+## [2.5.4]
+
+### Changed
+
+* Refactored `index-url` option to not override user pip config by default,
+  unless specified ([#565](https://github.com/pypa/pip-audit/pull/565))
+
+### Fixed
+
+* Fixed bug with the `--fix` flag where new requirements were sometimes being
+  appended to requirement files instead of patching the existing requirement
+  ([#577](https://github.com/pypa/pip-audit/pull/577))
+
+* Fixed a crash caused by auditing requirements files that refer to other
+  requirements files ([#568](https://github.com/pypa/pip-audit/pull/568))
+
+## [2.5.3]
+
+### Changed
+
+* Further simplified `pip-audit`'s dependency resolution to remove inconsistent
+  behaviour when using hashed requirements or the `--no-deps` flag
+  ([#540](https://github.com/pypa/pip-audit/pull/540))
+
+### Fixed
+
+* Fixed a crash caused by invalid UTF-8 sequences in subprocess outputs
+  ([#572](https://github.com/pypa/pip-audit/pull/572))
+
+## [2.5.2]
+
+### Fixed
+
+* Fixed a loose dependency constraint for CycloneDX SBOM generation
+  ([#558](https://github.com/pypa/pip-audit/pull/558))
+
+## [2.5.1]
+
+### Fixed
+
+* Fixed a crash on Windows caused by multiple open file handles to
+  input requirements ([#551](https://github.com/pypa/pip-audit/pull/551))
+
+## [2.5.0]
+
 ### Changed
 
 * Improved error messaging when a requirements input or indirect dependency
   has an invalid (non-PEP 440) requirements specifier
   ([#507](https://github.com/pypa/pip-audit/pull/507))
 
+* `pip-audit`'s handling of dependency resolution has been significantly
+  refactored and simplified ([#523](https://github.com/pypa/pip-audit/pull/523))
+
+### Fixed
+
+* Fixed a potential crash on invalid unicode in subprocess streams
+  ([#536](https://github.com/pypa/pip-audit/pull/536))
+
 ## [2.4.15]
 
 **YANKED**
@@ -457,7 +540,16 @@ All versions prior to 0.0.9 are untracked.
   dependency errors ([#146](https://github.com/pypa/pip-audit/pull/146))
 
 <!-- Release URLs -->
-[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.4.15...HEAD
+[Unreleased]: https://github.com/pypa/pip-audit/compare/v2.6.0...HEAD
+[2.6.1]: https://github.com/pypa/pip-audit/compare/v2.6.0...v2.6.1
+[2.6.0]: https://github.com/pypa/pip-audit/compare/v2.5.6...v2.6.0
+[2.5.6]: https://github.com/pypa/pip-audit/compare/v2.5.5...v2.5.6
+[2.5.5]: https://github.com/pypa/pip-audit/compare/v2.5.4...v2.5.5
+[2.5.4]: https://github.com/pypa/pip-audit/compare/v2.5.3...v2.5.4
+[2.5.3]: https://github.com/pypa/pip-audit/compare/v2.5.2...v2.5.3
+[2.5.2]: https://github.com/pypa/pip-audit/compare/v2.5.1...v2.5.2
+[2.5.1]: https://github.com/pypa/pip-audit/compare/v2.5.0...v2.5.1
+[2.5.0]: https://github.com/pypa/pip-audit/compare/v2.4.15...v2.5.0
 [2.4.15]: https://github.com/pypa/pip-audit/compare/v2.4.14...v2.4.15
 [2.4.14]: https://github.com/pypa/pip-audit/compare/v2.4.13...v2.4.14
 [2.4.13]: https://github.com/pypa/pip-audit/compare/v2.4.12...v2.4.13

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -43,9 +43,7 @@ make lint
 
 `pip-audit` is automatically linted and formatted with a collection of tools:
 
-* [`black`](https://github.com/psf/black): Code formatting
-* [`isort`](https://github.com/PyCQA/isort): Import sorting, ordering
-* [`ruff`](https://github.com/charliermarsh/ruff): PEP-8 linting, style enforcement
+* [`ruff`](https://github.com/charliermarsh/ruff): Formatting, PEP-8 linting, style enforcement
 * [`mypy`](https://mypy.readthedocs.io/en/stable/): Static type checking
 * [`interrogate`](https://interrogate.readthedocs.io/en/latest/): Documentation coverage
 

diff --git a/Makefile b/Makefile
@@ -56,8 +56,7 @@ $(VENV)/pyvenv.cfg: pyproject.toml
 .PHONY: lint
 lint: $(VENV)/pyvenv.cfg
 	. $(VENV_BIN)/activate && \
-		black --check $(ALL_PY_SRCS) && \
-		isort --check $(ALL_PY_SRCS) && \
+		ruff format --check $(ALL_PY_SRCS) && \
 		ruff $(ALL_PY_SRCS) && \
 		mypy $(PY_MODULE) && \
 		interrogate -c pyproject.toml .
@@ -66,9 +65,7 @@ lint: $(VENV)/pyvenv.cfg
 reformat:
 	. $(VENV_BIN)/activate && \
 		ruff --fix $(ALL_PY_SRCS) && \
-		black $(ALL_PY_SRCS) && \
-		isort $(ALL_PY_SRCS)
-
+		ruff format $(ALL_PY_SRCS)
 .PHONY: test tests
 test tests: $(VENV)/pyvenv.cfg
 	. $(VENV_BIN)/activate && \

diff --git a/README.md b/README.md
@@ -106,7 +106,7 @@ For example, using `pip-audit` via `pre-commit` to audit a requirements file:
 
 ```yaml
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.4.15
+    rev: v2.6.1
     hooks:
       -   id: pip-audit
           args: ["-r", "requirements.txt"]
@@ -136,6 +136,7 @@ usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENT] [-f FORMAT] [-s SERVICE] [-d]
                  [--path PATH] [-v] [--fix] [--require-hashes]
                  [--index-url INDEX_URL] [--extra-index-url URL]
                  [--skip-editable] [--no-deps] [-o FILE] [--ignore-vuln ID]
+                 [--disable-pip]
                  [project_path]
 
 audit the Python environment for dependencies with known vulnerabilities
@@ -190,8 +191,8 @@ optional arguments:
   --index-url INDEX_URL
                         base URL of the Python Package Index; this should
                         point to a repository compliant with PEP 503 (the
-                        simple repository API) (default:
-                        https://pypi.org/simple/)
+                        simple repository API); this will be resolved by pip
+                        if not specified (default: None)
   --extra-index-url URL
                         extra URLs of package indexes to use in addition to
                         `--index-url`; should follow the same rules as
@@ -206,6 +207,9 @@ optional arguments:
   --ignore-vuln ID      ignore a specific vulnerability by its vulnerability
                         ID; this option can be used multiple times (default:
                         [])
+  --disable-pip         don't use `pip` for dependency resolution; this can
+                        only be used with hashed requirements files or if the
+                        `--no-deps` flag has been provided (default: False)
 ```
 <!-- @end-pip-audit-help@ -->
 
@@ -463,6 +467,21 @@ exitcode="${?}"
 
 See [Exit codes](#exit-codes) for a list of potential codes that need handling.
 
+### Reporting only fixable vulnerabilities
+In development workflows, you may want to ignore the vulnerabilities that haven't been remediated yet and only investigate them in your release process. `pip-audit` does not support ignoring unfixed vulnerabilities. However, you can export its output in JSON format and externally process it. For example, if you want to exit with a non-zero code only when the detected vulnerabilities have known fix versions, you can process the output using [jq](https://github.com/jqlang/jq) as:
+
+```shell
+test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null | jq '.dependencies[].vulns[].fix_versions[]')"
+```
+
+A simple (and inefficient) example of using this method would be:
+
+```shell
+test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null | jq '.dependencies[].vulns[].fix_versions[]')" || pip-audit -r requirements.txt
+```
+
+which runs `pip-audit` as usual and exits with a non-zero code only if there are fixed versions for the known vulnerabilities.
+
 ## Security Model
 
 This section exists to describe the security assumptions you **can** and **must not**

diff --git a/pip_audit/__init__.py b/pip_audit/__init__.py
@@ -2,4 +2,4 @@
 The `pip_audit` APIs.
 """
 
-__version__ = "2.4.15"
+__version__ = "2.6.1"
diff --git a/pip_audit/_cache.py b/pip_audit/_cache.py
@@ -84,7 +84,7 @@ class _SafeFileCache(FileCache):
 
     def __init__(self, directory: Path):
         self._logged_warning = False
-        super().__init__(directory)
+        super().__init__(str(directory))
 
     def get(self, key: str) -> Any | None:
         try:
@@ -142,7 +142,7 @@ def delete(self, key: str) -> None:  # pragma: no cover
                 self._logged_warning = True
 
 
-def caching_session(cache_dir: Path | None, *, use_pip: bool = False) -> CacheControl:
+def caching_session(cache_dir: Path | None, *, use_pip: bool = False) -> requests.Session:
     """
     Return a `requests` style session, with suitable caching middleware.