DataDog / guarddog

:snake: :mag: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
https://securitylabs.datadoghq.com/articles/guarddog-identify-malicious-pypi-packages/
Apache License 2.0
585 stars 43 forks

add setuptools to dependencies #412

Closed xopham closed 2 months ago

xopham commented 2 months ago

I believe guarddog technically depends on setuptools, though that is installed in most cases. To test this:

  1. Run a python container: docker run -it python /bin/bash
  2. Create an environment with bare dependencies
    cd /home
    pip install poetry
    python -m venv venv --without-pip
    . venv/bin/activate
    poetry init --quiet
    poetry add guarddog
    deactivate
  3. Activate the virtual environment and convince yourself that you are running guarddog in the venv
    guarddog  # fails because we are not in the venv
    . venv/bin/activate
    which guarddog
    guarddog
  4. guarddog fails for lack of pkg_resources

That said, it might be possible to reduce the installed part of setuptools, as is done in pip.
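The failure described in the reproduction above is a general class of bug: a module that a project imports (`pkg_resources`) is shipped by a distribution (`setuptools`) the project never declares, so it only works where that distribution happens to be present. The following is an added example, not guarddog's own code and not part of this PR, of a check that finds such undeclared imports. It parses source with `ast`, maps each top-level import to the distributions that provide it via `importlib.metadata.packages_distributions()` (Python 3.10+), and reports imports that no declared dependency covers. The sample source, installed-distribution map and declared-dependency list are constructed for the demonstration; `check_sample` is a hypothetical entry point that runs the check over them.

```python
"""Find imports a project uses that no declared dependency provides.

Added example for the setuptools/pkg_resources issue above; this is not
guarddog's own code. pkg_resources ships with the setuptools distribution,
so a project that imports it without declaring setuptools breaks in a venv
created with --without-pip (no pip, hence no setuptools)."""
import ast
import sys
from importlib import metadata


def _norm(name):
    """Normalise a distribution name so 'Setuptools' and 'setuptools' match."""
    return name.lower().replace("_", "-")


def top_level_imports(source):
    """Return the set of top-level module names imported by `source`."""
    tree = ast.parse(source)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            # Relative imports (level > 0) refer to the project itself; skip them.
            if node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return names


def undeclared_imports(imports, declared, module_to_dists=None, stdlib=None):
    """Map each imported module that is neither stdlib nor covered by a
    declared distribution to the distributions that could provide it.

    module_to_dists defaults to importlib.metadata.packages_distributions(),
    i.e. what is installed in the current environment; stdlib defaults to
    sys.stdlib_module_names (Python 3.10+). An empty provider list means no
    installed distribution provides the module at all, so the import fails."""
    if module_to_dists is None:
        module_to_dists = metadata.packages_distributions()
    if stdlib is None:
        stdlib = getattr(sys, "stdlib_module_names", frozenset())
    declared = {_norm(d) for d in declared}
    missing = {}
    for mod in sorted(imports):
        if mod in stdlib:
            continue
        providers = [_norm(d) for d in module_to_dists.get(mod, [])]
        if not any(p in declared for p in providers):
            missing[mod] = sorted(set(providers))
    return missing


# Constructed sample (hypothetical): a module that uses pkg_resources, an
# installed-distribution map, and a declared-dependency list without setuptools.
SAMPLE_SOURCE = """
import os, json
import pkg_resources
from requests import get
from .local import helper
"""
SAMPLE_INSTALLED = {"pkg_resources": ["setuptools"], "requests": ["requests"]}
SAMPLE_DECLARED = ["requests"]


def check_sample():
    """Run the check over the constructed sample; returns the undeclared map."""
    return undeclared_imports(
        top_level_imports(SAMPLE_SOURCE),
        SAMPLE_DECLARED,
        module_to_dists=SAMPLE_INSTALLED,
        stdlib={"os", "json"},
    )


if __name__ == "__main__":
    print(check_sample())  # {'pkg_resources': ['setuptools']}
```

Run against a real project, call `undeclared_imports` without the `module_to_dists` and `stdlib` arguments so it inspects the current environment; the result then tells you both which imports are undeclared and which distribution (here setuptools) should be added to the dependency list.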