Status: Closed (closed by emcd 2 years ago)
`pip freeze` shows that `stevedore==3.5.0` is installed on Python 3.7. `stevedore>=4` has a fix in it, but it is only supported on Python 3.8 and higher. Bandit says that it still supports Python 3.7, so I guess the onus is on Bandit to decide how to handle the Python 3.7 case with `stevedore`.
Hi @emcd, thanks for pointing this out. The problem has already been reported at https://bugs.launchpad.net/python-stevedore/+bug/1991559. I wonder if a fix will be incorporated in stevedore 3.x as well as 4.x.
Thanks for the update @mportesdev. I wasn't sure if it was worth reporting upstream, since it looked like they didn't care about Python 3.7 anymore. But, I'm glad someone else did report it. I see that they have ported the fix to various code-named OpenStack releases (wallaby, xena, yoga, zed); hopefully that will include a backport for `stevedore` 3.x (and hence Python 3.7).
@emcd thank you for creating this issue, I was tearing my hair out since yesterday as I couldn't find the reason behind this. Do you think updating the whole app to python 3.8 will help? Unfortunately I can't wait for official fix, and can't skip bandit check either.
@kszmigiel Until a fix is released, you can run `pip install 'importlib-metadata<5;python_version<"3.8"'` manually in the environment where bandit is installed.
@kszmigiel: I agree with @mportesdev. No need to upgrade to Python 3.8 for this. You could just put `importlib-metadata<5` into your `requirements.txt` or equivalent until upstream fixes or Michal's patch is applied to Bandit. This will give you consistency across all your versions of Python, since it is unlikely that anything actually requires `importlib-metadata>=5` yet.
`stevedore==3.5.1` was released upstream yesterday and contains a fix for this bug on Python 3.7. Closing the issue.
@emcd I'm seeing a failure to load tests when running on Python 3.7 on `stevedore` 3.5.1 (new release). Are you seeing expected functionality with that release on `importlib-metadata` 5.0.0?
$ python3 --version
Python 3.7.15
$ pip list | grep "bandit\|importlib-metadata\|stevedore"
bandit 1.7.4
importlib-metadata 5.0.0
stevedore 3.5.1
$ bandit -r .
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.15
[main] ERROR No tests would be run, please check the profile.
Good catch, @mcdonnnj. When I tested earlier, I was in a hurry and saw that `bandit --version` no longer crashed and thought we were good. But, I can reproduce the same problem as you. Definitely looks like a bug. Thanks for opening a new issue. I will upvote.
Describe the bug

Bandit depends on the `stevedore` package for extension management. That package, in turn, depends on `importlib-metadata` for the entrypoints mechanism that it uses. `importlib-metadata` 5.0.0 was recently released and apparently removed compatibility with the mechanism used by `stevedore`. The following crash now happens if `importlib-metadata` 5.0.0 is installed:

Reproduction steps

For crash:

```shell
ASDF_PYTHON_VERSION=3.7.14 python3 -m venv stevedore-bug  # or your favorite way of creating a Python virtual environment
. stevedore-bug/bin/activate  # assuming a Bourne shell-like sourcing mechanism for your shell
pip install bandit importlib-metadata
bandit --version  # crashes
```

To prove that the newest `importlib-metadata` is the culprit by constraining it:

```shell
ASDF_PYTHON_VERSION=3.7.14 python3 -m venv stevedore-workaround
. stevedore-workaround/bin/activate
pip install bandit 'importlib-metadata<5'
bandit --version  # works
```

Expected behavior

Display of Bandit version.

Bandit version: 1.7.4 (Default)
Python version: 3.7

Additional context

Have not reported upstream to the `stevedore` project yet since their issue tracker is not on GitHub. May do so later, depending on level of effort/hassle. Probably the best workaround for now is to explicitly clamp the `importlib-metadata` version.
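The report above describes the mechanism behind the break: `stevedore` enumerated entry points through an `importlib-metadata` interface that 5.0.0 removed, and the symptom on the scanner side was not a crash but an empty plugin set ("No tests would be run"). The following is an added example, written for this page and not code from Bandit, stevedore or the issue author. It shows how to enumerate entry points in a way that runs on both sides of that API change (the 5.x `select(group=...)` interface versus the older mapping interface), and a fail-closed check that a CI step can run so that a scanner whose plugin group resolves to nothing fails the pipeline instead of passing silently. The function names (`entry_points_for`, `plugin_group_loads`), the `StaticEntryPoints` stand-in class, the sample records, and the use of `bandit.plugins` as the group name are all assumptions made for illustration; the example uses the standard library `importlib.metadata`, whose 3.12 release made the same removal as the `importlib-metadata` 5.0 backport.

```python
import collections
import importlib.metadata as importlib_metadata  # stdlib; the backport package is importlib_metadata


# Minimal stand-in for an entry point record (name, "module:attr", group).
EntryPointRecord = collections.namedtuple("EntryPointRecord", "name value group")


class StaticEntryPoints:
    """Offline stand-in for the importlib-metadata 5.x ``EntryPoints`` API.

    Only ``select(**params)`` is offered; there is no dict-style access, which
    is exactly what broke callers written against the older mapping interface.
    Used here so the example runs without any real plugins installed.
    """

    def __init__(self, records):
        self._records = list(records)

    def select(self, **params):
        return [r for r in self._records
                if all(getattr(r, k) == v for k, v in params.items())]


def entry_points_for(group, eps=None):
    """Return the entry points registered under *group* on either API.

    importlib-metadata 5.0 (and Python 3.12's importlib.metadata) removed the
    mapping interface (``entry_points()[group]`` / ``.get(group)``); the
    supported call is ``entry_points().select(group=...)``. Prefer ``select``
    when present and fall back to the legacy mapping behaviour otherwise, so
    one code path works on both sides of the break. *eps* may be supplied
    explicitly (for tests or offline use); by default the live metadata of the
    running interpreter is queried.
    """
    if eps is None:
        eps = importlib_metadata.entry_points()
    if hasattr(eps, "select"):
        return list(eps.select(group=group))
    # Legacy mapping of group -> list of entry points (importlib-metadata < 3.6,
    # Python 3.8/3.9 stdlib).
    return list(eps.get(group, []))


def plugin_group_loads(group, minimum=1, eps=None):
    """Fail-closed check: True only if at least *minimum* entry points resolve.

    A scanner that finds zero plugins tends to report "nothing to run" rather
    than "broken installation"; treating an empty group as a failure keeps a
    silently neutered security gate from passing CI.
    """
    return len(entry_points_for(group, eps)) >= minimum


# Constructed sample data (not a real installation): one plugin registered
# under the assumed group name "bandit.plugins", exposed through both APIs.
SAMPLE = [EntryPointRecord("example_check", "example_pkg.checks:run", "bandit.plugins")]
LEGACY_VIEW = {"bandit.plugins": SAMPLE}   # pre-5.0 mapping interface
MODERN_VIEW = StaticEntryPoints(SAMPLE)     # 5.0+ select() interface


if __name__ == "__main__":
    import sys

    for label, view in (("legacy", LEGACY_VIEW), ("modern", MODERN_VIEW)):
        print(label, [r.name for r in entry_points_for("bandit.plugins", view)])

    # Live check against this interpreter; pass another group name as argv[1].
    group = sys.argv[1] if len(sys.argv) > 1 else "bandit.plugins"
    found = entry_points_for(group)
    print(f"{group}: {len(found)} entry point(s) in this environment")
    sys.exit(0 if plugin_group_loads(group) else 1)
```

Run stand-alone it prints the sample plugin through both interfaces and then exits nonzero unless the named group resolves in the current environment, which is the property a CI job would want to enforce before trusting a clean scan report.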