opeco17 / poetry-audit-plugin

Poetry plugin for checking vulnerabilities in dependencies 🚀
MIT License

Using --json raise local variable 'vulnerability_num' referenced before assignment #6

Closed opeco17 closed 1 year ago

opeco17 commented 1 year ago

Command

poetry audit --json

Result

{
  "vulnerabilities": [
    {
      "name": "py",
      "installedVersion": "1.11.0",
      "vulns": [
        {
          "cve": "CVE-2022-42969",
          "affectedVersion": "<=1.11.0",
          "advisory": "Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\r\nhttps://github.com/pytest-dev/py/issues/287"
        }
      ]
    }
  ],
  "metadata": {
    "auditVersion": "0.2.0",
    "poetry.lock": {
      "updated": false,
      "fresh": true
    }
  }
}

local variable 'vulnerability_num' referenced before assignment

Bug

local variable 'vulnerability_num' referenced before assignment should not appear

opeco17 commented 1 year ago

The following lines should be inside else, and should not be executed when --json is specified. https://github.com/opeco17/poetry-audit-plugin/blob/main/poetry_audit_plugin/command.py#L54-L62

Franco0700 commented 1 year ago

If you want, I can fix it while doing the ignore vulnerabilities.

Franco0700 commented 1 year ago

Also, if you put that if inside the else of self.option("json"), you will always get a return code of 0, regardless of whether you found vulnerabilities, when you pass the --json flag.
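The control-flow point raised in this thread, as an added example in Python that is not the plugin's own code: the three handler functions, the `count_vulns` helper, the `SAMPLE_RESULT` data (constructed in the shape of the --json output above) and the `(text, exit_code)` return convention are all assumptions for illustration, not poetry-audit-plugin's real API. `handle_buggy` has the shape of the reported bug, `handle_naive_fix` has the shape of the first proposed fix (everything moved into the else branch), and `handle_fixed` computes the count before branching so both output formats share the exit-code logic.

```python
import json

# Constructed sample in the shape of the `poetry audit --json` output above
# (assumption: not captured from the real tool).
SAMPLE_RESULT = {
    "vulnerabilities": [
        {
            "name": "py",
            "installedVersion": "1.11.0",
            "vulns": [
                {
                    "cve": "CVE-2022-42969",
                    "affectedVersion": "<=1.11.0",
                    "advisory": "ReDoS via a Subversion repository with crafted info data",
                }
            ],
        }
    ],
    "metadata": {"auditVersion": "0.2.0"},
}

# Constructed clean result: no packages with advisories.
EMPTY_RESULT = {"vulnerabilities": [], "metadata": {"auditVersion": "0.2.0"}}


def count_vulns(result) -> int:
    """Total number of advisories across all reported packages (helper, assumed)."""
    return sum(len(pkg["vulns"]) for pkg in result["vulnerabilities"])


def handle_buggy(result, json_output: bool):
    """Shape of the reported bug: the counter is assigned only on the text path,
    but the exit-code check after the if/else reads it on both paths."""
    if json_output:
        text = json.dumps(result, indent=2)
    else:
        vulnerability_num = count_vulns(result)
        text = f"{vulnerability_num} vulnerabilities found"
    # With --json this raises UnboundLocalError: the name is local to the
    # function (it is assigned in the else branch) but has no value here.
    return text, (1 if vulnerability_num > 0 else 0)


def handle_naive_fix(result, json_output: bool):
    """Shape of the first proposed fix: the whole check moves into the else
    branch. The error is gone, but --json now always exits 0, so a CI gate
    running `poetry audit --json` would pass vulnerable dependencies."""
    if json_output:
        return json.dumps(result, indent=2), 0
    vulnerability_num = count_vulns(result)
    return f"{vulnerability_num} vulnerabilities found", (1 if vulnerability_num > 0 else 0)


def handle_fixed(result, json_output: bool):
    """Count first, then branch only on the output format, so JSON and text
    output produce the same exit code for the same findings."""
    vulnerability_num = count_vulns(result)
    if json_output:
        text = json.dumps(result, indent=2)
    else:
        text = f"{vulnerability_num} vulnerabilities found"
    return text, (1 if vulnerability_num > 0 else 0)


def buggy_raises_on_json(result) -> bool:
    """True if the buggy shape blows up on the --json path."""
    try:
        handle_buggy(result, json_output=True)
    except UnboundLocalError:
        return True
    return False


if __name__ == "__main__":
    print("buggy raises with --json:", buggy_raises_on_json(SAMPLE_RESULT))
    print("naive fix, --json exit code:", handle_naive_fix(SAMPLE_RESULT, True)[1])
    print("fixed, --json exit code:", handle_fixed(SAMPLE_RESULT, True)[1])
    print("fixed, text exit code:", handle_fixed(SAMPLE_RESULT, False)[1])
```

The practical check for a plugin like this is that the exit code depends only on the findings, never on the output format; anything that gates a pipeline on `poetry audit --json` silently stops gating if the JSON path short-circuits to 0.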

opeco17 commented 1 year ago

Let me close this issue since it has been fixed in https://github.com/opeco17/poetry-audit-plugin/pull/8