phylum-dev / cli

Command line interface for the Phylum API
https://phylum.io
GNU General Public License v3.0

`phylum package` command output errors #1352

Closed maxrake closed 6 months ago

maxrake commented 6 months ago

Overview

Starting with CLI v6.1.0, the phylum package command fails to provide expected output for some (older?) packages. Instead, it shows error output of the form:

❗ Error: missing field `severity` at line 1 column 1520

How To Reproduce


```
# Show the expected output with CLI v6.0.1
❯ phylum --version
phylum v6.0.1

# This is the latest release of the package
❯ phylum package pypi phylum 0.42.1
Package Name: phylum
Package Version: 0.42.1
License: GPL-3.0-or-later
Last updated: 2024-01-05T19:01:52.454+00:00
Num Deps: 0
Num Vulns: 0
Ecosystem: pypi
Risk Vectors:
  Total Risk: 100
  Author Risk: 100
  Engineering Risk: 100
  License Risk: 100
  Malicious Code Risk: 100
  Vulnerability Risk: 100

# This is an older release of the package
❯ phylum package pypi phylum 0.42.0
Package Name: phylum
Package Version: 0.42.0
License: GPL-3.0-or-later
Last updated: 2023-12-13T18:17:16.447+00:00
Num Deps: 0
Num Vulns: 1
Ecosystem: pypi
Risk Vectors:
  Total Risk: 95
  Author Risk: 100
  Engineering Risk: 100
  License Risk: 80
  Malicious Code Risk: 100
  Vulnerability Risk: 100
Issues:
  low Commercial license risk detected in phylum@0.42.0 [LIC]
  ### Summary
  This package is made available under the **GPL-3.0**, **GPL-3.0+**, **GPL-3.0-only**, or **GPL-3.0-or-later** licenses, which may pose a problem to commercial use.
  ### Recommendation
  Review the licenses used by this package to determine whether it is suitable for your project.

# Update to CLI v6.1.0
❯ phylum update
---TRIMMED---

# The latest release of the package, with no issues to report, has expected output
❯ phylum package pypi phylum 0.42.1
Package Name: phylum
Package Version: 0.42.1
License: GPL-3.0-or-later
Last updated: 2024-01-05T19:01:52.454+00:00
Num Deps: 0
Num Vulns: 0
Ecosystem: pypi
Risk Vectors:
  Total Risk: 100
  Author Risk: 100
  Engineering Risk: 100
  License Risk: 100
  Malicious Code Risk: 100
  Vulnerability Risk: 100

# The older release of the package, with one issue, has an error output now
❯ phylum package pypi phylum 0.42.0
❗ Error: missing field `severity` at line 1 column 1520
```

Expected Behavior

The phylum package command provides output instead of an error for all valid packages known to Phylum.

Additional Context

The difference between package versions with valid output and those with error output appears to be that the valid output happens when there are no issues to report and the error output occurs when there are issues.

The command works as expected in CLI v6.0.1, indicating the breaking change was introduced in the v6.1.0 release.

The current guess is that #1345 introduced the breaking change.

This behavior is likely not limited to the phylum package command.
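The failure mode described in this issue (a client that requires a field the API has not started emitting yet, which only surfaces on packages that actually have issues) as an added example; this is not the Phylum CLI's code, the JSON shape and the `risk_level`/`tag`/`title` field names are constructed assumptions, and placing `severity` on each issue entry is inferred from the error above rather than confirmed by the page.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample API bodies (assumed shape, not the real Phylum schema).
RESPONSE_NO_ISSUES = json.dumps({
    "name": "phylum", "version": "0.42.1", "issues": []
})
# Older-style body: the issue entry carries no `severity` field.
RESPONSE_OLD_ISSUE = json.dumps({
    "name": "phylum", "version": "0.42.0",
    "issues": [{"tag": "LIC", "title": "Commercial license risk detected",
                "risk_level": "low"}]
})


@dataclass
class Issue:
    tag: str
    title: str
    risk_level: str
    severity: Optional[str] = None  # tolerated as absent in older responses


def parse_issue(obj: dict, strict: bool) -> Issue:
    """Mimic a serde-style decoder: in strict mode every field is required."""
    required = ["tag", "title", "risk_level"] + (["severity"] if strict else [])
    for key in required:
        if key not in obj:
            raise ValueError(f"missing field `{key}`")
    return Issue(obj["tag"], obj["title"], obj["risk_level"], obj.get("severity"))


def parse_package(body: str, strict: bool = True) -> dict:
    data = json.loads(body)
    # The nested requirement is only ever checked when the list is non-empty,
    # which is why issue-free packages decode fine under the strict client.
    issues = [parse_issue(i, strict) for i in data["issues"]]
    return {"name": data["name"], "version": data["version"], "issues": issues}


def outcome(body: str, strict: bool) -> str:
    """Summarise what the CLI would show for a given body and client mode."""
    try:
        pkg = parse_package(body, strict)
    except ValueError as exc:
        return f"error: {exc}"
    return f"ok: {len(pkg['issues'])} issue(s)"
```

Running `outcome` over both bodies reproduces the pattern in the report: the strict client accepts the issue-free package and rejects the one with an issue, while a client that treats the new field as optional handles both during a rollout skew between CLI and API.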

maxrake commented 6 months ago

It turns out this was a breaking change for CLI only until the corresponding changes in the API were applied to the PROD side. That happened today and this issue is no longer relevant. Closing...