phylum-dev / community-extensions

A collection of community extensions for the Phylum CLI
https://www.phylum.io/
GNU General Public License v3.0

Add pip ecosystem extension #16

Closed cd-work closed 1 year ago

cd-work commented 1 year ago

This patch adds an ecosystem extension for pip. This extension behaves a bit differently than the other ecosystem extensions by making use of pip's --dry-run output. Instead of analyzing the full lockfile, only the new dependencies are analyzed.
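The mechanism described in the PR, as an added illustration that is not part of the PR or the project's own code: pip's `--dry-run` ends with a single "Would install name-version ..." line listing only packages that are not yet installed, so parsing that line yields exactly the new dependencies to analyze. The sample output below is constructed, not captured from a real run, and the helper names are hypothetical.

```typescript
// Added example (not from the PR): parse pip's `--dry-run` summary line into
// the set of packages that would be newly installed, which is what the
// extension described above analyzes instead of the whole lockfile.

interface DryRunPackage {
  name: string;
  version: string;
}

// pip prints one line of the form
//   Would install charset-normalizer-3.3.2 idna-3.6 requests-2.31.0
// Package names may themselves contain hyphens; PEP 440 versions never do,
// so splitting on the LAST hyphen recovers name and version correctly.
function parseDryRunOutput(output: string): DryRunPackage[] {
  const pkgs: DryRunPackage[] = [];
  for (const raw of output.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line.startsWith("Would install ")) continue;
    for (const token of line.slice("Would install ".length).split(/\s+/)) {
      if (token.length === 0) continue;
      const cut = token.lastIndexOf("-");
      if (cut <= 0 || cut === token.length - 1) {
        throw new Error(`unexpected dry-run token: ${token}`);
      }
      pkgs.push({ name: token.slice(0, cut), version: token.slice(cut + 1) });
    }
  }
  return pkgs;
}

// Constructed sample resembling `pip install --dry-run requests` output
// (hypothetical, not captured from a real run). Lines before the summary,
// such as "Collecting" / "Using cached", are ignored by the parser.
const SAMPLE_OUTPUT = `Collecting requests
  Using cached requests-2.31.0-py3-none-any.whl (62 kB)
Would install charset-normalizer-3.3.2 idna-3.6 requests-2.31.0 urllib3-2.2.0`;

// Render the new dependencies as "name@version" strings (a display form
// chosen for this example, not a claim about the Phylum API).
function newDependencies(output: string): string[] {
  return parseDryRunOutput(output).map((p) => `${p.name}@${p.version}`);
}
```

When nothing new would be installed, pip prints no "Would install" line and the parser returns an empty list, so there is nothing to submit.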

maxrake commented 1 year ago

@cd-work and I worked through the macOS issue together on a screenshare. It turned out to be a permission issue where the ~/.pyenv directory required write access. After re-testing, it works on my setup now. There is still the possibility that other "unique" Python setups will cause similar issues (pyenv is just one of many, after all), but those can be addressed as they come up.

Also, the "current directory" issue was resolved by using the latest CLI from source instead of the latest released version. That means this extension will require a new CLI release (v4.3.0?) and then that release will be the minimum required version.

matt-phylum commented 1 year ago

In the screenshot there is a permission denied error accessing ~/.pyenv and accessing ./.venv, but the PR only adds write access for one of them.

On my system I didn't need write access with virtual environments, but there was a bug in the way cli was generating the sandbox rules such that it wasn't granting read access to directories that it was granting execute access to. Having write access to the virtual environment seems a little scary because you could redefine python during the dry run. Even if we detect it's a bad package and stop installation, the next time the user tried to do anything with python in that virtual environment (or outside if it's ~/.pyenv) they would be executing the modified code.

cd-work commented 1 year ago

@matt-phylum There was no write access required to ./.venv. The virtual environment issue was the same as yours and could be resolved after updating the CLI.

cd-work commented 1 year ago

I'm worried about write access to ~/.pyenv during the dry run, but if there's no way to constrain it we might not be able to do better.

Unfortunately it's part of pyenv's design to overwrite itself on execution. So I don't see a way around it.