search

pypa / gh-action-pip-audit

A GitHub Action for pip-audit
https://github.com/marketplace/actions/gh-action-pip-audit
Apache License 2.0
68 stars 12 forks source link

Action fails for Python 3.8+ #46

Closed NeonDaniel closed 5 months ago

NeonDaniel commented 5 months ago

Current behavior

When running the action against Python 3.8-3.10, the action fails due to a missing output file. After enabling debugging, it appears this is due to a breaking change in the cyclonedx-python-lib dependency. The issue did not fail for Python 3.7 which resolves an older version of this dependency.

Expected behavior

I would expect the action to pass or else print the relevant vulnerabilities causing failure

Steps to reproduce

  1. Define an automation like 
    jobs:
build_tests:
strategy:
  matrix:
    python-version: [ 3.7, 3.8, 3.9, "3.10" ]
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v4
  - name: Setup Python
    uses: actions/setup-python@v5
    with:
      python-version: ${{ matrix.python-version }}
  - name: Install Build Tools
    run: |
      python -m pip install --upgrade build wheel setuptools pip
  - name: Install package
    run: |
      pip install .
  - uses: pypa/gh-action-pip-audit@v1.0.0
  2. Observe build_tests (3.7) will exit with a valid result while the other runs will fail with FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'

Relevant context

I diagnosed the issue with this action run. Relevant logs:

DEBUG: running: pip-audit ['--progress-spinner=off', '--format=markdown', '--cache-dir=/tmp/pip-audit-cache', '--desc', '--output=/tmp/pip-audit-output.txt', '--verbose', '--ignore-vuln', 'PYSEC-2023-228', '--ignore-vuln', 'GHSA-9wx4-h78v-vm56', '--ignore-vuln', 'GHSA-34jh-p97f-mpxf', '--vulnerability-service', 'pypi']
DEBUG: Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/__main__.py", line 6, in <module>
    from pip_audit._cli import audit
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_cli.py", line 26, in <module>
    from pip_audit._format import (
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/__init__.py", line 6, in <module>
    from .cyclonedx import CycloneDxFormat
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/cyclonedx.py", line 13, in <module>
    from cyclonedx.parser import BaseParser
ModuleNotFoundError: No module named 'cyclonedx.parser'

❌ pip-audit found one or more problems
Traceback (most recent call last):
  File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.0/action.py", line 134, in <module>
    with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
Error: Process completed with exit code 1.

I was able to make the automation use cyclonedx~=4.0 which got the automation passing.

woodruffw commented 5 months ago

Hi @NeonDaniel, thanks for the report. Taking a look now.

woodruffw commented 5 months ago

Hmm, I can't immediately reproduce this locally: your workflow is using cyclonedx-python-lib==7.4.1 (source), which is the same mine is using locally, without issues.

woodruffw commented 5 months ago

Ah, I think I see the problem here: your workflow is using pypa/gh-action-pip-audit@v1.0.0, which is selecting an older version of pip-audit.

Could you try using v1.0.8 instead? That's the latest version of this action, and it shouldn't have these problems.

woodruffw commented 5 months ago

(Also, where did you get v1.0.0 from? That might be an old doc that needs updating somewhere.)

NeonDaniel commented 5 months ago

(Also, where did you get v1.0.0 from? That might be an old doc that needs updating somewhere.)

It looks like the automation was originally written by @JarbasAI; I was just looking into the failures (I'm actually not sure how long the automation has been failing.

I completely missed that we were using 1.0.0 while 1.0.8 is the latest. I see now that the examples and latest release do specify 1.0.8.

Updating to the latest appears to have resolved the issues

woodruffw commented 5 months ago

Glad to hear it, and thanks for the detailed report regardess!