pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

safety fails on prompt-toolkit #490

Open andy-maier opened 8 months ago

andy-maier commented 8 months ago

Description

We are running "safety check" on our minimum constraints file. Since today, this fails only on Python 3.6 with our minimum package levels.

Using the "--debug" option of safety, the traceback and error message is as follows:

```
2024-01-11 20:37:38,176 safety.cli => Unexpected Exception happened: 'prompt-toolkit'
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.6.15/x64/lib/python3.6/site-packages/safety/cli.py", line 146, in check
    params=params)
  File "/opt/hostedtoolcache/Python/3.6.15/x64/lib/python3.6/site-packages/safety/util.py", line 601, in new_func
    return f(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.6.15/x64/lib/python3.6/site-packages/safety/safety.py", line 336, in check
    for data in get_vulnerabilities(pkg=name, spec=specifier, db=db_full):
  File "/opt/hostedtoolcache/Python/3.6.15/x64/lib/python3.6/site-packages/safety/safety.py", line 229, in get_vulnerabilities
    for entry in db[pkg]:
KeyError: 'prompt-toolkit'
Unhandled exception happened: 'prompt-toolkit'
```

Link to GitHub Actions workflow run for this issue: https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/7494205584/job/20401604268?pr=874

The minimum-constraints.txt file does specify the prompt-toolkit package.

This started happening today and it is reproducible. On a second run where I enabled the "--debug" option of safety, it happened on most (but not all) Python versions where we use minimum package levels (Python 3.6, 3.9, 3.11): https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/7494205584

The full output of that safety command with the --debug option is attached in the comment below.

This did not happen before today. I could not find new releases of Python packages that might be related to this (e.g. safety, prompt-toolkit, click).

A third run where I increased the version of safety to 2.3.4 failed with all Python versions where we use minimum package levels (Python 3.6, 3.7, 3.9, 3.11, and safety 2.3.4) and on Python 3.11 and 3.12 with latest package levels (and safety 2.3.4).

So it got worse with every retry :-(

We cannot use safety 2.3.5 because it pins "packaging" to <22.0.

Just a guess: Is there something wrong with the prompt-toolkit package in the safety database?

What I Did

andy-maier commented 8 months ago

The full log of the safety run with --debug on Python 3.6 with minimum package levels:

safety-2.2.0-issue.txt

Jwomers commented 8 months ago

@andy-maier thank you for reporting this, we are looking into this right away.

yeisonvargasf commented 8 months ago

Hi @andy-maier, thank you for this comprehensive issue report. We have identified the issue and are targeting fixing it in the 3.0.1 release.

This is a caching mismatch issue on our vulnerability databases (safety may be getting the index database from fresh data and the detailed one from the local disk cache). It happens occasionally.
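The mechanism described in the last comment, as an added illustration that is not safety's own code: a freshly fetched index names a package, the cached full database predates that package's advisory, and indexing the full database directly raises exactly the `KeyError` from the traceback. The database layout, the advisory records, the `minimum-constraints.txt` stand-in, the exact-version matching and all function names here are constructed for the example. The point for anyone consuming scanner output is the second half: a check that the two databases agree before a "no vulnerabilities" result is trusted, and a lookup that reports unresolved packages instead of either crashing or silently treating them as clean.

```python
"""Constructed illustration of the index/full-database mismatch described in
the issue. Not safety's own code: the database layout, advisory records and
function names here are assumptions made for the example."""

from typing import Dict, List, Set, Tuple

# Constructed sample data. The index records which packages currently have
# advisories on the server; the full database carries the advisory records.
# When the index is fetched fresh but the full database comes from a stale
# on-disk cache, the index can name a package the full database lacks.
FRESH_INDEX: Dict[str, int] = {"click": 1, "prompt-toolkit": 1}
STALE_FULL_DB: Dict[str, List[dict]] = {
    "click": [{"id": "CONSTRUCTED-0001", "affected_versions": ["7.0", "7.1"]}],
    # "prompt-toolkit" is absent: the cached copy predates its advisory.
}
FRESH_FULL_DB: Dict[str, List[dict]] = {
    **STALE_FULL_DB,
    "prompt-toolkit": [{"id": "CONSTRUCTED-0002", "affected_versions": ["3.0.0"]}],
}

# Constructed stand-in for a minimum-constraints.txt file.
MIN_CONSTRAINTS = """\
# constructed sample
click==7.0
prompt-toolkit==3.0.0
"""


def parse_constraints(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines, ignoring blank lines and comments."""
    packages = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        packages.append((name.strip().lower(), version.strip()))
    return packages


def db_mismatch(index: Dict[str, int], full: Dict[str, List[dict]]) -> Set[str]:
    """Packages the index lists but the full database does not contain.
    A non-empty result means the two databases are out of sync and the
    full database should be re-fetched before any result is trusted."""
    return {pkg for pkg in index if pkg not in full}


def naive_lookup_outcome(pkg: str, version: str, db: Dict[str, List[dict]]) -> object:
    """Same shape as the loop in the traceback: indexing db[pkg] directly.
    Returns the matching advisory ids, or the KeyError text if pkg is absent."""
    try:
        return [e["id"] for e in db[pkg] if version in e["affected_versions"]]
    except KeyError as exc:
        return "KeyError: %s" % exc


def check_packages(packages, index, full):
    """Look up every package, separating real findings from packages whose
    advisories could not be resolved. Unresolved packages are surfaced rather
    than silently treated as clean; otherwise a stale cache would hide real
    advisories behind a passing scan."""
    findings: List[Tuple[str, str, str]] = []
    unresolved: List[str] = []
    for name, version in packages:
        if name in index and name not in full:
            unresolved.append(name)
            continue
        for entry in full.get(name, []):
            if version in entry["affected_versions"]:
                findings.append((name, version, entry["id"]))
    return findings, unresolved


if __name__ == "__main__":
    pkgs = parse_constraints(MIN_CONSTRAINTS)
    print("mismatch:", db_mismatch(FRESH_INDEX, STALE_FULL_DB))
    print("naive:", naive_lookup_outcome("prompt-toolkit", "3.0.0", STALE_FULL_DB))
    print("stale:", check_packages(pkgs, FRESH_INDEX, STALE_FULL_DB))
    print("fresh:", check_packages(pkgs, FRESH_INDEX, FRESH_FULL_DB))
```

Run against the stale cache, `naive_lookup_outcome` reproduces the `KeyError: 'prompt-toolkit'` from the report, while `check_packages` still returns the `click` finding and lists `prompt-toolkit` as unresolved; against the fresh database both packages resolve and the unresolved list is empty. A CI job that treats a non-empty unresolved list (or a non-empty `db_mismatch`) as a failure rather than a pass avoids the worse outcome of this bug class, a scan that quietly reports fewer advisories than the server actually holds.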