pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

AttributeError: 'NoneType' object has no attribute 'is_using_auth_credentials' #502

Open pawamoy opened 5 months ago

pawamoy commented 5 months ago

Description

I'm using safety programmatically:

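```python
from io import StringIO
from typing import cast

from safety.formatter import SafetyFormatter
from safety.safety import calculate_remediations, check
from safety.util import read_requirements

# `requirements` and `ignore_vulns` are supplied by the calling code.
if isinstance(requirements, (list, tuple, set)):
    requirements = "\n".join(requirements)
packages = list(read_requirements(StringIO(cast(str, requirements))))
# No `session` argument is passed, so check() uses its default of None.
vulns, db_full = check(packages=packages, ignore_vulns=ignore_vulns)
```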

It fails with the following traceback:

```
Traceback (most recent call last):
File "/media/data/dev/duty/src/duty/callables/safety.py", line 54, in check
  vulns, db_full = check(packages=packages, ignore_vulns=ignore_vulns)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/media/data/dev/duty/__pypackages__/3.11/lib/safety/util.py", line 743, in new_func
  return f(*args, **kwargs)
         ^^^^^^^^^^^^^^^^^^
File "/media/data/dev/duty/__pypackages__/3.11/lib/safety/safety.py", line 374, in check
  db = fetch_database(session, db=db_mirror, cached=cached, telemetry=telemetry)
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/media/data/dev/duty/__pypackages__/3.11/lib/safety/safety.py", line 222, in fetch_database
  if session.is_using_auth_credentials():
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'is_using_auth_credentials'
```

The check method has a default value of None for the session parameter, but that default value causes the fetch_database function to raise an AttributeError since it doesn't check if it's None before trying to access is_using_auth_credentials on it.

Previously, on v2, the above code worked. I understand that I can expect breaking changes going from v2 to v3, but maybe this particular issue was an oversight and can be solved on your side. Let me know! I can also fix my own code to instantiate a session myself and provide it to the check function. By the way, what is the type of this session object?

pawamoy commented 5 months ago

I was able to fix it on my end with this:

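```python
from safety.auth.cli_utils import build_client_session

# Build a session explicitly and pass it to check() instead of relying on the None default.
client_session, _ = build_client_session()
vulns, db_full = check(session=client_session, packages=packages, ignore_vulns=ignore_vulns)
```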

Entanglement with Click did not make this easy to find :sweat: