securesauce / precaution-beta

Precaution provides a simple, automated code review for GitHub projects by running code linters with a security focus on pull requests.

Don't install dependencies using old pip #231

Closed ericwb closed 5 years ago

ericwb commented 5 years ago

Describe the bug
When installing Bandit 1.6.0, Precaution fails with the following error:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/usr/lib/python3/dist-packages/pip/commands/install.py", line 278, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python3/dist-packages/pip/req.py", line 1266, in prepare_files
    req_to_install.extras):
  File "/usr/lib/python3/dist-packages/pkg_resources.py", line 2291, in requires
    dm = self._dep_map
  File "/usr/lib/python3/dist-packages/pkg_resources.py", line 2484, in _dep_map
    self.__dep_map = self._compute_dependencies()
  File "/usr/lib/python3/dist-packages/pkg_resources.py", line 2517, in _compute_dependencies
    common = frozenset(reqs_for_extra(None))
  File "/usr/lib/python3/dist-packages/pkg_resources.py", line 2514, in reqs_for_extra
    if req.marker_fn(override={'extra':extra}):
  File "/usr/share/python-wheels/setuptools-3.3-py2.py3-none-any.whl/_markerlib/markers.py", line 113, in marker_fn
    return eval(compiled_marker, environment)
  File "<environment marker>", line 1, in <module>
NameError: name 'platform_system' is not defined

This occurs because the pip version you are installing with is very old.
Similar issue: https://github.com/kennethreitz/requests/issues/4006

Use pip install -U pip. Also, there is no reason to use pip3 instead of pip. Just pip works fine in Python 3+.

To Reproduce
When Bandit version 1.6.0 is installed in the build, it fails. See logs.

Expected behavior
Should not experience this traceback.

Screenshots
https://travis-ci.org/vmware/precaution/builds/532278770

Additional context
n/a

joshuagl commented 5 years ago

I wonder if updating to dist: xenial would be the right solution here? https://docs.travis-ci.com/user/reference/xenial/

ericwb commented 5 years ago

So running heroku apps:info -a precaution, I see the app uses Heroku-16, which maps to Ubuntu 16.04.

https://devcenter.heroku.com/articles/stack

So yes, xenial would match up better with our heroku instance anyway.

ericwb commented 5 years ago

And the python3-pip package on xenial is version 8.1.1-2 (https://packages.ubuntu.com/xenial/python3-pip), which won't fix this issue. We need 8.1.2 or higher.
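The marker evaluation that fails in the traceback above (the old setuptools `_markerlib` runs `eval(compiled_marker, environment)` with an environment that has no `platform_system` variable, hence the NameError) and the 8.1.2 pip floor from the last comment, illustrated by an added example that is not Precaution's, pip's or Bandit's own code: a small evaluator for `variable op "literal"` environment markers that needs no eval(), plus a parser for `pip --version` output. `SAMPLE_MARKERS`, `marker_environment`, `check_marker` and `pip_is_new_enough` are constructed names for this illustration, and the sample markers are not Bandit's actual metadata.

```python
import ast
import operator
import platform
import re
import sys

# Constructed sample markers for this demo, not copied from Bandit's metadata.
SAMPLE_MARKERS = ['platform_system == "Windows"', 'python_version >= "3.5"']

OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
       ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def marker_environment():
    """Subset of the PEP 508 marker variables; the old _markerlib lacked platform_system."""
    return {"platform_system": platform.system(),
            "python_version": ".".join(str(v) for v in sys.version_info[:2])}

def _compare(left, op, right):
    # Dotted numeric strings compare as int tuples so that "3.10" >= "3.5" holds.
    lp, rp = left.split("."), right.split(".")
    if all(p.isdigit() for p in lp + rp):
        left, right = tuple(map(int, lp)), tuple(map(int, rp))
    return OPS[type(op)](left, right)

def evaluate_marker(marker, env):
    """Evaluate a 'variable op "literal"' marker without eval().

    Raises NameError when env lacks the variable: the traceback's failure mode.
    """
    expr = ast.parse(marker, mode="eval").body
    if (not isinstance(expr, ast.Compare) or len(expr.ops) != 1
            or not isinstance(expr.left, ast.Name) or type(expr.ops[0]) not in OPS):
        raise ValueError("unsupported marker: %r" % marker)
    name = expr.left.id
    if name not in env:
        raise NameError("name %r is not defined" % name)
    return _compare(env[name], expr.ops[0], ast.literal_eval(expr.comparators[0]))

def check_marker(marker, env):
    """Return (applies, error); error carries the NameError text for a missing variable."""
    try:
        return evaluate_marker(marker, env), None
    except NameError as exc:
        return None, str(exc)

def pip_is_new_enough(pip_version_output, minimum=(8, 1, 2)):
    """Parse `pip --version` output and check it against the 8.1.2 floor from this thread."""
    match = re.match(r"pip (\d+)\.(\d+)(?:\.(\d+))?", pip_version_output)
    if not match:
        raise ValueError("unrecognised pip --version output: %r" % pip_version_output)
    return tuple(int(g or 0) for g in match.groups()) >= minimum
```

Running `check_marker(SAMPLE_MARKERS[0], {"python_version": "3.6"})` reproduces the traceback's message, `name 'platform_system' is not defined`, while `marker_environment()` resolves both sample markers.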