sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] Jake crashes on ddt scan "AttributeError: 'OssIndexComponent' object has no attribute 'has_known_vulnerabilities'" #112

Closed angushenderson closed 2 years ago

angushenderson commented 2 years ago

Describe the bug
When running a jake scan, an AttributeError is raised when checking for vulnerabilities (AttributeError: 'OssIndexComponent' object has no attribute 'has_known_vulnerabilities'); the full stack trace is shown in the screenshot below. For context, all Python modules are installed via pipenv. I've tried running this command in 3 places, and this error is thrown in each of them: locally in the command line, locally using pre-commit hooks, and on GitLab CI.

To Reproduce
Steps to reproduce the behavior:

  1. Enter virtual environment and run pipenv install --dev to install all dependencies (see Pipfile below).
  2. Run pipenv run jake ddt --clear-cache (--clear-cache flag is used as per issue https://github.com/sonatype-nexus-community/jake/issues/100)
  3. See error

Expected behavior
Normal, error-free execution of the Jake OSS Index-backed scan.

Screenshots
(screenshot of the stack trace; image not reproduced here)

Additional Context
Here is the 'Pipfile':

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
flake8 = "*"
pytest = "*"
coverage = "*"
pre-commit = "*"
flake8-docstrings = "*"
pep8-naming = "*"
black = "*"
moto = {extras = ["all"], version = "*"}
uvicorn = "*"
boto3 = "*"
pylint = "*"
pytest-env = "*"
diagrams = "*"
handsdown = "*"
isort = "*"
doit = "*"
factory-boy = "*"
interrogate = "*"
pytest-mock = "*"
bandit = "*"
jake = "~=1.4.4"

[packages]
fastapi = {extras = ["ujson", "requests", "orjson"], version = "*"}
mangum = "*"
watchtower = "*"
jwcrypto = "*"
sqlalchemy = "*"
mysqlclient = "*"
pycryptodome = "*"
pymysql = "*"
sqlalchemy-utils = "*"

[requires]
python_version = "3.8"
[pipenv]
allow_prereleases = true

Pre-commit hook in '.pre-commit-config.yaml':

repos:
  - repo: local
    hooks:
      - id: jake
        name: jake
        entry: pipenv run jake ddt
        language: python
        types_or: [python, pyi]
        pass_filenames: false
        # To circumvent issue stated here: https://github.com/sonatype-nexus-community/jake/issues/100
        args: [--clear-cache]

And the command getting run on the CI is: pipenv run jake ddt --clear-cache


madpah commented 2 years ago

Hi @angushenderson,

Thanks for raising this issue. It looks like jake is unexpectedly pulling in a much newer version of one of its upstream dependencies (where that method has been removed).

The upstream dependency is still only a RC, so this is not expected.

We'll see if we can quickly adjust our dependency definitions to prevent this in the immediate term.
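A defender-side check for the kind of resolution problem described in this thread, added here as an example and not part of jake or of either participant's post: it scans a Pipfile.lock for packages pinned to a pre-release version, so an unintended RC of an upstream library is visible before it breaks a tool. It assumes, which the thread does not confirm, that the `allow_prereleases = true` line in the reporter's Pipfile is what let the RC be resolved; the lock excerpt, its versions and the package name `hypothetical-upstream-lib` are constructed.

```python
import json
import re

# Loose PEP 440 matcher, enough to tell a final release from a pre-/dev-release
# without depending on the third-party `packaging` module.
_PEP440 = re.compile(
    r"^(?:\d+!)?"                                            # epoch
    r"(?P<release>\d+(?:\.\d+)*)"                            # e.g. 1.4.4
    r"(?P<pre>[._-]?(?:a|b|c|rc|alpha|beta|pre|preview)[._-]?\d*)?"
    r"(?P<post>[._-]?(?:post|rev|r)[._-]?\d*|-\d+)?"
    r"(?P<dev>[._-]?dev[._-]?\d*)?"
    r"(?:\+[a-z0-9.]+)?$",                                   # local label
    re.IGNORECASE,
)

def is_prerelease(version: str) -> bool:
    """True if a PEP 440 version string denotes a pre-release or dev-release."""
    m = _PEP440.match(version.strip())
    if m is None:
        raise ValueError(f"not a PEP 440 version: {version!r}")
    return bool(m.group("pre") or m.group("dev"))

def prerelease_pins(lockfile_text: str) -> dict:
    """Return {package: version} for every Pipfile.lock entry pinned to a pre-release."""
    lock = json.loads(lockfile_text)
    flagged = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):        # pipenv writes exact pins as "==x.y.z"
                version = version[2:]
            if version and is_prerelease(version):
                flagged[name] = version
    return flagged

# Constructed Pipfile.lock excerpt: versions and the upstream package name are made up.
SAMPLE_LOCK = """{
  "default": {"fastapi": {"version": "==0.70.0"}, "sqlalchemy": {"version": "==1.4.27"}},
  "develop": {
    "jake": {"version": "==1.4.4"},
    "hypothetical-upstream-lib": {"version": "==1.0.0rc1"},
    "pytest": {"version": "==6.2.5"}
  }
}"""

if __name__ == "__main__":
    for name, ver in prerelease_pins(SAMPLE_LOCK).items():
        print(f"pre-release pinned: {name}=={ver}")
```

Running it against a real lock file (`prerelease_pins(open("Pipfile.lock").read())`) in CI fails the build early when a transitive dependency drifts onto a release candidate.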

madpah commented 2 years ago

jake 1.4.5 has been released which should resolve this issue @angushenderson.

Can you let us know if that is not the case please?

Thanks again!

angushenderson commented 2 years ago

Thank you so much @madpah, that's all working now!