From ff68dde1bddc2389fadcb36f7e911e6dd0b81f0f Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 14 Jun 2022 20:23:28 -0400 Subject: [PATCH] Respect `--cache-dir` and other flags when auditing project directories (#300) * Makefile: fix target order Signed-off-by: William Woodruff * cli: ensure flags are passed when auditing pyproject sources Signed-off-by: William Woodruff * CHANGELOG: record changes Signed-off-by: William Woodruff * workflows/ci: remove old explicit make step Signed-off-by: William Woodruff * Makefile: remove redundant dir test Signed-off-by: William Woodruff * workflows/ci: hackety hack Signed-off-by: William Woodruff * Makefile: remove `make run` Unused and not needed. Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 5 ++--- CHANGELOG.md | 7 +++++++ Makefile | 21 ++++++++------------- pip_audit/_cli.py | 14 +++++++++++--- 4 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf22c447..ae9ac5a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,8 +43,7 @@ jobs: with: python-version: "3.7" - - name: setup - run: make + - run: python -m pip install . - name: check-readme run: |
@@ -54,5 +53,5 @@ jobs: < README.md | sed '1d;$d' \ ) \ <( \ - make run ARGS="--help" \ + python -m pip_audit --help \ )
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77c2629b..f8d52e6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,13 @@ All versions prior to 0.0.9 are untracked. can fully verify hashes ([#298](https://github.com/trailofbits/pip-audit/pull/298)) +### Fixed + +* CLI/Dependency sources: `--cache-dir=...` and other flags that affect + dependency resolver behavior now work correctly when auditing a + `pyproject.toml` dependency source + ([#300](https://github.com/trailofbits/pip-audit/pull/300)) + ## [2.3.2] - 2022-05-14 ### Changed
diff --git a/Makefile b/Makefile
index 8b8f6c50..3a868a2f 100644
--- a/Makefile
+++ b/Makefile
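Review bot: The new `- run: python -m pip install .` step in the first ci.yml hunk drops the `name:` that the replaced `setup` step and the neighbouring `check-readme` step both carry, so in the Actions log it is identified only by its command text. Keeping the existing style, `- name: install` followed by `run: python -m pip install .`, makes the step list uniform. The second ci.yml hunk, which swaps `make run ARGS="--help"` for `python -m pip_audit --help`, needs no change.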
@@ -21,23 +21,18 @@ else COV_ARGS := --fail-under 100 endif -env/pyvenv.cfg: pyproject.toml - # Create our Python 3 virtual environment - [[ -d env ]] || python3 -m venv env - ./env/bin/python -m pip install --upgrade pip - ./env/bin/python -m pip install -e .[dev] - - .PHONY: dev -dev: env/pyvenv.cfg - .PHONY: all all: @echo "Run my targets individually!" -.PHONY: run -run: env/pyvenv.cfg - @. env/bin/activate && pip-audit $(ARGS) +.PHONY: dev +dev: env/pyvenv.cfg + +env/pyvenv.cfg: pyproject.toml + # Create our Python 3 virtual environment + python3 -m venv env + ./env/bin/python -m pip install --upgrade pip + ./env/bin/python -m pip install -e .[dev] .PHONY: lint lint: env/pyvenv.cfg
diff --git a/pip_audit/_cli.py b/pip_audit/_cli.py
index 360e8de8..0c96810b 100644
--- a/pip_audit/_cli.py
+++ b/pip_audit/_cli.py
@@ -303,11 +303,13 @@ def _parse_args(parser: argparse.ArgumentParser) -> argparse.Namespace:
 return parser.parse_args()
-def _dep_source_from_project_path(project_path: Path, state: AuditState) -> DependencySource:
+def _dep_source_from_project_path(
+ project_path: Path, resolver: ResolveLibResolver, state: AuditState
+) -> DependencySource:
 # Check for a `pyproject.toml`
 pyproject_path = project_path / "pyproject.toml"
 if pyproject_path.is_file():
- return PyProjectSource(pyproject_path, ResolveLibResolver(), state)
+ return PyProjectSource(pyproject_path, resolver, state)
 # TODO: Checks for setup.py and other project files will go here.
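Review bot: `_dep_source_from_project_path` gains a `resolver` parameter in this hunk but still has no docstring, so nothing tells a reader that the caller is now responsible for configuring the resolver (index URLs, timeout, cache directory) rather than this helper. Under the new signature I would add: `"""Return a DependencySource for the project at project_path, resolving its declared dependencies with resolver. Only a pyproject.toml is recognized for now."""`. The annotation `resolver: ResolveLibResolver` is also narrower than the body needs, since the value is only forwarded to `PyProjectSource`; if the project declares an abstract resolver interface that `PyProjectSource` accepts, annotating with that keeps the helper usable with other resolver implementations. The tail of the function, after the TODO comment, is outside the hunk.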
@@ -390,7 +392,13 @@ def audit() -> None:
 # once PEP 660 is more widely supported: https://www.python.org/dev/peps/pep-0660/
 # Determine which kind of project file exists in the project path
- source = _dep_source_from_project_path(args.project_path, state)
+ source = _dep_source_from_project_path(
+ args.project_path,
+ ResolveLibResolver(
+ index_urls, args.timeout, args.cache_dir, args.skip_editable, state
+ ),
+ state,
+ )
 else:
 source = PipSource(
 local=args.local, paths=args.paths, skip_editable=args.skip_editable, state=state
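Review bot: The fix at the `ResolveLibResolver(index_urls, args.timeout, args.cache_dir, args.skip_editable, state)` construction has no accompanying test: the diffstat touches only ci.yml, CHANGELOG.md, Makefile and _cli.py, so nothing pins that these flags actually reach the resolver used for a `pyproject.toml` source, which is exactly the regression this commit repairs. A test that runs `audit()` against a temporary project directory with `--cache-dir` and an index URL set, and asserts on the resolver handed to `PyProjectSource` (for example by patching `ResolveLibResolver`), would guard the behaviour. For reviewers it is worth spelling out that the removed line built `ResolveLibResolver()` with no arguments, so `index_urls` was previously ignored on this path and a user pointing at a private index presumably had the pyproject dependencies resolved elsewhere — that is what makes this more than a cosmetic change. The five positional arguments would also be safer as keywords if the constructor accepts them, since `args.timeout` and `args.cache_dir` are easy to transpose without any type error. `audit()` starts and ends outside the hunk, so if the requirements branch builds the same resolver elsewhere in it, hoisting a single construction shared by both branches would avoid the two drifting apart again.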