Audit - Control Pip install cmd with custom args (jfrog#87)
attiasas authored Jun 24, 2024
1 parent 7a46e30 commit 2fa0db4
Showing 4 changed files with 65 additions and 4 deletions.
46 changes: 42 additions & 4 deletions commands/audit/sca/python/python.go
Expand Up @@ -36,6 +36,7 @@ type AuditPython struct {
Tool pythonutils.PythonTool
RemotePypiRepo string
PipRequirementsFile string
InstallCommandArgs []string
IsCurationCmd bool
}

Expand Down Expand Up @@ -247,11 +248,11 @@ func installPipDeps(auditPython *AuditPython) (restoreEnv func() error, err erro
reportFileName = pythonReportFile
}

pipInstallArgs := getPipInstallArgs(auditPython.PipRequirementsFile, remoteUrl, curationCachePip, reportFileName)
pipInstallArgs := getPipInstallArgs(auditPython.PipRequirementsFile, remoteUrl, curationCachePip, reportFileName, auditPython.InstallCommandArgs...)
var reqErr error
err = executeCommand("python", pipInstallArgs...)
if err != nil && auditPython.PipRequirementsFile == "" {
pipInstallArgs = getPipInstallArgs("requirements.txt", remoteUrl, curationCachePip, reportFileName)
pipInstallArgs = getPipInstallArgs("requirements.txt", remoteUrl, curationCachePip, reportFileName, auditPython.InstallCommandArgs...)
reqErr = executeCommand("python", pipInstallArgs...)
if reqErr != nil {
// Return Pip install error and log the requirements fallback error.
Expand Down Expand Up @@ -280,7 +281,7 @@ func executeCommand(executable string, args ...string) error {
return nil
}

func getPipInstallArgs(requirementsFile string, remoteUrl string, cacheFolder string, reportFileName string) []string {
func getPipInstallArgs(requirementsFile, remoteUrl, cacheFolder, reportFileName string, customArgs ...string) []string {
args := []string{"-m", "pip", "install"}
if requirementsFile == "" {
// Run 'pip install .'
Expand All @@ -299,11 +300,48 @@ func getPipInstallArgs(requirementsFile string, remoteUrl string, cacheFolder st
// For report to include download urls, pip should ignore installed packages.
args = append(args, "--ignore-installed")
args = append(args, "--report", reportFileName)

}
args = append(args, parseCustomArgs(remoteUrl, cacheFolder, reportFileName, customArgs...)...)
return args
}

func parseCustomArgs(remoteUrl, cacheFolder, reportFileName string, customArgs ...string) (args []string) {
for i := 0; i < len(customArgs); i++ {
if strings.Contains(customArgs[i], "-r") {
log.Warn("The -r flag is not supported in the custom arguments list. use the 'PipRequirementsFile' instead.")
i++
continue
}
if strings.Contains(customArgs[i], "--cache-dir") {
if cacheFolder != "" {
log.Warn("The --cache-dir flag is not supported in the custom arguments list. skipping...")
} else if i+1 < len(customArgs) {
args = append(args, customArgs[i], customArgs[i+1])
}
i++
continue
}
if reportFileName != "" {
if strings.Contains(customArgs[i], "--report") {
log.Warn("The --report flag is not supported in the custom arguments list. skipping...")
i++
continue
}
if strings.Contains(customArgs[i], "--ignore-installed") {
// will be added by default
continue
}
}
if remoteUrl != "" && strings.Contains(customArgs[i], utils.GetPypiRemoteRegistryFlag(pythonutils.Pip)) {
log.Warn("The remote registry flag is not supported in the custom arguments list. skipping...")
i++
continue
}
args = append(args, customArgs[i])
}
return
}

func runPipenvInstallFromRemoteRegistry(server *config.ServerDetails, depsRepoName string) (err error) {
rtUrl, err := utils.GetPypiRepoUrl(server, depsRepoName, false)
if err != nil {
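Review bot: parseCustomArgs decides what to strip with strings.Contains, so any token that merely contains "-r" (`--force-reinstall`, `--dry-run`, `--require-hashes`, `--root`), "--cache-dir" (`--no-cache-dir`) or "--report" is discarded, and because each of those branches also does `i++` the unrelated token after it is silently dropped too; the `--flag=value` spelling loses a following token for the same reason. The filter is also narrow on the side that matters for a curation audit: only the one flag returned by GetPypiRemoteRegistryFlag is blocked, and only when remoteUrl is set, so `--extra-index-url`, `--find-links` or `--trusted-host` in InstallCommandArgs can make pip resolve outside the configured remote repository — whether callers of this path are trusted I cannot tell from this hunk, but the intent of the existing guard suggests they are not meant to override the registry. I would compare the flag name exactly after splitting on "=", keep a small table of the flags the audit owns together with whether each consumes a value, and only skip a following token for those; the sketch below also blocks the three extra index flags when a remote repo is configured. A unit test of parseCustomArgs covering the dropped-flag cases would lock this in.
```go
func parseCustomArgs(remoteUrl, cacheFolder, reportFileName string, customArgs ...string) (args []string) {
	// Flags the audit sets itself; value is true when the flag consumes the next token.
	owned := map[string]bool{"-r": true, "--requirement": true}
	if cacheFolder != "" {
		owned["--cache-dir"] = true
	}
	if reportFileName != "" {
		owned["--report"] = true
	}
	if remoteUrl != "" {
		// Keep resolution on the configured remote repo: no alternate or extra indexes.
		owned[utils.GetPypiRemoteRegistryFlag(pythonutils.Pip)] = true
		owned["--extra-index-url"], owned["--find-links"], owned["--trusted-host"] = true, true, true
	}
	for i := 0; i < len(customArgs); i++ {
		// Exact match on the flag name; "--flag=value" carries its value inline.
		name, _, inlineValue := strings.Cut(customArgs[i], "=")
		if takesValue, blocked := owned[name]; blocked {
			log.Warn("The " + name + " flag is not supported in the custom arguments list. skipping...")
			if takesValue && !inlineValue && i+1 < len(customArgs) {
				i++ // drop the separate value token as well
			}
			continue
		}
		if reportFileName != "" && name == "--ignore-installed" {
			continue // added by default when a report is requested
		}
		args = append(args, customArgs[i])
	}
	return
}
```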
20 changes: 20 additions & 0 deletions commands/audit/sca/python/python_test.go
@@ -1,11 +1,13 @@
package python

import (
"os"
"path/filepath"
"strings"
"testing"

"github.com/jfrog/build-info-go/utils/pythonutils"
"github.com/jfrog/jfrog-client-go/xray/services/utils"

"github.com/jfrog/jfrog-cli-core/v2/utils/tests"
"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
Expand Down Expand Up @@ -40,6 +42,20 @@ func TestBuildPipDependencyListSetuppy(t *testing.T) {
}
}

func TestPipDependencyListCustomInstallArgs(t *testing.T) {
// Create and change directory to test workspace
mainPath := filepath.Join("projects", "package-managers", "python", "pip", "pip")
actualMainPath, cleanUp := sca.CreateTestWorkspace(t, mainPath)
defer cleanUp()
assert.NoError(t, os.Chdir(filepath.Join(actualMainPath, "referenceproject")))
// Run getModulesDependencyTrees
rootNode, uniqueDeps, _, err := BuildDependencyTree(&AuditPython{
Tool: pythonutils.PythonTool(techutils.Pip),
InstallCommandArgs: []string{"--break-system-packages"},
})
validatePipRequirementsProject(t, err, uniqueDeps, rootNode)
}

func TestBuildPipDependencyListSetuppyForCuration(t *testing.T) {
// Create and change directory to test workspace
_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "python", "pip", "pip", "setuppyproject"))
Expand Down Expand Up @@ -82,6 +98,10 @@ func TestPipDependencyListRequirementsFallback(t *testing.T) {
rootNode, uniqueDeps, _, err := BuildDependencyTree(&AuditPython{
Tool: pythonutils.PythonTool(techutils.Pip),
})
validatePipRequirementsProject(t, err, uniqueDeps, rootNode)
}

func validatePipRequirementsProject(t *testing.T, err error, uniqueDeps []string, rootNode []*utils.GraphNode) {
assert.NoError(t, err)
assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"pexpect:4.7.0")
assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"ptyprocess:0.7.0")
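Review bot: TestPipDependencyListCustomInstallArgs only checks that a pass-through flag survives the install; none of the filtering branches this commit adds to parseCustomArgs — dropping `-r`, `--cache-dir`, `--report` and the registry flag, or suppressing a duplicate `--ignore-installed` — is asserted anywhere in this file. A table-driven test calling the helper directly, e.g. `assert.Equal(t, []string{"--no-deps"}, parseCustomArgs("", "", "report.json", "-r", "req.txt", "--no-deps", "--ignore-installed"))`, would pin that behaviour without needing a working pip. The `--break-system-packages` option on line 127 is, as far as I recall, only accepted by pip 23.0 and later, so the test's result depends on the pip version in the CI image; a comment such as `// --break-system-packages requires pip >= 23.0; older pip rejects it as an unknown option` would save the next person a confusing failure. validatePipRequirementsProject continues past the end of this section.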
1 change: 1 addition & 0 deletions commands/audit/scarunner.go
Expand Up @@ -259,6 +259,7 @@ func GetTechDependencyTree(params xrayutils.AuditParams, tech techutils.Technolo
Tool: pythonutils.PythonTool(tech),
RemotePypiRepo: params.DepsRepo(),
PipRequirementsFile: params.PipRequirementsFile(),
InstallCommandArgs: params.InstallCommandArgs(),
IsCurationCmd: params.IsCurationCmd(),
})
case techutils.Nuget:
@@ -0,0 +1,2 @@
python-pkgbuild @ git+https://github.com/z3ntu/python-pkgbuild@7afcd99050ba091e7bf1f2aa4bc87e83df3cdea2
pexpect==4.7.0
