Feature: stable API to add additional VulnerabilityService instances for private repositories #805
Comments
Thanks for opening this @davidjmemmett! Indeed, all of With that being said, I think we'd be interested in exposing a subset (probably a small subset, to get started) of APIs for public use, to make programmatic use easier. These kinds of use cases are valuable for us to hear about, since they inform which and how we'll expose those APIs 🙂 Providing support for custom
CC @di as well, since he'll almost certainly have thoughts about the propriety/scope of a public API for
Agreed. Some more details about your use case and examples of how you're using
Hi both, thank you for responding swiftly. My current implementation is a little bit hacky, as it overrides the definition of

```python
from __future__ import annotations  # allows "Path | None" annotations on Python < 3.10

from enum import Enum
from pathlib import Path

from pip_audit import _cli as audit_cli
from pip_audit._service.interface import VulnerabilityService
from pip_audit._service.osv import OsvService
from pip_audit._service.pypi import PyPIService
from pip._vendor.typing_extensions import assert_never

from custom_pip_audit.service.custom import CustomService


class CustomVulnerabilityServiceChoice(str, Enum):
    """Drop-in copy of pip-audit's private VulnerabilityServiceChoice enum,
    extended with a "custom" choice backed by CustomService."""

    Osv = "osv"
    Pypi = "pypi"
    Custom = "custom"

    def to_service(self, timeout: int, cache_dir: Path | None) -> VulnerabilityService:
        if self is CustomVulnerabilityServiceChoice.Custom:
            return CustomService()
        elif self is CustomVulnerabilityServiceChoice.Osv:
            return OsvService(cache_dir, timeout)
        elif self is CustomVulnerabilityServiceChoice.Pypi:
            return PyPIService(cache_dir, timeout)
        else:
            assert_never(self)  # pragma: no cover

    def __str__(self) -> str:
        return self.value


# Monkey-patch the private enum so pip-audit's CLI sees the extra "custom" choice.
audit_cli.VulnerabilityServiceChoice = CustomVulnerabilityServiceChoice


def audit() -> None:
    audit_cli.audit()
```

I then override

```json
{
  "a-custom-package": [
    {
      "id": "custom-1",
      "description": "A description of the vulnerability",
      "specs": ["<1.2.3"],
      "fix_versions": ["1.2.3"]
    }
  ]
}
```

I would definitely be open to changing the format of the JSON file to match something official, which may already be available to export/fetch from industry standard tooling. I hope this provides a little bit more insight into what I'm trying to achieve.
Hmm, I think you can use the
Yep! I think the OSV Schema is probably the best fit here -- we already support it via the
Yeah, I was using the

```python
...
if vulnerability_spec.startswith("<="):
    version = Version(vulnerability_spec[2:])
    if spec.version <= version:
        num_spec_matches += 1
elif vulnerability_spec.startswith("=>"):
    ...  # etc
```

I completely agree with moving to the OSV schema being the simplest way forward, and using vanilla pip-audit, along the lines of:
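As an added example (not code from this thread or from pip-audit itself), here is how a private advisory feed in the OSV schema, the format the thread settles on, can be matched against installed versions using the schema's "introduced"/"fixed"/"last_affected" events instead of the hand-rolled `startswith` comparisons above. The advisory is a constructed sample, and versions are assumed to be plain dotted integers (full PEP 440 handling would use `packaging.version`).

```python
from __future__ import annotations
import json

# Constructed sample advisory in OSV-schema shape; not a real OSV record.
SAMPLE_ADVISORIES = json.loads("""[
 {"id": "EXAMPLE-2023-0001", "summary": "constructed example advisory",
  "affected": [{"package": {"ecosystem": "PyPI", "name": "a-custom-package"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}]}
]""")

def vkey(version: str) -> tuple[int, ...]:
    """Comparable key for a dotted numeric version (assumption: no pre/post/dev
    segments). Trailing zeros are dropped so that 1.2 == 1.2.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def range_matches(rng: dict, version: str) -> bool:
    """True if version lies in a window opened by an "introduced" event and
    closed by the next "fixed" (exclusive) or "last_affected" (inclusive)."""
    if rng.get("type") != "ECOSYSTEM":
        return False  # GIT/SEMVER ranges do not apply to PyPI version strings
    v, lower = vkey(version), None
    for ev in rng.get("events", []):
        if "introduced" in ev:
            lower = vkey(ev["introduced"])
        elif lower is not None and "fixed" in ev:
            if lower <= v < vkey(ev["fixed"]):
                return True
            lower = None
        elif lower is not None and "last_affected" in ev:
            if lower <= v <= vkey(ev["last_affected"]):
                return True
            lower = None
    return lower is not None and lower <= v  # open-ended: no fix published yet

def audit(installed: dict[str, str], advisories: list[dict]) -> dict[str, list[str]]:
    """Map lower-cased package name -> ids of advisories covering its installed version."""
    findings: dict[str, list[str]] = {}
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = pkg.get("name", "").lower()
            if pkg.get("ecosystem") == "PyPI" and name in installed:
                version = installed[name]
                if version in aff.get("versions", []) or any(
                        range_matches(r, version) for r in aff.get("ranges", [])):
                    findings.setdefault(name, []).append(adv["id"])
    return findings
```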
Ahh, gotcha. Yeah, I'm unfortunately not familiar with anything that's immediately a good fit for that (there might be some other In terms of next steps here: supporting this via a JSON input on the CLI will make this pretty close to #698, so I want to make sure we get the interface right here 🙂. In particular: would it be a significant problem for your use case if we required OSV loading via a URL instead? For example:
That would reduce the amount of special casing we'd need to do within
I don't mind at all, it saves me an extra step of fetching a remote file. Thank you.
No problem! I'll let @di confirm that he's okay with this approach as well, but assuming he is then I'd be happy to review a PR for this. (I suspect there might be some hurdles, since the OSV API isn't just a static JSON document API -- it receives a posted query. But
That complicates matters, but I will investigate and see if there's a way that it can accept a static file.
I have opened the Pull Request #810 in order to allow the OSV URL to be overridden; please let me know if there is anything further required in order for this to be merged in.
Pre-submission checks
What's the problem this feature will solve?
I'm switching to pip-audit instead of safety (as safety v3 doesn't support private repositories), and I've written a wrapper around the pip-audit library to add an additional `VulnerabilityService` instance. In order to accomplish this, I've had to recreate the `VulnerabilityServiceChoice` enum and override it in my wrapper. As I've also had to import a bunch of other packages from within pip-audit, I've noticed that they're all prefixed with `_`, which in Python typically means private/"don't rely on this as a stable API".
Describe the solution you'd like
At some point in the future, the private API of pip-audit might change and break my wrapper (described above). A stable API to be able to add additional `VulnerabilityService` instances would allow organisations with private pip repositories to be able to track and flag vulnerabilities in their private repositories without fear that the tooling may suddenly break without notice.
Additional context
No response