implement is_insecure for the cli

pyupio · Jul 17, 2017 · c1bceb3 · c1bceb3
1 parent 23a84cb
commit c1bceb3
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 19 deletions.
diff --git a/pyup/cli.py b/pyup/cli.py
@@ -4,47 +4,48 @@
 from pyup.requirements import RequirementFile, RequirementsBundle
 from pyup.providers.github import Provider as GithubProvider
 from pyup.providers.gitlab import Provider as GitlabProvider
+from pyup import cli_settings
 import click
 from tqdm import tqdm
 import logging
 
+api_key = None
+
 
 @click.command()
 @click.version_option(__version__, '-v', '--version')
 @click.option('--repo', prompt='repository', help='')
 @click.option('--user-token', prompt='user token', help='')
 @click.option('--bot-token', help='', default=None)
+@click.option("--key", default="",
+              help="API Key for pyup.io's vulnerability database. Can be set as SAFETY_API_KEY "
+                   "environment variable. Default: empty")
 @click.option('--provider', help='API to use; either github or gitlab', default="github")
-@click.option('--dry', help='Run the bot without committing', default=False)
 @click.option('--branch', help='Set the branch the bot should use', default='master')
 @click.option('--initial', help='Set this to bundle all PRs into a large one',
               default=False, is_flag=True)
-@click.option('--pin', help='', default=True)
-@click.option('--close-prs', help='Tell the bot to close stale pull requests', default=True)
 @click.option('--log', help='Set the log level', default="ERROR")
-def main(repo, user_token, bot_token, provider, dry, branch, initial, pin, close_prs, log):
+def main(repo, user_token, bot_token, key, provider, branch, initial, log):
     logging.basicConfig(level=getattr(logging, log.upper(), None))
 
+    global api_key
+    api_key = key
+
     if provider == 'github':
         ProviderClass = GithubProvider
     elif provider == 'gitlab':
         ProviderClass = GitlabProvider
     else:
         raise NotImplementedError
-
-    if dry:
-        BotClass = DryBot
-    else:
-        BotClass = CLIBot
-
-    bot = BotClass(
+    cli_settings.configure(key=key)
+    bot = CLIBot(
         repo=repo,
         user_token=user_token,
         bot_token=bot_token,
-        provider=ProviderClass
+        provider=ProviderClass,
     )
 
-    bot.update(branch=branch, initial=initial, pin=pin, close_prs=close_prs)
+    bot.update(branch=branch, initial=initial)
 
 
 if __name__ == '__main__':

diff --git a/pyup/requirements.py b/pyup/requirements.py
@@ -2,6 +2,8 @@
 from pkg_resources import parse_requirements
 from pkg_resources import parse_version
 from pkg_resources._vendor.packaging.specifiers import SpecifierSet
+from safety import safety
+
 import hashin
 from .updates import InitialUpdate, SequentialUpdate, ScheduledUpdate
 from .pullrequest import PullRequest
@@ -299,11 +301,14 @@ def needs_update(self):
 
     @property
     def is_insecure(self):
-        # security is not our concern for the moment. However, it'd be nice if we had a central
-        # place where we can query for known security vulnerabilites on python packages.
-        # There's an open issue here:
-        # https://github.com/pypa/warehouse/issues/798
-        raise NotImplementedError
+        from pyup.cli import api_key
+        return len(safety.check(
+                packages=(self,),
+                cached=True,
+                key=api_key,
+                db_mirror="",
+                ignore_ids=()
+            )) != 0
 
     @property
     def is_outdated(self):

diff --git a/setup.py b/setup.py
@@ -25,7 +25,8 @@
     "six",
     "setuptools<=26.1.1",
     "python-gitlab",
-    "dparse"
+    "dparse",
+    "safety"
 ]
 
 test_requirements = [