
Error parsing a github source, on 0.4.0 #61

Closed
brondsem opened this issue Aug 9, 2021 · 1 comment

brondsem (Contributor) commented Aug 9, 2021

With skjold 0.4.0 and a requirements.txt file containing waitress==1.4.4 as a package, the following error occurs:

Traceback (most recent call last):
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/packaging/specifiers.py", line 652, in __init__
    parsed.add(Specifier(specifier))
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/packaging/specifiers.py", line 105, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '= 1.4.2'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/local/env-sfpy-py37/bin/skjold", line 8, in <module>
    sys.exit(cli())
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 1137, in __call__
    return self.main(*args, **kwargs)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 1062, in main
    rv = self.invoke(ctx)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 1668, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/click/core.py", line 763, in invoke
    return __callback(*args, **kwargs)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/skjold/cli.py", line 184, in audit_
    findings = audit(config, packages, ignore=ignore)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/skjold/tasks.py", line 223, in audit
    package_name, package_version
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/skjold/sources/github.py", line 196, in is_vulnerable_package
    if candidate.is_affected(package_version):
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/skjold/sources/github.py", line 71, in is_affected
    return version in self.vulnerable_version_range
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/skjold/sources/github.py", line 62, in vulnerable_version_range
    self._json["node"]["vulnerableVersionRange"], prereleases=True
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/packaging/specifiers.py", line 654, in __init__
    parsed.add(LegacySpecifier(specifier))
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/packaging/specifiers.py", line 271, in __init__
    super().__init__(spec, prereleases)
  File "/var/local/env-sfpy-py37/lib/python3.7/site-packages/packaging/specifiers.py", line 105, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '= 1.4.2'

With skjold 0.3.2 it runs ok. I believe this github vulnerability is the one that it is erroring on: GHSA-73m2-3pwg-5fgc

@twu twu added bug Something isn't working source:github labels Aug 9, 2021
@twu twu self-assigned this Aug 9, 2021
@twu twu added this to the v0.4.1 milestone Aug 9, 2021
@twu twu closed this as completed in 2f14e07 Aug 9, 2021
twu (Owner) commented Aug 9, 2021

> With skjold 0.3.2 it runs ok. I believe this github vulnerability is the one that it is erroring on: GHSA-73m2-3pwg-5fgc

Yes, you are totally right. I hotfixed it and added a few test cases to ensure that = 1.4.2 etc. are now properly handled. This only affected github and v0.4.0. Thank you for reporting this :)
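The traceback shows the root cause: the advisory's vulnerableVersionRange is the string `= 1.4.2`, and `packaging.specifiers.SpecifierSet` rejects it because PEP 440 spells equality `==`. As an added example (not skjold's code or its fix), the stdlib-only checker below normalises such ranges into PEP 440 syntax and tests whether a pinned version falls inside them; the operator set, the comma-separated clause grammar and the sample ranges are assumptions, and only plain dotted releases are handled.

```python
import operator
import re
from typing import List, Tuple

# Comparison operators assumed for GitHub advisory ranges; "=" is the form
# from the traceback above that a PEP 440 parser rejects ("==" is the PEP 440
# spelling, so both are accepted here and mean the same thing).
_OPS = {
    "=": operator.eq, "==": operator.eq,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}
_CLAUSE = re.compile(r"^\s*(<=|>=|==|<|>|=)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2). Pre-release or local suffixes are rejected
    loudly rather than silently mis-compared."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text.strip()):
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def parse_range(range_text: str) -> List[Tuple[str, Version]]:
    """Split a comma-separated range such as '>= 1.0, < 1.4.2' into clauses."""
    clauses = []
    for raw in range_text.split(","):
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported range clause: {raw!r}")
        op, ver = m.groups()
        clauses.append((op, parse_version(ver)))
    return clauses


def to_pep440(range_text: str) -> str:
    """Rewrite a GitHub range into PEP 440 syntax: '= 1.4.2' -> '==1.4.2'."""
    return ",".join(("==" if op == "=" else op) + ".".join(map(str, v))
                    for op, v in parse_range(range_text))


def is_affected(version: str, range_text: str) -> bool:
    """True if every clause holds; components are zero-padded so 1.4 == 1.4.0."""
    v = parse_version(version)
    for op, bound in parse_range(range_text):
        n = max(len(v), len(bound))
        a, b = v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))
        if not _OPS[op](a, b):
            return False
    return True
```

With the pin from the report, `is_affected("1.4.4", "= 1.4.2")` is False, so a scanner that normalised the range first would have reported nothing instead of crashing.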
