Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checking pyspark against gemnasium throws an exception #90

Closed
stesix opened this issue Jan 19, 2022 · 1 comment · Fixed by #115
Closed

checking pyspark against gemnasium throws an exception #90

stesix opened this issue Jan 19, 2022 · 1 comment · Fixed by #115
Assignees
@twu
Labels
bug Something isn't working source:gemnasium
Milestone
v0.5.0

Comments

@stesix
Copy link

stesix commented Jan 19, 2022

command to reproduce the issue: echo 'pyspark==3.1.2' | skjold -v audit --sources gemnasium -

Result:

Warning: No 'pyproject.toml' found!
sources: []
report_only: False
report_format: cli
verbose: True
cache_dir: .skjold_cache
cache_expires: 43200
ignore_file: .skjoldignore
Using .skjold_cache as cache location
Using .skjoldignore as ignore file
Checking 1 package(s).
Using ['gemnasium'] as source(s).
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/packaging/specifiers.py", line 634, in __init__
    parsed.add(Specifier(specifier))
  File "/usr/local/lib/python3.8/site-packages/packaging/specifiers.py", line 98, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '('

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/merge/.local/bin/skjold", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1128, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1053, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1659, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 1395, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/click/decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/click/core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "/merge/.local/lib/python3.8/site-packages/skjold/cli.py", line 184, in audit_
    findings = audit(config, packages, ignore=ignore)
  File "/merge/.local/lib/python3.8/site-packages/skjold/tasks.py", line 222, in audit
    is_vulnerable, advisories = source.is_vulnerable_package(
  File "/merge/.local/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 140, in is_vulnerable_package
    if candidate.is_affected(package_version):
  File "/merge/.local/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 81, in is_affected
    affected_versions = map(allows_, self.vulnerable_version_range)
  File "/merge/.local/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 66, in vulnerable_version_range
    return [
  File "/merge/.local/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 67, in <listcomp>
    specifiers.SpecifierSet(x, prereleases=True)
  File "/usr/local/lib/python3.8/site-packages/packaging/specifiers.py", line 636, in __init__
    parsed.add(LegacySpecifier(specifier))
  File "/usr/local/lib/python3.8/site-packages/packaging/specifiers.py", line 253, in __init__
    super().__init__(spec, prereleases)
  File "/usr/local/lib/python3.8/site-packages/packaging/specifiers.py", line 98, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '('
@twu
Copy link
Owner

twu commented Feb 12, 2022

👋 Thanks for reporting this :) It looks like gemnasium is using (,0) (See pypi/pyspark/CVE-2020-27218.yml) to mark false positives which results in the above error. I will start working on skjold again soon-ish once RL has cleaned up a little. If you want tackle this I'm happy to review and merge 🙇

@twu twu added this to the v0.4.2 milestone Feb 12, 2022
@twu twu added bug Something isn't working source:gemnasium labels Feb 12, 2022
@twu twu self-assigned this Feb 12, 2022
twu added a commit that referenced this issue Jun 29, 2022
@twu
Handle withdrawn CVEs for gemnasium. Fixes #90.
77e2281
@twu twu mentioned this issue Jun 29, 2022
Merged
@twu twu closed this as completed in #115 Jun 29, 2022
twu added a commit that referenced this issue Jun 29, 2022
@twu
Handle withdrawn CVEs for gemnasium. Fixes #90.
9c59363
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@twu twu

Labels
bug Something isn't working source:gemnasium
Projects
None yet
Milestone
v0.5.0
Development

Successfully merging a pull request may close this issue.

Fix querying osv/pypa, handle withdrawn CVEs and update pre-commit hooks. twu/skjold
2 participants
@twu @stesix