"failed to run rule potentially_compromised_email_domain: Invalid version [...]" when using Recent "packaging" Package #389

Open
cedricvanrompay-datadog opened this issue Jun 17, 2024 · 0 comments
Labels
bug Something isn't working

Comments

cedricvanrompay-datadog commented Jun 17, 2024

The rule `potentially_compromised_email_domain` uses `version.parse` (with `version` coming from https://github.com/pypa/packaging/) on all versions of a PyPI package:

```python
releases.keys(), key=lambda r: version.parse(r), reverse=True
```

Now, https://github.com/pypa/packaging/releases/tag/22.0 removed support for legacy version identifiers (see changelog), causing version.parse to raise an error when trying to sort the versions of a package that has weird versions like https://pypi.org/project/pytz/2004d/:

```python
Python 3.12.2 (main, May 17 2024, 12:48:02) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import packaging
>>> packaging.__version__
'24.0'
>>> packaging.version.parse("2004d")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/cedric.vanrompay/.pyenv/versions/3.12.2/lib/python3.12/site-packages/packaging/version.py", line 54, in parse
    return Version(version)
           ^^^^^^^^^^^^^^^^
  File "/Users/cedric.vanrompay/.pyenv/versions/3.12.2/lib/python3.12/site-packages/packaging/version.py", line 200, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: '2004d'
>>>
```

Right now GuardDog's `poetry.lock` has the version for `packaging` set to 21.3, so there is no error:

```console
➜  guarddog git:(v1.10.0) ✗ poetry run python
Python 3.11.1 (main, Apr  9 2023, 11:26:24) [Clang 14.0.0 (clang-1400.0.29.202)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import packaging
>>> packaging.__version__
'21.3'
>>> packaging.version.parse("2004d")
<LegacyVersion('2004d')>
>>>
```

But this version is not constrained by `pyproject.toml`, so the next time someone runs `poetry update` this is going to break GuardDog. Also, for some reason my team ended up with an installation of GuardDog using a recent version of `packaging`, and so we got hit by this bug.

cedricvanrompay-datadog changed the title from "failed to run rule potentially_compromised_email_domain: Invalid version [...]" when using Python 3.12 to "failed to run rule potentially_compromised_email_domain: Invalid version [...]" when using Recent "packaging" Package on Jun 17, 2024

cedricvanrompay-datadog added the bug label on Jun 17, 2024
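The failure mode reported above is a scanner rule aborting on a single malformed release string, which means the whole package is skipped rather than analysed. As an added example (not GuardDog's code, and not part of the original issue), the block below shows one way a rule could sort release strings newest-first while tolerating the legacy identifiers that `packaging` >= 22 rejects: valid PEP 440 versions are ordered by `Version`, and anything that raises `InvalidVersion` is pushed to the end instead of crashing the rule. It assumes the `packaging` package is installed; the release list is constructed sample data modelled on the `pytz` `2004d` case from the report, and the function names are hypothetical.

```python
from packaging.version import InvalidVersion, Version


def version_sort_key(release: str):
    """Sort key for release strings that never raises.

    Returns a tuple so that, with sorted(..., reverse=True):
      * valid PEP 440 versions (flag 1) come before invalid ones (flag 0),
      * valid versions are ordered by their parsed Version,
      * invalid legacy strings keep a deterministic (string) order among themselves.
    Version(...) raises InvalidVersion for legacy identifiers on both old and
    new packaging releases, so the behaviour does not depend on the installed version.
    """
    try:
        return (1, Version(release), "")
    except InvalidVersion:
        return (0, Version("0"), release)


def newest_first(releases):
    """Return the release strings sorted newest-first without aborting on legacy versions."""
    return sorted(releases, key=version_sort_key, reverse=True)


def newest_release(releases):
    """The newest parseable release, or None if the list is empty."""
    ordered = newest_first(releases)
    return ordered[0] if ordered else None


def invalid_releases(releases):
    """Release strings that packaging cannot parse, so a rule can log (not crash on) them."""
    return [r for r in releases if version_sort_key(r)[0] == 0]


# Constructed sample input, modelled on pytz's legacy "2004d"-style identifiers.
SAMPLE_RELEASES = ["2004d", "2023.3", "2024.1", "2005k"]

if __name__ == "__main__":
    # The rule's original pattern, version.parse on every key, raises on "2004d"
    # with packaging >= 22; this ordering completes instead:
    print(newest_first(SAMPLE_RELEASES))
    print("unparseable:", invalid_releases(SAMPLE_RELEASES))
```

The invalid entries are kept rather than dropped so the rule can still report that a package carries non-PEP 440 release names, which is itself useful signal when reviewing a package's history.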