Action fails for Python 3.8+ #46

Closed

NeonDaniel opened this issue Jun 18, 2024 · 6 comments

@NeonDaniel

Current behavior

When running the action against Python 3.8-3.10, the action fails due to a missing output file. After enabling debugging, it appears this is due to a breaking change in the `cyclonedx-python-lib` dependency. The issue did not occur for Python 3.7, which resolves an older version of this dependency.

Expected behavior

I would expect the action to pass, or else print the relevant vulnerabilities causing the failure.

Steps to reproduce

1. Define an automation like:

   ```yaml
   jobs:
     build_tests:
       strategy:
         matrix:
           python-version: [ 3.7, 3.8, 3.9, "3.10" ]
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@v4
         - name: Setup Python
           uses: actions/setup-python@v5
           with:
             python-version: ${{ matrix.python-version }}
         - name: Install Build Tools
           run: |
             python -m pip install --upgrade build wheel setuptools pip
         - name: Install package
           run: |
             pip install .
         - uses: pypa/[email protected]
   ```

2. Observe that `build_tests (3.7)` will exit with a valid result while the other runs will fail with `FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'`.

Relevant context

I diagnosed the issue with this action run. Relevant logs:

```text
DEBUG: running: pip-audit ['--progress-spinner=off', '--format=markdown', '--cache-dir=/tmp/pip-audit-cache', '--desc', '--output=/tmp/pip-audit-output.txt', '--verbose', '--ignore-vuln', 'PYSEC-2023-228', '--ignore-vuln', 'GHSA-9wx4-h78v-vm56', '--ignore-vuln', 'GHSA-34jh-p97f-mpxf', '--vulnerability-service', 'pypi']
DEBUG: Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/__main__.py", line 6, in <module>
    from pip_audit._cli import audit
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_cli.py", line 26, in <module>
    from pip_audit._format import (
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/__init__.py", line 6, in <module>
    from .cyclonedx import CycloneDxFormat
  File "/opt/hostedtoolcache/Python/3.9.19/x64/lib/python3.9/site-packages/pip_audit/_format/cyclonedx.py", line 13, in <module>
    from cyclonedx.parser import BaseParser
ModuleNotFoundError: No module named 'cyclonedx.parser'

❌ pip-audit found one or more problems
Traceback (most recent call last):
  File "/home/runner/work/_actions/pypa/gh-action-pip-audit/v1.0.0/action.py", line 134, in <module>
    with open("/tmp/pip-audit-output.txt", "r") as io:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pip-audit-output.txt'
Error: Process completed with exit code 1.
```

I was able to make the automation use `cyclonedx~=4.0`, which got the automation passing.

NeonDaniel added the `bug` (Something isn't working) label Jun 18, 2024
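The log above shows the failure mode worth guarding against in any CI wrapper around a scanner: pip-audit died on an import error before writing its report, the wrapper printed "found one or more problems" anyway, and then crashed on the missing file, so a tool outage looked like a vulnerability finding. The following is an added illustration, not code from this issue or from the gh-action-pip-audit action: a hypothetical wrapper that only treats a non-zero exit as findings when the report file exists, and otherwise reports a tool error with the last stderr line. The `Runner` callable, the three constructed runner functions, the temporary report path and the return codes are assumptions made for the illustration.

```python
"""Added example (not the gh-action-pip-audit project's code).

Distinguishes "scanner ran and reported findings" from "scanner crashed
before producing a report". The runner callable, paths and exit codes are
assumptions for the illustration, not the real action's interface.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

# Constructed stand-in for a finished pip-audit subprocess.
@dataclass
class AuditRun:
    returncode: int
    stderr: str

CLEAN = "clean"            # tool ran, no findings
FINDINGS = "findings"      # tool ran, reported vulnerabilities
TOOL_ERROR = "tool-error"  # tool crashed or wrote no report

# Hypothetical runner: given the report path, "runs" the scanner and
# returns its exit code and stderr.
Runner = Callable[[Path], AuditRun]


def classify_audit(run: AuditRun, output_path: Path) -> tuple[str, str]:
    """Return (status, detail).

    A non-zero exit only counts as findings when the report was actually
    written; a missing report is a tool failure regardless of exit code.
    """
    if not output_path.is_file():
        lines = run.stderr.strip().splitlines()
        last = lines[-1] if lines else "no stderr"
        return TOOL_ERROR, f"no report written to {output_path}: {last}"
    report = output_path.read_text()
    return (CLEAN if run.returncode == 0 else FINDINGS), report


def run_and_classify(runner: Runner) -> tuple[str, str]:
    """Run the scanner against a fresh temporary report path and classify."""
    with tempfile.TemporaryDirectory() as tmp:
        output_path = Path(tmp) / "pip-audit-output.txt"
        return classify_audit(runner(output_path), output_path)


# --- Constructed runners emulating the three outcomes --------------------

def crashed_on_import(output_path: Path) -> AuditRun:
    # Mirrors the issue: the import fails before any report is written.
    return AuditRun(
        1,
        "Traceback (most recent call last):\n  ...\n"
        "ModuleNotFoundError: No module named 'cyclonedx.parser'",
    )


def found_vulnerabilities(output_path: Path) -> AuditRun:
    # Constructed markdown report header standing in for real findings.
    output_path.write_text("| Name | Version | ID | Fix Versions |\n|---|---|---|---|\n")
    return AuditRun(1, "")


def clean_run(output_path: Path) -> AuditRun:
    output_path.write_text("No known vulnerabilities found\n")
    return AuditRun(0, "")


def demo() -> dict[str, str]:
    """Classify each constructed outcome; returns {label: status}."""
    return {
        name: run_and_classify(runner)[0]
        for name, runner in [
            ("crash", crashed_on_import),
            ("findings", found_vulnerabilities),
            ("clean", clean_run),
        ]
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point of the split is operational: a `tool-error` should fail the job loudly with the scanner's own exception, not be reported as a vulnerability finding that someone then tries to suppress with `--ignore-vuln`.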
NeonDaniel added a commit to OpenVoiceOS/ovos-lingua-franca that referenced this issue Jun 18, 2024
JarbasAl pushed a commit to OpenVoiceOS/ovos-lingua-franca that referenced this issue Jun 18, 2024
* Update GHA to ignore irrelevant Mercurial vulnerability

* Update build tests to run when any files affecting build are changed

* Ignore `requests` and `urllib3` vulnerabilities as they are not used in this package

* Allow all build tests to run in parallel

* Update actions versions to troubleshoot failures

* Try specifying requirements file directly

* Enable pipaudit debugging

* Pin older cyclonedx package to troubleshoot pip-audit automation bug

* Pin older cyclonedx package to troubleshoot pip-audit automation bug

* Disable pipaudit debugging
Add TODO linking relevant issue pypa/gh-action-pip-audit#46

---------

Co-authored-by: Daniel McKnight <[email protected]>
@woodruffw (Member)

Hi @NeonDaniel, thanks for the report. Taking a look now.

@woodruffw (Member)

Hmm, I can't immediately reproduce this locally: your workflow is using cyclonedx-python-lib==7.4.1 (source), which is the same mine is using locally, without issues.

@woodruffw (Member)

Ah, I think I see the problem here: your workflow is using pypa/[email protected], which is selecting an older version of pip-audit.

Could you try using v1.0.8 instead? That's the latest version of this action, and it shouldn't have these problems.

woodruffw added the `question` (Further information is requested) label Jun 18, 2024
@woodruffw (Member)

(Also, where did you get v1.0.0 from? That might be an old doc that needs updating somewhere.)

@NeonDaniel (Author)

> (Also, where did you get v1.0.0 from? That might be an old doc that needs updating somewhere.)

It looks like the automation was originally written by @JarbasAI; I was just looking into the failures (I'm actually not sure how long the automation has been failing).

I completely missed that we were using 1.0.0 while 1.0.8 is the latest. I see now that the examples and latest release do specify 1.0.8.

Updating to the latest appears to have resolved the issues.

@woodruffw (Member)

Glad to hear it, and thanks for the detailed report regardless!

woodruffw removed the `bug` (Something isn't working) and `question` (Further information is requested) labels Jun 18, 2024