
Control pip's resolution process

Project description

To get this out of the way from the start: this tool, pipctl, is pronounced "pip cuddle". 🤗🐍

Note: this tool is only a prototype.

The tool generates a requirements file with all dependencies locked to exact versions (similar to what pip-tools does), but it only selects dependency versions that have no known vulnerabilities, or only vulnerabilities explicitly declared acceptable. The OSV database is used as the source of known vulnerabilities.

Usage

First, install the tool

pip install pipctl

Create a configuration file

pipctl config

Example content of pipctl.yaml

# A listing of vulnerabilities that are acceptable in the application. OSV.dev is used as a source.
acceptable_vulnerabilities: []
# A path to requirements.txt file, relative to this configuration file.
requirements_file: ./requirements.txt

Declare your dependencies in a requirements.txt file (or, as with pip-tools, in requirements.in; the file name is set in the configuration file)

flask<=2.2.2

To generate the locked requirements file, run

pipctl constraint > requirements-pipctl.txt

Example of the output produced (content of requirements-pipctl.txt)

click==8.1.3
flask==2.2.2
importlib-metadata==6.0.0
itsdangerous==2.1.2
jinja2==3.1.2
markupsafe==2.1.1
werkzeug==2.2.2
zipp==3.11.0

Afterwards, the application's dependencies can be installed with pip

pip install -r requirements-pipctl.txt

If you store dependencies in another format, consider converting them with micropipenv and its micropipenv requirements subcommand.

If resolution with pipctl fails because of vulnerabilities, check whether a non-vulnerable version of the affected dependency is available at all; the messages printed to stderr name each vulnerability and the constraint that was added for it. If the vulnerabilities are acceptable, declare them in pipctl.yaml and rerun the resolution.

Examples

$ cat pipctl.yaml
acceptable_vulnerabilities: []
requirements_file: ./requirements.txt

$ cat requirements.txt
urllib3==1.26.0

$ pipctl constraint
 WARNING: Adding constraint 'urllib3!=1.26.0' based on vulnerability GHSA-5phf-pp7p-vc2r - see https://osv.dev/vulnerability/GHSA-5phf-pp7p-vc2r
 ERROR: Cannot install urllib3!=1.26.0 and urllib3==1.26.0 because these package versions have conflicting dependencies.
 ERROR: Traceback (most recent call last):
   File "/Users/fridolin.pokorny/git/fridex/pipctl/venv/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers.py", line 348, in resolve
     self._add_to_criteria(self.state.criteria, r, parent=None)
   File "/Users/fridolin.pokorny/git/fridex/pipctl/venv/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers.py", line 173, in _add_to_criteria
     raise RequirementsConflicted(criterion)
 pip._vendor.resolvelib.resolvers.RequirementsConflicted: Requirements conflict: SpecifierRequirement('urllib3==1.26.0'), SpecifierRequirement('urllib3!=1.26.0')
...

An updated configuration file that declares GHSA-5phf-pp7p-vc2r and GHSA-q2q7-5pp4-w6pg as acceptable vulnerabilities leads to a successful resolution. The PYSEC entries in the output are ignored as well because they are aliases of the accepted GHSA identifiers (see the configuration file section below).

$ cat pipctl.yaml  # A new pipctl.yaml file
acceptable_vulnerabilities: [GHSA-5phf-pp7p-vc2r, GHSA-q2q7-5pp4-w6pg]
requirements_file: ./requirements.txt

$ cat requirements.txt
urllib3==1.26.0

$ pipctl constraint
2023-01-11 18:12:34,240 [79773] INFO     pipctl._osv: Downloading OSV database
WARNING: Ignoring vulnerability 'GHSA-5phf-pp7p-vc2r'
WARNING: Ignoring vulnerability 'GHSA-q2q7-5pp4-w6pg'
WARNING: Ignoring vulnerability 'PYSEC-2021-108'
WARNING: Ignoring vulnerability 'PYSEC-2021-59'
urllib3==1.26.0

Another resolution example, which finds a dependency set without vulnerabilities

$ cat requirements.in
flask<2
certifi<=2022.9.24

$ cat pipctl.yaml
acceptable_vulnerabilities: []
requirements_file: ./requirements.in

$ python3 ./pipctl-cli constraints
2022-12-19 10:16:44,087 [92142] INFO     pipctl._osv: Downloading OSV database
WARNING: Adding constraint 'certifi!=2022.9.24' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=1.0.1' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'certifi!=2022.9.14' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2022.6.15.2' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2022.6.15.1' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2022.6.15' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2022.5.18.1' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=1.0.0' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'certifi!=2021.10.8' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=0.16.1' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'certifi!=2021.5.30' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2020.12.5' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=0.16.0' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'werkzeug!=0.15.6' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'werkzeug!=0.15.5' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'werkzeug!=0.15.4' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'werkzeug!=0.15.3' based on vulnerability PYSEC-2022-203 - see https://osv.dev/vulnerability/PYSEC-2022-203
WARNING: Adding constraint 'certifi!=2020.11.8' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2020.6.20' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2020.4.5.2' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2020.4.5.1' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=0.15.2' based on vulnerability GHSA-gq9m-qvpx-68hc - see https://osv.dev/vulnerability/GHSA-gq9m-qvpx-68hc
WARNING: Adding constraint 'werkzeug!=0.15.1' based on vulnerability GHSA-gq9m-qvpx-68hc - see https://osv.dev/vulnerability/GHSA-gq9m-qvpx-68hc
WARNING: Adding constraint 'certifi!=2020.4.5' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'werkzeug!=0.15.0' based on vulnerability GHSA-gq9m-qvpx-68hc - see https://osv.dev/vulnerability/GHSA-gq9m-qvpx-68hc
WARNING: Adding constraint 'certifi!=2019.11.28' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2019.9.11' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2019.6.16' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2019.3.9' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.11.29' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.10.15' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.8.24' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.8.13' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.4.16' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2018.1.18' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
WARNING: Adding constraint 'certifi!=2017.11.5' based on vulnerability GHSA-43fp-rhv2-5gv8 - see https://osv.dev/vulnerability/GHSA-43fp-rhv2-5gv8
certifi==2017.7.27.1
click==8.1.3
flask==1.1.2
itsdangerous==2.1.2
jinja2==3.1.2
markupsafe==2.1.1
werkzeug==2.2.2

Configuration file

The configuration file can be generated with

pipctl config

An example configuration file may look like this

# A listing of vulnerabilities that are acceptable in the application. OSV.dev is used as a source.
acceptable_vulnerabilities:
- GHSA-5wv5-4vpf-pj6m   # See https://osv.dev/vulnerability/GHSA-5wv5-4vpf-pj6m
requirements_file: ./requirements.txt

Each vulnerability can be referenced by its identifier in the OSV.dev database or by one of its aliases (such as a PYSEC or CVE identifier); see the example above.
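The following script is an added example, not pipctl's own code, showing the mechanism the usage section and the alias rule above describe: every version an OSV advisory lists as affected becomes a package!=version exclusion, an advisory whose id or alias is declared acceptable is skipped entirely, and the resulting constraints are handed to pip's resolver. The embedded advisories are constructed in OSV schema shape from the identifiers and versions that appear in the transcripts on this page; the GHSA-to-PYSEC alias pairing is what the second transcript implies and is stated here as an assumption.

```python
"""Derive pip '!=' constraints from OSV advisories, honouring accepted vulnerabilities.

Added example for this page; it is not pipctl's own implementation.
"""
import json
import re

# Constructed advisories (OSV schema shape). Ids and versions are taken from this
# page's transcripts; the alias pairing is an assumption made for the example.
SAMPLE_OSV_JSON = json.dumps([
    {
        "id": "GHSA-5phf-pp7p-vc2r",
        "aliases": ["PYSEC-2021-108"],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "urllib3"},
                      "versions": ["1.26.0"]}],
    },
    {
        "id": "GHSA-q2q7-5pp4-w6pg",
        "aliases": ["PYSEC-2021-59"],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "urllib3"},
                      "versions": ["1.26.0"]}],
    },
    {
        "id": "GHSA-43fp-rhv2-5gv8",
        "aliases": [],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "certifi"},
                      "versions": ["2022.9.24", "2022.9.14"]}],
    },
])


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation, so 'Markup_Safe' and 'markupsafe' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_acceptable(advisory: dict, acceptable: set[str]) -> bool:
    """An advisory is accepted if its OSV id or any of its aliases was declared acceptable."""
    ids = {advisory["id"], *advisory.get("aliases", [])}
    return bool(ids & acceptable)


def version_key(version: str) -> tuple:
    """Sort key: numeric dotted components compare as integers, others as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def build_constraints(osv_text: str, acceptable: set[str]) -> tuple[list[str], list[str]]:
    """Return (constraint lines, ids of advisories skipped as acceptable).

    Only PyPI entries are considered. Every affected version becomes a '!='
    specifier; specifiers for one package are merged into a single line.
    """
    excluded: dict[str, set[str]] = {}
    ignored: list[str] = []
    for advisory in json.loads(osv_text):
        if is_acceptable(advisory, acceptable):
            ignored.append(advisory["id"])
            continue
        for affected in advisory.get("affected", []):
            pkg = affected.get("package", {})
            if pkg.get("ecosystem") != "PyPI":
                continue
            name = normalize(pkg["name"])
            excluded.setdefault(name, set()).update(affected.get("versions", []))
    lines = []
    for name in sorted(excluded):
        versions = sorted(excluded[name], key=version_key)
        lines.append(name + ",".join("!=" + v for v in versions))
    return lines, ignored


if __name__ == "__main__":
    import sys

    # Same two accepted ids as in the second transcript on this page.
    accepted = {"GHSA-5phf-pp7p-vc2r", "GHSA-q2q7-5pp4-w6pg"}
    lines, ignored = build_constraints(SAMPLE_OSV_JSON, accepted)
    for vuln_id in ignored:
        print(f"WARNING: Ignoring vulnerability '{vuln_id}'", file=sys.stderr)
    # Redirect stdout to a constraints file and hand it to pip's resolver:
    #   python3 osv_constraints.py > constraints-pipctl.txt
    #   pip install -c constraints-pipctl.txt -r requirements.txt
    print("\n".join(lines))
```

With an empty acceptable list the script emits urllib3!=1.26.0, and pip installing a requirements file that pins urllib3==1.26.0 against that constraints file fails with the same conflicting-requirements error shown in the first transcript. Listing either the GHSA ids or their PYSEC aliases drops the urllib3 exclusion, which is why the second transcript reports all four identifiers as ignored.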

License

See the LICENSE file.
