Yorkshire is your friend; it checks Python requirements files for possible dependency confusion.
Project description
🐶 Yorkshire is your friend; Yorkshire checks Python requirements files for possible dependency confusion.
Note that if PEP-708 (Extending the Repository API to Mitigate Dependency Confusion Attacks) is accepted, you will no longer need to use Yorkshire.
Yorkshire was developed to scan all the files that can carry Python package index configuration. The scan reveals where multiple Python package indexes are configured, so that possible dependency confusion can be checked. By looking at the results, a user can prevent issues similar to the one that hit PyTorch's torchvision. This tool does not report whether there is an actual dependency confusion (that would require a deeper analysis); it reports whether dependency confusion is possible, i.e. whether packages can be consumed from multiple Python package indexes. That possibility matters because pip merges the candidates from every index it is given and installs the best-matching version, so a name that exists only on a private index can be shadowed by a same-named upload to the public one.
The tool checks whether any additional index URLs are configured in the respective files. Currently, the following installation methods and their files are supported:
PDM - pyproject.toml and pdm.lock
Pipenv - Pipfile and Pipfile.lock
Poetry - pyproject.toml (poetry.lock is not sufficient for dependency confusion detection)
pip - raw requirements.txt
pip-tools - requirements.txt and requirements.in
setup.cfg - the tool parses the setuptools setup.cfg configuration
setup.py - the tool statically analyses the source code of the setup.py script
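The pip and pip-tools entries above come down to spotting index options inside a requirements file. The following is an added example, not Yorkshire's own code: it re-implements that check with plain string parsing so it runs offline, handles the spellings pip accepts (`-i`, `--index-url`, `--extra-index-url`, `-f`, `--find-links`, with or without `=`), line continuations and trailing comments, and then classifies the file by how many places a package name can be resolved from. The sample files and the host pypi.example.internal are constructed for the demonstration.

```python
"""Index-option detection for pip requirements files.

Added example, not Yorkshire's code: re-implements the kind of check the tool
runs on requirements.txt / requirements.in with plain string parsing.  The
sample inputs and the host pypi.example.internal are constructed.
"""
import re
import shlex

# Options pip honours inside a requirements file that change where packages
# are looked up.  Short forms and the --option=value spelling are normalised.
INDEX_OPTIONS = {
    "-i": "index-url",
    "--index-url": "index-url",
    "--extra-index-url": "extra-index-url",
    "-f": "find-links",
    "--find-links": "find-links",
}
DEFAULT_INDEX = "https://pypi.org/simple"   # what pip uses when no -i is given


def _logical_lines(text):
    """Yield non-empty lines after joining '\\'-continuations and dropping comments.

    pip concatenates a continued line with the next one without inserting
    whitespace, and treats '#' as a comment only at line start or after
    whitespace, so a '#' inside a URL survives.
    """
    joined = re.sub(r"\\\r?\n", "", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()
        if line:
            yield line


def find_index_options(text):
    """Return [(option, value), ...] for every index/find-links option in the file.

    Nested '-r other.txt' files are not followed; a real scan would recurse.
    """
    found = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        i = 0
        while i < len(tokens):
            name, has_eq, inline_value = tokens[i].partition("=")
            if name in INDEX_OPTIONS:
                if has_eq:
                    value = inline_value
                else:
                    i += 1
                    value = tokens[i] if i < len(tokens) else ""
                found.append((INDEX_OPTIONS[name], value))
            i += 1
    return found


def assess(text):
    """Classify a requirements file by how many places a name can come from.

    Returns (verdict, sorted list of sources):
      'pypi-only'             nothing but the default index
      'single-private-index'  one --index-url, no extras: a single source, so
                              no confusion inside pip itself (a proxy index
                              that falls through to PyPI can reintroduce it)
      'confusable'            more than one source: pip merges candidates from
                              all of them and installs the highest version, so
                              a same-named public upload can win
    """
    options = find_index_options(text)
    indexes = [v for k, v in options if k == "index-url"]
    extras = [v for k, v in options if k == "extra-index-url"]
    links = [v for k, v in options if k == "find-links"]
    # Only the last --index-url is effective; the others are overridden.
    sources = set(indexes[-1:] or [DEFAULT_INDEX]) | set(extras) | set(links)
    if len(sources) > 1:
        return "confusable", sorted(sources)
    if indexes and indexes[-1] != DEFAULT_INDEX:
        return "single-private-index", sorted(sources)
    return "pypi-only", sorted(sources)


# Constructed sample inputs (not taken from the Yorkshire test suite).
SAMPLE_CONFUSABLE = """\
# private index first, public PyPI as an extra: the classic confusion setup
--index-url https://pypi.example.internal/simple   # assumed private host
--extra-index-url=https://pypi.org/simple
requests==2.31.0
internal-billing-client>=3.2
"""
SAMPLE_PRIVATE_ONLY = """\
-i https://pypi.example.internal/simple
internal-billing-client>=3.2
"""
SAMPLE_CONTINUATION = """\
--find-links \\
    https://download.pytorch.org/whl/cpu
torch==2.0.1
"""
SAMPLE_PLAIN = "requests==2.31.0\nurllib3>=2\n"

if __name__ == "__main__":
    for label, sample in [("confusable", SAMPLE_CONFUSABLE),
                          ("private-only", SAMPLE_PRIVATE_ONLY),
                          ("continuation", SAMPLE_CONTINUATION),
                          ("plain", SAMPLE_PLAIN)]:
        print(label, assess(sample))
```

The verdict deliberately separates "one private index" from "several sources": the former is safe from pip's point of view, while the latter is exactly the configuration the tool's warnings point at.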
Installation
Yorkshire is available on PyPI:
pip install yorkshire
yorkshire --help
To install the tool from the Git repository, run the following from the root of the cloned yorkshire directory:
python3 -m venv venv
source venv/bin/activate
pip install -e .
yorkshire --help
Usage
yorkshire detect DIR|FILE|URL
If the supplied argument is a directory, Yorkshire traverses the whole directory tree and checks the files it finds.
If the supplied argument is a file, Yorkshire performs the analysis on that file.
If the supplied argument is a URL, Yorkshire downloads the referenced file and analyses it (the file is deleted once the analysis is done).
See --help for more information:
yorkshire --help
yorkshire detect --help
Example runs
The tool can be run on a single requirements file to check the configured Python package indexes:
$ yorkshire detect tests/data/requirements_files/fail/pipfile/Pipfile
2023-03-10 14:07:01,640 [24252] INFO yorkshire._lib: Performing detection in Pipfile file located at 'tests/data/requirements_files/fail/pipfile'
2023-03-10 14:07:01,640 [24252] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile/Pipfile' states one or multiple Python package indexes: ['https://pypi.ac.cn/simple', 'https://download.pytorch.org/whl/cpu']
Alternatively, it can traverse a directory tree and report its findings:
$ yorkshire detect tests/data/requirements_files/fail
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in setup.py file located at 'tests/data/requirements_files/fail/setup_py'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/setup_py/setup.py' uses dependency links
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in pyproject.toml file located at 'tests/data/requirements_files/fail/pyproject_toml/poetry'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pyproject_toml/poetry/pyproject.toml' uses an explicitly configured Poetry source: ['https://test.pypi.org/simple/']
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in pyproject.toml file located at 'tests/data/requirements_files/fail/pyproject_toml/pdm'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pyproject_toml/pdm/pyproject.toml' uses an explicitly configured PDM source: ['https://test.pypi.org/simple']
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in setup.cfg file located at 'tests/data/requirements_files/fail/setup_cfg/01'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/setup_cfg/01/setup.cfg' uses dependency links: http://peak.telecommunity.com/snapshots/
2023-03-10 14:08:39,812 [24502] INFO yorkshire._lib: Performing detection in requirements.in file located at 'tests/data/requirements_files/fail/requirements/02'
2023-03-10 14:08:39,812 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/requirements/02/requirements.in' states one or multiple extra index URLs: ['https://download.pytorch.org/whl/cpu']
2023-03-10 14:08:39,812 [24502] INFO yorkshire._lib: Performing detection in requirements.in file located at 'tests/data/requirements_files/fail/requirements/01'
2023-03-10 14:08:39,812 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/requirements/01/requirements.in' states --find-links: ['https://github.com/NVIDIA/Torch-TensorRT/releases']
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in pdm.lock file located at 'tests/data/requirements_files/fail/pdm_lock'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: Package 'certifi 2021.10.8' is not consumed from PyPI: https://files.custom.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in Pipfile file located at 'tests/data/requirements_files/fail/pipfile'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile/Pipfile' states one or multiple Python package indexes: ['https://pypi.ac.cn/simple', 'https://download.pytorch.org/whl/cpu']
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in Pipfile.lock file located at 'tests/data/requirements_files/fail/pipfile_lock'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile_lock/Pipfile.lock' states one or multiple Python package indexes: ['https://pypi.ac.cn/simple', 'https://localhost:8080/simple']
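The last two warnings above come from lock files, where the question is not only which sources are declared but which packages can actually be served by more than one of them. The following is an added example, not Yorkshire's code: it reads the `_meta.sources` list that Pipenv writes into Pipfile.lock, lists the non-PyPI sources, and works out which packages are confusable given how Pipenv maps packages to indexes. The lock file is constructed for the demonstration, modelled on the sources in the run above (pypi plus a localhost index); the `search_all_sources` parameter stands in for the Pipfile setting `install_search_all_sources`, which the lock itself does not record.

```python
"""Index audit for a Pipfile.lock.

Added example, not Yorkshire's code.  The lock below is constructed; the
package names and versions in it are illustrative only.
"""
import json
from urllib.parse import urlparse

PYPI_HOSTS = {"pypi.org", "pypi.python.org"}


def is_pypi(url):
    """True if the index URL points at the public Python Package Index."""
    return urlparse(url).hostname in PYPI_HOSTS


def audit_pipfile_lock(lock_text, search_all_sources=False):
    """Return the sources a lock declares and the packages that are confusable.

    Pipenv resolves a package from the source named by its ``index`` key and
    otherwise from the first (default) source.  With the Pipfile setting
    ``install_search_all_sources = true`` (not stored in the lock, hence the
    parameter) unpinned packages are looked up in every source, which is the
    confusion-prone mode.  Pinned packages are treated here as restricted to
    their index; confirm that against the Pipenv version in use.
    """
    lock = json.loads(lock_text)
    sources = [(s["name"], s["url"]) for s in lock["_meta"]["sources"]]
    url_by_name = dict(sources)
    default_name = sources[0][0]
    confusable = []
    for section in ("default", "develop"):
        for pkg, spec in lock.get(section, {}).items():
            index = spec.get("index")
            if index is None and search_all_sources:
                candidates = [url for _, url in sources]
            else:
                # Tolerate an 'index' given as a URL rather than a source name.
                candidates = [url_by_name.get(index or default_name, index)]
            if len(candidates) > 1:
                confusable.append((pkg, candidates))
    return {
        "multiple_indexes": len(sources) > 1,
        "non_pypi_sources": [url for _, url in sources if not is_pypi(url)],
        "confusable": confusable,
    }


# Constructed Pipfile.lock: public PyPI first, a local index second.
SAMPLE_LOCK = json.dumps({
    "_meta": {
        "hash": {"sha256": "0" * 64},
        "pipfile-spec": 6,
        "requires": {"python_version": "3.11"},
        "sources": [
            {"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": True},
            {"name": "internal", "url": "https://localhost:8080/simple", "verify_ssl": True},
        ],
    },
    "default": {
        "requests": {"version": "==2.31.0", "hashes": []},
        "internal-billing-client": {"version": "==3.2.0", "index": "internal", "hashes": []},
    },
    "develop": {
        "pytest": {"version": "==7.4.0", "hashes": []},
    },
})

if __name__ == "__main__":
    print(audit_pipfile_lock(SAMPLE_LOCK))
    print(audit_pipfile_lock(SAMPLE_LOCK, search_all_sources=True))
```

With the default Pipenv behaviour the lock declares two indexes but no package is confusable, which is why the tool's own warning is phrased as "states one or multiple Python package indexes" rather than as a confirmed problem; turning on search-all-sources is what makes the unpinned packages resolvable from both.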
The tool can also check files referenced by URL (any query parameters are intentionally dropped):
$ yorkshire detect https://raw.githubusercontent.com/pytorch/pytorch/master/requirements.txt
2023-03-10 14:11:45,774 [24832] INFO yorkshire._lib: Performing detection in requirements.txt file located at 'https://raw.githubusercontent.com/pytorch/pytorch/master'
$ echo $?
0
Using Yorkshire as a library
Yorkshire can be used as a library in your application:
>>> import os
>>> import yorkshire
>>> path = os.getcwd()
>>> yorkshire.detect(path)  # walk a directory tree, as `yorkshire detect DIR` does
>>> yorkshire.detect_file(os.path.join(path, "requirements.txt"))  # analyse a single file (file name here is an assumed example)
>>> help(yorkshire.detect)
>>> help(yorkshire.detect_file)
License
See the LICENSE file.