Crash on `package @ git+...` dependencies

[Zac-HD]

Bug description

Using package @ git+... dependencies crashes pip-audit with a traceback, when I'd expect it to output the usual report with those packages listed by name and skip-reason if unauditable.

Reproduction steps

# Some packages exist, and all is well
shed == 0.10.5

# Others *don't* exist or can't be fetched, that's reported nicely
this_might_exist_off_pypi == 0.0.1

# But if you have this awful kind of dep, you'll get a traceback!
hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python

pip-audit --no-deps -r requirements.txt

Platform information

• OS name and version: macOS Monterey
• pip-audit version (pip-audit -V): pip-audit 2.4.4
• Python version (python -V or python3 -V): Python 3.10.6
• pip version (pip -V or pip3 -V): pip 22.3

[di]

This doesn't crash for me:

$ cat requirements.txt
# Some packages exist, and all is well
shed == 0.10.5

# Others *don't* exist or can't be fetched, that's reported nicely
this_might_exist_off_pypi == 0.0.1

# But if you have this awful kind of dep, you'll get a traceback!
hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python

$ python -m pip_audit -r requirements.txt
No known vulnerabilities found
Name                      Skip Reason
------------------------- -----------------------------------------------------------------------------------------------------------------
this-might-exist-off-pypi Could not find project "this-might-exist-off-pypi" on any of the supplied index URLs: ['https://pypi.org/simple']

Can you provide the traceback you're getting?

[Zac-HD]

$ pip-audit --no-deps -r requirements.txt

WARNING:pip_audit._cli:--no-deps is supported, but users are encouraged to fully hash their pinned dependencies
WARNING:pip_audit._cli:Consider using a tool like `pip-compile`: https://pip-tools.readthedocs.io/en/latest/#using-hashes

Traceback (most recent call last):
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_cli.py", line 432, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 150, in query_all
    for spec in specs:
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_dependency_source/requirement.py", line 114, in collect
    for _, dep in self._collect_cached_deps(filename, reqs):
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_dependency_source/requirement.py", line 312, in _collect_cached_deps
    for req, dep in self._collect_preresolved_deps(
  File "/opt/homebrew/Caskroom/miniforge/base/envs/py310/lib/python3.10/site-packages/pip_audit/_dependency_source/requirement.py", line 259, in _collect_preresolved_deps
    raise RequirementSourceError(
pip_audit._dependency_source.requirement.RequirementSourceError: requirement hypothesis is not pinned, URL requirements must be pinned with #egg=your_package_name==your_package_version: hypothesis@ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python from git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python (from RequirementLine(line_number=8, line='hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python', filename=PosixPath('requirements.txt')))

(added newlines for clarity, otherwise unedited)

I suspect it's relevant that we're using a private index, and don't have https://pypi.org/simple in pip.conf 🤔

[woodruffw]

Thanks for the additional context @Zac-HD! I'll have time to attempt to repro this (and hopefully come up with a quick fix) in the coming days.

[woodruffw]

One small thing to note (that I don't think is causing the bug, but might be helpful):

I suspect it's relevant that we're using a private index, and don't have https://pypi.org/simple in pip.conf 🤔

If you're trying to avoid all network interaction with PyPI, then you'll probably want -s osv as well. By default, pip-audit uses PyPI's JSON API for vulnerability information; with -s osv it'll use the OSV's (also online) DB instead.

[woodruffw]

Did some digging here, and it looks like this error only happens with --no-deps. I think that's why @di couldn't repro it.

In particular, it looks like it happens because --no-deps requires every dependency to be fully pinned, but the URL-style requirement you're providing doesn't include a version specification.

In other words, this:

hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#subdirectory=hypothesis-python

should be this:

hypothesis @ git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#egg=hypothesis==6.56.3&subdirectory=hypothesis-python

...however, that still fails with the same error, which makes me think it might be a bug in our requirements parser. Will continue looking.

[woodruffw]

Yep, this looks like a case of pip-requirements-parser not handling the egg fragment correctly:

{'extras': [],
 'global_options': [],
 'has_egg_fragment': True,
 'hash_options': [],
 'install_options': [],
 'invalid_options': {},
 'is_archive': False,
 'is_constraint': False,
 'is_editable': False,
 'is_local_path': True,
 'is_name_at_url': True,
 'is_pinned': False,
 'is_url': True,
 'is_vcs_url': True,
 'is_wheel': False,
 'link': 'git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#egg=hypothesis==6.56.3&subdirectory=hypothesis-python',
 'marker': None,
 'name': 'hypothesis',
 'requirement_line': {'line': 'hypothesis @ '
                              'git+https://github.com/HypothesisWorks/hypothesis.git@bb6b55ad8d#egg=hypothesis==6.56.3&subdirectory=hypothesis-python',
                      'line_number': 8},
 'specifier': []}

...or us using their API wrong. I'm going to file an upstream issue to get some clarification, but this is definitely a bug on our side at the minimum!

[woodruffw]

Going further, I'm not 100% sure our current guidance in that exception (#egg=package_name==package_version) is actually correct -- I can't find a reference anywhere in pip's documentation for that syntax, and I can't find it in pip's source either. The only supported #egg=... form seems to be without the package version suffix, meaning that VCS URL dependencies cannot be meaningfully pinned.

cc @tetsuo-cpp since you wrote this bit of the code: do you know where the #egg=package_name==package_version guidance came from?

[woodruffw]

Yep, confirmed: that syntax is definitely not official or supported: pypa/pip#5384

It seems like the only way to support "pinned" dependencies with VCS URLs is to use VCS-specific tagging (e.g. git tags or revs). So we need to update the error here to clarify that --no-deps can't be used with requirements inputs that contain VCS URLs.

[Zac-HD]

So we need to update the error here to clarify that --no-deps can't be used with requirements inputs that contain VCS URLs.

Could we instead skip VCS URLs in --no-deps mode, as is reported for not-on-PyPI packages more generally?

My motivation is that I want to check a requirements file produced by pip-compile for known vulnerabilities, without giving sdist package authors arbitary code execution on my machine (by having previously installed the package, or building a wheel locally; I know that producing the lockfile did this at some point). It's not much bash to create a vcs-free requirements file to audit, but having it built in would reduce the friction for marginal users.