
pyscan's Introduction

Hey, I'm Aswin.

pronounced ah-sh-win

currently working on

pyscan

Languages:

Rust, Python, C, C++, Haskell, OCaml, F#, Kotlin, Common Lisp

Likes:

cool stuff, theoretical computer science, physics simulations, statistical learning models, radio tech, etc.


pyscan's People

Contributors

aswinnnn, jugmac00

pyscan's Issues

Incorrect version detection of requests package

Describe the bug
When running pyscan, it tells me there is a vulnerability in my requests dependency, although the version that is specified is not the version that is installed. In the installed version this vulnerability has been patched.

I am getting the following result back after running pyscan:

pyscan v0.1.1 | by Aswin (github.com/aswinnnn)
Found 6 dependencies...
|-| netaddr [0.8.0] -> No vulnerabilities found.
|-| defusedxml [0.7.1] -> No vulnerabilities found.
|-| dnspython [2.3.0rc1] -> No vulnerabilities found.
|-| pandas [2.0.1] -> No vulnerabilities found.
|-| requests [2.9.2] -> Found vulnerabilities!
|-| python-evtx [0.7.4] -> No vulnerabilities found.
SUMMARY

Dependency: requests
ID: GHSA-x84v-xcm2-53pg
Details: The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Versions affected: 0.0.1 to 2.9.2

Dependency: requests
ID: PYSEC-2018-28
Details: The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Versions affected: 0.0.1 to 2.9.2

Running a pip3 freeze yields:

defusedxml==0.7.1
dnspython==2.3.0
netaddr==0.8.0
pandas==2.0.1
pyscan-rs==0.1.1
python-evtx==0.7.4
requests==2.30.0

Yet when running pyscan package -n requests -v 2.30.0 I am getting the expected response:

Found 1 dependencies...
|-| requests [2.30.0] -> No vulnerabilities found.

To Reproduce
Steps to reproduce the behavior:

  1. Create a virtual environment
  2. Install the following requirements.txt:
    netaddr
    defusedxml
    dnspython
    pandas
    requests
    python-evtx
    
  3. Run pip3 install pyscan-rs
  4. Scanning the project: pyscan

Expected behavior
It is expected that the version number of the currently installed package is identified correctly.

Desktop (please complete the following information):

  • OS: macOS Ventura

error querying deps with a version qualifier

To Reproduce

git clone git@github.com:tox-dev/tox.git
pyscan v0.1.5 | by Aswin S (github.com/aswinnnn)
Found 12 dependencies
Failed to make a request to pypi.org:
HTTP status client error (404 Not Found) for url (https://pypi.org/pypi/cachetools%3E=5.3.1/json)
pypi.org error: HTTP status client error (404 Not Found) for url (https://pypi.org/pypi/cachetools%3E=5.3.1/json)

pyproject.toml see...
https://github.com/tox-dev/tox/blob/2e31a843ff881a70ceb3a9986dd11be69247a0da/pyproject.toml#L51

Add support for constraints.txt

Names and version of Python packages can be specified also in a constraints.txt file and pyscan doesn't detect it by name.
Please search also for constraints.txt in addition to requirements.txt.

Workaround: ln -s constraints.txt requirements.txt; pyscan (both files use the same syntax)

Context: A monorepo containing several Python packages which need to be installable into the same virtual environment needs a central place for pinning the 3rd-party package versions (in addition to per-package setup.cfg/pyproject.toml). There is a standard mechanism for that: https://pip.pypa.io/en/stable/user_guide/#constraints-files

cannot install via pip on Ubuntu 20.04

Describe the bug
compilation error during installation

To Reproduce
On Ubuntu 20.04, inside a Python 3.8 virtual environment, run pip install pyscan-rs.

❯ pip install pyscan-rs
Collecting pyscan-rs
  Using cached pyscan_rs-0.1.5.tar.gz (613 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: pyscan-rs
  Building wheel for pyscan-rs (pyproject.toml) ... error
  error: subprocess-exited-with-error
  
  × Building wheel for pyscan-rs (pyproject.toml) did not run successfully.
  │ exit code: 1
  ╰─> [190 lines of output]
      Running `maturin pep517 build-wheel -i /tmp/venv/bin/python --compatibility off`
      📦 Including license file "/tmp/pip-install-gagoeh84/pyscan-rs_ae881a838eaf4ff2971e48f40e49b2f3/LICENSE"
      🔗 Found bin bindings
      📡 Using build options bindings from pyproject.toml
         Compiling libc v0.2.144
         Compiling proc-macro2 v1.0.57
         Compiling autocfg v1.1.0
         Compiling unicode-ident v1.0.8
         Compiling quote v1.0.27
         Compiling cfg-if v1.0.0
         Compiling cc v1.0.79
         Compiling once_cell v1.18.0
         Compiling log v0.4.17
         Compiling bitflags v1.3.2
         Compiling pin-project-lite v0.2.9
         Compiling pkg-config v0.3.27
         Compiling serde v1.0.163
         Compiling futures-core v0.3.28
         Compiling memchr v2.5.0
         Compiling bytes v1.4.0
         Compiling indexmap v1.9.3
         Compiling tokio v1.28.1
         Compiling itoa v1.0.6
         Compiling syn v2.0.16
         Compiling slab v0.4.8
         Compiling futures-task v0.3.28
         Compiling hashbrown v0.12.3
         Compiling openssl-sys v0.9.87
         Compiling io-lifetimes v1.0.10
         Compiling tracing-core v0.1.31
         Compiling mio v0.8.6
         Compiling socket2 v0.4.9
         Compiling num_cpus v1.15.0
         Compiling foreign-types-shared v0.1.1
         Compiling version_check v0.9.4
         Compiling semver v1.0.17
         Compiling openssl v0.10.52
         Compiling rustix v0.37.19
         Compiling futures-util v0.3.28
         Compiling fnv v1.0.7
         Compiling ahash v0.8.3
         Compiling http v0.2.9
         Compiling foreign-types v0.3.2
         Compiling tracing v0.1.37
         Compiling psm v0.1.21
         Compiling native-tls v0.2.11
         Compiling httparse v1.8.0
         Compiling futures-channel v0.3.28
         Compiling pin-utils v0.1.0
         Compiling tinyvec_macros v0.1.1
         Compiling linux-raw-sys v0.3.7
         Compiling futures-io v0.3.28
         Compiling futures-sink v0.3.28
         Compiling tinyvec v1.6.0
         Compiling stacker v0.1.15
         Compiling num-traits v0.2.15
         Compiling utf8parse v0.2.1
         Compiling percent-encoding v2.2.0
         Compiling try-lock v0.2.4
         Compiling openssl-probe v0.1.5
         Compiling want v0.3.0
         Compiling unicode-normalization v0.1.22
         Compiling form_urlencoded v1.1.0
         Compiling anstyle-parse v0.2.0
         Compiling lenient_semver_version_builder v0.4.2
         Compiling is-terminal v0.4.7
         Compiling http-body v0.4.5
         Compiling num-integer v0.1.45
         Compiling httpdate v1.0.2
         Compiling ryu v1.0.13
         Compiling anstyle-query v1.0.0
         Compiling colorchoice v1.0.0
         Compiling serde_derive v1.0.163
         Compiling tokio-macros v2.1.0
         Compiling openssl-macros v0.1.1
         Compiling tower-service v0.3.2
         Compiling anstyle v1.0.0
         Compiling unicode-bidi v0.3.13
         Compiling anstream v0.3.2
         Compiling idna v0.3.0
         Compiling hashbrown v0.13.2
         Compiling lenient_semver_parser v0.4.2
         Compiling heck v0.4.1
         Compiling strsim v0.10.0
         Compiling serde_json v1.0.96
         Compiling winnow v0.4.6
         Compiling clap_lex v0.4.1
         Compiling clap_builder v4.2.7
         Compiling clap_derive v4.2.0
         Compiling chumsky v1.0.0-alpha.4
         Compiling lenient_version v0.4.2
         Compiling url v2.3.1
         Compiling tokio-util v0.7.8
         Compiling tokio-native-tls v0.3.1
         Compiling h2 v0.3.19
         Compiling time v0.1.45
         Compiling aho-corasick v1.0.1
         Compiling encoding_rs v0.8.32
         Compiling mime v0.3.17
         Compiling serde_spanned v0.6.1
         Compiling toml_datetime v0.6.1
         Compiling hyper v0.14.26
         Compiling toml_edit v0.19.8
         Compiling serde_urlencoded v0.7.1
         Compiling regex-syntax v0.7.1
         Compiling hyper-tls v0.5.0
         Compiling unicode-width v0.1.10
         Compiling base64 v0.21.0
         Compiling ipnet v2.7.2
         Compiling lazy_static v1.4.0
         Compiling iana-time-zone v0.1.56
         Compiling chrono v0.4.24
         Compiling console v0.15.5
         Compiling reqwest v0.11.17
         Compiling regex v1.8.1
         Compiling toml v0.7.3
         Compiling pep-508 v0.3.0
         Compiling clap v4.2.7
         Compiling lenient_semver v0.4.2
         Compiling pyscan v0.1.5 (/tmp/pip-install-gagoeh84/pyscan-rs_ae881a838eaf4ff2971e48f40e49b2f3)
      error[E0658]: use of unstable library feature 'once_cell'
       --> src/main.rs:5:5
        |
      5 | use std::sync::OnceLock;
        |     ^^^^^^^^^^^^^^^^^^^
        |
        = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
        --> src/main.rs:89:19
         |
      89 | static ARGS: Lazy<OnceLock<Cli>> =  Lazy::new(|| {OnceLock::from(Cli::parse())});
         |                   ^^^^^^^^^^^^^
         |
         = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
        --> src/main.rs:89:51
         |
      89 | static ARGS: Lazy<OnceLock<Cli>> =  Lazy::new(|| {OnceLock::from(Cli::parse())});
         |                                                   ^^^^^^^^
         |
         = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
         --> src/parser/structs.rs:148:17
          |
      148 |         if ARGS.get().unwrap().pip {
          |                 ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
         --> src/parser/structs.rs:150:24
          |
      150 |         } else if ARGS.get().unwrap().pypi {
          |                        ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:106:15
          |
      106 |     if !&ARGS.get().unwrap().cache_off {
          |               ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:111:17
          |
      111 |     match &ARGS.get().unwrap().subcommand {
          |                 ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:147:30
          |
      147 |     if let Some(dir) = &ARGS.get().unwrap().dir { parser::scan_dir(dir.as_path()).await }
          |                              ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information
      
      For more information about this error, try `rustc --explain E0658`.
      error: could not compile `pyscan` due to 8 previous errors
      💥 maturin failed
        Caused by: Failed to build a native library through cargo
        Caused by: Cargo build finished with "exit status: 101": `"cargo" "rustc" "--message-format" "json-render-diagnostics" "--manifest-path" "/tmp/pip-install-gagoeh84/pyscan-rs_ae881a838eaf4ff2971e48f40e49b2f3/Cargo.toml" "--release" "--bin" "pyscan"`
      Error: command ['maturin', 'pep517', 'build-wheel', '-i', '/tmp/venv/bin/python', '--compatibility', 'off'] returned non-zero exit status 1
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for pyscan-rs
Failed to build pyscan-rs
ERROR: Could not build wheels for pyscan-rs, which is required to install pyproject.toml-based projects

Expected behavior

  • first expectation - there should be a wheel for linux
  • second expectation - it should build

Desktop (please complete the following information):

  • OS: Ubuntu 20.04

Additional context
Using rust version 1.67.1 as advised in the README
https://github.com/aswinnnn/pyscan#building

Exit with zero in case of vulnerability found

Describe the bug
When a vulnerability was found the exit code of the program is zero. Thus it makes it hard to integrate the tool into an automation that should raise an alert in case a vulnerability was found. This is the case when running pyscan either for a specific package or within a repository.

To Reproduce
Steps to reproduce the behavior:

  1. Run pyscan package -n requests -v 2.30.0
  2. Run echo $?
  3. Observe that 0 is returned

Expected behavior
It is expected that a non-zero exit code is returned in case a vulnerability is found.

Desktop (please complete the following information):

  • OS: macOS Ventura ARM architecture, Debian 11.7 x86 architecture

prompt/default to when dependency conflict occurs

Describe the bug
Although #1 is now fixed, I still encountered a similar issue that I didn't recognize before (since I didn't test this case). When a minimum version is specified in the requirements.txt, then the tool will take the version that is specified instead of checking which version is actually used.

To Reproduce
Steps to reproduce the behavior:

  1. Install the following requirements file into a separate environment:
    pandas>=1.5.0
    requests>=2.30.0
    beautifulsoup4>=4.12.2
    lxml>=4.9.2
    
  2. Run pip freeze to investigate the installed versions:
    pandas==2.0.1
    requests==2.31.0
    beautifulsoup4==4.12.2
    lxml==4.9.2
    
  3. Run pyscan and investigate the output:
    pyscan v0.1.3 | by Aswin (github.com/aswinnnn)
    Found 4 dependencies...
    |-| pandas [1.5.0] -> No vulnerabilities found.
    |-| requests [2.30.0] -> Found vulnerabilities!
    |-| beautifulsoup4 [4.12.2] -> No vulnerabilities found.
    |-| lxml [4.9.2] -> No vulnerabilities found.
    SUMMARY
    ...
    

Expected behavior
The version number of the currently installed packages should be taken instead of the minimum required version specified in the requirements.txt file.

Desktop (please complete the following information):

  • OS: macOS Ventura ARM architecture

pyscan version
v0.1.3

CI fails due to an OpenSSL building issue.

So the CI fails because it cannot build OpenSSL... for which I have opened an issue over here:

The CI badge showing the "failing" thing is very annoying, but it cannot be helped till they figure out why. I tried my best to work out from other users who had the same problem but no luck. Let's hope for the best.

Look at the mentioned issue if you want to see whether you can help me out on this.

Crashing on my machine

Python 3.11 in a conda environment on Windows, pip installed pyscan-rs:

pyscan v0.1.3 | by Aswin (github.com/aswinnnn)
Found 9 dependencies...
|-| fasteners [0.18] -> No vulnerabilities found.
thread 'main' panicked at 'Could not retrive package version.: PipError("could not retrive package version from Pip")', src\scanner\mod.rs:28:69
stack backtrace:
   0:           0x973780 - <unknown>
   1:           0x9cbc1b - <unknown>
   2:           0x965605 - <unknown>
   3:           0x97698f - <unknown>
   4:           0x976647 - <unknown>
   5:           0x9771bf - <unknown>
   6:           0x9770c5 - <unknown>
   7:           0x9742bf - <unknown>
   8:           0x976de0 - <unknown>
   9:           0x9c86a5 - <unknown>
  10:           0x9c8a73 - <unknown>
  11:           0x422bc9 - <unknown>
  12:           0x42ebf8 - <unknown>
  13:           0x4410a5 - <unknown>
  14:           0x447be6 - <unknown>
  15:           0x41cecc - <unknown>
  16:           0x958097 - <unknown>
  17:           0x44524d - <unknown>
  18:           0x4013f8 - <unknown>
  19:           0x40151b - <unknown>
  20:     0x7ffffab07614 - <unknown>
  21:     0x7ffffc0a26a1 - <unknown>

Any idea?

Parsing of dependencies from different build systems

Describe the bug
run pyscan

❯ pyscan 
pyscan v0.1.5 | by Aswin S (github.com/aswinnnn)
Using pyproject.toml as source...
thread 'main' panicked at 'no entry found for key', src/parser/extractor.rs:61:24
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

To Reproduce
run pyscan on any project

Expected behavior
should work

Desktop (please complete the following information):

  • OS: Ubuntu 20.04
  • rust: 1.70

Fails to parse `--hash=` values embedded in requirements.txt

Describe the bug
When considering a requirements.txt file that contains additional information on the python version for which a package should be installed as well as additional arguments passed to pip, pyscan says there are no dependencies and it fails parsing the API response:

pyscan v0.1.5 | by Aswin S (github.com/aswinnnn)
Using requirements.txt/constraints.txt as source...
Found 0 dependencies
Invalid parse of API reponse at src/scanner/api.rs::query_batched

To Reproduce
Steps to reproduce the behavior:

  1. Use the following requirements.txt file: https://github.com/anotherbridge/pdfalyzer/blob/master/requirements.txt
  2. Run pyscan
  3. Observe the output

Expected behavior
Since the requirements.txt file is in a valid format (c.f. https://pip.pypa.io/en/latest/reference/requirements-file-format/) and can also be installed via pip without any issue, it is expected that pyscan detects the correct version according to the option that is specified.

Desktop (please complete the following information):

  • OS: macOS Ventura ARM architecture
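The reports above about version handling (the installed version being ignored in favour of the declared one, `cachetools>=5.3.1` being sent to PyPI as if it were a package name, constraints.txt not being picked up, and `--hash=` lines producing "Found 0 dependencies") all come down to how a requirements file is read. As an added example that is not pyscan's code, here is a stdlib-only Python parser that treats those forms the way pip does and then asks the interpreter which version is actually installed. The sample file and the "installed" table are constructed; the `lookup` argument is a hypothetical injection point so the logic runs offline.

```python
"""Added example (not pyscan's own code): read requirements/constraints files
the way pip does, then scan the version that is actually installed rather
than the specifier written in the file."""
import re
from importlib import metadata
from typing import Callable, Iterator, List, NamedTuple, Optional, Tuple


class Requirement(NamedTuple):
    name: str           # PEP 503-normalised project name, e.g. "python-evtx"
    specifier: str      # constraint as written, spaces removed, "" if none
    marker: str         # environment marker after ';', "" if none
    hashes: List[str]   # values of any --hash= options on the line


_OP = r"(?:===|[<>=!~]=?)"
_REQ_RE = re.compile(
    rf"""^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)
         \s*(?:\[[^\]]*\])?                                   # extras, ignored
         \s*(?P<spec>{_OP}\s*[^;\s,]+(?:\s*,\s*{_OP}\s*[^;\s,]+)*)?
         \s*(?:;\s*(?P<marker>.*?))?\s*$""",
    re.VERBOSE,
)
_PIN_RE = re.compile(r"^==([^,=]+)$")   # exact pin such as ==0.7.4 (not ===)


def logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop comments and blank lines,
    mirroring pip's own preprocessing of a requirements file."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        # pip treats '#' as a comment only at line start or after whitespace,
        # so a '#' inside a hash or URL fragment is left alone
        stripped = re.split(r"(?:^|\s)#", buf, maxsplit=1)[0].strip()
        buf = ""
        if stripped:
            yield stripped


def parse_requirements(text: str) -> List[Requirement]:
    """Requirement entries from requirements.txt/constraints.txt text; both
    files share this syntax, so the same parser covers a constraints file."""
    reqs: List[Requirement] = []
    for line in logical_lines(text):
        if line.startswith("-"):
            continue  # -r/-c includes, --index-url, --find-links: not packages
        tokens = line.split()
        hashes = [t[len("--hash="):] for t in tokens if t.startswith("--hash=")]
        pkg_part = " ".join(t for t in tokens if not t.startswith("--"))
        m = _REQ_RE.match(pkg_part)
        if m is None:
            # URL/VCS requirements ('name @ https://...') are out of scope here;
            # fail loudly instead of silently reporting zero dependencies
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()
        reqs.append(Requirement(name, (m["spec"] or "").replace(" ", ""),
                                m["marker"] or "", hashes))
    return reqs


def installed_version(name: str) -> Optional[str]:
    """Version of `name` in the running interpreter, None if not installed."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def scan_targets(text: str,
                 lookup: Callable[[str], Optional[str]] = installed_version
                 ) -> List[Tuple[str, Optional[str]]]:
    """(name, version) pairs to send to a vulnerability database.
    The installed version wins; an exact '==' pin is an acceptable fallback
    when the package is absent; a floor such as '>=5.3.1' is not a version
    and is never scanned as one. `lookup` is injectable for offline tests."""
    targets = []
    for r in parse_requirements(text):
        version = lookup(r.name)
        pin = _PIN_RE.match(r.specifier)
        if version is None and pin:
            version = pin.group(1)
        targets.append((r.name, version))
    return targets


# Constructed sample mixing the forms that tripped the reports above.
SAMPLE_REQUIREMENTS = """
# comment line
cachetools>=5.3.1
requests >= 2.30.0
beautifulsoup4==4.12.2 ; python_version >= "3.8"
python-evtx==0.7.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
-c constraints.txt
"""

# Constructed "installed" environment; python-evtx is deliberately absent.
FAKE_ENV = {"cachetools": "5.3.1", "requests": "2.31.0", "beautifulsoup4": "4.12.2"}

if __name__ == "__main__":
    for name, version in scan_targets(SAMPLE_REQUIREMENTS, FAKE_ENV.get):
        print(f"{name} -> {version}")
```

Run inside the project's virtual environment with the default `installed_version` lookup and the result matches `pip freeze`; a requirement that is neither installed nor exactly pinned comes back as `None`, which a scanner should report as unresolved rather than passing the specifier to PyPI or OSV as a version string.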

Cannot install pyscan `v0.1.4` on Mac with an older rust compiler (`< v1.70`)

Describe the bug
When I am trying to install pyscan on a macOS ARM machine it fails to compile pyscan. This issue occurs when trying to install via pip, but also when trying to install it via cargo.

To Reproduce
Steps to reproduce the behavior:

  1. Run either pip install pyscan-rs or cargo install pyscan

Expected behavior
The package gets installed and can be run without a problem.

Actual behavior

When running pip install pyscan-rs I receive the following output:

Collecting pyscan-rs
  Using cached pyscan_rs-0.1.4.tar.gz (38 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: pyscan-rs
  Building wheel for pyscan-rs (pyproject.toml) ... error
  error: subprocess-exited-with-error

  × Building wheel for pyscan-rs (pyproject.toml) did not run successfully.
  │ exit code: 1
  ╰─> [190 lines of output]
      Running `maturin pep517 build-wheel -i <venv path>/.venv/bin/python --compatibility off`
      📦 Including license file "/private/var/folders/g6/1dvcy97x3csc2l37gkddt5v80000gn/T/pip-install-n_84foc6/pyscan-rs_c4f7cbfdf3f345208a46148b7460f024/LICENSE"
      🔗 Found bin bindings
      📡 Using build options bindings from pyproject.toml
      💻 Using `MACOSX_DEPLOYMENT_TARGET=11.0` for aarch64-apple-darwin by default
         Compiling libc v0.2.144
         Compiling autocfg v1.1.0
         Compiling proc-macro2 v1.0.57
         Compiling unicode-ident v1.0.8
         Compiling quote v1.0.27
         Compiling cfg-if v1.0.0
         Compiling io-lifetimes v1.0.10
         Compiling once_cell v1.18.0
         Compiling rustix v0.37.19
         Compiling log v0.4.17
         Compiling bitflags v1.3.2
         Compiling pin-project-lite v0.2.9
         Compiling core-foundation-sys v0.8.4
         Compiling futures-core v0.3.28
         Compiling serde v1.0.163
         Compiling memchr v2.5.0
         Compiling bytes v1.4.0
         Compiling indexmap v1.9.3
         Compiling tokio v1.28.1
         Compiling itoa v1.0.6
         Compiling cc v1.0.79
         Compiling slab v0.4.8
         Compiling futures-task v0.3.28
         Compiling syn v2.0.16
         Compiling hashbrown v0.12.3
         Compiling tracing-core v0.1.31
         Compiling semver v1.0.17
         Compiling fnv v1.0.7
         Compiling futures-util v0.3.28
         Compiling errno v0.3.1
         Compiling num_cpus v1.15.0
         Compiling socket2 v0.4.9
         Compiling mio v0.8.6
         Compiling version_check v0.9.4
         Compiling ahash v0.8.3
         Compiling security-framework-sys v2.9.0
         Compiling core-foundation v0.9.3
         Compiling tracing v0.1.37
         Compiling http v0.2.9
         Compiling psm v0.1.21
         Compiling pin-utils v0.1.0
         Compiling fastrand v1.9.0
         Compiling tinyvec_macros v0.1.1
         Compiling httparse v1.8.0
         Compiling lazy_static v1.4.0
         Compiling futures-channel v0.3.28
         Compiling futures-sink v0.3.28
         Compiling futures-io v0.3.28
         Compiling native-tls v0.2.11
         Compiling tempfile v3.5.0
         Compiling tinyvec v1.6.0
         Compiling security-framework v2.9.0
         Compiling stacker v0.1.15
         Compiling num-traits v0.2.15
         Compiling try-lock v0.2.4
         Compiling utf8parse v0.2.1
         Compiling percent-encoding v2.2.0
         Compiling want v0.3.0
         Compiling form_urlencoded v1.1.0
         Compiling anstyle-parse v0.2.0
         Compiling unicode-normalization v0.1.22
         Compiling serde_derive v1.0.163
         Compiling tokio-macros v2.1.0
         Compiling lenient_semver_version_builder v0.4.2
         Compiling http-body v0.4.5
         Compiling is-terminal v0.4.7
         Compiling num-integer v0.1.45
         Compiling httpdate v1.0.2
         Compiling anstyle-query v1.0.0
         Compiling tower-service v0.3.2
         Compiling unicode-bidi v0.3.13
         Compiling anstyle v1.0.0
         Compiling colorchoice v1.0.0
         Compiling ryu v1.0.13
         Compiling idna v0.3.0
         Compiling anstream v0.3.2
         Compiling lenient_semver_parser v0.4.2
         Compiling hashbrown v0.13.2
         Compiling heck v0.4.1
         Compiling winnow v0.4.6
         Compiling serde_json v1.0.96
         Compiling strsim v0.10.0
         Compiling clap_lex v0.4.1
         Compiling chumsky v1.0.0-alpha.4
         Compiling clap_derive v4.2.0
         Compiling clap_builder v4.2.7
         Compiling url v2.3.1
         Compiling lenient_version v0.4.2
         Compiling time v0.1.45
         Compiling aho-corasick v1.0.1
         Compiling iana-time-zone v0.1.56
         Compiling tokio-util v0.7.8
         Compiling tokio-native-tls v0.3.1
         Compiling encoding_rs v0.8.32
         Compiling h2 v0.3.19
         Compiling base64 v0.21.0
         Compiling regex-syntax v0.7.1
         Compiling mime v0.3.17
         Compiling ipnet v2.7.2
         Compiling toml_datetime v0.6.1
         Compiling serde_spanned v0.6.1
         Compiling toml_edit v0.19.8
         Compiling serde_urlencoded v0.7.1
         Compiling hyper v0.14.26
         Compiling unicode-width v0.1.10
         Compiling console v0.15.5
         Compiling regex v1.8.1
         Compiling toml v0.7.3
         Compiling hyper-tls v0.5.0
         Compiling reqwest v0.11.17
         Compiling pep-508 v0.3.0
         Compiling clap v4.2.7
         Compiling chrono v0.4.24
         Compiling lenient_semver v0.4.2
         Compiling pyscan v0.1.4 (/private/var/folders/g6/1dvcy97x3csc2l37gkddt5v80000gn/T/pip-install-n_84foc6/pyscan-rs_c4f7cbfdf3f345208a46148b7460f024)
      error[E0658]: use of unstable library feature 'once_cell'
       --> src/main.rs:5:5
        |
      5 | use std::sync::OnceLock;
        |     ^^^^^^^^^^^^^^^^^^^
        |
        = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
        --> src/main.rs:89:19
         |
      89 | static ARGS: Lazy<OnceLock<Cli>> =  Lazy::new(|| {OnceLock::from(Cli::parse())});
         |                   ^^^^^^^^^^^^^
         |
         = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
        --> src/main.rs:89:51
         |
      89 | static ARGS: Lazy<OnceLock<Cli>> =  Lazy::new(|| {OnceLock::from(Cli::parse())});
         |                                                   ^^^^^^^^
         |
         = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
         --> src/parser/structs.rs:148:17
          |
      148 |         if ARGS.get().unwrap().pip {
          |                 ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
         --> src/parser/structs.rs:150:24
          |
      150 |         } else if ARGS.get().unwrap().pypi {
          |                        ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:106:15
          |
      106 |     if !&ARGS.get().unwrap().cache_off {
          |               ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:111:17
          |
      111 |     match &ARGS.get().unwrap().subcommand {
          |                 ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      error[E0658]: use of unstable library feature 'once_cell'
         --> src/main.rs:147:30
          |
      147 |     if let Some(dir) = &ARGS.get().unwrap().dir { parser::scan_dir(dir.as_path()).await }
          |                              ^^^
          |
          = note: see issue #74465 <https://github.com/rust-lang/rust/issues/74465> for more information

      For more information about this error, try `rustc --explain E0658`.
      error: could not compile `pyscan` due to 8 previous errors
      💥 maturin failed
        Caused by: Failed to build a native library through cargo
        Caused by: Cargo build finished with "exit status: 101": `MACOSX_DEPLOYMENT_TARGET="11.0" "cargo" "rustc" "--message-format" "json-render-diagnostics" "--manifest-path" "/private/var/folders/g6/1dvcy97x3csc2l37gkddt5v80000gn/T/pip-install-n_84foc6/pyscan-rs_c4f7cbfdf3f345208a46148b7460f024/Cargo.toml" "--release" "--bin" "pyscan"`
      Error: command ['maturin', 'pep517', 'build-wheel', '-i', '<venv path>/.venv/bin/python', '--compatibility', 'off'] returned non-zero exit status 1
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for pyscan-rs
Failed to build pyscan-rs
ERROR: Could not build wheels for pyscan-rs, which is required to install pyproject.toml-based projects

Desktop (please complete the following information):

  • OS: macOS Ventura 13.4.1

pyscan seems to depend on pip

Describe the bug
tool does not work when pip is not on your path

To Reproduce

  • use e.g. Ubuntu with no pip installed
  • run pyscan
❯ pyscan 
pyscan v0.1.5 | by Aswin S (github.com/aswinnnn)
Failed to execute 'pip list' command. pyscan caches the dependencies from pip with versions to be faster and it could not run 'pip list'. You can turn this off via just using --cache-off [note: theres a chance pyscan might still fallback to using pip]

Note:
Not having a global pip is indeed a very good thing on e.g. Ubuntu, as then you completely avoid installing packages into the global site-packages, which could break your Ubuntu installation.

And when you ask how I install packages... When creating a venv, the tool virtualenv also installs pip and setuptools into that environment.

Use batch API for OSV

pyscan is very slow for a repo with 429 3rd-party packages (which is claimed to be the #1 feature of pyscan according to the homepage). If I am not mistaken, it makes one HTTP request to the OSV API per scanned package despite the fact that we know all scanned packages and versions in advance. OSV has a batch API which could be leveraged to make pyscan IMO much faster: https://google.github.io/osv.dev/post-v1-querybatch/

BTW: What is the added value of Rust in an app that just parses a text file, makes a HTTP call and formats the results?
Compiling pyscan-rs takes ages and perhaps pure Python code could be fast enough?
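As an added example, not pyscan's code, this is how the batch query requested here and the non-zero exit status requested in "Exit with zero in case of vulnerability found" fit together in stdlib Python. The request and response shapes are those documented for OSV's /v1/querybatch endpoint; the `post` argument is a hypothetical injection point, the batch size constant is an assumption to check against the OSV docs, and the response below is constructed from the requests findings shown earlier on this page rather than fetched live.

```python
"""Added example (not pyscan's own code): one round trip to OSV's batch
endpoint for every (name, version) pair, then a CI-friendly exit status."""
import json
import sys
import urllib.request
from typing import Callable, Dict, List, Sequence, Tuple

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"
# OSV caps the number of queries in one batch request. 1000 was the limit
# documented when this example was written; treat it as an assumption.
BATCH_LIMIT = 1000

Target = Tuple[str, str]            # (PyPI project name, exact version)
Findings = Dict[Target, List[str]]  # target -> OSV/GHSA/PYSEC identifiers


def build_batch_payload(targets: Sequence[Target]) -> Dict:
    """Request body for POST /v1/querybatch. OSV answers with results[i]
    for queries[i], so the caller must keep `targets` in the same order."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": "PyPI"}, "version": version}
        for name, version in targets
    ]}


def findings_from_response(targets: Sequence[Target], response: Dict) -> Findings:
    """Pair each target with the vulnerability IDs OSV reported for it.
    The batch endpoint returns only {id, modified} per vuln; summary and
    affected ranges come from GET /v1/vulns/{id} afterwards (not done here)."""
    results = response.get("results", [])
    if len(results) != len(targets):
        raise ValueError(f"OSV returned {len(results)} results for {len(targets)} queries")
    return {target: [v["id"] for v in result.get("vulns", [])]
            for target, result in zip(targets, results)}


def _http_post_json(payload: Dict) -> Dict:
    """Real network call; only used when no `post` override is supplied."""
    req = urllib.request.Request(
        OSV_QUERYBATCH, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def query_osv_batch(targets: Sequence[Target],
                    post: Callable[[Dict], Dict] = _http_post_json) -> Findings:
    """Scan all targets in as few requests as BATCH_LIMIT allows.
    `post` is a hypothetical injection point that receives the payload and
    returns the decoded JSON response, so this runs offline in tests."""
    findings: Findings = {}
    for start in range(0, len(targets), BATCH_LIMIT):
        chunk = list(targets[start:start + BATCH_LIMIT])
        findings.update(findings_from_response(chunk, post(build_batch_payload(chunk))))
    return findings


def exit_code_for(findings: Findings) -> int:
    """1 when any scanned package has a known vulnerability, else 0, so a CI
    step can fail the build instead of scraping the report text."""
    return 1 if any(ids for ids in findings.values()) else 0


# Constructed response shaped like OSV's querybatch answer, using targets and
# vulnerability IDs that appear in the issues on this page; timestamps are
# placeholders.
SAMPLE_TARGETS = [("netaddr", "0.8.0"), ("requests", "2.9.2"), ("python-evtx", "0.7.4")]
SAMPLE_RESPONSE = {"results": [
    {},
    {"vulns": [{"id": "GHSA-x84v-xcm2-53pg", "modified": "2023-01-01T00:00:00Z"},
               {"id": "PYSEC-2018-28", "modified": "2023-01-01T00:00:00Z"}]},
    {},
]}


def demo() -> int:
    """Offline run against the constructed response; returns the exit code."""
    findings = query_osv_batch(SAMPLE_TARGETS, post=lambda payload: SAMPLE_RESPONSE)
    for (name, version), ids in findings.items():
        status = ", ".join(ids) if ids else "no known vulnerabilities"
        print(f"|-| {name} [{version}] -> {status}")
    return exit_code_for(findings)


if __name__ == "__main__":
    sys.exit(demo())
```

Because the whole dependency list goes out in one request per thousand packages, the 429-package repository mentioned above needs a single round trip instead of 429; the `results` array must be consumed positionally, which is why the length check is there rather than trusting the response blindly.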
