Consider excluding test code from package artifacts
Expected behaviour
PyPI distributions of social-core should be able to pass basic security scanning by run-of-the-mill tools, like Aqua Scan, Qualys, Snyk, etc.
Actual behaviour
Scans against social-core or environments that utilize social-core as a project dependency alert on the presence of private key material. Specifically, such scans take issue with these files:
- social_core/tests/backends/test_apple.py
- social_core/tests/backends/testkey.pem
What are the steps to reproduce this issue?
- Install social-core==4.1.0 in a python environment using the pypi distribution
- Run a security scan of that python environment (Aqua Scan with the default policy in place)
Any logs, error output, etc?

Any other comments?
The root of the issue here is that the test code is being bundled in the package distributions. In fact, I see that social-core's MANIFEST.in is explicitly including all test code. I'd like to understand if there is a specific reason or desire to package the test code and related fixtures as it is generally considered an industry best practice to exclude test code? At best it is bloat on the package, and at worst it may introduce legitimate vulnerabilities. In this case, this is an obvious false positive, but it is brought about by the presence of test code that IMO does not need to be included in the package.
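The kind of check the scanners above perform can be reproduced locally without a commercial tool, which is useful for confirming whether a finding is a bundled test fixture or something that actually ships in the runtime package. The following is an added example, not code from the social-core project or from the issue reporter: it scans a directory tree (or, via `importlib.metadata`, an installed distribution) for files containing PEM private-key headers. The header list in `PRIVATE_KEY_PATTERN` is an assumption about what such scanners match on, and the sample tree built by `build_sample_tree()` is constructed here with dummy key bodies that mirror the file layout named in the issue; nothing in it is real key material.

```python
"""Find private-key material inside a package tree or an installed distribution.

Added example; assumes scanners match on PEM private-key headers. The sample
package tree below is constructed for the example and contains dummy key text.
"""
from __future__ import annotations

import re
import tempfile
from importlib import metadata
from pathlib import Path

# PEM header variants commonly flagged by secret scanners (assumed list).
PRIVATE_KEY_PATTERN = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)


def file_has_private_key(path: Path, max_bytes: int = 1 << 20) -> bool:
    """Return True if the first max_bytes of the file contain a PEM private-key header."""
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return False
    return PRIVATE_KEY_PATTERN.search(data) is not None


def find_private_key_material(root: Path) -> list[str]:
    """Walk a directory tree and return POSIX-style relative paths of flagged files."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and file_has_private_key(path):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def scan_installed_distribution(name: str) -> list[str]:
    """Check the files recorded for an installed distribution (e.g. 'social-auth-core')."""
    dist = metadata.distribution(name)
    hits = []
    for rel in dist.files or []:
        path = Path(dist.locate_file(rel))
        if path.is_file() and file_has_private_key(path):
            hits.append(str(rel))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Construct a throwaway package layout resembling the one in the issue.

    The .pem and the key string inside test_apple.py are dummy text, not real keys.
    """
    root = Path(tempfile.mkdtemp(prefix="pkgscan_"))
    pkg = root / "social_core"
    tests = pkg / "tests" / "backends"
    tests.mkdir(parents=True)
    (pkg / "__init__.py").write_text("")
    (pkg / "backends").mkdir()
    (pkg / "backends" / "apple.py").write_text(
        "# runtime module: verifies tokens, embeds no key material\n"
    )
    (tests / "testkey.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nMIIBDUMMYTESTKEYMATERIAL\n-----END PRIVATE KEY-----\n"
    )
    (tests / "test_apple.py").write_text(
        "# test fixture embedding a (dummy) EC key as a string constant\n"
        "TEST_KEY = (\n"
        '    "-----BEGIN EC PRIVATE KEY-----\\n"\n'
        '    "MHQCAQEEIDUMMYFIXTURE\\n"\n'
        '    "-----END EC PRIVATE KEY-----\\n"\n'
        ")\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_private_key_material(sample_root):
        print("private key material:", hit)
```

Running the block prints the two fixture files and nothing under `social_core/backends/`, which is exactly the distinction the reporter is drawing: the finding is real in the sense that key-shaped bytes ship in the artifact, but both hits live under the test package. `scan_installed_distribution` applies the same check to whatever an environment actually installed, which is closer to what Aqua or Snyk see than a checkout of the repository.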
Yes, there is reason to include tests, so that anybody can run the tests after installing the package. Typically, this is required by Linux distributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.