
[BUG] Pip Require Hashes for uv>=0.7.14

Open scottschreckengaust opened this issue 9 months ago • 4 comments

Describe the bug
I do not see an incompatible license.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://github.com/scottschreckengaust/dependency-review-action-issues-944/pulls
  2. Click on the test/0.7.14
  3. See error

Expected behavior
Accepted MIT or Apache 2.0

Screenshots
https://github.com/scottschreckengaust/dependency-review-action-issues-944/actions

Action version
4.7.1

Note: if you're not running the latest release please try that first!

Running latest

Examples
If possible, please link to a public example of the issue that you're encountering, or a copy of the workflow that you're using to run the action.

https://github.com/scottschreckengaust/dependency-review-action-issues-944/blob/main/.github/workflows/issue.yml

If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.

https://pypi.org/project/uv/ https://github.com/astral-sh/uv

Additional context
Add any other context about the problem here.

The prior two versions seem to be fine...not sure what happened...

scottschreckengaust avatar Jun 24 '25 01:06 scottschreckengaust

This is now a blocker due to inability to upgrade to 0.8.6 from GHSA-8qf3-x8v5-2pj8

Why is https://github.com/koehlma/uv sourced here? It should be https://github.com/astral-sh/uv!

See https://github.com/scottschreckengaust/dependency-review-action-issues-944/pull/5 and debug run https://github.com/scottschreckengaust/dependency-review-action-issues-944/actions/runs/16949667881/attempts/2?pr=5

##[debug]Filtered Changes: [{"change_type":"added","manifest":"requirements.txt","ecosystem":"pip","name":"uv","version":"0.8.6","package_url":"pkg:pypi/[email protected]","license":null,"source_repository_url":"https://github.com/koehlma/uv","scope":"runtime","vulnerabilities":[]}]
##[debug]Config Deny Packages: {"fail_on_severity":"low","fail_on_scopes":["runtime"],"deny_licenses":["AGPL-1.0","AGPL-1.0-only","AGPL-1.0-or-later","AGPL-3.0","AGPL-3.0-only","AGPL-3.0-or-later","AML","CDLA-Sharing-1.0","CPAL-1.0","MIT-enna","EUPL-1.1","EUPL-1.2","LGPL-3.0+","LGPL-3.0","LGPL-3.0-only","LGPL-3.0-or-later","GPL-3.0-only","GPL-3.0-or-later","GPL-3.0","GPL-3.0+","GPL-3.0-with-autoconf-exception","GPL-3.0-with-GCC-exception","NASA-1.3","ODbL-1.0","OSL-3.0","Parity-7.0.0","RPSL-1.0","SSPL-1.0"],"allow_ghsas":[],"deny_packages":[],"deny_groups":[],"license_check":true,"vulnerability_check":true,"retry_on_snapshot_warnings":false,"retry_on_snapshot_warnings_timeout":120,"show_openssf_scorecard":true,"warn_on_openssf_scorecard_level":3,"comment_summary_in_pr":"never","warn_only":false}
##[debug]Couldn't get scorecard data for github.com/koehlma/uv

scottschreckengaust avatar Aug 13 '25 21:08 scottschreckengaust

FYI: PyPI is reporting accurately, while the GitHub Dependency Graph API is not:

curl -s https://pypi.org/pypi/uv/json | jq '.info.home_page, .info.project_urls'
{
  "Changelog": "https://github.com/astral-sh/uv/blob/main/CHANGELOG.md",
  "Discord": "https://discord.gg/astral-sh",
  "Documentation": "https://docs.astral.sh/uv",
  "Homepage": "https://pypi.org/project/uv/",
  "Releases": "https://github.com/astral-sh/uv/releases",
  "Repository": "https://github.com/astral-sh/uv"
}

and the advisory pointing to an incorrect source_repository_url:

% curl -L -H "Authorization: Bearer TOKEN" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/scottschreckengaust/dependency-review-action-issues-944/dependency-graph/compare/main...test%2F0.7.13
[
  {
    "change_type": "added",
    "manifest": "requirements.txt",
    "ecosystem": "pip",
    "name": "uv",
    "version": "0.7.13",
    "package_url": "pkg:pypi/[email protected]",
    "license": "Apache-2.0 AND MIT",
    "source_repository_url": "https://github.com/koehlma/uv",
    "scope": "runtime",
    "vulnerabilities": [
      {
        "severity": "moderate",
        "advisory_ghsa_id": "GHSA-8qf3-x8v5-2pj8",
        "advisory_summary": "uv allows ZIP payload obfuscation through parsing differentials",
        "advisory_url": "https://github.com/advisories/GHSA-8qf3-x8v5-2pj8"
      }
    ]
  }
]

scottschreckengaust avatar Aug 13 '25 22:08 scottschreckengaust
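A cross-check of the two sources quoted above, as an added example that is not part of this issue or of dependency-review-action: it takes the Dependency Graph compare entry and the PyPI JSON for the same package (constructed samples here, mirroring the outputs quoted in the thread; the live data would come from the two curl calls shown) and reports every pip package whose source_repository_url disagrees with the repository PyPI publishes. The normalize_repo, pypi_repo and find_source_mismatches names and the preferred project_urls keys are my assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample mirroring the dependency-graph compare entry quoted above
# (fields not needed for the check are omitted).
DEPGRAPH_COMPARE = json.loads("""[
  {"change_type": "added", "manifest": "requirements.txt", "ecosystem": "pip",
   "name": "uv", "version": "0.7.13", "license": "Apache-2.0 AND MIT",
   "source_repository_url": "https://github.com/koehlma/uv", "scope": "runtime"}
]""")
# Constructed sample mirroring the relevant part of https://pypi.org/pypi/uv/json.
PYPI_INFO = {"uv": {"home_page": None, "project_urls": {
    "Homepage": "https://pypi.org/project/uv/",
    "Repository": "https://github.com/astral-sh/uv"}}}

def normalize_repo(url):
    """GitHub URL -> lowercase 'owner/repo' without .git; None if not a GitHub repo."""
    if not url:
        return None
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    if p.netloc.lower() != "github.com" or len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1]}".lower().removesuffix(".git")

def pypi_repo(info):
    """Repository PyPI publishes: explicit project_urls keys first, then home_page."""
    urls = info.get("project_urls") or {}
    for key in ("Repository", "Source", "Source Code", "Homepage"):
        repo = normalize_repo(urls.get(key))
        if repo:
            return repo
    return normalize_repo(info.get("home_page"))

def find_source_mismatches(changes, pypi_lookup):
    """(name, version, depgraph_repo, pypi_repo) for each pip change whose
    source_repository_url disagrees with PyPI; packages not in pypi_lookup are skipped."""
    mismatches = []
    for ch in changes:
        if ch.get("ecosystem") != "pip" or ch["name"] not in pypi_lookup:
            continue
        dg = normalize_repo(ch.get("source_repository_url"))
        pp = pypi_repo(pypi_lookup[ch["name"]])
        if dg != pp:
            mismatches.append((ch["name"], ch["version"], dg, pp))
    return mismatches
```

A mismatch is a signal to verify the repository before trusting the action's license or scorecard result for that package, since both are looked up against whatever repository the API reports.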

Hi @scottschreckengaust, I'm trying to understand the root cause of this problem - is it still an issue? Is it happening because there are two packages with the uv name, from different source repos? I don't see the koehlma repo referenced in the advisory DB API at this point in time. https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-8qf3-x8v5-2pj8/GHSA-8qf3-x8v5-2pj8.json

ahpook avatar Oct 17 '25 21:10 ahpook

I’ll rerun the PR and see

scottschreckengaust avatar Dec 03 '25 02:12 scottschreckengaust