Datadog's Guarddog detects exec in setup.py and complains
Guarddog's output
code-execution: found 1 source code matches
* setup.py file executing code at fastjsonschema-2.16.2/setup.py:14
execfile('fastjsonschema/version.py')
Wouldn't it be sufficient in this case to just call it
from fastjsonschema.version import VERSION
instead of using exec which together with eval is considered a bad practice?
Not sure if something changed, but it was not possible because importing the package during the install process doesn't work. I want to avoid having it manually in two places, and this was a commonly used solution, unfortunately. Another version would be to do some regexps I guess.
Importing works just fine:
https://packaging.python.org/en/latest/guides/single-sourcing-package-version/
6. Set the value to __version__ in sample/__init__.py and import sample in setup.py.
But it also works the way I showed in the issue description.
Also, the link used in the setup.py about the versioning is broken and should be replaced with https://packaging.python.org/en/latest/guides/single-sourcing-package-version/
Number six comes with a warning, plus it can take a wrong library (the installed one instead of the one from the folder, at least I had that problem in the past). But point taken, I changed setup.py to simply read the file and not execute it.
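One way to read the version from the file without executing it, as the last comment describes. This is an added example, not the code from the fastjsonschema repository; `read_version`, `demo` and the contents of the sample `version.py` are assumptions constructed for illustration.

```python
import ast
import os
import tempfile


def read_version(path, name="VERSION"):
    """Return the string literal assigned to `name` in the file at `path`.

    The file is parsed, never executed, so nothing in it runs at install time.
    """
    with open(path, encoding="utf-8") as handle:
        tree = ast.parse(handle.read(), filename=path)

    # Only top-level assignments are considered; nested code is ignored.
    for node in tree.body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        if any(isinstance(t, ast.Name) and t.id == name for t in targets):
            try:
                # literal_eval accepts constants only: no calls, no name lookups.
                result = ast.literal_eval(value)
            except ValueError:
                raise ValueError(f"{name} in {path} is not a literal") from None
            if not isinstance(result, str):
                raise ValueError(f"{name} in {path} is not a string")
            return result
    raise ValueError(f"{name} not found in {path}")


# Constructed sample: the first statement would abort the process if the file
# were run with exec(), execfile() or import. Parsing it has no such effect.
SAMPLE = 'raise SystemExit("version.py was executed")\nVERSION = "2.16.2"\n'


def demo():
    """Write the constructed sample to a temp dir and read its version."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "version.py")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        return read_version(path)
```

In a `setup.py` this would be called as `read_version("fastjsonschema/version.py")`, which also avoids importing the package during installation.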