skjold
Invalid specifier error
Hi @twu !! I got the below error. Can I help to fix this?
    specifiers.SpecifierSet(f"=={x}", prereleases=True)
  File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__
    parsed.add(Specifier(specifier))
  File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'
Hej 👋, Thank you for reporting this and sorry for the late reply! I'm not sure whether this is a bug in skjold as it looks more like a legacy version specifier (and thus would be unsupported as of packaging>=22). It also looks like this version belongs to an ipython version from 2006 (see https://pypi.org/project/ipython/#history). If it is indeed that old ipython version, bumping the requirement to the next patch version, e.g. 0.7.3 (assuming they follow semver), might be a lazier but probably better solution here 😅
Context: The reason for the invalid specifier is related to the recent packaging changes (https://github.com/pypa/packaging/pull/407) and the attempt to loosen up the requirement for it (see https://github.com/twu/skjold/pull/162). As a workaround (besides updating the package which would probably be the easiest/best thing) you can either pin packaging to <22.0, which should make things work with the current skjold version, or use skjold before 0.6.1. HTH and let me know if this fixes your issue 🙇
❯ pip install skjold==0.6.0
❯ echo "ipython==0.7.1.fix1" | skjold -v audit -s pyup -
...
No vulnerable packages found!
A ok !! Thanks !!
Hi @twu, I closed this issue but I've one question.
My poetry.lock has the below code. Ipython is 8.8.0 and not 0.7.1.fix1. Can I think that this issue will show up for every package with a similarly formatted version in its history?
[[package]]
name = "ipython"
version = "8.8.0"
description = "IPython: Productive Interactive Computing"
category = "dev"
optional = false
python-versions = ">=3.8"
files = [
    {file = "ipython-8.8.0-py3-none-any.whl", hash = "sha256:da01e6df1501e6e7c32b5084212ddadd4ee2471602e2cf3e0190f4de6b0ea481"},
    {file = "ipython-8.8.0.tar.gz", hash = "sha256:f3bf2c08505ad2c3f4ed5c46ae0331a8547d36bf4b21a451e8ae80c0791db95b"},
]
Seems to still be reproducible in 0.6.1:
$ echo ipython==8.5.0 | skjold audit --sources pypa - |& tail -n 1
packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'
$ skjold --version
skjold, version 0.6.1
@twu I think this issue should be reopened. Awesome library/cli btw :+1:
Sorry @Bernardoow for the late reply 🙇 As @petarmaric's comment made me revisit this I took another look and it seems like the issue lies with how pypa stores their affected versions (explicitly listing all vulnerable versions under the versions field). It also looks like .fix1 is only half the problem as there are probably other packages listed using old or unsupported version identifiers. Maybe skipping them is the only good option here?
❯ rg '0.7.1.fix1'
ipython/PYSEC-2015-24.yaml
46: - 0.7.1.fix1
ipython/PYSEC-2017-47.yaml
43: - 0.7.1.fix1
ipython/PYSEC-2022-12.yaml
53: - 0.7.1.fix1
ipython/PYSEC-2017-46.yaml
45: - 0.7.1.fix1
ipython/PYSEC-2015-25.yaml
44: - 0.7.1.fix1
I will try working on this sometime this week/weekend. Thanks again 🙇 As a temporary workaround you can either:
- Pin packaging==21.3, the latest version before switching to the new version parser for now.
# Using the latest version
❯ skjold --version
skjold, version 0.6.1
# Pin `packaging` to the 21.3 (see above)
❯ pip install packaging==21.3
❯ pip list
Package Version
---------- -------
...
packaging 21.3
...
skjold 0.6.1
# `packaging` will happily parse "0.7.1.fix1"
❯ echo ipython==8.5.0 | skjold audit --sources pypa -
Warning: No 'pyproject.toml' found!
No vulnerable packages found!
- Use any of the other sources since they store using ranges and should work without issues.
❯ echo ipython==8.5.0 | skjold audit --sources pyup -
Warning: No 'pyproject.toml' found!
No vulnerable packages found!
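One defensive way to implement the "skip them" idea from the comment above, as an added example that is not skjold's own code: each advisory entry (a bare version from a pypa-style explicit list, or a range clause as other sources store them) is checked against the canonical PEP 440 shape before it is handed to packaging, and entries that fail are recorded as skipped instead of aborting the whole audit. The sample advisory data is constructed, not real advisory content; if packaging is not installed the block falls back to a numeric-only comparator (an assumption made so it runs stand-alone).

```python
import re
from typing import Iterable, List, Tuple

try:
    from packaging.specifiers import SpecifierSet  # packaging>=22 rejects legacy versions
except ImportError:  # assumption: numeric-only fallback so the example also runs without packaging
    SpecifierSet = None

_OP_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(.+)$")
# Canonical PEP 440 shape (epoch, release, pre/post/dev, local). Used as a pre-filter that keeps
# legacy entries such as "0.7.1.fix1" (junk suffix) or "4.2." (trailing dot) away from packaging.
_PEP440_RE = re.compile(
    r"^v?(\d+!)?\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?(\+[a-z0-9]+(\.[a-z0-9]+)*)?$", re.I
)

def _release_key(version: str) -> Tuple[int, ...]:
    """Fallback ordering on the release segment only, so 8.5 and 8.5.0 compare equal."""
    parts = [int(p) for p in re.match(r"^v?(?:\d+!)?(\d+(?:\.\d+)*)", version).group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _fallback_contains(clause: str, version: str) -> bool:
    op, target = _OP_RE.match(clause).groups()
    a, b = _release_key(version), _release_key(target)
    return {"==": a == b, "!=": a != b, ">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]

def compile_affected(specs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Validate every advisory entry and return (usable, skipped) instead of aborting the audit."""
    usable, skipped = [], []
    for raw in specs:
        # pypa-style entries are bare versions; turn them into "==<version>" like skjold does
        clauses = [c if _OP_RE.match(c) else f"=={c}" for c in (p.strip() for p in raw.split(","))]
        spec = ",".join(clauses)
        if all(_PEP440_RE.match(_OP_RE.match(c).group(2)) for c in clauses):
            usable.append(spec)
        else:
            skipped.append(spec)
    return usable, skipped

def is_affected(installed: str, specs: Iterable[str]) -> bool:
    """True if the installed version matches any usable spec; skipped legacy entries never match."""
    usable, _ = compile_affected(specs)
    if SpecifierSet is not None:
        return any(installed in SpecifierSet(s, prereleases=True) for s in usable)
    return any(all(_fallback_contains(c, installed) for c in s.split(",")) for s in usable)

# Constructed sample data (not real advisory content): a pypa-style explicit version list and
# gemnasium-style ranges, each containing one legacy string of the kind reported in this thread.
PYPA_VERSIONS = ["0.7.1.fix1", "8.4.0", "8.5.0"]
GEMNASIUM_RANGES = [">=4.2.", ">=8.0,<8.6"]
```

Anything that lands in the skipped list should be logged by the audit, because a dropped legacy entry is a version the tool can no longer flag.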
Any updates in this issue?
I have the same issue now with gemnasium:
Traceback (most recent call last):
File ".venv/bin/skjold", line 8, in <module>
sys.exit(cli())
File ".venv/lib/python3.8/site-packages/click/core.py", line 1157, in __call__
return self.main(*args, **kwargs)
File ".venv/lib/python3.8/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
File ".venv/lib/python3.8/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File ".venv/lib/python3.8/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
File ".venv/lib/python3.8/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
File ".venv/lib/python3.8/site-packages/click/decorators.py", line 92, in new_func
return ctx.invoke(f, obj, *args, **kwargs)
File ".venv/lib/python3.8/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
File ".venv/lib/python3.8/site-packages/skjold/cli.py", line 186, in audit_
findings = audit(config, packages, ignore=ignore)
File ".venv/lib/python3.8/site-packages/skjold/tasks.py", line 222, in audit
is_vulnerable, advisories = source.is_vulnerable_package(dependency)
File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 161, in is_vulnerable_package
if candidate.is_affected(dependency.version):
File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 102, in is_affected
affected_versions = map(allows_, self.vulnerable_version_range)
File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 90, in vulnerable_version_range
vulnerable_versions.append(specifiers.SpecifierSet(spec, prereleases=True))
File ".venv/lib/python3.8/site-packages/packaging/specifiers.py", line 714, in __init__
parsed.add(Specifier(specifier))
File ".venv/lib/python3.8/site-packages/packaging/specifiers.py", line 245, in __init__
raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '>=4.2.'