ܖiYdZddlmZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddl mZddlmZmZmZddlmZdd lmZmZdd lmZmZmZmZmZdd lmZdd l m!Z!m"Z"m#Z#dd l$m%Z%m&Z&m'Z'm(Z(m)Z)ddl*m+Z+m,Z,m-Z-ddl.m/Z0ddl.m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7m8Z8ddl9m:Z:ejvejxe=Z>ejxdZ?e?jejjddje d'dZDejGddeFejZHejGddeFejZIejGddeFejZJejGddeFejZKejGdd eFejZLd(d!ZMd)d"ZNd*d#ZOd+d$ZP d,d%ZQd-d&ZRy).z+ Command-line entrypoints for `pip-audit`. ) annotationsN)Iterator) ExitStackcontextmanager)Path)IONoReturncast) __version__) AuditOptionsAuditor)DependencySourceDependencySourceError PipSourcePyProjectSourceRequirementSource) PyLockSource)ResolvedFixVersionSkippedFixVersionresolve_fix_versions) ColumnsFormatCycloneDxFormat JsonFormatMarkdownFormatVulnerabilityFormat)EcosystemsService OsvService PyPIService)ConnectionError) DependencyResolvedDependencySkippedDependencyVulnerabilityResultVulnerabilityService) AuditSpinner AuditState) assert_never pip_auditPIP_AUDIT_LOGLEVELINFOc#Kt|dvrtjy|jd5}|dddy#1swYyxYww)z A context managing wrapper for pip-audit's `--output` flag. This allows us to avoid `argparse.FileType`'s "eager" file creation, which is generally the wrong/unexpected behavior when dealing with fallible processes. >stdout-wN)strsysr,open)nameios R/var/www/html/content-pipeline/venv/lib/python3.12/site-packages/pip_audit/_cli.py _output_ior58sD 4yO#jj YYs^ rH   s2AA AA Ac4eZdZdZdZdZdZdZdZd dZ d dZ y ) OutputFormatChoicez: Output formats supported by the `pip-audit` CLI. columnsjsonzcyclonedx-jsonz cyclonedx-xmlmarkdownc|tjur t||S|tjur t ||S|tj ur$t t jjS|tjur$t t jjS|tjur t||St|y)N) inner_format) r7ColumnsrJsonr CycloneDxJsonr InnerFormat CycloneDxXmlXmlMarkdownrr')self output_descoutput_aliasess r4 to_formatzOutputFormatChoice.to_formatRs %-- - n= = ',, ,k>: : '55 5"0K0K0P0PQ Q '44 4"0K0K0O0OP P '00 0!+~> >  c|jSNvaluerDs r4__str__zOutputFormatChoice.__str__` zzrHN)rEboolrFrPreturnrrQr/) __name__ __module__ __qualname____doc__r=r>r?rArCrGrNrHr4r7r7Fs,G D$M"LH rHr7c$eZdZdZdZdZdZddZy)VulnerabilityServiceChoicezA Python vulnerability services supported by `pip-audit`. osvpypiesmsc|jSrJrKrMs r4rNz"VulnerabilityServiceChoice.__str__nrOrHNrR)rSrTrUrVOsvPypiEsmsrNrWrHr4rYrYds C D DrHrYc,eZdZdZdZdZdZddZd dZy) VulnerabilityDescriptionChoicez^ Whether or not vulnerability descriptions should be added to the `pip-audit` output. onoffautoc|tjury|tjury|tjurt |t j uSt|yNTF)rbOnOffAutorPr7r>r'rDformat_s r4to_boolz&VulnerabilityDescriptionChoice.to_bool|sT 144 4 377 7 388 8#5#:#::; ;  rHc|jSrJrKrMs r4rNz&VulnerabilityDescriptionChoice.__str__rOrHNrlr7rQrPrR rSrTrUrVrhrirjrmrNrWrHr4rbrbr" B C DrHrbc,eZdZdZdZdZdZddZd dZy) VulnerabilityAliasChoicezY Whether or not vulnerability aliases should be added to the `pip-audit` output. rcrdrec|tjury|tjury|tjurt |t j uSt|yrg)rsrhrirjrPr7r>r'rks r4rmz VulnerabilityAliasChoice.to_boolsT +.. . -11 1 -22 2#5#:#::; ;  rHc|jSrJrKrMs r4rNz VulnerabilityAliasChoice.__str__rOrHNrorRrprWrHr4rsrsrqrHrsc(eZdZdZdZdZddZddZy) ProgressSpinnerChoicezG Whether or not `pip-audit` should display a progress spinner. rcrdc&|tjuSrJ)rwrhrMs r4__bool__zProgressSpinnerChoice.__bool__s,////rHc|jSrJrKrMs r4rNzProgressSpinnerChoice.__str__rOrHN)rQrPrR)rSrTrUrVrhriryrNrWrHr4rwrws B C0rHrwc>|ddjd|DdS)zC Render a `--help`-style string for the given enumeration. z (choices: , c32K|]}t|ywrJ)r/).0vs r4 z_enum_help..s':1A':s))join)msges r4 _enum_helprs'U+dii':'::;1 ==rHcXtj|tjdy)zB Log a fatal error to the standard error stream and exit. N)loggererrorr0exit)rs r4_fatalrs  LLHHQKrHc tjddtj}|j}|j ddddt |j d d d d |j ddt dddd|j dt dd|j dd d |j ddtttjjdtjdtdt |j d!d"tttjjd#tjd$td%t |j d&td'd(tjjd)t j"d*+|j d,d-d d. |j d/d0d d1 |j d2t$t$dt$j&tjjd3t$j(d45|j d6t*t*dt*j&t*j(d75|j d8t d9:|j d;t,t,tjjd|j d?t.d@dAB|j dCt dDddEgdFG|j dHdIdJdKdLM|j dNd dO |j dPd dQ |j dRtdS:|j dTtdUddVgdWG|j dXd dY |j dZd d[ |j d\d]t d^d_tjjd`dab|j dctddddegdfG|j dgd dh |S)iNz pip-auditzHaudit the Python environment for dependencies with known vulnerabilities)prog descriptionformatter_classz-Vz --versionversionz %(prog)s )actionrz-lz--local store_truez;show only results for dependencies in the local environment)rhelpz-rz --requirement REQUIREMENTappend requirementszIaudit the given requirements file; this option can be used multiple times)typemetavarrdestr project_path?z.audit a local Python project at the given path)rnargsrz--lockedzeaudit lock files from the local Python project. This flag only applies to auditing from project pathsz-fz--formatPIP_AUDIT_FORMATFORMATz#the format to emit audit results in)rchoicesdefaultrrz-sz--vulnerability-servicePIP_AUDIT_VULNERABILITY_SERVICESERVICEz7the vulnerability service to audit dependencies againstz --osv-urlOSV_URLosv_urlPIP_AUDIT_OSV_URLz1URL to use for the OSV API instead of the default)rrrrrz-dz --dry-runzwithout `--fix`: collect all dependencies but do not perform the auditing step; with `--fix`: perform the auditing step but do not perform any fixesz-Sz--strictzFfail the entire audit if dependency collection fails on any dependencyz--descPIP_AUDIT_DESCzinclude a description for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats.)rrrconstrrz --aliaseszincludes alias IDs for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats.z --cache-dirzTthe directory to use as an HTTP cache for PyPI; uses the `pip` HTTP cache by default)rrz--progress-spinnerPIP_AUDIT_PROGRESS_SPINNERzdisplay a progress spinner)rrrrz --timeoutzset the socket timeout)rrrz--pathPATHpathszirestrict to the specified installation path for auditing packages; this option can be used multiple times)rrrrrrz-vz --verbosecountrzNrun with additional debug logging; supply multiple times to increase verbosity)rrrz--fixz=automatically upgrade dependencies with known vulnerabilitiesz--require-hasheszrequire a hash to check each requirement against, for repeatable audits; this option is implied when any package in a requirements file has a `--hash` option.z --index-urlzbase URL of the Python Package Index; this should point to a repository compliant with PEP 503 (the simple repository API); this will be resolved by pip if not specifiedz--extra-index-urlURLextra_index_urlszpextra URLs of package indexes to use in addition to `--index-url`; should follow the same rules as `--index-url`z--skip-editablez0don't audit packages that are marked as editablez --no-depszadon't perform any dependency resolution; requires all requirements are pinned to an exact versionz-oz--outputFILEz output results to the given filePIP_AUDIT_OUTPUTr,)rrrrz --ignore-vulnID ignore_vulnsz_ignore a specific vulnerability by its vulnerability ID; this option can be used multiple timesz --disable-pipzdon't use `pip` for dependency resolution; this can only be used with hashed requirements files or if the `--no-deps` flag has been provided)argparseArgumentParserArgumentDefaultsHelpFormatteradd_mutually_exclusive_group add_argumentr rr7osenvirongetr=rrYr_r/rDEFAULT_OSV_URLrbrhrjrsrwint)parserdep_source_argss r4_parserrs  $ $ ^ >>F 99;O k)yQ\P]E^_   J        X!    = !  ;    " 13E3M3MN =?Q R  ! '* @B\BaBab  E &      2J4N4NO @   O    U    +.,// /1O1T1TUE   %(&))(--E    c   "% ;=R=U=UV )    %      1!    ]   L  T   b    &   ?       / 18<     5   MrHc|j}|jdk\rtjd|jdk\r#t j jdt jd||S)NrDEBUGzparsed arguments: ) parse_argsverbosepackage_loggersetLevellogging getLoggerrdebug)rargss r4 _parse_argsrsh    D ||q( ||q$$W- LL%dV,- KrHc"|r[t|jd}|dz }|jr|j||st d|t |S|dz }|jrt ||||St d|y)Nz pylock.*.tomlz pylock.tomlzno lockfiles found in zpyproject.toml) index_urlrstatez*couldn't find a supported project file in )listglobis_filerrrr)rrrlockedr all_pylocksgeneric_pylockpyproject_paths r4_dep_source_from_project_pathrs<,,_=> % 5  ! ! #   ~ . +L>: ;K(("$44N -    7 ~ FGrHc dt}t|}|jtjur-t |j |j|j}n|jtjur"t|j |j}nS|jtjur"t|j |j}nt|j|jj|j }|j"j|j }|j j%||}|j&|j(r|j+d|j,|j.r|j+dnw|j0r|j+dnY|j2r|j+dn;|j4r|j+dn|j6r|j+d |j.r!|j4rt8j;d |j.r%t=t rt8j;d |j4r*t8j;d t8j;d t?5}g}|j@r|jCtEd|jGtI|}|j,|j,D]!} | jKrtMd| #tO|j,|j.|j4|j6|jP|j0|j2|} nq|j&8tS|j&|j0|j2|j(|} n-tU|jV|jX|jP|} t[t]|j^xr |j` } i} d} d}d}d}tc|jd} | jg| D][\}}|jirrtktl|}|jnr%tM|jpd|jrn+|jud|jpd|jr|dz }nltktv|}t8jyd|jpd|jzd|jud|jpd|jzd|r=|Dcgc]}|j}|r|}}|t|t|z z }|}|| |<t|dkDsI| dz } |t|z }^ t}d}d}|j`r't|| |D]}|j^r|jirJtkt|}t8jd|jjpd|jrnItkt|}t8jd|jjpd |jz|jisBtkt|} | ja||dz }|t| |jz }|jC|ddddkDrrd!|}nd"}d#|d$|dk(rd%nd&|d' d(| dk(rd)nd* }|j`r|d+d(|dk(rd%nd&d'd(|dk(rd)nd*z }t|tj,t|j5}t|j! |,ddd| k7rtjdyyd-}r |d.|d/z }t|tj,dkDs |jrBI  ;; LLQ R     LL] ^ ^^ LLX Y  " " LL^ _ \\ LLV W    LLZ [ t||XY z':> E  || "   G r"  MM,':; <##Jv$>?    ((( Azz|9#?@ A'!!#22  ,,"00..!%!6!6 F   * 3!!%%  Fjjjj"00 F'< @]UYU]U]Q]+^_>@   d//0 &}}V4 - e??$ 148D{{$))Bt/?/?.@AB**YtyykDDTDTCU+VW!OJ 2D9DLL9TYYKr$,,q!IJ&&499+R ~Q'OP"16%\Aall?>[a%\N%\%Uc.6I)II%*E$t u:>NI#e*,J' -B 88+GVUC "<<~~'"#4c: :377<<.I//2.?A ##5s; &CCGGLL>QUVYVaVaUb$cd~~'137CF 3'1,(Csww,@@(  S!/ "wr"hA~ "#4"56GGZL",/7HIitI;aY!^ 'T V  88 ./q&6!&;?ARST%&a /1 49*EG K k +  $ < )""651 ; <  ' HHQK (7  R 12(; ;K  >Y22DKK( @Bi&&vu5B? @ @3g&]%  3q6NN)  LLQ 8    D1F&)#h  [1/EF]r"r"N < <  @ @s>A/d .D*d D a%a<a1a3a C=d 1b?8d d,d&a b<"a<6d < b<)b71d 7b<<d ? d 6d>d d  d  dd#&d/)r2rrQzIterator[IO[str]])rr/rztype[enum.Enum]rQr/)rr/rQr )rQargparse.ArgumentParser)rrrQzargparse.Namespace) rrrr/rz list[str]rrPrr&rQr)rQNone)SrV __future__rrenumrrr0collections.abcr contextlibrrpathlibrtypingrr r r(r pip_audit._auditr r pip_audit._dependency_sourcerrrrr#pip_audit._dependency_source.pylockrpip_audit._fixrrrpip_audit._formatrrrrrpip_audit._servicerrrpip_audit._service.interfacerrr r!r"r#r$pip_audit._stater%r&pip_audit._utilr' basicConfigrrSrrrrrupperr5uniquer/Enumr7rYrbrsrwrrrrrrrWrHr4r-s#  $0%%!2=VVJIV6(   8 $#"";/ ';VDJJLM  dii : dii   S$)) .sDII . C   >GT HH#&H:CHMQHZdHH