Invalid specifier error #169

Open
Bernardoow opened this issue Dec 28, 2022 · 7 comments
Assignees
Labels
bug Something isn't working source:osv OSV.dev Database / PYPA Advisory Database

Comments

@Bernardoow

Hi @twu!! I got the below error. Can I help to fix this?

    specifiers.SpecifierSet(f"=={x}", prereleases=True)
  File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__
    parsed.add(Specifier(specifier))
  File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

@twu
Owner

twu commented Jan 3, 2023

Hej 👋, thank you for reporting this and sorry for the late reply! I'm not sure whether this is a bug in skjold, as it looks more like a legacy version specifier (and thus would be unsupported as of packaging>=22). It also looks like this version belongs to an ipython version from 2006 (see https://pypi.org/project/ipython/#history). If it is indeed that old ipython version, bumping the requirement to the next patch version, e.g. 0.7.3 (assuming they follow semver), might be a lazier but probably better solution here 😅

Context: The reason for the invalid specifier is related to the recent packaging changes (pypa/packaging#407) and the attempt to loosen up the requirement for it (see #162). As a workaround (besides updating the package, which would probably be the easiest/best thing) you can either pin packaging to <22.0, which should make things work with the current skjold version, or use a skjold version before 0.6.1. HTH and let me know if this fixes your issue 🙇

❯ pip install skjold==0.6.0
❯ echo "ipython==0.7.1.fix1" | skjold -v audit -s pyup -
...
No vulnerable packages found!

@twu twu self-assigned this Jan 3, 2023
@Bernardoow
Author

Ah ok!! Thanks!!

@Bernardoow
Author

Bernardoow commented Jan 4, 2023

Hi @twu, I closed this issue but I have one question.

My poetry.lock has the code below. IPython is 8.8.0, not 0.7.1.fix1. Can I assume that this issue will show up for every package that used a similar version format at some point in its history?

[[package]]
name = "ipython"
version = "8.8.0"
description = "IPython: Productive Interactive Computing"
category = "dev"
optional = false
python-versions = ">=3.8"
files = [
    {file = "ipython-8.8.0-py3-none-any.whl", hash = "sha256:da01e6df1501e6e7c32b5084212ddadd4ee2471602e2cf3e0190f4de6b0ea481"},
    {file = "ipython-8.8.0.tar.gz", hash = "sha256:f3bf2c08505ad2c3f4ed5c46ae0331a8547d36bf4b21a451e8ae80c0791db95b"},
]

@petarmaric

Seems to still be reproducible in 0.6.1:

$ echo ipython==8.5.0 | skjold audit --sources pypa - |& tail -n 1
packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

$ skjold --version
skjold, version 0.6.1

@twu I think this issue should be reopened. Awesome library/cli btw 👍

@twu
Owner

twu commented Jan 17, 2023

Sorry @Bernardoow for the late reply 🙇 As @petarmaric's comment made me revisit this, I took another look and it seems like the issue lies with how pypa stores their affected versions (explicitly listing all vulnerable versions under the versions field). It also looks like .fix1 is only half the problem, as there are probably other packages listed using old or unsupported version identifiers. Maybe skipping them is the only good option here?

❯ rg '0.7.1.fix1'
ipython/PYSEC-2015-24.yaml
46:  - 0.7.1.fix1

ipython/PYSEC-2017-47.yaml
43:  - 0.7.1.fix1

ipython/PYSEC-2022-12.yaml
53:  - 0.7.1.fix1

ipython/PYSEC-2017-46.yaml
45:  - 0.7.1.fix1

ipython/PYSEC-2015-25.yaml
44:  - 0.7.1.fix1

I will try working on this sometime this week/weekend. Thanks again 🙇 As a temporary workaround you can either:

  1. Pin packaging==21.3, the latest version before switching to the new version parser for now.
# Using the latest version
❯ skjold --version
skjold, version 0.6.1

# Pin `packaging` to 21.3 (see above)
❯ pip install packaging==21.3

❯ pip list
Package    Version
---------- -------
...
packaging  21.3
...
skjold     0.6.1

# `packaging` will happily parse "0.7.1.fix1"
❯ echo ipython==8.5.0 | skjold audit --sources pypa -
Warning: No 'pyproject.toml' found!
No vulnerable packages found!
  2. Use any of the other sources, since they store versions as ranges and should work without issues.
❯ echo ipython==8.5.0 | skjold audit --sources pyup -
Warning: No 'pyproject.toml' found!
No vulnerable packages found!

@twu twu reopened this Jan 17, 2023
@twu twu added bug Something isn't working source:osv OSV.dev Database / PYPA Advisory Database labels Jan 17, 2023
@pythrick

Any updates in this issue?

@wrvdklooster

I have the same issue now with gemnasium:

Traceback (most recent call last):
  File ".venv/bin/skjold", line 8, in <module>
    sys.exit(cli())
  File ".venv/lib/python3.8/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File ".venv/lib/python3.8/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File ".venv/lib/python3.8/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File ".venv/lib/python3.8/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File ".venv/lib/python3.8/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File ".venv/lib/python3.8/site-packages/click/decorators.py", line 92, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File ".venv/lib/python3.8/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File ".venv/lib/python3.8/site-packages/skjold/cli.py", line 186, in audit_
    findings = audit(config, packages, ignore=ignore)
  File ".venv/lib/python3.8/site-packages/skjold/tasks.py", line 222, in audit
    is_vulnerable, advisories = source.is_vulnerable_package(dependency)
  File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 161, in is_vulnerable_package
    if candidate.is_affected(dependency.version):
  File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 102, in is_affected
    affected_versions = map(allows_, self.vulnerable_version_range)
  File ".venv/lib/python3.8/site-packages/skjold/sources/gemnasium.py", line 90, in vulnerable_version_range
    vulnerable_versions.append(specifiers.SpecifierSet(spec, prereleases=True))
  File ".venv/lib/python3.8/site-packages/packaging/specifiers.py", line 714, in __init__
    parsed.add(Specifier(specifier))
  File ".venv/lib/python3.8/site-packages/packaging/specifiers.py", line 245, in __init__
    raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '>=4.2.'
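Both failures in this thread (twu's Jan 17 comment: PyPA advisories that list legacy exact versions such as `0.7.1.fix1`, and the gemnasium traceback just above: a malformed range `>=4.2.`) are the same input-handling problem: version strings coming from an advisory feed are passed straight to packaging's strict parser, so one bad entry aborts the whole audit. The example below is added here and is not skjold's code; the function names, the constructed sample version lists, and the small stand-in parser used only when `packaging` is not importable are all assumptions. It shows the skip-and-report approach twu floated: parse each advisory version or range individually, log and collect the ones packaging rejects, and still return a verdict for the rest.

```python
"""Skip unparseable advisory version data instead of aborting the whole audit.
Added example, not skjold's code; function names and sample data are constructed."""
import logging
import re
from functools import total_ordering

log = logging.getLogger("advisory-versions")

try:
    from packaging.specifiers import InvalidSpecifier, SpecifierSet  # the real parser
    from packaging.version import InvalidVersion, Version
except ImportError:
    # Assumption: a minimal stand-in (release segments only, six comparison
    # operators) so the example also runs where `packaging` is not installed.
    _RELEASE = re.compile(r"^v?(\d+(?:\.\d+)*)$")
    _CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*(\S+)$")

    class InvalidVersion(ValueError):
        pass

    class InvalidSpecifier(ValueError):
        pass

    @total_ordering
    class Version:
        def __init__(self, text):
            match = _RELEASE.match(text.strip())
            if not match:
                raise InvalidVersion(f"Invalid version: '{text}'")
            parts = [int(p) for p in match.group(1).split(".")]
            while len(parts) > 1 and parts[-1] == 0:  # 4.2.0 == 4.2, as in PEP 440
                parts.pop()
            self.release = tuple(parts)

        def __eq__(self, other):
            return self.release == other.release

        def __lt__(self, other):
            return self.release < other.release

    _OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
            "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
            "<": lambda a, b: a < b, ">": lambda a, b: a > b}

    class SpecifierSet:
        def __init__(self, specifiers="", prereleases=None):
            self.clauses = []
            for clause in (c.strip() for c in specifiers.split(",") if c.strip()):
                match = _CLAUSE.match(clause)
                try:
                    self.clauses.append((_OPS[match.group(1)], Version(match.group(2))))
                except (AttributeError, InvalidVersion):
                    raise InvalidSpecifier(f"Invalid specifier: '{clause}'") from None

        def contains(self, item, prereleases=None):
            version = item if isinstance(item, Version) else Version(item)
            return all(op(version, bound) for op, bound in self.clauses)


def affected_by_exact_list(dependency_version, advisory_versions):
    """PyPA-style advisory: `versions` lists each affected release explicitly.
    Returns (is_affected, skipped); legacy strings land in `skipped` instead of raising."""
    dependency = Version(dependency_version)  # a non-PEP 440 dependency is the caller's bug
    affected, skipped = False, []
    for raw in advisory_versions:
        try:
            listed = Version(raw)
        except InvalidVersion:
            log.warning("skipping unparseable advisory version %r", raw)
            skipped.append(raw)
            continue
        affected |= listed == dependency
    return affected, skipped


def affected_by_ranges(dependency_version, specs):
    """Range-based source: each spec is a specifier string such as '>=4.2,<4.3'.
    A malformed spec such as '>=4.2.' is skipped and reported the same way."""
    dependency = Version(dependency_version)
    affected, skipped = False, []
    for spec in specs:
        try:
            spec_set = SpecifierSet(spec, prereleases=True)
        except InvalidSpecifier:
            log.warning("skipping unparseable range %r", spec)
            skipped.append(spec)
            continue
        affected |= spec_set.contains(dependency, prereleases=True)
    return affected, skipped


# Constructed sample data: the legacy entry is the one from this thread, the other
# releases and ranges are illustrative and not taken from any real advisory.
CONSTRUCTED_PYSEC_VERSIONS = ["0.7.1.fix1", "8.4.0", "8.5.0"]
CONSTRUCTED_GEMNASIUM_RANGES = [">=4.2.", ">=4.2,<4.3"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(affected_by_exact_list("8.5.0", CONSTRUCTED_PYSEC_VERSIONS))  # (True, ['0.7.1.fix1'])
    print(affected_by_ranges("4.2.5", CONSTRUCTED_GEMNASIUM_RANGES))   # (True, ['>=4.2.'])
```

The trade-off is worth keeping visible: an entry that is skipped can no longer produce a match, so a dependency that really is pinned to a legacy version such as `0.7.1.fix1` would be silently missed if the skipped list were discarded. Surfacing it in verbose output (as the warnings above do) keeps the audit from crashing without hiding that part of the advisory was not evaluated.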
