guarddog fails to parse the whole requirements.txt after encountering package name starting with git+https://
requirements.txt:
black==22.3.0
git+https://github.com/PyCQA/bandit.git@main
cfn-lint
hypothesis
docker-compose.yml:
guarddog:
  image: ghcr.io/datadog/guarddog:v0.1.4
  volumes:
    - ./:/code
execution:
docker-compose run guarddog verify /code/requirements.txt
Received error:
Parse error at "'+https:/'": Expected string_endFound 0 potentially malicious indicators scanning black version 22.3.0
As seen in the output, anything below git+https:// is not being checked for malicious indicators. Also, upon a parse error the output is broken and doesn't contain a line break between string_end and Found.
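A tolerant requirements.txt parser, added here as an illustration and not guarddog's own code (which the thread says relies on pkg_resources): it classifies each line and keeps going past entries pkg_resources cannot parse, so a bare git+https:// line no longer stops the scan of the packages below it, and it also recognises the `name @ url` form the reporter switched to. SAMPLE is constructed from the issue's requirements.txt plus two extra lines.

```python
import re
from typing import List, NamedTuple, Optional


class Requirement(NamedTuple):
    name: Optional[str]     # None when the line names no package (bare VCS URL without #egg=)
    version: Optional[str]  # only filled for a pinned "==" specifier
    source: str             # "index", "vcs", "url" or "unparsed"
    raw: str                # the line as seen, for reporting


# Constructed sample: the issue's file plus a PEP 508 direct reference and an include directive.
SAMPLE = """\
black==22.3.0
git+https://github.com/PyCQA/bandit.git@main
cfn-lint
hypothesis
bandit @ git+https://github.com/PyCQA/bandit.git@main
-r other.txt   # include directive, skipped
"""

_SPEC = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(?:===|==)\s*(?P<ver>[^\s;#]+))?")
_VCS = re.compile(r"^(?P<scheme>git|hg|svn|bzr)\+\S+")
_EGG = re.compile(r"#egg=([A-Za-z0-9._-]+)")


def parse_requirement_line(line: str) -> Optional[Requirement]:
    """Classify one line; returns None for lines that carry no package at all."""
    text = "" if line.lstrip().startswith("#") else line.split(" #", 1)[0].strip()
    if not text or text.startswith("-"):   # blank, comment, or pip option such as -r / -e
        return None
    if " @ " in text:                       # PEP 508 direct reference: "name @ url"
        name, url = text.split(" @ ", 1)
        return Requirement(name.strip(), None, "vcs" if _VCS.match(url.strip()) else "url", text)
    if _VCS.match(text):                    # bare VCS URL: the name is only known via #egg=
        m = _EGG.search(text)
        return Requirement(m.group(1) if m else None, None, "vcs", text)
    m = _SPEC.match(text)
    if m and m.group("name"):
        return Requirement(m.group("name"), m.group("ver"), "index", text)
    return Requirement(None, None, "unparsed", text)  # record it and continue, do not abort


def parse_requirements(content: str) -> List[Requirement]:
    """Parse a whole file; every package-bearing line is returned, parse failures included."""
    return [r for r in (parse_requirement_line(l) for l in content.splitlines()) if r is not None]
```

Entries with source "vcs", "url" or "unparsed" are the ones a scanner cannot look up on PyPI by name and version, so they are worth reporting separately rather than silently dropping.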
Issue Analytics
- Created 10 months ago
- Comments: 8 (4 by maintainers)
I guess it’s fine as long as the whole requirements file gets processed. I can update my files and put package_name @ before so they get checked correctly.
Yeah you are definitely right. I think this is an issue with pkg_resources. Pip has some magic to get around this, but they specifically don't have an API that lets you do this.