Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

guarddog fails to parse the whole requirements.txt after encountering package name starting with git+https://

See original GitHub issue

requirements.txt

black==22.3.0
git+https://github.com/PyCQA/bandit.git@main
cfn-lint
hypothesis

docker-compose.yml

  guarddog:
    image: ghcr.io/datadog/guarddog:v0.1.4
    volumes:
      - ./:/code

execution:

docker-compose run  guarddog verify /code/requirements.txt
Received error Parse error at "'+https:/'": Expected string_endFound 0 potentially malicious indicators scanning black version 22.3.0

as seen in the output anything below git+https:// is not being checked for malicious indicators. also upon parse error the output is broken and doesn’t contain break line between string_end and Found

Issue Analytics

State:
Created 10 months ago
Comments:8 (4 by maintainers)

Top GitHub Comments

2reactions

maciejstromichcommented, Nov 30, 2022

I guess it’s fine as long as the whole requirements file gets processed. I can update my files and put package_name @ before so they get checked correctly.

1reaction

zmallencommented, Nov 29, 2022

Yeah you are definitely right. I think this is an issue with pkg_resources. Pip has some magic to get around this, but they specifically don’t have an API that lets you do this