Bandit broken via `stevedore` dependency with `importlib-metadata>=5`.
See original GitHub issue

Describe the bug

Bandit depends on the stevedore package for extension management. That package, in turn, depends on importlib-metadata for the entrypoints mechanism that it uses. importlib-metadata 5.0.0 was recently released and apparently removed compatibility with the mechanism used by stevedore.

The following crash now happens, if importlib-metadata 5.0.0 is installed:
$ bandit --version
Traceback (most recent call last):
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/_cache.py", line 159, in _get_data_for_path
with open(filename, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/home/me/.cache/python-entrypoints/19c8187c80a898f0d56eed9b81a44d91389b2a2953186081f4546ac88dcb6e00'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/me/src/python-lockup/stevedore-bug/bin/bandit", line 5, in <module>
from bandit.cli.main import main
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/__init__.py", line 7, in <module>
from bandit.core import config # noqa
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/core/__init__.py", line 5, in <module>
from bandit.core import config # noqa
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/core/config.py", line 15, in <module>
from bandit.core import extension_loader
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/core/extension_loader.py", line 109, in <module>
MANAGER = Manager()
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/core/extension_loader.py", line 21, in __init__
self.load_formatters(formatters_namespace)
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/bandit/core/extension_loader.py", line 29, in load_formatters
verify_requirements=False,
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/extension.py", line 136, in __init__
verify_requirements)
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/extension.py", line 218, in _load_plugins
for ep in self.list_entry_points():
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/extension.py", line 207, in list_entry_points
eps = list(_cache.get_group_all(self.namespace))
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/_cache.py", line 179, in get_group_all
data = self._get_data_for_path(path)
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/_cache.py", line 162, in _get_data_for_path
data = _build_cacheable_data(path)
File "/home/me/src/python-lockup/stevedore-bug/lib/python3.7/site-packages/stevedore/_cache.py", line 110, in _build_cacheable_data
for name, group_data in real_groups.items():
AttributeError: 'EntryPoints' object has no attribute 'items'
Reproduction steps

For crash:

ASDF_PYTHON_VERSION=3.7.14 python3 -m venv stevedore-bug
# or your favorite way of creating a Python virtual environment.
. stevedore-bug/bin/activate
# Assuming a Bourne shell-like sourcing mechanism for your shell.
pip install bandit importlib-metadata
bandit --version
# crashes

To prove that newest importlib-metadata is the culprit by constraining it:

ASDF_PYTHON_VERSION=3.7.14 python3 -m venv stevedore-workaround
. stevedore-workaround/bin/activate
pip install bandit 'importlib-metadata<5'
bandit --version
# works
Expected behavior
Display of Bandit version:
bandit 1.7.4
python version = 3.7.14 (default, Sep 12 2022, 16:42:27) [GCC 9.4.0]
Bandit version
1.7.4 (Default)
Python version
3.7
Additional context

Have not reported upstream to stevedore project yet since their issue tracker is not on Github. May do so later, depending on level of effort/hassle. Probably best workaround for now is to explicitly clamp the importlib-metadata version.
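A compatibility shim for the API change behind the traceback above, added here as an illustration; it is not stevedore's or Bandit's own code, and the entry-point values are constructed samples. It shows the dict-assuming pattern that raises the AttributeError next to a loader that accepts both the legacy dict-of-lists and the newer EntryPoints sequence.

```python
"""Added example: handle both shapes of importlib.metadata.entry_points()."""
from collections import defaultdict
from importlib.metadata import EntryPoint

try:  # Python >= 3.10 / importlib-metadata >= 3.6 expose the EntryPoints type
    from importlib.metadata import EntryPoints
except ImportError:  # older stdlib: entry_points() returns a plain dict of lists
    EntryPoints = None


def stevedore_style_groups(eps):
    """The pattern that crashes above: assumes eps is a dict of group -> [EntryPoint].

    importlib-metadata 5.0 returns an EntryPoints sequence instead, which has
    no .items(), hence "'EntryPoints' object has no attribute 'items'".
    """
    return {name: list(group_data) for name, group_data in eps.items()}


def group_entry_points(eps):
    """Return {group: [EntryPoint, ...]} whichever API shape eps has."""
    if hasattr(eps, "select"):  # EntryPoints / SelectableGroups (new API)
        return {g: list(eps.select(group=g)) for g in sorted(eps.groups)}
    if hasattr(eps, "items"):  # legacy dict-of-lists API (importlib-metadata < 5)
        return {g: list(entries) for g, entries in eps.items()}
    grouped = defaultdict(list)  # fallback: any plain iterable of EntryPoint objects
    for ep in eps:
        grouped[ep.group].append(ep)
    return dict(grouped)


# Constructed sample entry points, modelled on Bandit's plugin namespaces.
SAMPLE_EPS = [
    EntryPoint("json", "bandit.formatters.json:report", "bandit.formatters"),
    EntryPoint("txt", "bandit.formatters.text:report", "bandit.formatters"),
    EntryPoint("B101", "bandit.plugins.asserts:assert_used", "bandit.plugins"),
]


def legacy_shape():
    """Dict of lists, as importlib-metadata < 5 returned it."""
    grouped = defaultdict(list)
    for ep in SAMPLE_EPS:
        grouped[ep.group].append(ep)
    return dict(grouped)


def new_shape():
    """EntryPoints sequence, as importlib-metadata 5 returns it (None if unavailable)."""
    return EntryPoints(SAMPLE_EPS) if EntryPoints is not None else None
```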
@kszmigiel Until a fix is released, you can

pip install 'importlib-metadata<5;python_version<"3.8"'

manually in the environment where bandit is installed.

@emcd thank you for creating this issue. I was tearing my hair out since yesterday as I couldn’t find the reason behind this. Do you think updating the whole app to python 3.8 will help? Unfortunately I can’t wait for official fix, and can’t skip bandit check either.