Fresh installed pip-audit via conda-forge failed to install packages (internal pip failure) #645

Closed
ovalerio opened this issue Jul 6, 2023 · 4 comments
Labels: upstream (Items that require upstream work or coordination)

ovalerio commented Jul 6, 2023

Bug description

Hello pip-audit Team:

I installed pip-audit in a fresh conda environment, one time using pip and in a second attempt from conda-forge. The installation went flawlessly. Afterwards I attempted running pip-audit, providing a requirements.txt, and I got an error about a missing dependency (filelock).

(pip-audit) user@host:~/pip-audit$ pip-audit -r requirements.txt
Traceback (most recent call last):
  File "/home/user/anaconda3/envs/pip-audit/lib/python3.11/site-packages/cachecontrol/caches/file_cache.py", line 73, in __init__
    from filelock import FileLock
ModuleNotFoundError: No module named 'filelock'

ImportError: 
NOTE: In order to use the FileCache you must have
filelock installed. You can install it via pip:
  pip install filelock

I corrected that error by installing filelock using conda. Then I ran it again and got the following error message:

(pip-audit) user@host:~/pip-audit$ pip-audit -r requirements.txt 
ERROR:pip_audit._virtual_env:internal pip failure: ERROR: Could not install packages due to an OSError: [Errno 2] No such file or directory: '/home/conda/feedstock_root/build_artifacts/anyio_1652463865103/work/dist'

ERROR:pip_audit._cli:Failed to install packages: ['/tmp/tmpsn337brm/bin/python3.11', '-m', 'pip', 'install', '--dry-run', '--report', '/tmp/tmpze67rno8', '-r', 'requirements.txt']

Reproduction steps

conda create -n pip-audit
conda activate pip-audit
conda install -c conda-forge pip-audit
pip-audit -r requirements.txt 
conda install -c conda-forge filelock
pip-audit -r requirements.txt 

Expected behavior

Expecting a vulnerability report from the requirements.txt

Platform information

  • OS name and version: Ubuntu 20.04.6 LTS
  • pip-audit version (pip-audit -V): pip-audit 2.5.5
  • Python version (python -V or python3 -V): Python 3.11.4
  • pip version (pip -V or pip3 -V): pip 23.1.2
ovalerio added the bug-candidate (Might be a bug.) label Jul 6, 2023

woodruffw commented Jul 6, 2023

Hi @ovalerio!

The conda distribution of pip-audit is not directly supported by us: it's maintained downstream by contributors, and may have outdated or incorrect dependencies.

Can you try installing directly from pip instead, and seeing if the error still occurs?

In a fresh venv:

python -m pip install pip-audit
pip-audit -r requirements.txt

If that succeeds, then this is probably an upstream dependency issue that we don't have the ability to fix. In particular, it's likely that the upstream doesn't specify the filecache extra correctly or at all -- they need to use cachecontrol[filecache] to do so.

woodruffw added the upstream (Items that require upstream work or coordination) and needs-response (Needs response from the reporter.) labels Jul 6, 2023

ovalerio (Author) commented

Hi @woodruffw!

Thank you for your help. I tried again using a fresh environment. This time I installed pip-audit using pip as you recommended:

conda create -n pip-audit-env
conda activate pip-audit-env
conda install -c conda-forge pip
python -m pip install pip-audit
pip-audit -r requirements.txt 

This time, I got a different error message.

pip-audit -r requirements.txt 
ERROR:pip_audit._virtual_env:internal pip failure:   error: subprocess-exited-with-error
  
  × python setup.py egg_info did not run successfully.
  │ exit code: 1
  ╰─> [49 lines of output]
      running egg_info
      creating /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info
      writing /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/PKG-INFO
      writing dependency_links to /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/dependency_links.txt
      writing entry points to /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/entry_points.txt
      writing requirements to /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/requires.txt
      writing top-level names to /tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/top_level.txt
      writing manifest file '/tmp/pip-pip-egg-info-iq8su0dt/imagecodecs.egg-info/SOURCES.txt'
      Traceback (most recent call last):
        File "<string>", line 2, in <module>
        File "<pip-setuptools-caller>", line 34, in <module>
        File "/tmp/pip-install-a4d35b4o/imagecodecs_6c9fb90a7ad7464da90943188494447d/setup.py", line 631, in <module>
          setup(
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/__init__.py", line 107, in setup
          return distutils.core.setup(**attrs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/core.py", line 185, in setup
          return run_commands(dist)
                 ^^^^^^^^^^^^^^^^^^
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/core.py", line 201, in run_commands
          dist.run_commands()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/dist.py", line 969, in run_commands
          self.run_command(cmd)
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/dist.py", line 1234, in run_command
          super().run_command(command)
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/dist.py", line 988, in run_command
          cmd_obj.run()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/command/egg_info.py", line 314, in run
          self.find_sources()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/command/egg_info.py", line 322, in find_sources
          mm.run()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/command/egg_info.py", line 551, in run
          self.add_defaults()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/command/egg_info.py", line 589, in add_defaults
          sdist.add_defaults(self)
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/command/sdist.py", line 104, in add_defaults
          super().add_defaults()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/command/sdist.py", line 251, in add_defaults
          self._add_defaults_ext()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/command/sdist.py", line 335, in _add_defaults_ext
          build_ext = self.get_finalized_command('build_ext')
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/cmd.py", line 305, in get_finalized_command
          cmd_obj.ensure_finalized()
        File "/tmp/tmpv4ffnjvb/lib/python3.11/site-packages/setuptools/_distutils/cmd.py", line 111, in ensure_finalized
          self.finalize_options()
        File "/tmp/pip-install-a4d35b4o/imagecodecs_6c9fb90a7ad7464da90943188494447d/setup.py", line 600, in finalize_options
          import numpy
      ModuleNotFoundError: No module named 'numpy'
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed

× Encountered error while generating package metadata.
╰─> See above for output.

note: This is an issue with the package mentioned above, not pip.
hint: See above for details.

ERROR:pip_audit._cli:Failed to install packages: ['/tmp/tmpv4ffnjvb/bin/python', '-m', 'pip', 'install', '--dry-run', '--report', '/tmp/tmp_dbh_91v', '-r', 'requirements.txt']

This is the (requirements.txt) that I am trying to audit.

woodruffw (Member) commented

From the error message: this is almost certainly a bug in the package (imagecodecs) build, not pip (or pip-audit).

From a quick look, it looks like they try to import numpy at build time, which is probably failing because of our build isolation.

The good news is that it looks like imagecodecs specifies their build dependencies correctly in their latest release:

https://github.com/cgohlke/imagecodecs/blob/57ea74b0e1d8bf78f10a74d0ee896eee36eaf65c/pyproject.toml#L3-L5

The bad news is that your dependency tree doesn't appear to resolve that latest release: it looks like your dependency link is pharaglow->imagecodecs, so your pharaglow dependency needs to update their subdependency.

TL;DR: You should probably raise an upstream request with pharaglow to bump their dependency on imagecodecs, which should then fix the build error here.

woodruffw removed the needs-response (Needs response from the reporter.) and bug-candidate (Might be a bug.) labels Jul 17, 2023

woodruffw (Member) commented

Closing as not our bug.
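
An added example, not part of the thread and not pip-audit's own code: the three failures quoted in this issue sorted by a small triage function, so the missing-module, missing-path and sdist build failures can be told apart from the log alone. The function `triage` and its category names are hypothetical; the log excerpts are abridged from the issue.

```python
import re

# Abridged excerpts copied from the three failed runs quoted in this thread.
RUN_FILELOCK = """ModuleNotFoundError: No module named 'filelock'
NOTE: In order to use the FileCache you must have
filelock installed. You can install it via pip:
"""
RUN_CONDA = (
    "ERROR:pip_audit._virtual_env:internal pip failure: ERROR: Could not install "
    "packages due to an OSError: [Errno 2] No such file or directory: "
    "'/home/conda/feedstock_root/build_artifacts/anyio_1652463865103/work/dist'\n"
)
RUN_SDIST = """ERROR:pip_audit._virtual_env:internal pip failure:   error: subprocess-exited-with-error
  File "/tmp/pip-install-a4d35b4o/imagecodecs_6c9fb90a7ad7464da90943188494447d/setup.py", line 600, in finalize_options
    import numpy
ModuleNotFoundError: No module named 'numpy'
error: metadata-generation-failed
"""

MISSING_PATH = re.compile(r"OSError: \[Errno 2\] No such file or directory: '([^']+)'")
MISSING_MOD = re.compile(r"ModuleNotFoundError: No module named '([^']+)'")
# pip unpacks an sdist into pip-install-XXXX/<name>_<hex>/ before running setup.py
SDIST_SETUP = re.compile(r'/pip-install-[^/]+/([\w.\-]+?)_[0-9a-f]+/setup\.py"')


def triage(log):
    """Classify a failed pip-audit run as (kind, detail); the kind names are made up here."""
    path = MISSING_PATH.search(log)
    if path:
        # pip was pointed at a local path that does not exist on this machine
        return ("missing-local-path", path.group(1))
    mod = MISSING_MOD.search(log)
    if mod and "metadata-generation-failed" in log:
        # setup.py imported a module that the isolated build environment lacks
        pkgs = SDIST_SETUP.findall(log)
        return ("sdist-build-import", f"{pkgs[-1] if pkgs else '?'} imports {mod.group(1)}")
    if mod:
        # a module is missing from the environment pip-audit itself runs in
        return ("missing-runtime-module", mod.group(1))
    return ("unknown", "")


if __name__ == "__main__":
    for name, log in [("run 1", RUN_FILELOCK), ("run 2", RUN_CONDA), ("run 3", RUN_SDIST)]:
        print(name, *triage(log))
```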

woodruffw closed this as not planned Sep 13, 2023