Audit Python packages for known vulnerabilities

Sergey Vilgelm · Sergey Vilgelm · commit d00bf6d4ec85 · 2020-02-11T09:04:31.000-06:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -19,6 +19,20 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install ".[dev]"
+      - name: Audit Python packages for known vulnerabilities
+        run: |
+          if ! type ossaudit; then
+            echo "::warning ::ossaudit tool is not installed"
+            exit 0
+          fi
+          if ! RES=$(ossaudit --installed --config setup.cfg); then
+            RES="${RES//'%'/'%25'}"
+            RES="${RES//$'\n'/'%0A'}"
+            RES="${RES//$'\r'/'%0D'}"
+            echo "::error ::${RES}"
+            exit 1
+          fi
+          echo ${RES}
       - name: Test with inv
         run: inv cover qa
       - name: Coveralls
diff --git a/requirements/test.pip b/requirements/test.pip
@@ -10,3 +10,4 @@ pytest-mock==1.10.4
 pytest-profiling==1.7.0
 pytest-sugar==0.9.2
 tzlocal
+ossaudit; python_version >= '3.5'
diff --git a/setup.cfg b/setup.cfg
@@ -14,3 +14,10 @@ python_classes = *Test *Benchmark
 markers =
     api: test requiring an initialized API
     request_context: switch the request
+
+[ossaudit]
+# 06e60262-8241-42ef-8f64-e3d72091de19 - setuptools
+# the fix is released in the v40.8.0 of setuptools,
+# but the database is not updated yet.
+# Here is the ticket: https://github.com/OSSIndex/vulns/issues/58
+ignore-ids = 06e60262-8241-42ef-8f64-e3d72091de19
