🐶 Yorkshire is your friend; Yorkshire checks Python's requirements files for a possible dependency confusion.
Note if PEP-708: Extending the Repository API to Mitigate Dependency Confusion Attacks gets accepted, you do not need to use Yorkshire anymore.
Yorkshire was developed to perform scans on all the possible files that can manipulate with Python package index configuration. The scan will reveal configuration of multiple Python package indexes to check for a possible dependency confusion. By reviewing results, users can prevent from issues like the one with PyTorch's torchvision. The tool does not report whether there is an actual dependency confusion (that would require more in-depth analysis), but whether there is a possibility for a dependency confusion - whether packages could be consumed from multiple Python package indexes.
The tool checks whether there are configured any extra index URLs in corresponding files. Currently, there are supported the following installation methods and their files:
- PDM -
pyproject.toml
andpdm.lock
- Pipenv -
Pipfile
andPipfile.lock
- Poetry -
pyproject.toml
(poetry.lock is not sufficient for a dependency confusion detection) - pip - raw
requirements.txt
- pip-tools -
requirements.txt
andrequirements.in
- setup.cfg - the tool parses setuptool's
setup.cfg
configuration - setup.py - the tool statically analyzes sources of the
setup.py
script
Yorkshire is available on PyPI:
pip install yorkshire
yorkshire --help
To install the tool from this Git repository, issue the following command from
the root of the yorkshire
directory:
python3 -m venv venv
source venv/bin/activate
pip install -e .
yorkshire --help
yorkshire detect DIR|FILE|URL
- if the argument supplied is a directory, Yorkshire traverses the whole directory tree and checks files present
- if the argument supplied is a file, Yorkshire performs analysis on the given file
- if the argument supplied is URL, Yorksire downloads the referenced file and perfoms analysis (the file is deleted as the analysis finishes)
See --help
for more information:
yorkshire --help
yorkshire detect --help
The tool can be run on a single requirements file and check Python package indexes configured:
$ yorkshire detect tests/data/requirements_files/fail/pipfile/Pipfile
2023-03-10 14:07:01,640 [24252] INFO yorkshire._lib: Performing detection in Pipfile file located at 'tests/data/requirements_files/fail/pipfile'
2023-03-10 14:07:01,640 [24252] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile/Pipfile' states one or multiple Python package indexes: ['https://pypi.org/simple', 'https://download.pytorch.org/whl/cpu']
Or, it can traverse a directory tree and report findings:
$ yorkshire detect tests/data/requirements_files/fail
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in setup.py file located at 'tests/data/requirements_files/fail/setup_py'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/setup_py/setup.py' uses dependency links
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in pyproject.toml file located at 'tests/data/requirements_files/fail/pyproject_toml/poetry'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pyproject_toml/poetry/pyproject.toml' uses an explicitly configured Poetry source: ['https://test.pypi.org/simple/']
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in pyproject.toml file located at 'tests/data/requirements_files/fail/pyproject_toml/pdm'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pyproject_toml/pdm/pyproject.toml' uses an explicitly configured PDM source: ['https://test.pypi.org/simple']
2023-03-10 14:08:39,811 [24502] INFO yorkshire._lib: Performing detection in setup.cfg file located at 'tests/data/requirements_files/fail/setup_cfg/01'
2023-03-10 14:08:39,811 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/setup_cfg/01/setup.cfg' uses dependency links: http://peak.telecommunity.com/snapshots/
2023-03-10 14:08:39,812 [24502] INFO yorkshire._lib: Performing detection in requirements.in file located at 'tests/data/requirements_files/fail/requirements/02'
2023-03-10 14:08:39,812 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/requirements/02/requirements.in' states one or multiple extra index URLs: ['https://download.pytorch.org/whl/cpu']
2023-03-10 14:08:39,812 [24502] INFO yorkshire._lib: Performing detection in requirements.in file located at 'tests/data/requirements_files/fail/requirements/01'
2023-03-10 14:08:39,812 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/requirements/01/requirements.in' states --find-links: ['https://github.com/NVIDIA/Torch-TensorRT/releases']
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in pdm.lock file located at 'tests/data/requirements_files/fail/pdm_lock'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: Package 'certifi 2021.10.8' is not consumed from PyPI: https://files.custom.org/packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in Pipfile file located at 'tests/data/requirements_files/fail/pipfile'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile/Pipfile' states one or multiple Python package indexes: ['https://pypi.org/simple', 'https://download.pytorch.org/whl/cpu']
2023-03-10 14:08:39,813 [24502] INFO yorkshire._lib: Performing detection in Pipfile.lock file located at 'tests/data/requirements_files/fail/pipfile_lock'
2023-03-10 14:08:39,813 [24502] WARNING yorkshire._lib: File 'tests/data/requirements_files/fail/pipfile_lock/Pipfile.lock' states one or multiple Python package indexes: ['https://pypi.org/simple', 'https://localhost:8080/simple']
The tool can also check a file referenced by URL (any query parameters are intentionally discarded):
$ yorkshire detect https://raw.githubusercontent.com/pytorch/pytorch/master/requirements.txt
2023-03-10 14:11:45,774 [24832] INFO yorkshire._lib: Performing detection in requirements.txt file located at 'https://raw.githubusercontent.com/pytorch/pytorch/master'
$ echo $?
0
Yorkshire can be used as a library in your application:
>>> import yorkshire
>>> path = os.getcwd()
>>> yorkshire.detect(path)
>>> yorkshire.detect_file(path)
>>> help(yorkshire.detect)
>>> help(yorkshire.detect_file)
See the LICENSE file.