Resolution fails due to encoding issue with version strings containing a `+` #143

fviernau · 2023-09-14T15:02:45Z

The following requirements.txt can be resolved with pip, but not with python-inspector.

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.0.0+cpu

Outcome:

python-inspector -p 3.10  --operating-system linux --json-pdt x.json --analyze-setup-py-insecurely --requirement requirements.txt --verbose
Resolving dependencies...
direct_dependencies:
 DependentPackage(purl='pkg:pypi/[email protected]%2Bcpu', extracted_requirement='torch==2.0.0+cpu', scope='install')
environment: Environment(python_version='310', operating_system='linux')
repos:
 PypiSimpleRepository(index_url='https://pypi.org/simple', credentials=None)
Traceback (most recent call last):
  File "/home/frank/.local/lib/python3.10/site-packages/resolvelib/resolvers.py", line 397, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/home/frank/.local/lib/python3.10/site-packages/resolvelib/resolvers.py", line 174, in _add_to_criteria
    raise RequirementsConflicted(criterion)
resolvelib.resolvers.RequirementsConflicted: Requirements conflict: <Requirement('torch==2.0.0+cpu')>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/frank/.local/lib/python3.10/site-packages/python_inspector/resolve_cli.py", line 247, in resolve_dependencies
    resolution_result: Dict = resolver_api(
  File "/home/frank/.local/lib/python3.10/site-packages/python_inspector/api.py", line 263, in resolve_dependencies
    resolution, purls = resolve(
  File "/home/frank/.local/lib/python3.10/site-packages/python_inspector/api.py", line 322, in resolve
    resolved_dependencies, packages = get_resolved_dependencies(
  File "/home/frank/.local/lib/python3.10/site-packages/python_inspector/api.py", line 360, in get_resolved_dependencies
    resolver_results = resolver.resolve(requirements=requirements, max_rounds=max_rounds)
  File "/home/frank/.local/lib/python3.10/site-packages/resolvelib/resolvers.py", line 546, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/home/frank/.local/lib/python3.10/site-packages/resolvelib/resolvers.py", line 399, in resolve
    raise ResolutionImpossible(e.criterion.information)
resolvelib.resolvers.ResolutionImpossible: [RequirementInformation(requirement=<Requirement('torch==2.0.0+cpu')>, parent=None)]

Observation:

After some debugging, I found that packages_from_links() in utils_pypi.py operates on packages which have the version encoded. In particular, the + is encoded as %2B. My guess is that the matching somehow then compares + with %2B and fails. I tried the following (workaround) requirements.txt, which can be successfully analyzed. I guess this proofs that it's an encoding bug:

--extra-index-url https://download.pytorch.org/whl/cpu
torch==2.0.0%2Bcpu

The text was updated successfully, but these errors were encountered:

`Distribution.from_link()` derives the version string of a package from the given (percent encoded) `Link.url`. That derivation lacks the decoded, so the resulting version string may also contain percent encoded characters in which case the dependency resolution fails. Fix the resolution by URL adding the missing unquoting. Fixes aboutcode-org#143. Signed-off-by: Frank Viernau <[email protected]>

`Distribution.from_link()` derives the version string of a package from the given (percent encoded) `Link.url`. That derivation lacks the decoding, so the resulting version string may also contain percent encoded characters in which case the dependency resolution fails. Fix the resolution by URL adding the missing unquoting. Fixes aboutcode-org#143. Signed-off-by: Frank Viernau <[email protected]>

pombredanne · 2023-09-25T14:29:01Z

For reference, not sure if you have read this before, the + is for "local version identifiers" as explained here https://peps.python.org/pep-0440/#local-version-identifiers and here https://peps.python.org/pep-0440/#adding-local-version-identifiers

`Distribution.from_link()` derives the version string of a package from the given (percent encoded) `Link.url`. That derivation lacks the decoding, so the resulting version string may also contain percent encoded characters in which case the dependency resolution fails. Fix the resolution by URL adding the missing unquoting. Fixes aboutcode-org#143. Signed-off-by: Frank Viernau <[email protected]>

pombredanne · 2023-10-18T15:00:43Z

@fviernau I have a fewthings to push to our branch shortly

Move the resolution to the from_filename() method in subclasses Reference: aboutcode-org#143 Signed-off-by: Philippe Ombredanne <[email protected]>

These new test were missing originally and they excercise all the corner cases of encoding. Reference: aboutcode-org#143 Signed-off-by: Philippe Ombredanne <[email protected]>

* Ensure that we honor the --generic-paths option when converting to plain mapping. * Avoid recursive imports by moving remove_test_data_dir_variable_prefix to utils.py * Simplifify tests to bypass the creation of an output file when not needed * Some tests are also updated to account for package version updates. Reference: aboutcode-org#143 Signed-off-by: Philippe Ombredanne <[email protected]>

Amongst others, the new release has a fix for a version string encoding related issue, see aboutcode-org/python-inspector#143. Signed-off-by: Frank Viernau <[email protected]>

fviernau mentioned this issue Sep 14, 2023

--find-links in requirements.txt not handled #142

Open

fviernau mentioned this issue Sep 15, 2023

Fix resolving requirements with percent encoded characters #144

Merged

pombredanne closed this as completed in #144 Oct 30, 2023

fviernau mentioned this issue Oct 31, 2023

chore(docker): Upgrade python-inspector to version 0.10.0 oss-review-toolkit/ort#7774

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolution fails due to encoding issue with version strings containing a `+` #143

Resolution fails due to encoding issue with version strings containing a `+` #143

fviernau commented Sep 14, 2023 •

edited

Loading

pombredanne commented Sep 25, 2023

pombredanne commented Oct 18, 2023

Resolution fails due to encoding issue with version strings containing a + #143

Resolution fails due to encoding issue with version strings containing a + #143

Comments

fviernau commented Sep 14, 2023 • edited Loading

pombredanne commented Sep 25, 2023

pombredanne commented Oct 18, 2023

Resolution fails due to encoding issue with version strings containing a `+` #143

Resolution fails due to encoding issue with version strings containing a `+` #143

fviernau commented Sep 14, 2023 •

edited

Loading