
pip install with --hash is throwing PinnedDependenciesID #4189

Closed
Tracked by #1583
johnandersen777 opened this issue Jun 22, 2024 · 5 comments

Comments

@johnandersen777

johnandersen777 commented Jun 22, 2024

{
   "ruleId": "PinnedDependenciesID",
   "ruleIndex": 4,
   "message": {
      "text": "score is 4: pipCommand not pinned by hash\nClick Remediation section below to solve this issue"
   },
   "locations": [
      {
         "physicalLocation": {
            "region": {
               "startLine": 8,
               "endLine": 20,
               "snippet": {
                  "text": "python3 -m pip install -U pip==24.1 --hash=sha256:a775837439bf5da2c1a0c2fa43d5744854497c689ddbd9344cf3ea6d00598540 --hash=sha256:bdae551038c0ce6a83030b4aedef27fc95f0daa683593fea22fa05e55ed8e317"
               }
            },
            "artifactLocation": {
               "uri": "operations/image/Dockerfile",
               "uriBaseId": "%SRCROOT%"
            }
         },
         "message": {
            "text": "pipCommand not pinned by hash"
         }
      }
   ]
}
@johnandersen777
Author

It looks like this is because any pip install without a requirements.txt will trigger a pinning finding.

johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 22, 2024
johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 23, 2024
johnandersen777 pushed a commit to intel/dffml that referenced this issue Jun 23, 2024
@johnandersen777
Author

{
   "ruleId": "PinnedDependenciesID",
   "ruleIndex": 4,
   "message": {
      "text": "score is 4: pipCommand not pinned by hash\nClick Remediation section below to solve this issue"
   },
   "locations": [
      {
         "physicalLocation": {
            "region": {
               "startLine": 8,
               "endLine": 22,
               "snippet": {
                  "text": "python -m pip install -r requirements-lock.txt"
               }
            },
            "artifactLocation": {
               "uri": "operations/image/Dockerfile",
               "uriBaseId": "%SRCROOT%"
            }
         },
         "message": {
            "text": "pipCommand not pinned by hash"
         }
      }
   ]
}

@johnandersen777
Author

I don't understand: how can one pin dependencies with pip in a way Scorecard recognizes? There is no example in testdata/. Can someone please help?

@pnacht
Contributor

pnacht commented Jun 24, 2024

Scorecard expects the following:

python -m pip install -r requirements-lock.txt --require-hashes

The --require-hashes means pip will fail if the requirements file isn't hashed. Scorecard doesn't actually open the requirements file itself.

Though it probably should detect the --hash format you tried as well...
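
As an added example (not Scorecard's or pip's own code), the Python below sketches the two layers this thread separates: a command-line heuristic of the kind the PinnedDependencies rule applies, which looks only at the pip invocation and accepts `--require-hashes` without opening any file, and the per-requirement check that pip itself enforces once `--require-hashes` is given. Treating a command whose every specifier is an `==` pin and which carries inline `--hash=` options as pinned is an assumption for illustration (the issue shows Scorecard does not yet do this), and `SAMPLE_LOCK` is a constructed lock file, not one from the project.

```python
"""Illustrative pinned-dependency checks for pip invocations and lock files.

Added example, not Scorecard's or pip's code. The rules are a simplified
assumption of how the tools behave, written to show why a bare
'-r requirements-lock.txt' is flagged while '--require-hashes' is not.
"""
import re
import shlex

# pip options that consume the following token, so that token is not
# mistaken for a package specifier (assumed subset, enough for this demo).
_VALUE_FLAGS = {"-r", "--requirement", "-c", "--constraint", "-i",
                "--index-url", "--extra-index-url", "-f", "--find-links"}

# A --hash value as pip writes it: algorithm, colon, lowercase hex digest.
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")


def pip_command_is_hash_pinned(command: str) -> bool:
    """Command-line-only check, mirroring the behaviour described in the thread.

    Returns True when the 'pip install' command carries --require-hashes
    (the requirements file is never opened). As an assumed extension, a
    command whose specifiers are all '==' pins and which has at least one
    inline --hash is accepted as well.
    """
    argv = shlex.split(command)
    if "install" not in argv:
        return False
    args = argv[argv.index("install") + 1:]
    if "--require-hashes" in args:
        return True
    specs, hashes, skip_next = [], 0, False
    for tok in args:
        if skip_next:            # value belonging to the previous flag
            skip_next = False
            continue
        if tok.startswith("--hash="):
            hashes += 1
        elif tok == "--hash":    # '--hash sha256:...' two-token form
            hashes += 1
            skip_next = True
        elif tok in _VALUE_FLAGS:
            skip_next = True
        elif tok.startswith("-"):
            continue             # boolean flag such as -U / --upgrade
        else:
            specs.append(tok)
    return bool(specs) and hashes > 0 and all("==" in s for s in specs)


def unhashed_requirements(lock_text: str) -> list:
    """File-level check: the requirements pip --require-hashes would reject.

    Every logical requirement line (backslash continuations joined, comments
    and option lines skipped) must be an exact '==' pin and carry a --hash.
    Returns the offending specifiers, empty when the file is fully pinned.
    """
    joined = lock_text.replace("\\\n", " ")
    offending = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if "==" not in line or not _HASH_RE.search(line):
            offending.append(line.split()[0])
    return offending


# Constructed sample lock file (the first hash is the one quoted in the issue).
SAMPLE_LOCK = """\
# constructed sample, not a real lock file
pip==24.1 \\
    --hash=sha256:a775837439bf5da2c1a0c2fa43d5744854497c689ddbd9344cf3ea6d00598540
requests>=2.0
six==1.16.0
"""

if __name__ == "__main__":
    for cmd in ("python -m pip install -r requirements-lock.txt",
                "python -m pip install -r requirements-lock.txt --require-hashes"):
        print(f"{'pinned' if pip_command_is_hash_pinned(cmd) else 'NOT pinned'}: {cmd}")
    print("requirements pip would reject:", unhashed_requirements(SAMPLE_LOCK))
```

The first function explains the finding in this issue: `-r requirements-lock.txt` alone is indistinguishable, from the command line, from an unpinned install, so only `--require-hashes` satisfies the check. The second function is the pre-build check a maintainer can run on the lock file itself, so that a missing pin or hash surfaces in CI rather than as a failed `pip install` inside the Docker build.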

@johnandersen777
Author

Okay great, thank you!

johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 24, 2024
johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 24, 2024
johnandersen777 pushed a commit to intel/dffml that referenced this issue Jun 24, 2024
Labels
None yet
Projects
Status: Done