diff --git a/.ci/check_unsupported.sh b/.ci/check_unsupported.sh
index ad06b7dcf7..9d037be397 100755
--- a/.ci/check_unsupported.sh
+++ b/.ci/check_unsupported.sh
@@ -11,7 +11,7 @@ set -x
 # Many bear dependencies do not install on unsupported versions
 echo "" > bear-requirements.txt
-pip install 'pip==9.0.1' 'setuptools==21.2.2'
+pip install 'pip==9.0.3' 'setuptools==21.2.2'
 python setup.py install 2>&1 | tee setup.log
diff --git a/.ci/constants.ps1 b/.ci/constants.ps1
index f8979db466..e697e436ea 100644
--- a/.ci/constants.ps1
+++ b/.ci/constants.ps1
@@ -1,6 +1,6 @@
 New-Variable -Scope global -Name project_name -Value 'coala-bears'
-New-Variable -Scope global -Name pip_version -Value '9.0.1'
+New-Variable -Scope global -Name pip_version -Value '9.0.3'
 New-Variable -Scope global -Name setuptools_version -Value '21.2.2'
 $old_EAP = $ErrorActionPreference
diff --git a/.moban.dt/travis-before-install.yaml b/.moban.dt/travis-before-install.yaml
index 958ba51803..9518f97415 100644
--- a/.moban.dt/travis-before-install.yaml
+++ b/.moban.dt/travis-before-install.yaml
@@ -26,8 +26,9 @@ before_install:
 export PATH="$HOME/.pyenv/bin:$PATH";
 fi
 - hash -r && pyenv versions --bare && python --version
+ - pip install pip==9.0.3
 - if [ "${TRAVIS_PYTHON_VERSION/3.4/}" != "$TRAVIS_PYTHON_VERSION" ]; then
- pip install pip==9.0.3 setuptools==21.2.2;
+ pip install setuptools==21.2.2;
 fi
 - if [ -f ".ci/deps.$TRAVIS_LANGUAGE.sh" ]; then
diff --git a/.moban.dt/travis-manual-matrix.yaml b/.moban.dt/travis-manual-matrix.yaml
index 96a308ca77..4a5859d159 100644
--- a/.moban.dt/travis-manual-matrix.yaml
+++ b/.moban.dt/travis-manual-matrix.yaml
@@ -156,11 +156,11 @@ before_script: true
 script: .ci/check_unsupported.sh
-- python: 3.6
+- python: 3.6.9
 stage: sentinel
- before_install: false
- install: pip install moban
- before_script: false
+ before_install: []
+ install: pip install moban~=0.5.0 gitfs2 pypifs
+ before_script: []
 script: .ci/check_moban.sh
- after_success: false
- after_failure: false
+ after_success: []
+ after_failure: []
diff --git a/.travis.yml b/.travis.yml
index cc8249b4fe..5897396ab5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -197,7 +197,7 @@ jobs:
 before_script: true
 script: .ci/check_unsupported.sh
- - python: 3.6
+ - python: 3.6.9
 stage: sentinel
 before_install: []
 install: pip install moban~=0.5.0 gitfs2 pypifs
@@ -600,8 +600,9 @@ before_install:
 export PATH="$HOME/.pyenv/bin:$PATH";
 fi
 - hash -r && pyenv versions --bare && python --version
+ - pip install pip==9.0.3
 - if [ "${TRAVIS_PYTHON_VERSION/3.4/}" != "$TRAVIS_PYTHON_VERSION" ]; then
- pip install pip==9.0.3 setuptools==21.2.2;
+ pip install setuptools==21.2.2;
 fi
 - if [ -f ".ci/deps.$TRAVIS_LANGUAGE.sh" ]; then
diff --git a/bear-metadata.yaml b/bear-metadata.yaml
index e28fb24bcb..ebed31515a 100644
--- a/bear-metadata.yaml
+++ b/bear-metadata.yaml
@@ -36,7 +36,7 @@ bear_metadata:
 apertium-lint:
 version: ~=0.29
 lxml:
- version: '>=1.0,<4.4.0'
+ version: '>4.4.0'
 languages:
 - Apertium
 tags:
diff --git a/bear-requirements.txt b/bear-requirements.txt
index 5052a0cff6..922e856d9e 100644
--- a/bear-requirements.txt
+++ b/bear-requirements.txt
@@ -17,7 +17,7 @@ html-linter~=0.4.0
 isort~=4.2
 language-check~=1.0
 libclang-py3~=3.4.0
-lxml>=1.0,<4.4.0
+lxml>4.4.0
 memento-client~=0.6.1
 munkres~=1.1.2
 mypy==0.590
diff --git a/bear-requirements.yaml b/bear-requirements.yaml
index d168d4535c..1728514bc8 100644
--- a/bear-requirements.yaml
+++ b/bear-requirements.yaml
@@ -13,7 +13,7 @@ pip_requirements:
 autopep8:
 version: ~=1.2
 bandit:
- version: ~=1.2
+ version: ~=1.2,<1.6.3
 bashate:
 version: ~=0.5.1
 cmakelint:
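Review bot: The new lxml specifier `version: '>4.4.0'` in bear-metadata.yaml is an exclusive bound, so 4.4.0 itself no longer satisfies the requirement and there is no upper bound at all, where the replaced range `'>=1.0,<4.4.0'` had one; if the intent is "4.4.0 or later", the inclusive form `version: '>=4.4.0'` is what is meant. The same exclusive bound is repeated in bear-requirements.txt (`lxml>4.4.0`), in the lxml entry of bear-requirements.yaml and in bears/apertium/ApertiumLintBear.py (`PipRequirement('lxml', '>4.4.0')`), so all four should agree. An open-ended `>` on a package with compiled extensions also admits any future major release, unlike the `~=` compatible-release style used for apertium-lint directly above; a short comment on the line stating why 4.4.0 is the cut-off would make the next bump reviewable.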
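Review bot: The upper bound added for bandit, `version: ~=1.2,<1.6.3` in bear-requirements.yaml, carries no explanation of what breaks from 1.6.3 on, so nobody will know when it is safe to lift; a comment on the line above it, `# <1.6.3: <reason for the cap — fill in>`, keeps that rationale next to the pin. Unlike the lxml change in this commit, which touches both bear-requirements.yaml and bear-requirements.txt, the bandit cap appears only in the yaml file; if the .txt file mirrors the yaml (as the paired lxml edits suggest), the bandit line there needs the same bound, otherwise the two sources will disagree on what gets installed.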
@@ -41,7 +41,7 @@ pip_requirements:
 libclang-py3:
 version: ~=3.4.0
 lxml:
- version: '>=1.0,<4.4.0'
+ version: '>4.4.0'
 memento-client:
 version: ~=0.6.1
 munkres:
diff --git a/bears/apertium/ApertiumLintBear.py b/bears/apertium/ApertiumLintBear.py
index 50c86284f1..17b03e6d8f 100644
--- a/bears/apertium/ApertiumLintBear.py
+++ b/bears/apertium/ApertiumLintBear.py
@@ -26,7 +26,7 @@ class ApertiumLintBear:
 """
 LANGUAGES = {'Apertium'}
 REQUIREMENTS = {PipRequirement('apertium-lint', '0.29'),
- PipRequirement('lxml', '>=1.0,<4.4.0')}
+ PipRequirement('lxml', '>4.4.0')}
 AUTHORS = {'The coala developers'}
 AUTHORS_EMAILS = {'coala-devel@googlegroups.com'}
 LICENSE = 'AGPL-3.0'
diff --git a/bears/python/requirements/PySafetyBear.py b/bears/python/requirements/PySafetyBear.py
index 843ed5bc25..091d5881b0 100644
--- a/bears/python/requirements/PySafetyBear.py
+++ b/bears/python/requirements/PySafetyBear.py
@@ -138,6 +138,6 @@ def try_parse_requirements(lines: typed_list(str)):
 for line in lines:
 try:
 yield from pkg_resources.parse_requirements(line)
- except pkg_resources.RequirementParseError:
+ except pkg_resources.RequirementParseError: # pragma: no cover
 # unsupported requirement specification
 pass
diff --git a/setup.cfg b/setup.cfg
index 18c0be3a5c..3e41245210 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -18,7 +18,7 @@ addopts =
 --color=yes
 --doctest-glob=*.rst
 --doctest-modules
- --doctest-ignore-import-error
+ --doctest-ignore-import-errors
 --cov
 --instafail
 --profile
diff --git a/setup.py b/setup.py
index 281fe35641..253e09a86a 100755
--- a/setup.py
+++ b/setup.py
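Review bot: Tagging `except pkg_resources.RequirementParseError:` in try_parse_requirements with `# pragma: no cover` exempts the one branch that handles malformed input from coverage instead of exercising it, and that branch is exactly the one a test should pin, since the visible `pass` means unparsable lines are dropped without any report. A constructed requirement line that does not parse (something like `'lxml>>>'`, to be confirmed against pkg_resources) fed through the function in a test would cover the branch and document that behaviour. If the exclusion is kept on purpose, the comment below it should say why the branch is unreachable in tests rather than only what it skips, e.g. `# pragma: no cover -- <why parse_requirements cannot raise here>`. The enclosing function starts outside the hunk.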
@@ -420,9 +420,9 @@ def read_requirements(filename):
 if __name__ == '__main__':
 pip_version = LooseVersion(pip.__version__)
- if pip_version < LooseVersion('9.0.1'):
- raise RuntimeError('Version of pip is less than 9.0.1. '
- 'Consider upgrading pip to pip~=9.0.1')
+ if pip_version < LooseVersion('9.0.3'):
+ raise RuntimeError('Version of pip is less than 9.0.3. '
+ 'Consider upgrading pip to pip~=9.0.3')
 setup(name='coala-bears',
 version=VERSION,
 description=DESCRIPTION,
diff --git a/test-requirements.txt b/test-requirements.txt
index 69914db0a9..d55372998d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,21 +3,18 @@
 # ignore the dependency version difference and only fail when the
 # bear is loaded.
 colorama<0.4
-# coverage 4.4.2 broke compatibility with coverage-config-reload-plugin
-# and thus broke https://github.com/jayvdb/coverage_env_plugin .
-# See https://github.com/jayvdb/coverage_config_reload_plugin/issues/1
-coverage==4.4.1
+coverage>=5.2.1
 coverage-env-plugin~=0.1
 coverage-config-reload-plugin~=0.2
-codecov~=2.1.0
+codecov~=2.0.5
 moban~=0.5.0 ; python_version > '3.0'
 packaging~=16.8
-pytest~=4.6
-pytest-cov~=2.4
+pytest~=3.6.4
+pytest-cov>=2.4,<2.6
 pytest-env~=0.6.0
 pytest-instafail~=0.3.0
 pytest-mock~=1.1
-pytest-profiling~=1.3.0
+pytest-profiling~=1.7.0
 pytest-pythonpath~=0.7.0
 pytest-reorder~=0.1.0
 git+https://github.com/jayvdb/pytest-reqs@coala#egg=pytest-reqs
diff --git a/tests/python/requirements/PySafetyBearWithoutMockTest.py b/tests/python/requirements/PySafetyBearWithoutMockTest.py
index 9da4452f42..d138da17dd 100644
--- a/tests/python/requirements/PySafetyBearWithoutMockTest.py
+++ b/tests/python/requirements/PySafetyBearWithoutMockTest.py
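Review bot: `coverage>=5.2.1` is introduced in test-requirements.txt next to `pytest-cov>=2.4,<2.6` and `pytest~=3.6.4`, and the pytest-cov releases admitted by that ceiling predate the coverage 5 line, so they may not support its changed data-file handling; the three pins should be resolved together and the resulting combination checked once before merging, as I cannot confirm the compatibility boundary from the diff alone. The three-line comment that explained why coverage was held at 4.4.1 for coverage-config-reload-plugin is deleted without a replacement, while both coverage plugins remain listed on the next two lines; a line such as `# coverage >=5.2.1: <reason>; coverage-config-reload-plugin ~=0.2 checked against it` keeps the rationale beside the pin. `coverage>=5.2.1` is also the only open-ended lower bound in a file that otherwise uses `~=`, which makes a future incompatible coverage release install silently.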
@@ -28,7 +28,7 @@ def setUp(self):
 self.uut = PySafetyBear(self.section, Queue())
 def test_without_vulnerability(self):
- self.check_validity(self.uut, ['lxml==3.6.0'])
+ self.check_validity(self.uut, ['lxml>4.4.0'])
 def test_with_vulnerability(self):
 self.check_invalidity(self.uut, ['bottle==0.10.1'])
@@ -41,6 +41,31 @@ def test_with_cve_vulnerability(self):
 self.uut, file_contents,
 [Result.from_values('PySafetyBear',
+ 'bottle<0.12.19 is vulnerable '
+ 'to CVE-2020-28473 and your project '
+ 'is using 0.10.0.',
+ file=get_testfile_path(file_name),
+ line=1,
+ column=9,
+ end_line=1,
+ end_column=15,
+ severity=RESULT_SEVERITY.NORMAL,
+ additional_info='The package bottle '
+ 'from 0 and before 0.12.19 are vulnerable '
+ 'to Web Cache Poisoning by using a vector '
+ 'called parameter cloaking. When the '
+ 'attacker can separate query parameters '
+ 'using a semicolon (;), they can cause a '
+ 'difference in the interpretation of the '
+ 'request between the proxy (running with '
+ 'default configuration) and the server. '
+ 'This can result in malicious requests '
+ 'being cached as completely safe ones, '
+ 'as the proxy would usually not see the '
+ 'semicolon as a separator, and therefore '
+ 'would not include it in a cache key of '
+ 'an unkeyed parameter. See CVE-2020-28473.'),
+ Result.from_values('PySafetyBear',
 'bottle<0.12.10 is vulnerable '
 'to CVE-2016-9964 and your project '
 'is using 0.10.0.',
@@ -99,8 +124,8 @@ def test_without_cve_vulnerability(self):
 filename=get_testfile_path(file_name))
 def test_with_cve_ignore(self):
- self.section.append(Setting('cve_ignore', 'CVE-2016-9964, '
- 'CVE-2014-3137'))
+ self.section.append(Setting('cve_ignore', 'CVE-2020-28473, '
+ 'CVE-2016-9964, ' 'CVE-2014-3137'))
 file_name = 'requirement.txt'
 file_contents = load_testfile(file_name)
 # file_contents = [file_contents[0]]
diff --git a/tox.ini b/tox.ini
index a94d8b655e..40a5ec8c1c 100644
--- a/tox.ini
+++ b/tox.ini
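Review bot: `self.check_validity(self.uut, ['lxml>4.4.0'])` in test_without_vulnerability swaps a pinned requirement for an open range, and if PySafetyBear only queries the advisory database for requirements that carry a concrete `==` version (a lookup needs a version to compare), the line is never checked and the test passes vacuously rather than because lxml is clean. Keeping a pinned release that is known to be unaffected, `self.check_validity(self.uut, ['lxml==<clean version>'])`, preserves what the test was asserting; I cannot see the bear's handling of unpinned specifiers from this diff, so please confirm which it is. Since the class name suggests the test runs against the live database, whichever pin is chosen will need revisiting whenever a new lxml advisory is published, which is worth a comment on the line.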
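Review bot: The new expected Result for CVE-2020-28473 in test_with_cve_vulnerability embeds the advisory's full prose as `additional_info` and assumes it is reported ahead of the CVE-2016-9964 entry; both the wording and the ordering come from the advisory database, which (if the WithoutMock name means it is fetched at run time) changes independently of this repository, so the assertion will break again on the next database edit, exactly as it did here. Comparing only the stable fields (the `bottle<0.12.19 is vulnerable to CVE-2020-28473` message prefix, file, line/column and severity) and sorting results by CVE before comparing, or loading a checked-in database snapshot, would make the test deterministic. The enclosing check_results call continues outside the hunk.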
@@ -70,7 +70,7 @@ passenv =
 _R_CHECK_CRAN_INCOMING_
 NOT_CRAN
 R_PROFILE
-pip_version = 9.0.1
+pip_version = 9.0.3
 alwayscopy = true
 skipsdist = true
 sitepackages={env:TOXINI_SITEPACKAGES:False}
@@ -92,7 +92,7 @@ deps =
 java{7,8}-!pip: guess-language-spirit~=0.5.2
 -rtest-requirements.txt
 # pytest-cov-threshold is incompatible with py34
- !py34: git+https://github.com/krkd/pytest-cov-threshold
+ !py34: git+https://github.com/krkd/pytest-cov-threshold#egg=pytest-cov-threshold
 noskip: pytest-error-for-skips
 setenv =
 LINTR_COMMENT_BOT=false
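Review bot: The rewritten dependency `!py34: git+https://github.com/krkd/pytest-cov-threshold#egg=pytest-cov-threshold` in tox.ini still installs whatever the repository's default branch points at on the day the job runs, so each CI run pulls unreviewed code and two runs of the same commit can install different things; only the `#egg=` fragment is new here, the missing revision is not addressed. Pin the reference to a specific commit, `git+https://github.com/krkd/pytest-cov-threshold@<commit sha>#egg=pytest-cov-threshold`, and prefer a released version from the package index if one is available. The `pytest-reqs@coala` branch reference left untouched in test-requirements.txt has the same property, since a branch name moves.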