check_software: fix warning on python2
On Python 2, warnings.warn expects the message to be passed as a str, and it silently outputs nothing when the message is a unicode that cannot be converted to str using the ascii encoding (cf. https://bugs.python.org/issue34752 ).

Since the October update of pyupio/safety-db there is a new vulnerability for pytest-runner, which is described as:

    "pytest-runner": [
      {
        "advisory": "Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example \u2018setup_requires\u2019 and \u2018tests_require\u2019 bypass pip --require-hashes. See also pypa/setuptools#1684.\r\nIt is recommended that you:\r\n- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.\r\n- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.\r\n- Select a tool to bootstrap and then run tests such as tox.",
        "cve": "PVE-2021-43313",
        "id": "pyup.io-43313",
        "specs": [ ">0" ],
        "v": ">0"
      }
    ],

Notice the quotes: \u2018setup_requires\u2019 and \u2018tests_require\u2019. This was sent to warnings.warn as unicode, and because all our software has this vulnerability (which, BTW, does not impact us because we run buildout with a patch for setup_requires), we no longer saw any warning on Python 2 software release tests.
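The failure mode described in the commit message, with the fix and a regression check, as an added example that is not the project's code: the advisory is passed through a helper that always hands warnings.warn() a native str (UTF-8 bytes on Python 2, text on Python 3), and the warnings are captured so a test can assert that one was actually emitted per advisory instead of trusting stderr. The `SAMPLE_DB` dict is a constructed, shortened stand-in for the safety-db entry quoted above; `native_str`, `warn_vulnerabilities` and `check_warnings_emitted` are names chosen here, not functions of the project or of safety.

```python
# -*- coding: utf-8 -*-
"""Emit one warning per safety-db advisory without losing it on Python 2.

Added example, not the project's code. On Python 2, warnings.warn() prints
nothing when given a unicode message that the ascii codec cannot encode
(https://bugs.python.org/issue34752); passing a native str sidesteps that.
"""
from __future__ import print_function, unicode_literals

import sys
import warnings

PY2 = sys.version_info[0] == 2

# Constructed sample shaped like a pyupio/safety-db entry; the advisory text
# is shortened from the one quoted in the commit message. Note the U+2018 and
# U+2019 quotes, which are exactly what the ascii codec cannot encode.
SAMPLE_DB = {
    "pytest-runner": [
        {
            "advisory": "Pytest-runner depends on deprecated features of "
                        "setuptools. For example \u2018setup_requires\u2019 "
                        "and \u2018tests_require\u2019 bypass pip "
                        "--require-hashes.",
            "cve": "PVE-2021-43313",
            "id": "pyup.io-43313",
            "specs": [">0"],
            "v": ">0",
        }
    ]
}


def native_str(message):
    """Return `message` as the interpreter's native str type.

    Python 2: unicode -> byte str via UTF-8, so non-ascii characters never
    make warnings.warn() drop the message. Python 3: str is already text;
    decode bytes defensively if any slip in.
    """
    if PY2:
        if isinstance(message, unicode):  # noqa: F821 (name exists on py2)
            return message.encode("utf-8")
        return message
    if isinstance(message, bytes):
        return message.decode("utf-8", "replace")
    return message


def format_advisory(package, entry):
    """One-line message for a single safety-db entry (hypothetical layout)."""
    return "{}: {} ({})".format(package, entry["advisory"], entry["id"])


def warn_vulnerabilities(db, packages):
    """Call warnings.warn() once per advisory matching `packages`.

    Returns the list of messages handed to warnings.warn(), so callers can
    compare it against what the warnings machinery actually recorded.
    """
    emitted = []
    for package in packages:
        for entry in db.get(package, []):
            msg = native_str(format_advisory(package, entry))
            warnings.warn(msg, stacklevel=2)
            emitted.append(msg)
    return emitted


def check_warnings_emitted(db, packages):
    """Regression check: capture the warnings instead of reading stderr.

    Returns (number_of_warnings_recorded, messages_passed_to_warn). The two
    lengths must match; on Python 2 with a raw unicode message they would
    still match here but nothing would reach stderr, which is why the
    encoding in native_str() is the actual fix and this is only the check.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        messages = warn_vulnerabilities(db, packages)
    return len(caught), messages


if __name__ == "__main__":
    count, msgs = check_warnings_emitted(SAMPLE_DB, ["pytest-runner", "requests"])
    print("recorded {} warning(s) for {} advisory message(s)".format(count, len(msgs)))
```

Running the block under Python 2 prints the advisory on stderr as UTF-8 bytes rather than nothing; under Python 3 the helper is a no-op for text. The `catch_warnings(record=True)` check is what belongs in the release-test suite, since a warning that is emitted but not printed is indistinguishable from no warning when only stderr is inspected.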