From 7fc528c3c627dc077b0db19224132338b165f55d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Tue, 6 Dec 2022 10:38:53 +0100
Subject: [PATCH 1/4] python-setup: Don't allow Poetry to make venv in project
I mostly verified this works on my local machine, but did add a sample `poetry.toml` to the tests, so it can be verified from looking at the logs :shrug:
---
 python-setup/auto_install_packages.py | 14 ++++++++++----
 python-setup/tests/poetry/requests-3/poetry.toml | 2 ++
 2 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 python-setup/tests/poetry/requests-3/poetry.toml
diff --git a/python-setup/auto_install_packages.py b/python-setup/auto_install_packages.py
index 0e3a5fa1fd..0e922ed59c 100755
--- a/python-setup/auto_install_packages.py
+++ b/python-setup/auto_install_packages.py
@@ -33,10 +33,16 @@ def _check_output(command, extra_env={}):
 def install_packages_with_poetry():
- # To handle poetry 1.2, which started to use keyring interaction MUCH more, we need
- # add a workaround. See
- # https://github.com/python-poetry/poetry/issues/2692#issuecomment-1235683370
- extra_poetry_env = {"PYTHON_KEYRING_BACKEND": "keyring.backends.null.Keyring"}
+ extra_poetry_env = {
+ # To handle poetry 1.2, which started to use keyring interaction MUCH more, we need
+ # add a workaround. See
+ # https://github.com/python-poetry/poetry/issues/2692#issuecomment-1235683370
+ "PYTHON_KEYRING_BACKEND": "keyring.backends.null.Keyring",
+ # Projects that specify `in-project = true` in their poetry.toml would get the
+ # venv created inside the repo directory, which would cause CodeQL to consider
+ # it as user-written code. We don't want this to happen.
+ "POETRY_VIRTUALENVS_IN_PROJECT": "False",
+ }
 command = [sys.executable, '-m', 'poetry']
 if sys.platform.startswith('win32'):
diff --git a/python-setup/tests/poetry/requests-3/poetry.toml b/python-setup/tests/poetry/requests-3/poetry.toml
new file mode 100644
index 0000000000..ab1033bd37
--- /dev/null
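Review bot: `POETRY_VIRTUALENVS_IN_PROJECT` neutralises only `virtualenvs.in-project`; as far as I can tell a project-local `poetry.toml` can still put the venv under the checkout by setting `virtualenvs.path` to a relative path, and the new `extra_poetry_env` dict does not override that key. Since the purpose of the added entry is that dependency code never ends up in the tree CodeQL treats as user-written, pinning `"POETRY_VIRTUALENVS_PATH": "<absolute directory outside the checkout, e.g. under the runner temp dir>",` alongside it would close that gap, assuming Poetry gives environment variables precedence over the project file (worth confirming for the Poetry version in use). The `poetry.toml` fixture added in the second hunk is only checked by eye in the run log; asserting after install that no virtualenv directory (Poetry's in-project default is `.venv`) exists under the project would make it a real regression test. `install_packages_with_poetry` continues outside the hunk.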
+++ b/python-setup/tests/poetry/requests-3/poetry.toml
@@ -0,0 +1,2 @@
+[virtualenvs]
+in-project = true
From 27c143845593aafc0350ab04402e827bb5378ccd Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Tue, 6 Dec 2022 11:32:21 +0100
Subject: [PATCH 2/4] python-setup: Apply suggestions from code review
---
 python-setup/auto_install_packages.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/python-setup/auto_install_packages.py b/python-setup/auto_install_packages.py
index 0e922ed59c..e84c620285 100755
--- a/python-setup/auto_install_packages.py
+++ b/python-setup/auto_install_packages.py
@@ -41,6 +41,7 @@ def install_packages_with_poetry():
 # Projects that specify `in-project = true` in their poetry.toml would get the
 # venv created inside the repo directory, which would cause CodeQL to consider
 # it as user-written code. We don't want this to happen.
+ # see https://python-poetry.org/docs/configuration/#virtualenvsin-project
 "POETRY_VIRTUALENVS_IN_PROJECT": "False",
 }
From 5566638d56bf082e73162c2765aebe1645c34c79 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Tue, 6 Dec 2022 11:37:31 +0100
Subject: [PATCH 3/4] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc8b2720ca..3dd2db8eae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## [UNRELEASED]
 - Add a step that tries to upload a SARIF file for the workflow run when that workflow run fails. This will help better surface failed code scanning workflow runs. [#1393](https://github.com/github/codeql-action/pull/1393)
+- Python automatic dependency installation will no longer consider dependecy code installed in venv as user-written, for projects using Poetry that specify `virtualenvs.in-project = true` in their `poetry.toml`. [#1419](https://github.com/github/codeql-action/pull/1419).
 ## 2.1.35 - 01 Dec 2022
From 3b0a2f607d13fb12861c674db5d880c2cb5f9e5f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Tue, 6 Dec 2022 11:37:57 +0100
Subject: [PATCH 4/4] python-setup: Update comment with fully qualified configuration name
---
 python-setup/auto_install_packages.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python-setup/auto_install_packages.py b/python-setup/auto_install_packages.py
index e84c620285..7385914a30 100755
--- a/python-setup/auto_install_packages.py
+++ b/python-setup/auto_install_packages.py
@@ -38,10 +38,10 @@ def install_packages_with_poetry():
 # add a workaround. See
 # https://github.com/python-poetry/poetry/issues/2692#issuecomment-1235683370
 "PYTHON_KEYRING_BACKEND": "keyring.backends.null.Keyring",
- # Projects that specify `in-project = true` in their poetry.toml would get the
- # venv created inside the repo directory, which would cause CodeQL to consider
- # it as user-written code. We don't want this to happen.
- # see https://python-poetry.org/docs/configuration/#virtualenvsin-project
+ # Projects that specify `virtualenvs.in-project = true` in their poetry.toml
+ # would get the venv created inside the repo directory, which would cause CodeQL
+ # to consider it as user-written code. We don't want this to happen. see
+ # https://python-poetry.org/docs/configuration/#virtualenvsin-project
 "POETRY_VIRTUALENVS_IN_PROJECT": "False",
 }
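Review bot: The reflowed comment in the added lines strands a lowercase `see` at the end of `We don't want this to happen. see` with its URL on the following line, which reads as a typo rather than the start of a new sentence. Capitalising it and keeping it together with the link — `# to consider it as user-written code. We don't want this to happen.` followed by `# See https://python-poetry.org/docs/configuration/#virtualenvsin-project` — leaves each comment line self-contained. `install_packages_with_poetry` continues outside the hunk.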