feat: add support for setup.py

setup.py doesn't have a dedicated package manager so pip is used temporary.
snyk · Dec 1, 2019 · dec4f5a · dec4f5a
1 parent f92319f
commit dec4f5a
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -84,7 +84,7 @@
     "snyk-nuget-plugin": "1.13.1",
     "snyk-php-plugin": "1.7.0",
     "snyk-policy": "1.13.5",
-    "snyk-python-plugin": "^1.13.3",
+    "snyk-python-plugin": "^1.14.0",
     "snyk-resolve": "1.0.1",
     "snyk-resolve-deps": "4.4.0",
     "snyk-sbt-plugin": "2.9.0",

diff --git a/src/lib/detect.ts b/src/lib/detect.ts
@@ -48,6 +48,7 @@ const DETECTABLE_PACKAGE_MANAGERS: {
   'yarn.lock': 'yarn',
   'package.json': 'npm',
   Pipfile: 'pip',
+  'setup.py': 'pip',
   'requirements.txt': 'pip',
   'Gopkg.lock': 'golangdep',
   'go.mod': 'gomodules',

diff --git a/test/acceptance/cli-test/cli-test.python.spec.ts b/test/acceptance/cli-test/cli-test.python.spec.ts
@@ -254,5 +254,66 @@ export const PythonTests: AcceptanceTests = {
         'calls python plugin',
       );
     },
+    '`test setup_py-app --file=setup.py`': (params, utils) => async (t) => {
+      utils.chdirWorkspaces();
+      const plugin = {
+        async inspect() {
+          return {
+            plugin: {
+              targetFile: 'setup.py',
+              name: 'snyk-python-plugin',
+              runtime: 'Python',
+            },
+            package: {},
+          };
+        },
+      };
+      const spyPlugin = sinon.spy(plugin, 'inspect');
+
+      const loadPlugin = sinon.stub(params.plugins, 'loadPlugin');
+      t.teardown(loadPlugin.restore);
+      loadPlugin.withArgs('pip').returns(plugin);
+
+      await params.cli.test('setup_py-app', {
+        file: 'setup.py',
+      });
+
+      let req = params.server.popRequest();
+
+      t.equal(req.method, 'GET', 'makes GET request');
+      t.match(
+        req.url,
+        'cli-config/feature-flags/pythonPinningAdvice',
+        'to correct url',
+      );
+
+      req = params.server.popRequest();
+      t.equal(req.method, 'POST', 'makes POST request');
+      t.equal(
+        req.headers['x-snyk-cli-version'],
+        params.versionNumber,
+        'sends version number',
+      );
+      t.match(req.url, '/test-dep-graph', 'posts to correct url');
+      t.equal(req.body.targetFile, 'setup.py', 'specifies target');
+      t.equal(req.body.depGraph.pkgManager.name, 'pip');
+      t.same(
+        spyPlugin.getCall(0).args,
+        [
+          'setup_py-app',
+          'setup.py',
+          {
+            args: null,
+            file: 'setup.py',
+            org: null,
+            projectName: null,
+            packageManager: 'pip',
+            path: 'setup_py-app',
+            showVulnPaths: 'some',
+          },
+        ],
+        'calls python plugin',
+      );
+    },
   },
 };
diff --git a/test/acceptance/workspaces/setup_py-app/setup.py b/test/acceptance/workspaces/setup_py-app/setup.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+from distutils.core import setup
+
+setup(
+    name="test_package",
+    version="1.0.2",
+    packages=[
+        "Jinja2==2.7.2",
+        "Django==1.6.1",
+        "python-etcd==0.4.5",
+        "Django-Select2==6.0.1",  # this version installs with lowercase so it catches a previous bug in pip_resolve.py
+        "irc==16.2",  # this has a cyclic dependecy (interanl jaraco.text <==> jaraco.collections)
+        "testtools==2.3.0",  # this has a cycle (fixtures ==> testtols)
+    ],
+)