pip-audit: Problems authenticating to a private index

Pre-submission checks

  • I am not filing an auditing error (false positive or negative). These must be reported to pypa/advisory-database instead.
  • I agree to follow the PSF Code of Conduct.
  • I have looked through the open issues for a duplicate report.

Expected behavior

Hi,

I have a project with a dependency on a package hosted in a private index. The private index is a Google Artifact Registry. This project uses a requirements.txt file to handle the dependencies.

I’m authenticating through the keyring with the Google Artifact Registry backend. I’m authenticated and have the right permissions in Google Cloud.

I can install my private package without issue by providing the extra index url:

pip install --extra-index-url MY_INDEX_URL -r requirements/requirements.txt 

However, when I run pip-audit with --extra-index-url it can’t find the package:

pip-audit -vvvv --extra-index-url MY_INDEX_URL -r requirements/requirements.txt

I expected pip-audit to be able to analyze the dependencies (at least the public ones).

Actual behavior

pip-audit returns an error because it could not find the private package.

Reproduction steps

  1. Have a requirements.txt file with a package hosted in a Google Artifact Registry, with the keyring correctly set up
  2. Run pip-audit -vvvv --extra-index-url MY_INDEX_URL -r requirements/requirements.txt

Logs

DEBUG:pip_audit._cli:parsed arguments: Namespace(local=False, requirements=[<_io.TextIOWrapper name='requirements/requirements.txt' mode='r' encoding='UTF-8'>], project_path=None, format=<OutputFormatChoice.Columns: 'columns'>, vulnerability_service=<VulnerabilityServiceChoice.Pypi: 'pypi'>, dry_run=False, strict=False, desc=<VulnerabilityDescriptionChoice.Auto: 'auto'>, aliases=<VulnerabilityAliasChoice.Auto: 'auto'>, cache_dir=None, progress_spinner=<ProgressSpinnerChoice.On: 'on'>, timeout=15, paths=[], verbose=4, fix=False, require_hashes=False, index_url=None, extra_index_urls=['MY_INDEX_URL'], skip_editable=False, no_deps=False, output=PosixPath('stdout'), ignore_vulns=[], disable_pip=False)
ERROR:pip_audit._virtual_env:internal pip failure:  [...]
ERROR: Could not find a version that satisfies the requirement MY_PRIVATE_PACKAGE==X.Y.Z (from versions: none)
ERROR: No matching distribution found for MY_PRIVATE_PACKAGE==X.Y.Z

ERROR:pip_audit._cli:Failed to install packages: ['/var/folders/nl/jq_nzg654wn573pkhr9949xh0000gn/T/tmpful3a4s9/bin/python3.11', '-m', 'pip', 'install', '--no-input', '--extra-index-url', 'MY_INDEX_URL', '--dry-run', '--report', '/var/folders/nl/jq_nzg654wn573pkhr9949xh0000gn/T/tmpn0nqqkdw/tmpcz4kjwr9', '-r', 'requirements/requirements.txt']

Additional context

No response

OS name, version, and architecture

Mac OS 14.2.1 Apple Silicon & Ubuntu 22.04 x86_64

pip-audit version

2.7.1

pip version

24.0

Python version

3.11
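The debug log above shows what pip-audit actually does with a requirements file: it creates a throwaway virtual environment and runs `pip install --no-input --dry-run --report <file> --extra-index-url ... -r ...` inside it. The keyring backend installed in the user's own environment is therefore not importable by that pip. The script below is an added example, not pip-audit's own code, for reproducing that probe by hand and classifying pip's error. It assumes pip's `--keyring-provider` flag (pip 23.1 and later) and that the `keyring` CLI is on PATH for the `subprocess` provider; `run_probe`, the package name and the paths are placeholders, and the sample stderr is constructed from the two pip lines quoted in the issue.

```python
"""Reproduce pip-audit's internal pip probe outside pip-audit (added example).

Assumptions (not confirmed by the issue): the pip inside the fresh venv is
new enough for --keyring-provider (pip >= 23.1), and `keyring` is on PATH.
"""
from __future__ import annotations

import re
import subprocess
import sys
import tempfile
import venv
from pathlib import Path
from urllib.parse import urlsplit

# pip prints this pair when no index returns a candidate for a name.
_NO_VERSIONS = re.compile(
    r"Could not find a version that satisfies the requirement (\S+) \(from versions: none\)"
)
_NO_MATCH = re.compile(r"No matching distribution found for (\S+)")


def unresolved_requirements(pip_stderr: str) -> list[str]:
    """Requirement strings pip could not resolve from any index.

    '(from versions: none)' means every index answered with zero candidates.
    For a package that only exists on a private index this is the signature
    of the index being unreachable or rejecting the (missing) credentials,
    not of a genuine version gap.
    """
    found = {m.group(1) for m in _NO_VERSIONS.finditer(pip_stderr)}
    found |= {m.group(1) for m in _NO_MATCH.finditer(pip_stderr)}
    return sorted(found)


def url_embeds_credentials(index_url: str) -> bool:
    """True if the URL carries user:password in its authority part.

    pip-audit at -vvvv logs its parsed arguments and the full pip argv (see
    the DEBUG and ERROR lines in the issue), so credentials placed in the
    URL end up in logs and in the process list wherever the audit runs.
    """
    parts = urlsplit(index_url)
    return parts.username is not None or parts.password is not None


def probe_command(python, requirements, extra_index_url: str, report,
                  keyring_provider: str = "subprocess") -> list[str]:
    """Rebuild the pip invocation from the issue's log, adding pip's own
    --keyring-provider flag so the `keyring` CLI on PATH is consulted even
    though the keyring backend package is not installed in the fresh venv.
    """
    return [
        str(python), "-m", "pip", "install", "--no-input", "--dry-run",
        "--report", str(report),
        "--keyring-provider", keyring_provider,
        "--extra-index-url", extra_index_url,
        "-r", str(requirements),
    ]


def run_probe(requirements: Path, extra_index_url: str) -> tuple[int, list[str]]:
    """Create a throwaway venv (as pip-audit does) and run the probe in it.

    Returns pip's exit status and the requirements it could not resolve.
    Needs network access and a working keyring; run this by hand.
    """
    if url_embeds_credentials(extra_index_url):
        raise ValueError("refusing to put credentials on the command line; use keyring")
    with tempfile.TemporaryDirectory() as tmp:
        env_dir = Path(tmp) / "venv"
        venv.EnvBuilder(with_pip=True).create(env_dir)
        bindir = "Scripts" if sys.platform == "win32" else "bin"
        python = env_dir / bindir / "python"
        report = Path(tmp) / "report.json"
        cmd = probe_command(python, requirements, extra_index_url, report)
        proc = subprocess.run(cmd, capture_output=True, text=True)
        return proc.returncode, unresolved_requirements(proc.stderr)


# Constructed sample: the two pip lines quoted in the issue's log.
SAMPLE_STDERR = (
    "ERROR: Could not find a version that satisfies the requirement "
    "MY_PRIVATE_PACKAGE==X.Y.Z (from versions: none)\n"
    "ERROR: No matching distribution found for MY_PRIVATE_PACKAGE==X.Y.Z\n"
)

if __name__ == "__main__":
    print(unresolved_requirements(SAMPLE_STDERR))
    if len(sys.argv) == 3:  # usage: probe.py requirements.txt INDEX_URL
        rc, missing = run_probe(Path(sys.argv[1]), sys.argv[2])
        print(f"pip exit status {rc}; unresolved: {missing}")
```

Two caveats for anyone trying this: pip's `subprocess` keyring provider calls `keyring get <url> <username>`, so it needs a username to be present in the index URL (the username handling the comments below mention), and a username-only URL such as `https://oauth2accesstoken@…` is safe to log, whereas a `user:secret@` URL is not, which is why `run_probe` refuses it.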

About this issue

  • State: open
  • Created 4 months ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

I found this issue that addresses the username problems. But it didn’t work for me 🤔. And also there is this other issue.

So, as you said, #743 is the only thing required in pip-audit.

Thanks again!

Dang. Just to confirm: _json_key_base64 didn’t work in either the URL or the .pypirc, right?

It didn’t work (I’m not using a service account key BTW).

To me the first option makes more sense since there are backends that don’t need the username.

In the meantime, I think https://github.com/pypa/pip-audit/pull/743 will fix some use cases, but not this one unfortunately. So I’m going to merge there, and also write up some docs that link to this issue until we have a real fix here.

Great. Thanks for your help @woodruffw !

Yes, keyring is on my $PATH.