Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checkov: init at 1.0.674 #107028

Merged
merged 4 commits into from Jan 16, 2021
Merged

checkov: init at 1.0.674 #107028

merged 4 commits into from Jan 16, 2021

Conversation

anhdle14
Copy link
Contributor

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@symphorien
Copy link
Member

Is there a reason to not put the python dependencies in pkgs/development/python-modules and pkgs/top-level/python-packages.nix ?

@anhdle14
Copy link
Contributor Author

anhdle14 commented Dec 16, 2020
edited

The 4 I put here is the only version that worked with the build. I tried to not override, but the build will fail with the versions in python-packages.nix.

@symphorien
Copy link
Member

I don't know what the policy is about duplicating python packages in full vs overriding, cc @jonringer ?

deep_merge and bc-python-hcl2 are not in nixpkgs, so they should go with other python modules.

In any case, you should try to run tests. If you leave doCheck = false, please also leave a comment explaining why it's not possible to run the tests.

@jonringer
Copy link
Contributor

The more generic python packages should be added to python-modules.nix.

If specific version is necessary, then I would prefer to do an override specific to the application as so:

let
  py = python.override {
    packageOverrides = self: super: {
      aws-sam-translator = super.aws-sam-translator.overridePythonAttrs (oldAttrs: rec {
        version = "1.25.0";
        src = oldAttrs.src.override {
          inherit version;
          sha256 = "08756yl5lpqgrpr80f2b6bdcgygr37l6q1yygklcg9hz4yfpccav";
        };
      });

      flask = super.flask.overridePythonAttrs (oldAttrs: rec {
        version = "1.0.2";
        src = oldAttrs.src.override {
          inherit version;
          sha256 = "0j6f4a9rpfh25k1gp7azqhnni4mb4fgy50jammgjgddw1l3w0w92";
        };
      });

      cookiecutter = super.cookiecutter.overridePythonAttrs (oldAttrs: rec {
        version = "1.6.0";
        src = oldAttrs.src.override {
          inherit version;
          sha256 = "0glsvaz8igi2wy1hsnhm9fkn6560vdvdixzvkq6dn20z3hpaa5hk";
        };
      });
    };
  };

in

with py.pkgs;

buildPythonApplication rec {
   ....

Overall stance on pinning python packages:

The preference to handling pinning is to relax version bounds in the "install_requires" field. (could be in setup.py, pyproject.toml, requirements or others). In most cases, packages are still compatible with small API changes which may warrant a major version bump. We use test suites to verify that the package still works correctly.

If the package is still incompatible with the latest major version, then the most proper way to handle this is make an issue with the upstream package to adopt the latest major version. Or if upstream is not very responsive, you are free patch the source to make it compatible.

In very few circumstances, two versions of the same package are allowed to exist if the packages are extremely difficult to package. Some examples of this are tensorflow, which has huge ecosystems built around it and is hard to package. Another is django, which has 2 actively developed versions, and large ecosystems built around each.

One exception to this is applications, due to the way buildPythonApplication and toPythonApplication functions work, the related derivations will not bleed dependencies between packages. If the package doesn't need to be imported by other python modules, then this package would be a good candidate to convert into application. You can look at https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/awscli/default.nix as an example of using an overlay within a python application.

Info on buildPythonApplication can be found here.
Info on toPythonApplication can be found here.

@anhdle14
Copy link
Contributor Author

@jonringer I updated based on guideline. Only dpath I kept within checkov/default.nix because dpath 2.0 will crash. Should I write dpath/1.5.nix fo it?

SuperSandro2000
SuperSandro2000 reviewed Dec 25, 2020
View reviewed changes
pkgs/development/python-modules/bc-python-hcl2/default.nix Show resolved Hide resolved
pkgs/development/python-modules/bc-python-hcl2/default.nix Outdated Show resolved Hide resolved
pkgs/development/python-modules/deep_merge/default.nix Outdated
sha256 = "tUQV+Qk0xC4zQRTihky01OczWzStOW41rYYQyWBlpH4=";
};

propagatedBuildInputs = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this just required for the tests?

pkgs/development/python-modules/bc-python-hcl2/default.nix Show resolved Hide resolved
pkgs/development/python-modules/deep_merge/default.nix
nose
];

doCheck = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a pythonImportsCheck.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When added pythonImportsCheck it is always failing:

deep_merge.tests.test_merge.test_default_behaviors ... ok
deep_merge.tests.test_merge.test_big_merge ... FAIL
deep_merge.tests.test_merge.test_no_references
Ensure that read-only parameters aren't being modified. ... FAIL

======================================================================
FAIL: deep_merge.tests.test_merge.test_big_merge
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/nix/store/g80x8dysb6hnhrcjrpav7dmsb8jnwnyr-python3.8-nose-1.3.7/lib/python3.8/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/private/tmp/nix-build-python3.8-deep_merge-0.0.4.drv-0/deep_merge-0.0.4/deep_merge/tests/test_merge.py", line 60, in test_big_merge
    assert merge(a, b, c) == expected
AssertionError

======================================================================
FAIL: deep_merge.tests.test_merge.test_no_references
Ensure that read-only parameters aren't being modified.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/nix/store/g80x8dysb6hnhrcjrpav7dmsb8jnwnyr-python3.8-nose-1.3.7/lib/python3.8/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/private/tmp/nix-build-python3.8-deep_merge-0.0.4.drv-0/deep_merge-0.0.4/deep_merge/tests/test_merge.py", line 73, in test_no_references
    assert output == {"key1": {"key1a": "2"}, "key2": [3, 4, 4, 5]}
AssertionError

----------------------------------------------------------------------
Ran 3 tests in 0.013s

FAILED (failures=2)
Test failed: <unittest.runner.TextTestResult run=3 errors=0 failures=2>
error: Test failed: <unittest.runner.TextTestResult run=3 errors=0 failures=2>
error: --- Error ------------------------------------------------------------------------------------------------------------------------ nix-build
builder for '/nix/store/41dyki3vl4qp53vd6kl92lg1yrn2w797-python3.8-deep_merge-0.0.4.drv' failed with exit code 1; last 10 log lines:
    File "/private/tmp/nix-build-python3.8-deep_merge-0.0.4.drv-0/deep_merge-0.0.4/deep_merge/tests/test_merge.py", line 73, in test_no_references
      assert output == {"key1": {"key1a": "2"}, "key2": [3, 4, 4, 5]}
  AssertionError

  ----------------------------------------------------------------------
  Ran 3 tests in 0.013s

  FAILED (failures=2)
  Test failed: <unittest.runner.TextTestResult run=3 errors=0 failures=2>
  error: Test failed: <unittest.runner.TextTestResult run=3 errors=0 failures=2>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hum, that does not look like a spurious failure. Can you open an issue upstream to ensure that it's not nixpkgs-specific?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a 3 years old repo... But I will try.

pkgs/top-level/all-packages.nix Outdated Show resolved Hide resolved
pkgs/development/tools/analysis/checkov/default.nix Outdated Show resolved Hide resolved
pkgs/development/tools/analysis/checkov/default.nix Outdated Show resolved Hide resolved
@SuperSandro2000
Copy link
Member

Result of nixpkgs-review pr 107028 run on x86_64-darwin 1

7 packages built:
  • checkov
  • python37Packages.bc-python-hcl2
  • python37Packages.deep_merge
  • python38Packages.bc-python-hcl2
  • python38Packages.deep_merge
  • python39Packages.bc-python-hcl2
  • python39Packages.deep_merge

@SuperSandro2000
Copy link
Member

Result of nixpkgs-review pr 107028 run on x86_64-linux 1

7 packages built:
  • checkov
  • python37Packages.bc-python-hcl2
  • python37Packages.deep_merge
  • python38Packages.bc-python-hcl2
  • python38Packages.deep_merge
  • python39Packages.bc-python-hcl2
  • python39Packages.deep_merge

@anhdle14
Copy link
Contributor Author

@symphorien @SuperSandro2000 I will fix all the commits one the changes are all agreed.

I want to ask on another part when moving propagatedBuildInputs to buildInputs.

This is the problem of moving lark-parser 0.7.8 from propagatedBuildInputs to buildInputs in bc-python-hcl2/default.nix.

  • Both checkov and bc-python-hcl2 share the lark-parser requirements and they have to be the same version to build successfully.
  • After testing, I think if switch to buildInputs I may need to patch it twice (checkov/default.nix, and bc-python-hcl2/default.nix). So I think it is best to include a lark-parser pinned version at 0.7.8 or just use propagatedBuildInputs.

I need your comments on the findings. Thank you!

@symphorien
Copy link
Member

leaving runtime python dependencies in propagatedBuildInputs is fine.

anhdle14 and others added 2 commits January 3, 2021 19:37
@anhdle14 @symphorien
bc-python-hcl2: init at 0.3.11
90b522e 
Co-authored-by: Guillaume Girol <symphorien@users.noreply.github.com>
@anhdle14 @symphorien
deep_merge: init at 0.0.4
7dc9da6 
Co-authored-by: Guillaume Girol <symphorien@users.noreply.github.com>
@symphorien symphorien merged commit afd7b55 into NixOS:master Jan 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

@symphorien symphorien symphorien left review comments

@FRidh FRidh Awaiting requested review from FRidh

@jonringer jonringer Awaiting requested review from jonringer

Assignees
No one assigned
Labels
6.topic: python 8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@anhdle14 @symphorien @jonringer @SuperSandro2000