Requirements.txt writer adds hashes and a way to remember to update codemodder deps #273

Merged: 6 commits, Feb 21, 2024

Conversation

clavedeluna (Contributor) commented Feb 18, 2024

Overview

Codemodder should include --hash.... for any new dependency it adds, but only for requirements.txt

# requirements.txt
security==1.2.1 \
    --hash=sha256:4ca5f8cfc6b836e2192a84bb5a28b72c17f3cd1abbfe3281f917394c6e6c9238 \
    --hash=sha256:0a9dc7b457330e6d0f92bdae3603fecb85394beefad0fd3b5058758a58781ded

Description

  • No other dependency store (setup.py, etc.) uses --hash. These are used for higher level security
  • For now we decided to have these hashes hard coded into the project. However, I did add a script get-hashes to more easily get these hashes, which we can then copy-paste.
  • Later on we can go a step further and actually use the results from the script to automatically update dependency.py or whatever other file that stores the dependencies to use.
  • Separately, and not connected to this work at all, I recognized that we don't really remember when one of these dependencies gets a version update. As a temporary solution, I added a codemodder_dependencies.txt so dependabot will alert us of these changes. At that time, we would manually update. Later on we can build on this.

Closes #262
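As an added example (not codemodder's own code and not part of this PR), the Python below shows the hash pinning the PR describes end to end: it renders a requirements.txt entry in the format shown above, parses such an entry back, computes sha256 over artifact bytes the way a get-hashes helper would (the PR's actual script is not shown on this page, so that part is an assumption), and checks an artifact against the pinned set, which is the check pip's --require-hashes mode performs at install time. The package bytes and the demo-pkg name are constructed for the example.

```python
"""Added example (not codemodder's own code): build, parse and verify
hash-pinned requirements.txt entries like the one in the PR description.

Assumptions: the entry format is the backslash-continued form pip accepts
(``name==version --hash=sha256:<hex> ...``); ``pin_artifacts`` is a stand-in
for the hashing step a get-hashes script would do; all sample bytes are
constructed, not a real distribution."""
import hashlib
import re
from dataclasses import dataclass

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")

# The entry quoted in the PR description, used to show the parser on real input.
PR_EXAMPLE = """security==1.2.1 \\
    --hash=sha256:4ca5f8cfc6b836e2192a84bb5a28b72c17f3cd1abbfe3281f917394c6e6c9238 \\
    --hash=sha256:0a9dc7b457330e6d0f92bdae3603fecb85394beefad0fd3b5058758a58781ded"""


@dataclass(frozen=True)
class HashedRequirement:
    name: str
    version: str
    hashes: frozenset  # entries of the form "sha256:<hex>"


def format_hashed_requirement(name, version, sha256_digests):
    """Render an exact pin with one --hash continuation line per known artifact."""
    if not sha256_digests:
        raise ValueError("a hash-pinned requirement needs at least one hash")
    digests = sorted(sha256_digests)
    lines = [f"{name}=={version} \\"]
    for digest in digests[:-1]:
        lines.append(f"    --hash=sha256:{digest} \\")
    lines.append(f"    --hash=sha256:{digests[-1]}")
    return "\n".join(lines)


def parse_hashed_requirement(text):
    """Parse a (possibly backslash-continued) entry back into its parts.

    Rejects entries without an exact pin or without any --hash, since pip in
    --require-hashes mode would refuse them as well."""
    joined = " ".join(text.replace("\\\n", " ").split())
    spec = SPEC_RE.match(joined)
    if spec is None:
        raise ValueError(f"not an exact '==' pin: {joined!r}")
    hashes = frozenset(f"{m['alg']}:{m['digest']}" for m in HASH_RE.finditer(joined))
    if not hashes:
        raise ValueError("entry carries no --hash option")
    return HashedRequirement(spec["name"], spec["version"], hashes)


def pin_artifacts(name, version, artifacts):
    """Hash each distribution file (sdist, wheels) and pin all of them.

    Stand-in for the hashing step of a get-hashes script (assumption)."""
    digests = [hashlib.sha256(blob).hexdigest() for blob in artifacts]
    return HashedRequirement(name, version, frozenset("sha256:" + d for d in digests))


def artifact_matches(requirement, artifact_bytes):
    """True only if the artifact's sha256 is one of the pinned hashes."""
    digest = "sha256:" + hashlib.sha256(artifact_bytes).hexdigest()
    return digest in requirement.hashes


if __name__ == "__main__":
    parsed = parse_hashed_requirement(PR_EXAMPLE)
    print(f"{parsed.name}=={parsed.version} pins {len(parsed.hashes)} artifact hash(es)")

    # Constructed stand-ins for an sdist and a wheel of a hypothetical package.
    sdist, wheel = b"constructed sdist bytes", b"constructed wheel bytes"
    req = pin_artifacts("demo-pkg", "0.1.0", [sdist, wheel])
    print(format_hashed_requirement(req.name, req.version,
                                    [h.split(":", 1)[1] for h in req.hashes]))
    print("wheel accepted:", artifact_matches(req, wheel))
    print("tampered wheel accepted:", artifact_matches(req, wheel + b"!"))
```

The round trip matters for a tool that rewrites requirements files: whatever the writer emits must parse back to the same name, version and hash set, otherwise the pin silently protects fewer artifacts than intended.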

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
2.4% Duplication on New Code

See analysis details on SonarCloud

@clavedeluna clavedeluna marked this pull request as ready for review February 18, 2024 13:05
@clavedeluna clavedeluna added this pull request to the merge queue Feb 21, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 21, 2024
@clavedeluna clavedeluna added this pull request to the merge queue Feb 21, 2024
Merged via the queue into main with commit fa6f5c9 Feb 21, 2024
12 checks passed
@clavedeluna clavedeluna deleted the dep-hashes branch February 21, 2024 15:22
Successfully merging this pull request may close these issues.

New dependencies in requirements.txt should include --hash