Fix errors during pypi package audit

Signed-off-by: Ashish Bijlani <ashish.bijlani@gmail.com>

Author: ashishbijlani

packj/audit/main.py

@@ -797,7 +797,6 @@ def parse_request_args(args):
 	if args.debug:
 		try:
 			_, filename = tempfile.mkstemp(prefix='debug_', dir=report_dir, suffix='.log')
-			os.chmod(filename, 0o544)
 			print(f'\n*** NOTE: Running in debug mode (log: {filename}) ***\n')
 			logging.basicConfig(filename=filename, datefmt='%H:%M:%S', level=logging.DEBUG,
 								format='%(asctime)s,%(msecs)d %(name)s %(levelname)s %(message)s')

packj/audit/static_proxy/astgen_py.py

@@ -43,26 +43,26 @@ def generic_visit(self, node):
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.debug:
 			if hasattr(node, 'lineno'):
-				logging.warning('visiting %s node at line %d' % (type(node).__name__, node.lineno))
+				logging.warning(f'visiting {type(node).__name__} node at line {node.lineno}')
 			else:
-				logging.warning('visiting %s node' % (type(node).__name__))
+				logging.warning(f'visiting {type(node).__name__} node')
 
 	def visit_ImportFrom(self, node):
-		logging.debug('visiting ImportFrom node (line %d)' % (node.lineno))
+		logging.debug(f'visiting ImportFrom node (line {node.lineno})')
 		for name in node.names:
 			self.name2module.setdefault(name.name, node.module)
 			if name.asname is not None:
 				self.alias2name.setdefault(name.asname, name.name)
 		ast.NodeVisitor.generic_visit(self, node)
 
 	def visit_FunctionDef(self, node):
-		logging.debug('visiting FunctionDef node (line %d)' % (node.lineno))
+		logging.debug(f'visiting FunctionDef node (line {node.lineno})')
 		# FIXME: warn about redefined functions?
 		if node.name in self.alias2name or node.name in self.name2module:
-			logging.warning("redefined imported function %s!" % (node.name))
+			logging.warning(f'redefined imported function {node.name}!')
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.save_feature:
-			logging.warning("set root_nodes")
+			logging.warning('set root_nodes')
 		node_details = {
 			 "Name"		: node.name,
 			 "File"		: self.infile,
@@ -71,10 +71,10 @@ def visit_FunctionDef(self, node):
 		self.all_declrefs["Functions"].append(node_details)
 
 	def visit_ClassDef(self, node):
-		logging.debug('visiting ClassDef node (line %d)' % (node.lineno))
+		logging.debug(f'visiting ClassDef node (line {node.lineno})')
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.save_feature:
-			logging.warning("set root_nodes")
+			logging.warning('set root_nodes')
 
 		node_details = {
 			 "Name"		: node.name,
@@ -84,17 +84,17 @@ def visit_ClassDef(self, node):
 		self.all_declrefs["Classes"].append(node_details)
 
 	def visit_Call(self, node):
-		logging.debug('visiting Call node (line %d)' % (node.lineno))
+		logging.debug(f'visiting Call node (line {node.lineno})')
 
 		# debug code
 		if self.debug:
 			for fieldname, value in ast.iter_fields(node):
-				logging.warning('fieldname %s, value %s' % (fieldname, value))
+				logging.warning(f'fieldname {fieldname}, value {value}')
 				if fieldname == 'func':
 					for f_fieldname, f_value in ast.iter_fields(value):
-						logging.info('func fieldname %s, func value %s' % (f_fieldname, f_value))
+						logging.info(f'func fieldname {f_fieldname}, func value {f_value}')
 						if f_fieldname == 'id':
-							logging.warning('func id: %s' % (f_value))
+							logging.warning(f'func id: {f_value}')
 
 		# compute base and func
 		if isinstance(node.func, ast.Attribute):
@@ -104,24 +104,23 @@ def visit_Call(self, node):
 				base = node.func.value.id
 			elif isinstance(node.func.value, ast.Call):
 				base = self.asttok.get_text(node.func.value)
-				logging.debug("node.func.value is ast.Call, Ignoring!")
+				logging.debug('node.func.value is ast.Call, Ignoring!')
 			elif isinstance(node.func.value, ast.Subscript):
 				base = self.asttok.get_text(node.func.value)
 				# NOTE: currently, we use text of chained functions (i.e. foo().bar(), foo() is used),
 				# because Python is runtime type language, and it is not possible to get the type statically
-				logging.warning("node.func.value type ast.Subscript, fields: %s",
-								list(ast.iter_fields(node.func.value)))
+				logging.warning(f'node.func.value type ast.Subscript, fields: {list(ast.iter_fields(node.func.value))}')
 			else:
 				base = self.asttok.get_text(node.func.value)
-				logging.warning("node.func.value type: %s, fields: %s",
-							  type(node.func.value), list(ast.iter_fields(node.func.value)))
+				logging.warning(f'node.func.value type: {type(node.func.value)}, \
+									fields: {list(ast.iter_fields(node.func.value))}')
 		else:
 			# NOTE: we assume the imported functions are not redefined! this may not be true!
 			if isinstance(node.func, ast.Name):
 				name = node.func.id
 			else:
 				name = self.asttok.get_text(node.func)
-				logging.warning("node.func type: %s, name: %s" % (type(node.func), name))
+				logging.warning(f'node.func type: type(node.func), name: {name}')
 			name = self.alias2name[name] if name in self.alias2name else name
 			base = self.name2module[name] if name in self.name2module else None
 
@@ -139,10 +138,10 @@ def visit_Call(self, node):
 			args.append('**' + self.asttok.get_text(node.kwargs))
 
 		# log stuff
-		full_name = name if base is None else '%s.%s' % (base, name)
+		full_name = name if base is None else f'{base}.{name}'
 
 		# log stuff
-		logging.warning("calling function %s with args %s at line %d" % (full_name, args, node.lineno))
+		logging.warning(f'calling function {full_name} with args {args} at line {node.lineno}')
 		node_details = {
 			 "Name"	: full_name,
 			 "Args"	: args,
@@ -200,7 +199,7 @@ def py_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=N
 		try:
 			all_source = open(infile, 'r').read()
 		except Exception as e:
-			logging.warning("Failed to read file %s: %s" % (infile, str(e)))
+			logging.warning(f'Failed to read {infile}: {str(e)}')
 			continue
 
 		try:
@@ -211,23 +210,23 @@ def py_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=N
 			}
 			composition["Files"].append(file_details)
 		except Exception as e:
-			logging.warning("Failed to parse FILE %s ast details: %s" % (infile, str(e)))
+			logging.warning(f'Failed to parse {infile} ast details: {str(e)}')
 
 		if infile not in infiles:
 			continue
 
 		try:
 			tree = ast.parse(all_source, filename=infile)
 		except SyntaxError as se:
-			logging.warning("Syntax error %s parsing file %s in Python2. Skipping!" % (str(se), infile))
+			logging.warning(f'Syntax error {str(se)} parsing file {infile} in Python2. Skipping!')
 			continue
 
 		# mark the tree with tokens information
 		try:
 			asttok = asttokens.ASTTokens(source_text=all_source, tree=tree, filename=infile)
 			visitor = PythonDeclRefVisitor(buf=buf, infile=infile, asttok=asttok, configpb=configpb)
 			visitor.visit(tree)
-			logging.warning("collected functions: %s" % (Counter(visitor.get_declrefs()).items()))
+			logging.warning(f'collected functions: {Counter(visitor.get_declrefs()).items()}')
 
 			filepb = StaticAnalyzer._get_filepb(infile, root)
 			for base, name, args, source_text, source_range in visitor.get_declrefs():
@@ -237,11 +236,11 @@ def py_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=N
 			for item_type, item_details in visitor.get_all_declrefs().items():
 				composition[item_type] += item_details
 		except Exception as e:
-			logging.warning("Error parsing AST for file %s in Python3: %s" % (infile, str(se)))
+			logging.warning(f'Error parsing AST {infile} in Python3: {str(e)}')
 
 	# save AST details
 	try:
-		logging.warning('writing to %s' % (outfile+'.json'))
+		logging.warning(f'writing to {outfile}.json')
 		write_dict_to_file(composition, outfile + '.json')
 	except Exception as e:
 		logging.error(str(e))
@@ -272,7 +271,7 @@ def parse_args(argv):
 	configpath = args.configpath
 	configpb = AstLookupConfig()
 	read_proto_from_file(configpb, configpath, binary=False)
-	logging.debug("loaded lookup config from %s:\n%s", configpath, configpb)
+	logging.debug(f'loaded lookup config from {configpath}:\n{configpb}')
 
 	# Run the ast generation
 	py_astgen(inpath=args.inpath, outfile=args.outfile, configpb=configpb, root=args.root, pkg_name=args.package_name,

packj/audit/static_proxy/astgen_py3.py

@@ -50,28 +50,28 @@ def generic_visit(self, node):
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.debug:
 			if hasattr(node, 'lineno'):
-				logging.warning('visiting %s node at line %d' % (type(node).__name__, node.lineno))
+				logging.warning(f'visiting {type(node).__name__} node at line {node.lineno}')
 			else:
-				logging.warning('visiting %s node' % (type(node).__name__))
+				logging.warning(f'visiting {type(node).__name__} node')
 
 	def visit_ImportFrom(self, node):
-		logging.debug('visiting ImportFrom node (line %d)' % (node.lineno))
+		logging.debug(f'visiting ImportFrom node (line {node.lineno})')
 		for name in node.names:
 			self.name2module.setdefault(name.name, node.module)
 			if name.asname is not None:
 				self.alias2name.setdefault(name.asname, name.name)
 		ast.NodeVisitor.generic_visit(self, node)
 
 	def visit_FunctionDef(self, node):
-		logging.debug('visiting FunctionDef node (line %d)' % (node.lineno))
+		logging.debug(f'visiting FunctionDef node (line {node.lineno})')
 
 		# FIXME: warn about redefined functions?
 		if node.name in self.alias2name or node.name in self.name2module:
-			logging.warning("redefined imported function %s!" % (node.name))
+			logging.warning(f'redefined imported function {node.name}!')
 
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.save_feature:
-			logging.warning("set root_nodes")
+			logging.warning('set root_nodes')
 
 		args = []
 		for arg in node.args.args:
@@ -85,10 +85,10 @@ def visit_FunctionDef(self, node):
 		self.all_declrefs["Functions"].append(node_details)
 
 	def visit_ClassDef(self, node):
-		logging.debug('visiting ClassDef node (line %d)' % (node.lineno))
+		logging.debug(f'visiting ClassDef node (line {node.lineno})')
 		ast.NodeVisitor.generic_visit(self, node)
 		if self.save_feature:
-			logging.warning("set root_nodes")
+			logging.warning('set root_nodes')
 
 		node_details = {
 			 "Name"		: node.name,
@@ -98,17 +98,17 @@ def visit_ClassDef(self, node):
 		self.all_declrefs["Classes"].append(node_details)
 
 	def visit_Call(self, node):
-		logging.debug('visiting Call node (line %d)' % (node.lineno))
+		logging.debug(f'visiting Call node (line {node.lineno})')
 
 		# debug code
 		if self.debug:
 			for fieldname, value in ast.iter_fields(node):
-				logging.warning('fieldname %s, value %s' % (fieldname, value))
+				logging.warning(f'fieldname {fieldname}, value {value}')
 				if fieldname == 'func':
 					for f_fieldname, f_value in ast.iter_fields(value):
-						logging.info('func fieldname %s, func value %s' % (f_fieldname, f_value))
+						logging.info(f'func fieldname {f_fieldname}, func value {f_value}')
 						if f_fieldname == 'id':
-							logging.warning('func id: %s' % (f_value))
+							logging.warning(f'func id: {f_value}')
 
 		# compute base and func
 		if isinstance(node.func, ast.Attribute):
@@ -118,24 +118,23 @@ def visit_Call(self, node):
 				base = node.func.value.id
 			elif isinstance(node.func.value, ast.Call):
 				base = self.asttok.get_text(node.func.value)
-				logging.debug("node.func.value is ast.Call, Ignoring!")
+				logging.debug('node.func.value is ast.Call, Ignoring!')
 			elif isinstance(node.func.value, ast.Subscript):
 				base = self.asttok.get_text(node.func.value)
 				# NOTE: currently, we use text of chained functions (i.e. foo().bar(), foo() is used),
 				# because Python is runtime type language, and it is not possible to get the type statically
-				logging.warning("node.func.value type ast.Subscript, fields: %s",
-								list(ast.iter_fields(node.func.value)))
+				logging.warning(f'node.func.value type ast.Subscript, fields: {list(ast.iter_fields(node.func.value))}')
 			else:
 				base = self.asttok.get_text(node.func.value)
-				logging.warning("node.func.value type: %s, fields: %s",
-							  type(node.func.value), list(ast.iter_fields(node.func.value)))
+				logging.warning(f'node.func.value type: {type(node.func.value)}, \
+									fields: {list(ast.iter_fields(node.func.value))}')
 		else:
 			# NOTE: we assume the imported functions are not redefined! this may not be true!
 			if isinstance(node.func, ast.Name):
 				name = node.func.id
 			else:
 				name = self.asttok.get_text(node.func)
-				logging.warning("node.func type: %s, name: %s" % (type(node.func), name))
+				logging.warning(f'node.func type: {type(node.func)}, name: {name}')
 			name = self.alias2name[name] if name in self.alias2name else name
 			base = self.name2module[name] if name in self.name2module else None
 
@@ -152,10 +151,10 @@ def visit_Call(self, node):
 			# append '**' to reproduce the calling text
 			args.append('**' + self.asttok.get_text(node.kwargs))
 
-		full_name = name if base is None else '%s.%s' % (base, name)
+		full_name = name if base is None else f'{base}.{name}'
 
 		# log stuff
-		logging.warning("calling function %s with args %s at line %d" % (full_name, args, node.lineno))
+		logging.warning(f'calling function {full_name} with args {args} at line {node.lineno}')
 
 		node_details = {
 			 "Name"	: full_name,
@@ -213,7 +212,7 @@ def py3_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=
 		try:
 			all_source = open(infile, 'r').read()
 		except Exception as e:
-			logging.warning("Failed to read file %s: %s" % (infile, str(e)))
+			logging.warning(f'Failed to read file {infile}: {str(e)}')
 			continue
 
 		try:
@@ -224,23 +223,23 @@ def py3_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=
 			}
 			composition["Files"].append(file_details)
 		except Exception as e:
-			logging.error("Failed to parse FILE %s ast details: %s" % (infile, str(e)))
+			logging.error(f'Failed to parse FILE {infile} ast details: {str(e)}')
 
 		if infile not in infiles:
 			continue
 
 		try:
 			tree = ast.parse(all_source, filename=infile)
 		except SyntaxError as se:
-			logging.warning("Syntax error %s parsing file %s in Python3. Skipping!" % (str(se), infile))
+			logging.warning(f'Syntax error {str(se)} parsing file {infile} in Python3. Skipping!')
 			continue
 
 		# mark the tree with tokens information
 		try:
 			asttok = asttokens.ASTTokens(source_text=all_source, tree=tree, filename=infile)
 			visitor = PythonDeclRefVisitor(infile=infile, asttok=asttok, configpb=configpb)
 			visitor.visit(tree)
-			logging.warning("collected functions: %s" % (Counter(visitor.get_declrefs()).items()))
+			logging.warning(f'collected functions: {Counter(visitor.get_declrefs()).items()}')
 
 			filepb = StaticAnalyzer._get_filepb(infile, root)
 			for base, name, args, source_text, source_range in visitor.get_declrefs():
@@ -250,14 +249,14 @@ def py3_astgen(inpath, outfile, configpb, root=None, pkg_name=None, pkg_version=
 			for item_type, item_details in visitor.get_all_declrefs().items():
 				composition[item_type] += item_details
 		except Exception as e:
-			logging.debug("Error parsing AST for file %s in Python3: %s" % (infile, str(se)))
+			logging.debug(f'Error parsing AST for file {infile} in Python3: {str(e)}')
 
 	# save AST details
 	try:
-		logging.warning('writing to %s' % (outfile+'.json'))
+		logging.warning(f'writing to {outfile}.json')
 		write_dict_to_file(composition, outfile + '.json')
 	except Exception as e:
-		logging.debug("failed to write ast_details: %s" % (str(e)))
+		logging.debug(f'failed to write ast_details: {str(e)}')
 
 	# save resultpb
 	write_proto_to_file(resultpb, outfile, binary=False)
@@ -283,7 +282,7 @@ def parse_args(argv):
 	configpath = args.configpath
 	configpb = AstLookupConfig()
 	read_proto_from_file(configpb, configpath, binary=False)
-	logging.debug("loaded lookup config from %s:\n%s" % (configpath, configpb))
+	logging.debug(f'loaded lookup config from {configpath}:\n{configpb}')
 
 	# Run the ast generation
 	py3_astgen(inpath=args.inpath, outfile=args.outfile, configpb=configpb, root=args.root, pkg_name=args.package_name,

packj/audit/static_proxy/py_analyzer.py

@@ -34,9 +34,9 @@ def exec_py2_astgen(analyze_path, outfile, configpath, root=None, pkg_name=None,
             if pkg_version is not None:
                 astgen_py2_cmd.extend(['-v', pkg_version])
             stdout, stderr, error = exec_command("python2 astgen", astgen_py2_cmd, cwd="static_proxy", redirect_mask=3)
-            assert not error, "could not generate AST"
+            assert not error, 'could not generate AST'
         except Exception as e:
-            logging.debug("Failed to analyze for APIs using Python2: %s" % (str(e)))
+            logging.debug(f'Failed to analyze for APIs using Python2: {str(e)}')
 
     def astgen(self, inpath, outfile, root=None, configpath=None, pkg_name=None, pkg_version=None, evaluate_smt=False):
         analyze_path, is_decompress_path, outfile, root, configpath = self._sanitize_astgen_args(
@@ -48,17 +48,17 @@ def astgen(self, inpath, outfile, root=None, configpath=None, pkg_name=None, pkg
             configpb = AstLookupConfig()
             read_proto_from_file(configpb, configpath, binary=False)
 
-            logging.debug("loaded lookup config from %s:\n%s", configpath, configpb)
+            logging.debug(f'loaded lookup config from {configpath}:\n{configpb}')
 
             # invoke the language specific ast generators to call functions
             py3_astgen(inpath=analyze_path, outfile=outfile, configpb=configpb, root=root, pkg_name=pkg_name, pkg_version=pkg_version)
 
         # try python2
         except SyntaxError as se:
-            logging.debug("Syntax error %s, now trying to parse %s again in python2!", se, analyze_path)
+            logging.debug(f'Syntax error {str(se)}, now trying to parse {analyze_path} again in python2!')
             self.exec_py2_astgen(analyze_path, outfile, configpath, root=root, pkg_name=pkg_name, pkg_version=pkg_version)
         except Exception as e:
-            logging.debug("Fatal error %s running astgen for %s!" % (str(e), analyze_path))
+            logging.debug(f'Fatal error {str(e)} running astgen for {analyze_path}!')
 
         # clean up residue files
         self._cleanup_astgen(analyze_path=analyze_path, is_decompress_path=is_decompress_path)