Merge pull request #51 from snyk/feat/pip-dry-run

feat: add functions to run pip install --dry-run

Author: james-snyk

.circleci/config.yml

@@ -3,33 +3,61 @@ version: 2.1
 orbs:
   prodsec: snyk/prodsec-orb@1
 
+parameters:
+  go_version:
+    type: string
+    default: "1.24"
+
 metadata:
   resource_class: small
   working_directory: ~/<project name>
 
 go_image: &go_image
   resource_class: medium
   docker:
-    - image: cimg/go:1.24
+    - image: cimg/go:<< pipeline.parameters.go_version >>
 
 jobs:
   lint:
-    docker:
-      - image: cimg/go:1.24
+    <<: *go_image
     steps:
       - checkout
       - run:
           name: run lint check
           command: make lint
   unit_test:
-    docker:
-      - image: cimg/go:1.24
+    <<: *go_image
     steps:
       - checkout
       - run:
           name: run unit tests
           command: make test
 
+  python_integration_test:
+    parameters:
+      python_version:
+        type: string
+    resource_class: medium
+    docker:
+      - image: cimg/python:<< parameters.python_version >>
+    steps:
+      - checkout
+      - run:
+          name: Install Go
+          command: |
+            wget -qO- https://go.dev/dl/go<< pipeline.parameters.go_version >>.0.linux-amd64.tar.gz | sudo tar -C /usr/local -xz
+            echo 'export PATH=$PATH:/usr/local/go/bin' >> $BASH_ENV
+            source $BASH_ENV
+      - run:
+          name: Verify installations
+          command: |
+            go version
+            python --version
+            pip --version
+      - run:
+          name: Run Python integration tests
+          command: make test-python-integration
+
   security-scans:
     <<: *go_image
     resource_class: small
@@ -68,3 +96,14 @@ workflows:
             branches:
               ignore:
                 - main
+      - python_integration_test:
+          name: Python << matrix.python_version >> integration tests
+          requires:
+            - Unit tests
+          matrix:
+            parameters:
+              python_version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
+          filters:
+            branches:
+              ignore:
+                - main

Makefile

@@ -16,4 +16,7 @@ tidy:
 test:
 	$(GOTEST) ./... -coverprofile cp.out
 
-.PHONY: install-req fmt test lint tidy imports
+test-python-integration:
+	$(GOTEST) -v -tags="integration,python" -timeout=10m ./pkg/ecosystems/python/pip/ -coverprofile cp.out
+
+.PHONY: install-req fmt test test-python-integration lint tidy imports

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/snyk/error-catalog-golang-public v0.0.0-20250310083934-7ac627e3451f
 	github.com/snyk/go-application-framework v0.0.0-20230714085540-37d34ad405bc
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 )
 
 require (

go.sum

@@ -219,8 +219,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

pkg/ecosystems/python/pip/report.go

@@ -0,0 +1,203 @@
+package pip
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/snyk/error-catalog-golang-public/opensource/ecosystems"
+	"github.com/snyk/error-catalog-golang-public/snyk"
+	"github.com/snyk/error-catalog-golang-public/snyk_errors"
+)
+
+// Report represents the minimal JSON output from pip install --report
+// needed to build a dependency graph.
+type Report struct {
+	Install []InstallItem `json:"install"`
+}
+
+// InstallItem represents a single package in the pip install report.
+type InstallItem struct {
+	Metadata  PackageMetadata `json:"metadata"`
+	Requested bool            `json:"requested"` // True if explicitly requested in requirements
+}
+
+// IsDirectDependency returns true if this package is a direct dependency.
+func (item InstallItem) IsDirectDependency() bool {
+	return item.Requested
+}
+
+// PackageMetadata contains the package name, version, and dependencies.
+//
+//nolint:tagliatelle // requires_dist is the field name used by pip's JSON output
+type PackageMetadata struct {
+	Name         string   `json:"name"`
+	Version      string   `json:"version"`
+	RequiresDist []string `json:"requires_dist"` // List of dependencies (e.g., "urllib3 (<3,>=1.21.1)")
+}
+
+// GetInstallReport runs pip install with --dry-run and --report flags to get
+// a JSON report of what would be installed from a requirements file.
+// No files are written to disk; the report is captured from stdout.
+//
+// This is a convenience wrapper around GetInstallReportWithExecutor that uses
+// the default executor. For testing, use GetInstallReportWithExecutor directly.
+func GetInstallReport(ctx context.Context, requirementsFile string) (*Report, error) {
+	return GetInstallReportWithExecutor(ctx, requirementsFile, &DefaultExecutor{})
+}
+
+// GetInstallReportWithExecutor is a testable version that accepts a CommandExecutor.
+// It runs pip install with the following flags:
+//   - --dry-run: Don't actually install anything
+//   - --ignore-installed: Show all packages, not just new ones
+//   - --report -: Output JSON report to stdout (dash means stdout)
+//   - --quiet: Suppress non-error output (except the report)
+//   - -r: Read from requirements file
+func GetInstallReportWithExecutor(ctx context.Context, requirementsFile string, executor CommandExecutor) (*Report, error) {
+	if requirementsFile == "" {
+		return nil, fmt.Errorf("requirements file path cannot be empty")
+	}
+
+	// Build pip command arguments
+	args := []string{
+		"install",
+		"--dry-run",
+		"--ignore-installed",
+		"--report", "-",
+		"--quiet",
+		"-r", requirementsFile,
+	}
+
+	// Execute the command
+	output, err := executor.Execute(ctx, "pip", args...)
+	if err != nil {
+		return nil, classifyPipError(err)
+	}
+
+	// Parse the JSON report
+	var report Report
+	if err := json.Unmarshal(output, &report); err != nil {
+		return nil, fmt.Errorf("failed to parse pip report: %w", err)
+	}
+
+	return &report, nil
+}
+
+// CommandExecutor is an interface for executing commands.
+// This allows for dependency injection and easier testing.
+type CommandExecutor interface {
+	Execute(ctx context.Context, name string, args ...string) ([]byte, error)
+}
+
+// DefaultExecutor uses os/exec to run commands.
+type DefaultExecutor struct{}
+
+// Execute runs a command and returns its stdout output.
+func (e *DefaultExecutor) Execute(ctx context.Context, name string, args ...string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, name, args...)
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return nil, &pipError{
+			err:    err,
+			stderr: stderr.String(),
+		}
+	}
+
+	return stdout.Bytes(), nil
+}
+
+// pipError wraps an error with stderr output from pip.
+type pipError struct {
+	err    error
+	stderr string
+}
+
+func (e *pipError) Error() string {
+	return fmt.Sprintf("%v (stderr: %s)", e.err, e.stderr)
+}
+
+func (e *pipError) Unwrap() error {
+	return e.err
+}
+
+// classifyPipError analyzes pip error output and returns appropriate error catalog error.
+//
+//nolint:gocyclo // Error classification requires checking multiple patterns sequentially
+func classifyPipError(err error) error {
+	var pipErr *pipError
+	if !errors.As(err, &pipErr) {
+		// Not a pip error, return as-is
+		return fmt.Errorf("pip install failed: %w", err)
+	}
+
+	stderr := pipErr.stderr
+
+	// Check for syntax errors in requirements.txt
+	if strings.Contains(stderr, "Invalid requirement") ||
+		strings.Contains(stderr, "Could not parse") ||
+		strings.Contains(stderr, "invalid requirement") ||
+		strings.Contains(stderr, "InvalidVersion") ||
+		strings.Contains(stderr, "Invalid version") {
+		return ecosystems.NewSyntaxIssuesError(
+			fmt.Sprintf("Invalid syntax in requirements file: %s", stderr),
+			snyk_errors.WithCause(pipErr.err),
+		)
+	}
+
+	// Check for package not found errors
+	if strings.Contains(stderr, "Could not find a version") ||
+		strings.Contains(stderr, "No matching distribution") ||
+		strings.Contains(stderr, "Could not find a version that satisfies") {
+		return ecosystems.NewPythonPackageNotFoundError(
+			fmt.Sprintf("Package not found: %s", stderr),
+			snyk_errors.WithCause(pipErr.err),
+		)
+	}
+
+	// Check for Python version mismatch
+	if strings.Contains(stderr, "requires Python") ||
+		strings.Contains(stderr, "Requires-Python") {
+		return ecosystems.NewPipUnsupportedPythonVersionError(
+			fmt.Sprintf("Python version mismatch: %s", stderr),
+			snyk_errors.WithCause(pipErr.err),
+		)
+	}
+
+	// Check for conflicting requirements
+	if strings.Contains(stderr, "Conflict") ||
+		strings.Contains(stderr, "conflicting") ||
+		strings.Contains(stderr, "incompatible") {
+		return ecosystems.NewPythonVersionConfictError(
+			fmt.Sprintf("Conflicting package requirements: %s", stderr),
+			snyk_errors.WithCause(pipErr.err),
+		)
+	}
+
+	// Check for context cancellation or timeout
+	if errors.Is(pipErr.err, context.Canceled) {
+		// User-initiated cancellation (e.g., Ctrl+C) - not a catalog error
+		return fmt.Errorf("pip install canceled: %w", pipErr.err)
+	}
+	if errors.Is(pipErr.err, context.DeadlineExceeded) {
+		// Timeout - use catalog timeout error
+		return snyk.NewTimeoutError(
+			fmt.Sprintf("Pip install timed out: %s", stderr),
+			snyk_errors.WithCause(pipErr.err),
+		)
+	}
+
+	// Generic installation failure
+	return ecosystems.NewInstallationFailureError(
+		fmt.Sprintf("Pip install failed: %s", stderr),
+		snyk_errors.WithCause(pipErr.err),
+	)
+}