XRAY-140550 - Onboarding uv for jf curation-audit#798
Conversation
6f420f7 to
cd04ca3
Compare
40b19e4 to
7299624
Compare
37647c8 to
6a6a2a3
Compare
d9b118d to
f99aedc
Compare
f99aedc to
3082d8d
Compare
0d8fe73 to
1f5b0be
Compare
| return errorutils.CheckErrorf("uv: no 'jf c' server configured") | ||
| } | ||
| copied := *base | ||
| copied.ArtifactoryUrl = registryConfig.ArtifactoryUrl |
There was a problem hiding this comment.
A project-local pyproject.toml can replace the configured Artifactory origin while retaining its credentials. Running jf ca can therefore send credentials for the configured JPD to another host.
Review generated by xray-pr-review
| var buildErr error | ||
| artiIndexUrl, buildErr = buildUvCurationIndexUrl(params.ServerDetails, params.DependenciesRepository) | ||
| if buildErr != nil { | ||
| log.Warn(fmt.Sprintf("uv: failed to build curation index URL: %v — will fall back to public PyPI", buildErr)) |
There was a problem hiding this comment.
If curation-index URL construction fails, this continues with an empty UV_DEFAULT_INDEX, so uv lock resolves through ambient/public configuration and the audit can bypass curation. Consider returning buildErr here so the audit fails closed.
This regression test currently fails with An error is expected but got nil:
func TestScriptAuditFailsClosedWhenCurationIndexCannotBeBuilt(t *testing.T) {
fakeBinDir := t.TempDir()
writeFakeUvExecutableForScriptLock(t, fakeBinDir, "https://ambient.example", "repo")
scriptPath := filepath.Join(t.TempDir(), "demo.py")
require.NoError(t, os.WriteFile(scriptPath, []byte(pep723ScriptContent), 0o644))
params := technologies.BuildInfoBomGeneratorParams{
ScriptPath: scriptPath,
ServerDetails: &config.ServerDetails{ArtifactoryUrl: ":// malformed"},
DependenciesRepository: "repo",
}
_, _, _, err := buildDependencyTreeForScript(params)
require.Error(t, err, "curation audit must not run uv against an ambient index")
}Review generated by xray-pr-review
| if !hasPw || pw == "" { | ||
| return s | ||
| } | ||
| return strings.ReplaceAll(s, pw, "***") |
There was a problem hiding this comment.
u.User.Password() returns the decoded password, while uv can echo its percent-encoded userinfo, leaving credentials such as p%40ss%2Fword in logs and returned errors. Consider redacting the encoded userinfo as well as the decoded secret.
This regression test currently fails because the encoded password remains in masked:
func TestMaskPasswordMasksPercentEncodedPassword(t *testing.T) {
u := &url.URL{
Scheme: "https",
Host: "host.example",
Path: "/artifactory/api/pypi/repo/simple",
User: url.UserPassword("user", "p@ss/word"),
}
encodedSecret := "p%40ss%2Fword"
out := "uv failed while fetching " + u.String()
masked := maskPassword(out, u.String())
assert.NotContains(t, masked, encodedSecret)
}Review generated by xray-pr-review
|
Could you add a description covering the uv project and PEP 723 script flows, registry/auth behavior, validation performed, and the Poetry CVS fallback changes? The current body is only the unchecked template, so reviewers cannot verify the intended scope or design trade-offs. Review generated by xray-pr-review |
devbranch.go vet ./....go fmt ./....Onboards uv as a supported package manager for jf curation-audit, plus support for auditing standalone PEP 723 inline scripts. Registry details are read from pyproject.toml's [[tool.uv.index]] or ~/.config/uv/uv.toml (however Artifactory's "Set Me Up" configures it) — no jf uv-config step needed. Resolution always goes through Artifactory's curation pass-through endpoint: uv.lock is regenerated in a temp dir unless it's both up-to-date and verified as already resolved from Artifactory, in which case it's reused as-is.
New --script flag audits a single PEP 723 inline script directly instead of scanning the working directory. When a uv project has an un-audited sibling script, jf ca surfaces a one-line hint to use --script.
Changes