Moban Sync

template sync to make pipeline green.

closes coala#2987

.ci/check_unsupported.sh

@@ -11,7 +11,7 @@ set -x
 # Many bear dependencies do not install on unsupported versions
 echo "" > bear-requirements.txt
 
-pip install 'pip==9.0.1' 'setuptools==21.2.2'
+pip install 'pip==9.0.3' 'setuptools==21.2.2'
 
 python setup.py install 2>&1 | tee setup.log
 

.ci/constants.ps1

@@ -1,6 +1,6 @@
 
 New-Variable -Scope global -Name project_name -Value 'coala-bears'
-New-Variable -Scope global -Name pip_version -Value '9.0.1'
+New-Variable -Scope global -Name pip_version -Value '9.0.3'
 New-Variable -Scope global -Name setuptools_version -Value '21.2.2'
 
 $old_EAP = $ErrorActionPreference

.moban.dt/travis-before-install.yaml

@@ -26,8 +26,9 @@ before_install:
       export PATH="$HOME/.pyenv/bin:$PATH";
     fi
   - hash -r && pyenv versions --bare && python --version
+  - pip install pip==9.0.3
   - if [ "${TRAVIS_PYTHON_VERSION/3.4/}" != "$TRAVIS_PYTHON_VERSION" ]; then
-      pip install pip==9.0.3 setuptools==21.2.2;
+      pip install setuptools==21.2.2;
     fi
 
   - if [ -f ".ci/deps.$TRAVIS_LANGUAGE.sh" ]; then

.moban.dt/travis-manual-matrix.yaml

@@ -156,11 +156,11 @@
   before_script: true
   script: .ci/check_unsupported.sh
 
-- python: 3.6
+- python: 3.6.9
   stage: sentinel
-  before_install: false
-  install: pip install moban
-  before_script: false
+  before_install: []
+  install: pip install moban~=0.5.0 gitfs2 pypifs
+  before_script: []
   script: .ci/check_moban.sh
-  after_success: false
-  after_failure: false
+  after_success: []
+  after_failure: []

.travis.yml

@@ -197,7 +197,7 @@ jobs:
       before_script: true
       script: .ci/check_unsupported.sh
 
-    - python: 3.6
+    - python: 3.6.9
       stage: sentinel
       before_install: []
       install: pip install moban~=0.5.0 gitfs2 pypifs
@@ -600,8 +600,9 @@ before_install:
       export PATH="$HOME/.pyenv/bin:$PATH";
     fi
   - hash -r && pyenv versions --bare && python --version
+  - pip install pip==9.0.3
   - if [ "${TRAVIS_PYTHON_VERSION/3.4/}" != "$TRAVIS_PYTHON_VERSION" ]; then
-      pip install pip==9.0.3 setuptools==21.2.2;
+      pip install setuptools==21.2.2;
     fi
 
   - if [ -f ".ci/deps.$TRAVIS_LANGUAGE.sh" ]; then

bear-metadata.yaml

@@ -36,7 +36,7 @@ bear_metadata:
         apertium-lint:
           version: ~=0.29
         lxml:
-          version: '>=1.0,<4.4.0'
+          version: '>4.4.0'
     languages:
       - Apertium
     tags:

bear-requirements.txt

@@ -17,7 +17,7 @@ html-linter~=0.4.0
 isort~=4.2
 language-check~=1.0
 libclang-py3~=3.4.0
-lxml>=1.0,<4.4.0
+lxml>4.4.0
 memento-client~=0.6.1
 munkres~=1.1.2
 mypy==0.590

bear-requirements.yaml

@@ -13,7 +13,7 @@ pip_requirements:
   autopep8:
     version: ~=1.2
   bandit:
-    version: ~=1.2
+    version: ~=1.2,<1.6.3
   bashate:
     version: ~=0.5.1
   cmakelint:
@@ -41,7 +41,7 @@ pip_requirements:
   libclang-py3:
     version: ~=3.4.0
   lxml:
-    version: '>=1.0,<4.4.0'
+    version: '>4.4.0'
   memento-client:
     version: ~=0.6.1
   munkres:

bears/apertium/ApertiumLintBear.py

@@ -26,7 +26,7 @@ class ApertiumLintBear:
     """
     LANGUAGES = {'Apertium'}
     REQUIREMENTS = {PipRequirement('apertium-lint', '0.29'),
-                    PipRequirement('lxml', '>=1.0,<4.4.0')}
+                    PipRequirement('lxml', '>4.4.0')}
     AUTHORS = {'The coala developers'}
     AUTHORS_EMAILS = {'[email protected]'}
     LICENSE = 'AGPL-3.0'

bears/python/requirements/PySafetyBear.py

@@ -138,6 +138,6 @@ def try_parse_requirements(lines: typed_list(str)):
         for line in lines:
             try:
                 yield from pkg_resources.parse_requirements(line)
-            except pkg_resources.RequirementParseError:
+            except pkg_resources.RequirementParseError:  # pragma: no cover
                 # unsupported requirement specification
                 pass

setup.cfg

@@ -18,7 +18,7 @@ addopts =
   --color=yes
   --doctest-glob=*.rst
   --doctest-modules
-  --doctest-ignore-import-error
+  --doctest-ignore-import-errors
   --cov
   --instafail
   --profile

setup.py

@@ -420,9 +420,9 @@ def read_requirements(filename):
 
 if __name__ == '__main__':
     pip_version = LooseVersion(pip.__version__)
-    if pip_version < LooseVersion('9.0.1'):
-        raise RuntimeError('Version of pip is less than 9.0.1. '
-                           'Consider upgrading pip to pip~=9.0.1')
+    if pip_version < LooseVersion('9.0.3'):
+        raise RuntimeError('Version of pip is less than 9.0.3. '
+                           'Consider upgrading pip to pip~=9.0.3')
     setup(name='coala-bears',
           version=VERSION,
           description=DESCRIPTION,

test-requirements.txt

@@ -3,21 +3,18 @@
 # ignore the dependency version difference and only fail when the
 # bear is loaded.
 colorama<0.4
-# coverage 4.4.2 broke compatibility with coverage-config-reload-plugin
-# and thus broke https://github.com/jayvdb/coverage_env_plugin .
-# See https://github.com/jayvdb/coverage_config_reload_plugin/issues/1
-coverage==4.4.1
+coverage>=5.2.1
 coverage-env-plugin~=0.1
 coverage-config-reload-plugin~=0.2
-codecov~=2.1.0
+codecov~=2.0.5
 moban~=0.5.0 ; python_version > '3.0'
 packaging~=16.8
-pytest~=4.6
-pytest-cov~=2.4
+pytest~=3.6.4
+pytest-cov>=2.4,<2.6
 pytest-env~=0.6.0
 pytest-instafail~=0.3.0
 pytest-mock~=1.1
-pytest-profiling~=1.3.0
+pytest-profiling~=1.7.0
 pytest-pythonpath~=0.7.0
 pytest-reorder~=0.1.0
 git+https://github.com/jayvdb/pytest-reqs@coala#egg=pytest-reqs

tests/python/requirements/PySafetyBearWithoutMockTest.py

@@ -28,7 +28,7 @@ def setUp(self):
         self.uut = PySafetyBear(self.section, Queue())
 
     def test_without_vulnerability(self):
-        self.check_validity(self.uut, ['lxml==3.6.0'])
+        self.check_validity(self.uut, ['lxml>4.4.0'])
 
     def test_with_vulnerability(self):
         self.check_invalidity(self.uut, ['bottle==0.10.1'])
@@ -41,6 +41,31 @@ def test_with_cve_vulnerability(self):
             self.uut,
             file_contents,
             [Result.from_values('PySafetyBear',
+                                'bottle<0.12.19 is vulnerable '
+                                'to CVE-2020-28473 and your project '
+                                'is using 0.10.0.',
+                                file=get_testfile_path(file_name),
+                                line=1,
+                                column=9,
+                                end_line=1,
+                                end_column=15,
+                                severity=RESULT_SEVERITY.NORMAL,
+                                additional_info='The package bottle '
+                                'from 0 and before 0.12.19 are vulnerable '
+                                'to Web Cache Poisoning by using a vector '
+                                'called parameter cloaking. When the '
+                                'attacker can separate query parameters '
+                                'using a semicolon (;), they can cause a '
+                                'difference in the interpretation of the '
+                                'request between the proxy (running with '
+                                'default configuration) and the server. '
+                                'This can result in malicious requests '
+                                'being cached as completely safe ones, '
+                                'as the proxy would usually not see the '
+                                'semicolon as a separator, and therefore '
+                                'would not include it in a cache key of '
+                                'an unkeyed parameter. See CVE-2020-28473.'),
+             Result.from_values('PySafetyBear',
                                 'bottle<0.12.10 is vulnerable '
                                 'to CVE-2016-9964 and your project '
                                 'is using 0.10.0.',
@@ -99,8 +124,8 @@ def test_without_cve_vulnerability(self):
             filename=get_testfile_path(file_name))
 
     def test_with_cve_ignore(self):
-        self.section.append(Setting('cve_ignore', 'CVE-2016-9964, '
-                                    'CVE-2014-3137'))
+        self.section.append(Setting('cve_ignore', 'CVE-2020-28473, '
+                                    'CVE-2016-9964, ' 'CVE-2014-3137'))
         file_name = 'requirement.txt'
         file_contents = load_testfile(file_name)
         # file_contents = [file_contents[0]]

tox.ini

@@ -70,7 +70,7 @@ passenv =
   _R_CHECK_CRAN_INCOMING_
   NOT_CRAN
   R_PROFILE
-pip_version = 9.0.1
+pip_version = 9.0.3
 alwayscopy = true
 skipsdist = true
 sitepackages={env:TOXINI_SITEPACKAGES:False}
@@ -92,7 +92,7 @@ deps =
   java{7,8}-!pip: guess-language-spirit~=0.5.2
   -rtest-requirements.txt
   # pytest-cov-threshold is incompatible with py34
-  !py34: git+https://github.com/krkd/pytest-cov-threshold
+  !py34: git+https://github.com/krkd/pytest-cov-threshold#egg=pytest-cov-threshold
   noskip: pytest-error-for-skips
 setenv =
   LINTR_COMMENT_BOT=false