Skip to main content

Meta static analysis tool for Python packages

Project description

shouldi

shouldi

What Is ShouldI?

shouldi is a tool that runs static analysis tools to let you know if there are any issues in any of the python packages you were thinking of installing.

shouldi is similar to things like Go Report Card.

shouldi is in its very early stages. Expect things to change.

Installation

$ python3 -m pip install -U shouldi

Usage

There are several different subcommands of shoudli

  • install
    • Analogous to pip install but runs checks to tell you if you should install
  • use
    • Point this command at any Git URL or directory and it will run appropriate static analysis tools for that language
  • project
    • Auto discover projects and depedencies of those projects within a directory

Install Command

Run bandit and safety. Tell the person who ran the command not to install the Python package if there were any issues found by either tool.

$ shouldi install insecure-package bandit
bandit is okay to install
Do not install insecure-package! {'safety_check_number_of_issues': 1}

Use Command

Given a Git URL or a directory, figure out what the language the codebase is and run the appropriate static analysis tools for that language.

Tools for each language are as follows.

You must have the following tools installed on the system

$ shouldi use https://github.com/trekhleb/javascript-algorithms
{'static_analysis': SAResultsSpec(critical=1, high=2941, medium=16, low=41049, report={'npm_audit_output': {'info': 0, 'low': 41049, 'moderate': 16, 'high': 2941, 'critical': 1}})}

Project Command

Given a directory, output a JSON describing the dependencies found within that directory.

At the moment it will auto discover Python dependencies listed in setup.py's install_requires section or within requirements.txt

Dependencies which cannot be automatically identified can be specified in YAML files.

dependencies:
  python:
    name: Python
    url: https://python.org
    license: Python License 2.0

Here's an example of running the project command on the shouldi codebase with the above deps.yaml adding in dependencies that couldn't be auto discovered.

$ shouldi project create -add deps.yaml -- .
{
    "dependencies": [
        {
            "extra": {
                "pypi": {
                    "euuid": "7bd67f47-9972-57fd-8da1-233783b35321",
                    "license": "Apache 2",
                    "name": "aiohttp",
                    "url": "https://pypi-hypernode.com/pypi/aiohttp",
                    "uuid": null
                }
            },
            "license": "Apache 2",
            "name": "aiohttp",
            "url": "https://github.com/aio-libs/aiohttp",
            "uuid": "a6172a74-11ca-5624-bbf4-2e064084ee95"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "8ce644e4-20ef-5a24-85bb-0449fb8e2c94",
                    "license": "",
                    "name": "bandit",
                    "url": "https://pypi-hypernode.com/pypi/bandit",
                    "uuid": null
                }
            },
            "license": null,
            "name": "bandit",
            "url": "https://bandit.readthedocs.io/en/latest/",
            "uuid": "1fa385fc-91ae-59c5-8d4c-220b9820f173"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "c09eaab1-7676-55b8-96fd-cb50f5dc125c",
                    "license": "MIT license",
                    "name": "safety",
                    "url": "https://pypi-hypernode.com/pypi/safety",
                    "uuid": null
                }
            },
            "license": "MIT license",
            "name": "safety",
            "url": "https://github.com/pyupio/safety",
            "uuid": "f2cc3711-8652-584d-8d46-7e060398eff4"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "5143b2bf-be54-5688-8077-efbd038fbdc5",
                    "license": "MIT",
                    "name": "PyYAML",
                    "url": "https://pypi-hypernode.com/pypi/PyYAML",
                    "uuid": null
                }
            },
            "license": "MIT",
            "name": "PyYAML",
            "url": "https://github.com/yaml/pyyaml",
            "uuid": "406495d7-1ba9-5a7e-bec9-f2a1119d3913"
        },
        {
            "extra": {},
            "license": "Python License 2.0",
            "name": "Python",
            "url": "https://python.org",
            "uuid": "807b7876-01ec-5fef-ad5a-4cc588b97719"
        },
    ]
}

License

shouldi is distributed under the MIT License.

What's This Really Called

The real name of this package is "DFFML Evaluator for PyPi Packages". shouldi is mearly the command line invokation, and we claim shouldi, the package name on PyPi, to avoid a supply chain attack.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

shouldi-0.1.0.post0.tar.gz (23.2 kB view details)

Uploaded Source

Built Distribution

shouldi-0.1.0.post0-py3-none-any.whl (32.3 kB view details)

Uploaded Python 3

File details

Details for the file shouldi-0.1.0.post0.tar.gz.

File metadata

  • Download URL: shouldi-0.1.0.post0.tar.gz
  • Upload date:
  • Size: 23.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.7.3 pkginfo/1.7.0 requests/2.24.0 requests-toolbelt/0.9.1 tqdm/4.59.0 CPython/3.9.5

File hashes

Hashes for shouldi-0.1.0.post0.tar.gz
Algorithm Hash digest
SHA256 8d5af258af25d3937935721f34425b5525bf2e7dced98d8fb82e8c74ac361c20
MD5 e2ae16ec5c67d2b040671baf4a9b1fd0
BLAKE2b-256 16e88cfc52602c5d4f85c7c2bc38d6d48b31e001302013e6e0c095d33a03a0c6

See more details on using hashes here.

File details

Details for the file shouldi-0.1.0.post0-py3-none-any.whl.

File metadata

  • Download URL: shouldi-0.1.0.post0-py3-none-any.whl
  • Upload date:
  • Size: 32.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.7.3 pkginfo/1.7.0 requests/2.24.0 requests-toolbelt/0.9.1 tqdm/4.59.0 CPython/3.9.5

File hashes

Hashes for shouldi-0.1.0.post0-py3-none-any.whl
Algorithm Hash digest
SHA256 b505f993cba0d63e810f4732aa6e165418c57876a53d70b6a11487b5784dbb2c
MD5 950e5477f324267e544cb48be5c7544d
BLAKE2b-256 c61e5f98bf3730dc3a85fcc412f510ea89ba037227088e528c7fb6980c32b440

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page