uv-audit 0.0.50

This is an internal component crate of uv
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

//! Auditing for [PEP 792] adverse project statuses.
//!
//! [PEP 792]: https://peps.python.org/pep-0792/

use futures::{StreamExt as _, stream};
use tokio::sync::Semaphore;
use tracing::trace;

use uv_client::{MetadataFormat, RegistryClient};
use uv_configuration::Concurrency;
use uv_distribution_types::{IndexCapabilities, IndexMetadataRef, IndexUrl};
use uv_normalize::PackageName;
use uv_pypi_types::{ProjectStatus as PypiProjectStatus, Status};

use crate::types::{self, AdverseStatus, Finding};

/// Audit projects for PEP 792 adverse status markers using a [`RegistryClient`].
pub struct ProjectStatusAudit<'a> {
    client: &'a RegistryClient,
    capabilities: &'a IndexCapabilities,
    concurrency: Concurrency,
}

impl<'a> ProjectStatusAudit<'a> {
    /// Create a new audit session backed by the given [`RegistryClient`].
    pub fn new(
        client: &'a RegistryClient,
        capabilities: &'a IndexCapabilities,
        concurrency: Concurrency,
    ) -> Self {
        Self {
            client,
            capabilities,
            concurrency,
        }
    }

    /// Query the project-level status of each project on its index.
    ///
    /// Transient per-project query failures (network errors, not-found, offline
    /// without a cache hit) are logged and dropped, on the principle that one
    /// misbehaving index should not invalidate the rest of the audit.
    pub async fn query_batch(&self, projects: &[(&PackageName, IndexUrl)]) -> Vec<Finding> {
        if projects.is_empty() {
            return Vec::new();
        }

        let semaphore = self.concurrency.downloads_semaphore.clone();

        stream::iter(projects)
            .map(|(name, index)| {
                let semaphore = semaphore.clone();
                async move { self.query_one(name, index, semaphore.as_ref()).await }
            })
            .buffer_unordered(self.concurrency.downloads)
            .filter_map(|finding| async move { finding })
            .collect()
            .await
    }

    async fn query_one(
        &self,
        name: &PackageName,
        index: &IndexUrl,
        semaphore: &Semaphore,
    ) -> Option<Finding> {
        let results = match self
            .client
            .simple_detail(
                name,
                Some(IndexMetadataRef::from(index)),
                self.capabilities,
                semaphore,
            )
            .await
        {
            Ok(results) => results,
            Err(err) => {
                trace!("Skipping project-status check for `{name}`: {err}");
                return None;
            }
        };

        let archive = results
            .into_iter()
            .map(|(_, format)| match format {
                MetadataFormat::Simple(archive) => archive,
                MetadataFormat::Flat(_) => {
                    unreachable!("Flat metadata should not be returned by `simple_detail`")
                }
            })
            .next()?;

        let project_status: PypiProjectStatus =
            match rkyv::deserialize::<PypiProjectStatus, rkyv::rancor::Error>(
                archive.project_status(),
            ) {
                Ok(project_status) => project_status,
                Err(err) => {
                    trace!("Failed to read archived project status for `{name}`: {err}");
                    return None;
                }
            };

        let status = to_adverse(project_status.status)?;
        let reason = project_status.reason.map(|reason| reason.to_string());
        Some(Finding::ProjectStatus(types::ProjectStatus {
            name: name.clone(),
            status,
            reason,
        }))
    }
}

/// Map a PEP 792 [`Status`] to its [`AdverseStatus`] counterpart, if any.
fn to_adverse(status: Status) -> Option<AdverseStatus> {
    match status {
        Status::Active => None,
        Status::Archived => Some(AdverseStatus::Archived),
        Status::Quarantined => Some(AdverseStatus::Quarantined),
        Status::Deprecated => Some(AdverseStatus::Deprecated),
    }
}