[Bug] ImportError: cannot import name 'sha1sum' from 'cyclonedx.model' #5841

Closed
nvuillam opened this issue Dec 10, 2023 · 8 comments · Fixed by #5846

nvuillam commented Dec 10, 2023

Describe the issue

Crash with ImportError: cannot import name 'sha1sum' from 'cyclonedx.model', regardless of how checkov is called :/

Examples

Traceback (most recent call last):
  File "/venvs/checkov/bin/checkov", line 2, in <module>
    from checkov.main import Checkov
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/main.py", line 50, in <module>
    from checkov.common.runners.runner_registry import RunnerRegistry
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/common/runners/runner_registry.py", line 31, in <module>
    from checkov.common.output.cyclonedx import CycloneDX
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/common/output/cyclonedx.py", line 11, in <module>
    from cyclonedx.model import (
ImportError: cannot import name 'sha1sum' from 'cyclonedx.model' (/venvs/checkov/lib/python3.11/site-packages/cyclonedx/model/__init__.py)

Exception Trace
Please share the trace for the exception and all relevant output by checkov.
To maximize the understanding, please run checkov with LOG_LEVEL set to debug
as follows:

[checkov] command: ['checkov', '--directory', '.', '--config-file', '/action/lib/.automation/.checkov.yml', '--output', 'sarif', '--output-file-path', '/tmp/d22d2833-baa6-40fa-b7d0-a287757729c0']
[checkov] CWD: /tmp/lint/.automation/test/repository_checkov/bad
Could not find /tmp/d22d2833-baa6-40fa-b7d0-a287757729c0/results_sarif.sarif (linter sarif output error?)
[checkov] result: 1 2023-12-10 22:49:53,627 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810> with order 0
2023-12-10 22:49:53,627 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:53,627 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>]
2023-12-10 22:49:53,701 [MainThread  ] [DEBUG]  Leveraging the bundled IAM Definition.
2023-12-10 22:49:53,701 [MainThread  ] [DEBUG]  Leveraging the IAM definition at /venvs/checkov/lib/python3.11/site-packages/policy_sentry/shared/data/iam-definition.json
2023-12-10 22:49:54,012 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590> with order 0
2023-12-10 22:49:54,012 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,012 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>]
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650> with order 10
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>]
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90> with order 6
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,013 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>]
2023-12-10 22:49:54,014 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.custom_policies_integration.CustomPoliciesIntegration object at 0x7fa120703cd0> with order 1
2023-12-10 22:49:54,014 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,014 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.custom_policies_integration.CustomPoliciesIntegration object at 0x7fa120703cd0>, <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>]
2023-12-10 22:49:54,016 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.policies_3d_integration.Policies3DIntegration object at 0x7fa120734ed0> with order 11
2023-12-10 22:49:54,016 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,016 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.custom_policies_integration.CustomPoliciesIntegration object at 0x7fa120703cd0>, <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>, <checkov.common.bridgecrew.integration_features.features.policies_3d_integration.Policies3DIntegration object at 0x7fa120734ed0>]
2023-12-10 22:49:54,017 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.suppressions_integration.SuppressionsIntegration object at 0x7fa120742850> with order 2
2023-12-10 22:49:54,017 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,017 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.custom_policies_integration.CustomPoliciesIntegration object at 0x7fa120703cd0>, <checkov.common.bridgecrew.integration_features.features.suppressions_integration.SuppressionsIntegration object at 0x7fa120742850>, <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>, <checkov.common.bridgecrew.integration_features.features.policies_3d_integration.Policies3DIntegration object at 0x7fa120734ed0>]
2023-12-10 22:49:54,018 [MainThread  ] [DEBUG]  Adding the IntegrationFeatureRegistry <checkov.common.bridgecrew.integration_features.features.vulnerabilities_integration.VulnerabilitiesIntegration object at 0x7fa120755650> with order 2
2023-12-10 22:49:54,018 [MainThread  ] [DEBUG]  self.features after the sort:
2023-12-10 22:49:54,018 [MainThread  ] [DEBUG]  [<checkov.common.bridgecrew.integration_features.features.repo_config_integration.RepoConfigIntegration object at 0x7fa122a38810>, <checkov.common.bridgecrew.integration_features.features.policy_metadata_integration.PolicyMetadataIntegration object at 0x7fa120702590>, <checkov.common.bridgecrew.integration_features.features.custom_policies_integration.CustomPoliciesIntegration object at 0x7fa120703cd0>, <checkov.common.bridgecrew.integration_features.features.suppressions_integration.SuppressionsIntegration object at 0x7fa120742850>, <checkov.common.bridgecrew.integration_features.features.vulnerabilities_integration.VulnerabilitiesIntegration object at 0x7fa120755650>, <checkov.common.bridgecrew.integration_features.features.licensing_integration.LicensingIntegration object at 0x7fa120702b90>, <checkov.common.bridgecrew.integration_features.features.fixes_integration.FixesIntegration object at 0x7fa120702650>, <checkov.common.bridgecrew.integration_features.features.policies_3d_integration.Policies3DIntegration object at 0x7fa120734ed0>]
2023-12-10 22:49:54,043 [MainThread  ] [DEBUG]  Loading external checks from /venvs/checkov/lib/python3.11/site-packages/checkov/bicep/checks/graph_checks
2023-12-10 22:49:54,043 [MainThread  ] [DEBUG]  Searching through [] and ['__init__.py', 'SQLServerAuditingEnabled.json']
2023-12-10 22:49:54,338 [MainThread  ] [DEBUG]  Popen(['git', 'version'], cwd=/tmp/lint/.automation/test/repository_checkov/bad, stdin=None, shell=False, universal_newlines=False)
2023-12-10 22:49:54,340 [MainThread  ] [DEBUG]  Popen(['git', 'version'], cwd=/tmp/lint/.automation/test/repository_checkov/bad, stdin=None, shell=False, universal_newlines=False)
2023-12-10 22:49:54,352 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.DataClassification with custom name None
2023-12-10 22:49:54,352 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.AttachedText with custom name None
2023-12-10 22:49:54,353 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.HashType with custom name None
2023-12-10 22:49:54,354 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.XsUri with custom name None
2023-12-10 22:49:54,354 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.ExternalReference with custom name None
2023-12-10 22:49:54,354 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.Property with custom name None
2023-12-10 22:49:54,354 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.NoteText with custom name None
2023-12-10 22:49:54,355 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.Note with custom name None
2023-12-10 22:49:54,355 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.OrganizationalContact with custom name None
2023-12-10 22:49:54,355 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.OrganizationalEntity with custom name None
2023-12-10 22:49:54,355 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.Tool with custom name None
2023-12-10 22:49:54,356 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.IdentifiableAction with custom name None
2023-12-10 22:49:54,356 [MainThread  ] [DEBUG]  Registering Class cyclonedx.model.Copyright with custom name None
Traceback (most recent call last):
  File "/venvs/checkov/bin/checkov", line 2, in <module>
    from checkov.main import Checkov
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/main.py", line 50, in <module>
    from checkov.common.runners.runner_registry import RunnerRegistry
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/common/runners/runner_registry.py", line 31, in <module>
    from checkov.common.output.cyclonedx import CycloneDX
  File "/venvs/checkov/lib/python3.11/site-packages/checkov/common/output/cyclonedx.py", line 11, in <module>
    from cyclonedx.model import (
ImportError: cannot import name 'sha1sum' from 'cyclonedx.model' (/venvs/checkov/lib/python3.11/site-packages/cyclonedx/model/__init__.py)

Desktop (please complete the following information):

  • OS: python:3.11.6-alpine3.18 (docker image)
  • Checkov Version : 3.1.27 to 3.1.29

Additional context

You can see the crash in this GitHub Actions job -> https://github.com/oxsecurity/megalinter/actions/runs/7160719035/job/19495393865?pr=3205

Dockerfile is here -> https://github.com/oxsecurity/megalinter/blob/b46d0166a4033bcaa183cb86afcd1e856e233381/linters/repository_checkov/Dockerfile (we had the same result without specifying the checkov version to install)

Author

nvuillam commented Dec 10, 2023

The delta seems to come from cyclonedx-python-lib-5.2.0 that does work, whereas with cyclonedx-python-lib-6.0.0 checkov crashes.

The dependency probably needs to be upgraded :)

@microamp

As @nvuillam said above, checkov started to work for me again after cyclonedx-python-lib had been explicitly downgraded to 5.2.0.

python3 -m pip install --user cyclonedx-python-lib==5.2.0 # Ubuntu 22.04

Author

nvuillam commented Dec 11, 2023

@microamp I did the same on MegaLinter and I confirm it works with pip3 install --no-cache-dir packaging cyclonedx-python-lib=='5.2.0' checkov :)


gionn commented Dec 11, 2023

Workaround for pre-commit:

repos:
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: 3.1.29
    hooks:
      - id: checkov
        additional_dependencies:
          - "cyclonedx-python-lib==5.2.0"


jor2 commented Dec 11, 2023

Breaking change here CycloneDX/cyclonedx-python-lib#506

Contributor

Saarett commented Dec 11, 2023

Hey everyone, we apologize for the inconvenience. We have set the specific version of cyclonedx-python-lib to 5.2.0 in the setup.py. The latest version of Checkov (3.1.30), which is already deployed, has addressed this issue.

Please let us know if there are any other issues 🙏

Saarett closed this as completed Dec 11, 2023
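
An added example, not code from checkov or from this thread: a standard-library check of which requirement specifiers would have let a resolver pick up cyclonedx-python-lib 6.0.0. The requirement lines are constructed samples, the function names are hypothetical, and only plain numeric releases are handled (no pre-releases, wildcards, extras or markers).

```python
import re

# Constructed sample requirement lines, not checkov's actual setup.py entries.
SAMPLE_REQUIREMENTS = [
    "cyclonedx-python-lib>=5.0.0",         # open-ended lower bound
    "cyclonedx-python-lib>=5.0.0,<6.0.0",  # capped below the next major
    "cyclonedx-python-lib==5.2.0",         # exact pin, as in the workarounds
    "cyclonedx-python-lib~=5.2",           # compatible release: >=5.2, ==5.*
]

_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")


def _release(text):
    """Parse a plain numeric release such as '5.2.0' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def _clause_admits(op, bound, candidate):
    """Evaluate one clause; releases are zero-padded so 5.2 equals 5.2.0."""
    width = max(len(bound), len(candidate))
    ref = bound + (0,) * (width - len(bound))
    cand = candidate + (0,) * (width - len(candidate))
    if op == "~=":
        if len(bound) < 2:
            raise ValueError("~= needs at least two release segments")
        # ~=X.Y means >=X.Y and the same leading segments up to the last one.
        return cand >= ref and cand[:len(bound) - 1] == bound[:-1]
    return {"==": cand == ref, "!=": cand != ref, "<=": cand <= ref,
            ">=": cand >= ref, "<": cand < ref, ">": cand > ref}[op]


def admits(requirement, version):
    """Return True if the requirement's specifier set allows `version`."""
    spec = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)$", requirement).group(2)
    candidate = _release(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not _clause_admits(m.group(1), _release(m.group(2)), candidate):
            return False
    return True


def admitting(requirements, version):
    """Requirement lines whose specifiers would let pip resolve to `version`."""
    return [r for r in requirements if admits(r, version)]
```

Calling `admitting(SAMPLE_REQUIREMENTS, "6.0.0")` lists the lines that leave an install exposed to the next major release; an empty list means every line is capped or pinned.
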
@charlesavanade

> @microamp I did the same on MegaLinter and I confirm it works with pip3 install --no-cache-dir packaging cyclonedx-python-lib=='5.2.0' checkov :)

Thanks, helped fix mine too :)

@nvuillam
Author

I confirm it's now OK in MegaLinter beta version, without any workaround necessary, thanks for the quick patch :)
