
does not work when one of many dependencies is not present on PyPI #157

Closed
jugmac00 opened this issue Dec 2, 2021 · 2 comments · Fixed by #162
Labels
bug Something isn't working component:dep-sources Dependency sources duplicate This issue or pull request already exists

Comments


jugmac00 commented Dec 2, 2021

Bug description

Running this tool on a requirements.txt where one of the many entries e.g. points to github causes an error.

Reproduction steps

A step-by-step list of actions to reproduce the behavior.

git clone https://git.launchpad.net/lpcraft

cd lpcraft

pip-audit -r requirements.txt

/ Resolving craft-cli                             
Traceback (most recent call last):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 41, in resolve
    result = self.resolver.resolve([req])
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 147, in _add_to_criteria
    matches = self._p.find_matches(
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 279, in find_matches
    return sorted(candidates, key=attrgetter("version", "is_wheel"), reverse=True)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 272, in <genexpr>
    candidates = (
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 188, in get_project_from_pypi
    response.raise_for_status()
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/requests/models.py", line 953, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://pypi.org/simple/craft-cli/

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 62, in collect
    for _, deps in self.resolver.resolve_all(iter(req_values)):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/interface.py", line 67, in resolve_all
    yield (req, self.resolve(req))
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 43, in resolve
    raise ResolveLibResolverError("failed to resolve dependencies") from e
pip_audit._dependency_source.resolvelib.resolvelib.ResolveLibResolverError: failed to resolve dependencies

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jugmac00/.local/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_cli.py", line 240, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_audit.py", line 60, in audit
    yield from self._service.query_all(specs)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_service/interface.py", line 115, in query_all
    for spec in specs:
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 74, in collect
    raise RequirementSourceError("dependency resolver raised an error") from dre
pip_audit._dependency_source.requirement.RequirementSourceError: dependency resolver raised an error

Expected behavior

I expected to receive a proper report.

Screenshots and logs

$ PIP_AUDIT_LOGLEVEL=debug pip-audit -r requirements.txt 
DEBUG:pip_audit._cli:parsed arguments: Namespace(cache_dir=None, desc=<VulnerabilityDescriptionChoice.Auto: 'auto'>, dry_run=False, format=<OutputFormatChoice.Columns: 'columns'>, local=False, progress_spinner=<ProgressSpinnerChoice.On: 'on'>, requirements=[<_io.TextIOWrapper name='requirements.txt' mode='r' encoding='UTF-8'>], strict=False, timeout=15, vulnerability_service=<VulnerabilityServiceChoice.Pypi: 'pypi'>)
/ Resolving craft-cli                             
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): pypi.org:443
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/certifi HTTP/1.1" 301 113
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/certifi/ HTTP/1.1" 200 7534
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): files.pythonhosted.org:443
DEBUG:urllib3.connectionpool:https://files.pythonhosted.org:443 "GET /packages/37/45/946c02767aabb873146011e665728b680884cd8fe70dde973c640e45b775/certifi-2021.10.8-py2.py3-none-any.whl HTTP/1.1" 200 149195
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/pypi/certifi/2021.10.8/json" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 324
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 900
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:900 > 324
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): pypi.org:443
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/charset-normalizer HTTP/1.1" 301 224
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/charset-normalizer/ HTTP/1.1" 200 5124
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): files.pythonhosted.org:443
DEBUG:urllib3.connectionpool:https://files.pythonhosted.org:443 "GET /packages/de/c8/820b1546c68efcbbe3c1b10dd925fbd84a0dda7438bc18db0ef1fa567733/charset_normalizer-2.0.7-py3-none-any.whl HTTP/1.1" 200 38247
DEBUG:cachecontrol.controller:Looking up "https://pypi.org/pypi/charset-normalizer/2.0.7/json" in the cache
DEBUG:cachecontrol.controller:Current age based on date: 324
DEBUG:cachecontrol.controller:Freshness lifetime from max-age: 900
DEBUG:cachecontrol.controller:The response is "fresh", returning cached response
DEBUG:cachecontrol.controller:900 > 324
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): pypi.org:443
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/craft-cli HTTP/1.1" 301 215
DEBUG:urllib3.connectionpool:https://pypi.org:443 "GET /simple/craft-cli/ HTTP/1.1" 404 13
Traceback (most recent call last):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 41, in resolve
    result = self.resolver.resolve([req])
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/resolvelib/resolvers.py", line 147, in _add_to_criteria
    matches = self._p.find_matches(
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 279, in find_matches
    return sorted(candidates, key=attrgetter("version", "is_wheel"), reverse=True)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 272, in <genexpr>
    candidates = (
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/pypi_provider.py", line 188, in get_project_from_pypi
    response.raise_for_status()
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/requests/models.py", line 953, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://pypi.org/simple/craft-cli/

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 62, in collect
    for _, deps in self.resolver.resolve_all(iter(req_values)):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/interface.py", line 67, in resolve_all
    yield (req, self.resolve(req))
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/resolvelib/resolvelib.py", line 43, in resolve
    raise ResolveLibResolverError("failed to resolve dependencies") from e
pip_audit._dependency_source.resolvelib.resolvelib.ResolveLibResolverError: failed to resolve dependencies

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/jugmac00/.local/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_cli.py", line 240, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_audit.py", line 60, in audit
    yield from self._service.query_all(specs)
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_service/interface.py", line 115, in query_all
    for spec in specs:
  File "/home/jugmac00/.local/pipx/venvs/pip-audit/lib/python3.8/site-packages/pip_audit/_dependency_source/requirement.py", line 74, in collect
    raise RequirementSourceError("dependency resolver raised an error") from dre
pip_audit._dependency_source.requirement.RequirementSourceError: dependency resolver raised an error

Platform information

  • OS name and version: Ubuntu 20.4
  • pip-audit version (pip-audit -V): 1.0.0
  • Python version (python -V or python3 -V): 3.8.10
  • pip version (pip -V or pip3 -V): N/A
@jugmac00 jugmac00 added the bug-candidate Might be a bug. label Dec 2, 2021
tetsuo-cpp (Contributor) commented Dec 2, 2021

Thanks for the report @jugmac00!

Just leaving some notes for myself/whoever takes a stab at this:

I believe if we can't find a dependency on PyPI, we need to just skip it because it could otherwise come from anywhere (and we won't be able to find vulnerability information for it anyhow). We already do the right thing when we try to query PyPI for vulnerabilities, we just need to apply that to dependency resolution. We should do something similar to what we do here where we propagate a SkippedDependency so it comes up in the skipped dependencies portion of the audit summary.

@tetsuo-cpp tetsuo-cpp added bug Something isn't working component:dep-sources Dependency sources and removed bug-candidate Might be a bug. labels Dec 2, 2021
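The behaviour the maintainer describes, as an added illustration that is not pip-audit's own code: a project missing from the index (the 404 on https://pypi.org/simple/craft-cli/ in the traceback) is turned into a skipped dependency that the summary can report, instead of aborting the whole audit. The in-memory index, `IndexNotFound`, `lookup_simple`, `collect` and `audit` are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union


class IndexNotFound(Exception):
    """Stands in for the HTTP 404 that raise_for_status() turned into HTTPError."""


@dataclass(frozen=True)
class ResolvedDependency:
    name: str
    version: str


@dataclass(frozen=True)
class SkippedDependency:
    name: str
    skip_reason: str


Dependency = Union[ResolvedDependency, SkippedDependency]

# Constructed stand-in for the PyPI simple index (project -> known versions).
# craft-cli is deliberately absent, as it was in the report.
CONSTRUCTED_INDEX = {"certifi": ["2021.10.8"], "charset-normalizer": ["2.0.7"]}


def lookup_simple(name: str) -> List[str]:
    """Model GET https://pypi.org/simple/<name>/ against the constructed index."""
    if name not in CONSTRUCTED_INDEX:
        raise IndexNotFound(f"404 Client Error: Not Found for url: https://pypi.org/simple/{name}/")
    return CONSTRUCTED_INDEX[name]


def collect(requirements: List[str]) -> Iterator[Dependency]:
    """Resolve each requirement; a project missing from the index is not fatal,
    it is recorded as skipped so the audit summary can still show it."""
    for name in requirements:
        try:
            versions = lookup_simple(name)
        except IndexNotFound as exc:
            yield SkippedDependency(name, str(exc))
            continue
        newest = max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))
        yield ResolvedDependency(name, newest)


def audit(requirements: List[str]) -> Tuple[List[ResolvedDependency], List[SkippedDependency]]:
    """Return (resolved, skipped): audit the first, report the second."""
    deps = list(collect(requirements))
    return ([d for d in deps if isinstance(d, ResolvedDependency)],
            [d for d in deps if isinstance(d, SkippedDependency)])
```

A skipped entry is still an unaudited dependency, so the summary should list it rather than drop it silently.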
BertRaeymaekers commented

I have the same issue in my use case:
Our application uses some home-built libraries that are in our private repo and not on PyPI. Running pip-audit fails on trying to get info on PyPI for those internal libraries.
