add pip -f pattern
stoletheminerals committed Aug 1, 2024
1 parent 2335249 commit ebc1bd0
Showing 2 changed files with 9 additions and 3 deletions.
Expand Up @@ -9,4 +9,8 @@ sphinx-reredirects==0.1.2
// ruleid: find-links-without-no-index
--find-links https://mlc.ai/wheels
mlc-ai-nightly
--find-links --no-index https://mlc.ai/wheels
--find-links --no-index https://mlc.ai/wheels
--no-index --find-links https://mlc.ai/wheels
// ruleid: find-links-without-no-index
pip install --quiet --pre -U -f https://mlc.ai/wheels mlc-ai-nightly
pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly
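Review bot: the new "ok" test line `pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly` is not valid pip usage, because `-f`/`--find-links` takes a URL argument and would consume `--no-index` as that argument, leaving the wheel URL as a stray positional. Since this line is meant to show the safe form that the rule should not flag, put the flag before `-f`, e.g. `pip install --quiet --pre -U --no-index -f https://mlc.ai/wheels mlc-ai-nightly`. The unchanged `--find-links --no-index https://mlc.ai/wheels` lines in this hunk have the same ordering problem in requirements-file syntax; `--no-index --find-links https://mlc.ai/wheels` is the form that actually keeps pip off PyPI.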
Expand Up @@ -6,8 +6,10 @@ rules:
- https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior
- https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/
confidence: LOW
pattern-regex: '^(?!.*--no-index).*--find-links'
message: "When --find-links is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
pattern-either:
- pattern-regex: ^(?!.*--no-index).*--find-links
- pattern-regex: ^(?!.*--no-index).*pip\s.*\s-f
message: "When --find-links or -f is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
severity: INFO
languages:
- generic
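Review bot: the added regex `^(?!.*--no-index).*pip\s.*\s-f` has no boundary after `-f`, so it fires on any whitespace-separated token that merely starts with `-f`, not only on the `-f` short flag; anchoring the flag with `\s-f(\s|$)` would keep the match to the find-links flag. As with the first pattern, the negative lookahead `(?!.*--no-index)` only checks that `--no-index` appears somewhere on the same line, so a line where `--no-index` is mis-placed as the argument of `-f` still passes; that is acceptable for a LOW-confidence rule but worth noting in the message, and the rule will also miss invocations where `-f` is joined with another short flag or `--find-links` and `--no-index` are split across continuation lines.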
