Skip to content

fix(python): discover interpreters to find all site-packages#165

Open
swarit-stepsecurity wants to merge 1 commit into
step-security:mainfrom
swarit-stepsecurity:swarit/fix/wt/py-interpreter-discovery
Open

fix(python): discover interpreters to find all site-packages#165
swarit-stepsecurity wants to merge 1 commit into
step-security:mainfrom
swarit-stepsecurity:swarit/fix/wt/py-interpreter-discovery

Conversation

@swarit-stepsecurity

Copy link
Copy Markdown
Member

The disk-based Python scanner gathered site-packages from a fixed allow-list of globs (PythonGlobalRoots), so packages installed under any interpreter not on that list were never scanned. The clearest case is Apple's Command Line Tools python
(/Library/Developer/CommandLineTools/.../Python3.framework), whose site-packages no glob matched. After the agent upgraded from the pre-1.13 command-based scan (which ran whatever pip/conda/uv was on PATH) to the 1.13 disk scan, packages there stopped being reported and showed as "No Longer Available" in the dashboard while still installed.

Discover interpreters directly instead: enumerate python executables on PATH, in version-manager trees (pyenv/asdf/uv/conda), and at common locations, then ask each one via a small python -c (site.getsitepackages

  • user-site + sysconfig) where its site-packages actually live, and union those dirs with the existing static roots so coverage never regresses. Probes are gated by the Apple CLT stub check (so a Mac without CLT is not prompted), individually timed out, and capped in number; a failed probe logs a warning rather than silently dropping an interpreter.

Also raise the METADATA read cap from 1 MiB to 32 MiB so an installed package whose METADATA embeds a large README is no longer silently dropped from the scan.

What does this PR do?

Type of change

  • Bug fix
  • Enhancement
  • Documentation

Testing

  • Tested on macOS (version: ___)
  • Binary runs without errors: ./stepsecurity-dev-machine-guard --verbose
  • JSON output is valid: ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
  • No secrets or credentials included
  • Lint passes: make lint
  • Tests pass: make test

Related Issues

The disk-based Python scanner gathered site-packages from a fixed
allow-list of globs (PythonGlobalRoots), so packages installed under any
interpreter not on that list were never scanned. The clearest case is
Apple's Command Line Tools python
(/Library/Developer/CommandLineTools/.../Python3.framework), whose
site-packages no glob matched. After the agent upgraded from the
pre-1.13 command-based scan (which ran whatever pip/conda/uv was on PATH)
to the 1.13 disk scan, packages there stopped being reported and showed
as "No Longer Available" in the dashboard while still installed.

Discover interpreters directly instead: enumerate python executables on
PATH, in version-manager trees (pyenv/asdf/uv/conda), and at common
locations, then ask each one via a small `python -c` (site.getsitepackages
+ user-site + sysconfig) where its site-packages actually live, and union
those dirs with the existing static roots so coverage never regresses.
Probes are gated by the Apple CLT stub check (so a Mac without CLT is not
prompted), individually timed out, and capped in number; a failed probe
logs a warning rather than silently dropping an interpreter.

Also raise the METADATA read cap from 1 MiB to 32 MiB so an installed
package whose METADATA embeds a large README is no longer silently
dropped from the scan.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant