2.4.6 crashes #416

Closed
TECH7Fox opened this issue Nov 25, 2022 · 11 comments · Fixed by #417
Labels
bug Something isn't working component:dep-sources Dependency sources

Comments

@TECH7Fox

TECH7Fox commented Nov 25, 2022

Bug description

pip-audit crashes at pip_audit/_service/interface.py, line 162

Right here: https://github.com/pypa/pip-audit/blob/v2.4.6/pip_audit/_service/interface.py#L162

Reproduction steps

tox -e audit

Expected behavior

No errors.

Screenshots and logs

Traceback (most recent call last):
  File "/home/jordy/repo/.tox/audit/bin/pip-audit", line 8, in <module>
    sys.exit(audit())
  File "/home/jordy/repo/.tox/audit/lib/python3.10/site-packages/pip_audit/_cli.py", line 434, in audit
    for (spec, vulns) in auditor.audit(source):
  File "/home/jordy/repo/.tox/audit/lib/python3.10/site-packages/pip_audit/_audit.py", line 66, in audit
    for dep, vulns in self._service.query_all(specs):
  File "/home/jordy/repo/.tox/audit/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 156, in query_all
    yield self.query(spec)
  File "/home/jordy/repo/.tox/audit/lib/python3.10/site-packages/pip_audit/_service/osv.py", line 150, in query
    published=self._parse_rfc3339(vuln.get("published")),
  File "/home/jordy/repo/.tox/audit/lib/python3.10/site-packages/pip_audit/_service/interface.py", line 162, in _parse_rfc3339
    return datetime.strptime(dt, "%Y-%m-%dT%H:%M:%SZ")
  File "/home/jordy/.pyenv/versions/3.10.6/lib/python3.10/_strptime.py", line 568, in _strptime_datetime
    tt, fraction, gmtoff_fraction = _strptime(data_string, format)
  File "/home/jordy/.pyenv/versions/3.10.6/lib/python3.10/_strptime.py", line 349, in _strptime
    raise ValueError("time data %r does not match format %r" %
ValueError: time data '2022-10-22T00:00:27.668938Z' does not match format '%Y-%m-%dT%H:%M:%SZ'

Platform information

  • OS name and version: Ubuntu 20.04.5 LTS
  • pip-audit version (pip-audit -V): 2.4.6
  • Python version (python -V or python3 -V): 3.10.6
  • pip version (pip -V or pip3 -V): 22.3.1
@TECH7Fox TECH7Fox added the bug-candidate Might be a bug. label Nov 25, 2022
@woodruffw
Member

Thanks for the report!

tox -e audit doesn't give us a lot of context -- do you happen to know how that's invoking pip-audit internally? In particular, is it using the OSV service or the PyPI one?

Similarly, could you share the dependency source(s) you're auditing? That will help us reproduce the bug.

@woodruffw woodruffw added the component:dep-sources Dependency sources label Nov 25, 2022
@woodruffw
Member

Never mind, I see in your stack trace that the OSV service is the one being used. That's generally not encouraged unless you have a specific reason to prefer it over the PyPI one (which is the default).

This does look like our bug, however, and probably introduced with #404. I'll look into it some more.

@woodruffw
Member

woodruffw commented Nov 25, 2022

Yeah, this looks like us failing to handle fractional seconds in the RFC3339 timestamp we're getting back from OSV. I'll have a fix in a moment.

@woodruffw
Member

Looks like OSV now returns some RFC3339 timestamps with fractional seconds, while others don't have it. I'm going to raise this upstream, since while it's strictly correct from RFC3339's perspective it makes things harder for clients and might indicate an unintentional change on their part.
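
An added illustration of the failure discussed in this thread (not part of the issue, and not pip-audit's code or the fix in #417): `parse_strict` reproduces the `strptime` call from the traceback, and the hypothetical `parse_rfc3339_utc` accepts timestamps with or without fractional seconds. Attaching UTC and truncating below microseconds are choices made for this example.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Format string from the traceback: whole seconds only.
STRICT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# 'Z'-suffixed RFC 3339 timestamp with an optional fraction of any length.
_RFC3339_Z = re.compile(
    r"([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2})(?:\.([0-9]+))?Z"
)


def parse_strict(dt: str) -> datetime:
    """The failing call from the traceback, reproduced for comparison."""
    return datetime.strptime(dt, STRICT_FORMAT)


def parse_rfc3339_utc(dt: Optional[str]) -> Optional[datetime]:
    """Hypothetical tolerant parser: the fraction is optional.

    A missing field yields None; anything else that is not a well-formed
    UTC timestamp raises ValueError instead of being silently accepted.
    """
    if dt is None:
        return None
    match = _RFC3339_Z.fullmatch(dt)
    if match is None:
        raise ValueError(f"not an RFC 3339 UTC timestamp: {dt!r}")
    # strptime still range-checks month, day, hour, minute and second.
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    # datetime stores microseconds, so pad short fractions and truncate
    # anything finer than six digits.
    micros = int((match.group(2) or "")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


if __name__ == "__main__":
    samples = [
        "2022-10-22T00:00:27.668938Z",     # value from the traceback
        "2022-10-22T00:00:27Z",            # constructed: no fraction
        "2022-10-22T00:00:27.123456789Z",  # constructed: nanoseconds
    ]
    for sample in samples:
        print(sample, "->", parse_rfc3339_utc(sample).isoformat())
```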

@woodruffw
Member

#417 has the fix. @TECH7Fox would you mind giving the changes in that PR a try?

@TECH7Fox
Author

Thanks, that was fast. Will try tomorrow. Is there an easy way to use the PR?

@woodruffw
Member

> Is there an easy way to use the PR?

The easiest way is to check the repository out and follow the development steps in the CONTRIBUTING.md.

@TECH7Fox
Author

TECH7Fox commented Nov 26, 2022

@woodruffw the branch works for me.

@woodruffw
Member

> @woodruffw the branch works for me.

Glad to hear it! I'll merge and get a release cut soon. Thanks again for reporting, and for helping debug!

@TECH7Fox
Author

> Glad to hear it! I'll merge and get a release cut soon. Thanks again for reporting, and for helping debug!

Great, thanks for the fast update!

@woodruffw
Member

No problem! In the meantime, the PyPI service (-s pypi) should still be functioning correctly.
