feat: added pyproject.toml

[Rexbeast2]

fixes #1595

[terriko]

This looks like a good start, but it seems like it's got some syntax issues around setuptools? I don't actually know how to resolve these so you'll have to read the docs.

        File "/tmp/pip-build-env-3gi0wdcb/overlay/lib/python3.8/site-packages/setuptools/config/pyprojecttoml.py", line 51, in validate
          raise ValueError(f"{error}\n{summary}") from None
      ValueError: invalid pyproject.toml config: `tool.setuptools`.
      configuration error: `tool.setuptools` must not contain {'source', 'dependencies', 'extras', 'dev-dependencies'} properties
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.

[Rexbeast2]

@terriko Could you guide me on this one? I got stuck on the test, and I think they are checker tests. It could be because I have not included the checker as an entry point. I have read through their documentation but wasn't able to find how to implement a checker as a function in the entry point. A solution that I have guessed is to hardcode every checker in toml. but it is impractical and awful to look.

[terriko]

@Rexbeast2 I actually don't know enough to provide guidance here since I haven't really used pyproject.toml for anything as complicated as our current checker setup. You'll probably have to do a lot of searching and reading the docs to figure it out.

[Rexbeast2]

@terriko OK. I will try to figure out as soon as possible.

[codecov-commenter]

Codecov Report

Merging #2654 (0f61af2) into main (cc190a3) will increase coverage by 0.17%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #2654      +/-   ##
==========================================
+ Coverage   80.00%   80.17%   +0.17%     
==========================================
  Files         670      670              
  Lines       10490    10490              
  Branches     1220     1220              
==========================================
+ Hits         8392     8410      +18     
+ Misses       1719     1706      -13     
+ Partials      379      374       -5     

Flag	Coverage Δ
win-longtests	80.17% <ø> (+0.17%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 3 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[Rexbeast2]

@terriko I have updated pyproject.toml and I think this pyproject.toml is ready. Can you review it, please.

[terriko]

Ran out of time for code review today but this looks maybe ready. (sorry it fell off my radar for a while there!)

I'm not sure if it's a good idea to have both pyproject.toml and setup.py at the same time so I need to some research, and I'm going to update the branch to see if that resolves whatever was going on with the windows tests. I should be back to look at it tomorrow!

[terriko]

Looks like we're getting a lot of errors or warnings on python 3.11. Here's one of the shorter ones:

              ********************************************************************************
              ##########################################################################
              # configuration would be ignored/result in error due to `pyproject.toml` #
              ##########################################################################
      
              The following seems to be defined outside of `pyproject.toml`:
      
              `maintainers = 'Terri Oda'`
      
              According to the spec (see the link below), however, setuptools CANNOT
              consider this value unless `maintainers` is listed as `dynamic`.
      
              https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
      
              For the time being, `setuptools` will still consider the given value (as a
              **transitional** measure), but please note that future releases of setuptools will
              follow strictly the standard.
      
              To prevent this warning, you can list `maintainers` under `dynamic` or alternatively
              remove the `[project]` table from your file and rely entirely on other means of
              configuration.
      
              By 2023-Oct-30, you need to update your project and remove deprecated calls
              or your builds will no longer be supported.
              ********************************************************************************

I can't tell if most of these happen because setup.py still exists (as in that's the "other place" where things are defined) or if there's something else going on.

[terriko]

Okay, I updated this branch to see what kind of errors were being thrown and if it was likely to get worked on and what I get is this....

      /tmp/pip-build-env-86geumey/overlay/lib/python3.8/site-packages/setuptools/config/_apply_pyprojecttoml.py:73: _WouldIgnoreField: `scripts` defined outside of `pyproject.toml` would be ignored.
      !!
      
              ********************************************************************************
              ##########################################################################
              # configuration would be ignored/result in error due to `pyproject.toml` #
              ##########################################################################
      
              The following seems to be defined outside of `pyproject.toml`:
      
              `scripts = ['cve-bin-tool = cve_bin_tool.cli:main', 'csv2cve = cve_bin_tool.csv2cve:main']`
      
              According to the spec (see the link below), however, setuptools CANNOT
              consider this value unless `scripts` is listed as `dynamic`.
      
              https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
      
              For the time being, `setuptools` will still consider the given value (as a
              **transitional** measure), but please note that future releases of setuptools will
              follow strictly the standard.
      
              To prevent this warning, you can list `scripts` under `dynamic` or alternatively
              remove the `[project]` table from your file and rely entirely on other means of
              configuration.
      
              By 2023-Oct-30, you need to update your project and remove deprecated calls
              or your builds will no longer be supported.
              ********************************************************************************
      
      !!
        _handle_missing_dynamic(dist, project_table)
      /tmp/pip-build-env-86geumey/overlay/lib/python3.8/site-packages/setuptools/config/_apply_pyprojecttoml.py:73: _WouldIgnoreField: `dependencies` defined outside of `pyproject.toml` would be ignored.
      !!
      
              ********************************************************************************
              ##########################################################################
              # configuration would be ignored/result in error due to `pyproject.toml` #
              ##########################################################################
      
              The following seems to be defined outside of `pyproject.toml`:
      
              `dependencies = ['aiohttp[speedups]>=3.7.4', 'beautifulsoup4', 'cvss', 'defusedxml', 'distro', 'gsutil', 'importlib_metadata>=3.6; python_version < "3.10"', 'importlib_resources; python_version < "3.9"', 'jinja2>=2.11.3', 'jsonschema>=3.0.2', 'lib4sbom>=0.3.0', 'python-gnupg', 'packaging<22.0', 'plotly', 'pyyaml>=5.4', 'requests', 'rich', 'rpmfile>=1.0.6', 'toml', 'urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs', 'xmlschema', 'zstandard; python_version >= "3.4"', '']`
      
              According to the spec (see the link below), however, setuptools CANNOT
              consider this value unless `dependencies` is listed as `dynamic`.
      
              https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
      
              For the time being, `setuptools` will still consider the given value (as a
              **transitional** measure), but please note that future releases of setuptools will
              follow strictly the standard.
      
              To prevent this warning, you can list `dependencies` under `dynamic` or alternatively
              remove the `[project]` table from your file and rely entirely on other means of
              configuration.
      
              By 2023-Oct-30, you need to update your project and remove deprecated calls
              or your builds will no longer be supported.
              ********************************************************************************
      
      !!
        _handle_missing_dynamic(dist, project_table)
      error: can't copy 'cache/gad/gemnasium-db-master-pypi/pypi/rpc.py': doesn't exist or not a regular file
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
  ERROR: Failed building wheel for cve-bin-tool
ERROR: Could not build wheels for cve-bin-tool, which is required to install pyproject.toml-based projects
Failed to build cve-bin-tool

I don't really know how to fix this at this time, and I'm not sure we're up for maintaining pyproject.toml yet and I know you're busy finishing up GSoC and doing school. So I think what I'm going to do is cut/paste some notes into the issue about how far you got, then close this for now.

[terriko]

Okay, I've updated the issue in case we want to work on it more in the future, and I'm going to close this PR so it's no longer on my to-review list before 3.3 release.