Appinspect is generating failures for Splunklib 1.7.4

[cschmidt0121]

Describe the bug
Running Appinspect in precert mode with cloud tags enabled on an app containing splunklib results in a failure for lack of support for v2 API. This seems likely an issue with appinspect's check but I'm opening an issue here to try and get visibility on it.

To Reproduce

1. Grab an app that has splunklib.py in it
2. splunk-appinspect inspect ./<the app>.spl --mode precert --included-tags cloud

Expected behavior
No failed checks, since this is a Splunk module, or an update to splunklib.

Logs or Screenshots

            FAILURE: Some 'search/*' endpoints has been deprecated in Splunk
            9.0.1 and replaced by new v2 APIs.They might be removed entirely in
            a future release. An alternative could be found at
            https://docs.splunk.com/Documentation/Splunk/9.0.1/RESTREF/RESTsearch#Semantic_API_versioning
            File: lib/splunklib/client.py Line Number: 578

Splunk (please complete the following information):
N/A

SDK (please complete the following information):

• Version: 1.7.4
• Language Runtime Version: 3.11
• OS: Mac OS 13.6

Additional context
N/A

[aciesielczyk-splunk]

Good morning,
Could you provide AppInspect CLI version?
Could you also try to submit the same app via AppInspect API and let us know whether this behaviour still occurs?
Thanks

[sanjay900]

I can confirm i am seeing this behaviour with Splunklib 2.0.0 and the AppInspect API as well.

[max-ipinfo]

@aciesielczyk-splunk @szymonjas @maszyk99 This is still an issue with Splunklib 2.1.0.

How can we ignore this failure message? Splunkbase report after uploading a new app version says "Failures will block the Cloud Vetting. They must be fixed"

[max-ipinfo]

Thanks to @bigboynaruto's insight in #594, I was able to bypass the error:
#594 (comment)

TL;DR make sure that you have the exact copy of splunklib in your Splunk application, without linting/formatting of that code, otherwise AppInspect may complain.

[aciesielczyk-splunk]

Yes, that's right

[jonathan-s]

We bumped into this issue as well, our fix was that we changed that line to contain /v1/ which is valid according to documentation. So it's either a bug here in splunklib or in appinspect.

[bigboynaruto]

Hi @jonathan-s

Could you let me know which exact line was changed?

[jonathan-s]

@bigboynaruto It was this line here >
https://github.com/splunk/splunk-sdk-python/blob/master/splunklib/client.py#L572

[bigboynaruto]

@jonathan-s
Could you share the documentation that states that search/v1/parser is correct? According to REST API Reference Manual , it's either search/parser or search/v2/parser.
In general, splunklib source code should not be modified, otherwise it is not splunklib anymore, therefore AppInspect may not pass it.

[jonathan-s]

@bigboynaruto The error message that OP has links to the documentation.
https://docs.splunk.com/Documentation/Splunk/9.0.1/RESTREF/RESTsearch#Semantic_API_versioning

Instead, refer to this v1 endpoint without any version or with v1 only, like the following example:
https://localhost:8089/services/search/jobs/export
https://localhost:8089/services/search/v1/jobs/export

I know that splunklib should not be modified, but obviously there are bugs in there. Otherwise we wouldn't be raising issues here. :)

[bigboynaruto]

@jonathan-s That's the same page I linked. Can you point me to the place that mentions specifically search/v1/parser? I can only find search/parser (see screenshot).

Could you also clarify what was the bug that you were trying to fix by attaching /v1/?

[jonathan-s]

@bigboynaruto I was linking to a specific version of that page. Notice 9.0.1 in the url that linked. Your link does not contain that. The bug is the same as the name of this issue; appinspect generating failures.

So you could argue that the origin of the bug is actually in appinspect as it's not accepting an url without v1/v2. However adding v1 silences the error.

[bigboynaruto]

@jonathan-s

However adding v1 silences the error.

Now I understand what you meant. So you had this failure before adding /v1/. Yes, it is indeed silenced because AppInspect searches for search/parser.

Could you submit your package to AppInspect API and share the request ID. For privacy reasons you can do so by contacting us via email: https://dev.splunk.com/enterprise/docs/developapps/testvalidate/appinspect/#Get-help-with-Splunk-AppInspect.
Then I'll get back to you after reviewing your submission.

[bigboynaruto]

Hey @jonathan-s , hope you are doing well! I was wondering, have you already submitted your package to AppInspect?

[jonathan-s]

@bigboynaruto Sorry for the late reply. The package should have been submitted to appinspect when we sent in the latest version of https://splunkbase.splunk.com/app/4920 for certification.

[bigboynaruto]

@jonathan-s
Your app has modifications in two places of client.py:

1. Imports from . instead of splunklib, i.e. from . import xyz should be from splunklib import xyz
2. New line at the end of the file

You can run diff utility on your file and the one in the SDK source code to find out the exact places.
It's best to just copy the source code form the Splunk SDK's Github repo, as suggested in #554 (comment). Unfortunately, you might need to restructure your project a bit.