From 2a31bb48c755e22b97a198e81029825dc5c06834 Mon Sep 17 00:00:00 2001
From: timothy-bartlett
Date: Wed, 28 Dec 2022 19:44:40 -0500
Subject: [PATCH] Include setuptools in upgrade set (#454)

* _virtual_env: ensure setuptools is up-to-date

Signed-off-by: William Woodruff

* _virtual_env: add TODO

Signed-off-by: William Woodruff

* CHANGELOG: record changes

Signed-off-by: William Woodruff

Signed-off-by: William Woodruff
---
 CHANGELOG.md | 6 ++++++
 pip_audit/_virtual_env.py | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17e66a67..28aac0be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,12 @@ All versions prior to 0.0.9 are untracked.
 
 ## [Unreleased]
 
+### Fixed
+
+* Fixed `pip-audit`'s virtual environment creation and upgrade behavior,
+ preventing spurious vulnerability reports
+ ([#454](https://github.com/pypa/pip-audit/pull/454))
+
 ## [2.4.11]
 
 ### Fixed
diff --git a/pip_audit/_virtual_env.py b/pip_audit/_virtual_env.py
index 39830eec..d8be08f7 100644
--- a/pip_audit/_virtual_env.py
+++ b/pip_audit/_virtual_env.py
@@ -78,6 +78,8 @@ def post_setup(self, context: SimpleNamespace) -> None:
 
 # Firstly, upgrade our `pip` versions since `ensurepip` can leave us with an old version
 # and install `wheel` in case our package dependencies are offered as wheels
+ # TODO: This is probably replaceable with the `upgrade_deps` option on `EnvBuilder`
+ # itself, starting with Python 3.9.
 pip_upgrade_cmd = [
 context.env_exe,
 "-m",
@@ -86,6 +88,7 @@ def post_setup(self, context: SimpleNamespace) -> None:
 "--upgrade",
 "pip",
 "wheel",
+ "setuptools",
 ]
 try:
 run(pip_upgrade_cmd, state=self._state)
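Review bot: The comment directly above the new TODO still describes the command as upgrading `pip` and installing `wheel`, which no longer matches the list once `"setuptools"` is appended in the second `_virtual_env.py` hunk; I would rewrite the two lines as `# Firstly, upgrade pip and setuptools since ensurepip can leave us with old versions,` and `# and install wheel in case our package dependencies are offered as wheels`. The TODO could also be a little more precise: `EnvBuilder(upgrade_deps=True)` only refreshes the core venv dependencies (pip and setuptools on 3.9–3.11, and as far as I know pip alone from 3.12), so `wheel` would still need this explicit install step. Since the `--upgrade` run is unpinned, which versions of these three packages end up in the audited environment depends on whatever the configured index serves at run time; a one-line comment stating that would help whoever next investigates a surprising report from this environment. `post_setup` starts before the first hunk and its `try`/`except` around `run(...)` continues past the second.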