🐞 Vulnerability issue creator fails when Maven report does not contai…

…n "vulnerable" entry Fixes #102
exasol · Nov 13, 2023 · bf8e120 · bf8e120
1 parent ef2fffa
commit bf8e120
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 11 deletions.
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -6,6 +6,10 @@
 Unreleased
 ==========
 
+🐞 Fixed
+--------
+* Fix failing vulnerability issue creator when Maven report does not contain "vulnerable" entry
+
 🔧 Changed
 ----------
 

diff --git a/exasol/toolbox/tools/security.py b/exasol/toolbox/tools/security.py
@@ -87,17 +87,18 @@ def gh_security_issues() -> Generator[Tuple[str, str], None, None]:
 def from_maven(report: str) -> Iterable[Issue]:
     # Note: Consider adding warnings if there is the same cve with multiple coordinates
     report = json.loads(report)
-    dependencies = report["vulnerable"]  # type: ignore
-    for _, dependency in dependencies.items():  # type: ignore
-        for v in dependency["vulnerabilities"]:  # type: ignore
-            references = [v["reference"]] + v["externalReferences"]
-            yield Issue(
-                cve=v["cve"],
-                cwe=v["cwe"],
-                description=v["description"],
-                coordinates=dependency["coordinates"],
-                references=tuple(references),
-            )
+    if "vulnerable" in report:
+        dependencies = report["vulnerable"]  # type: ignore
+        for _, dependency in dependencies.items():  # type: ignore
+            for v in dependency["vulnerabilities"]:  # type: ignore
+                references = [v["reference"]] + v["externalReferences"]
+                yield Issue(
+                    cve=v["cve"],
+                    cwe=v["cwe"],
+                    description=v["description"],
+                    coordinates=dependency["coordinates"],
+                    references=tuple(references),
+                )
 
 
 def security_issue_title(issue: Issue) -> str:

diff --git a/test/unit/security_test.py b/test/unit/security_test.py
@@ -354,3 +354,8 @@ def test_convert_maven_input(maven_report):  # pylint: disable=redefined-outer-n
     }
     actual = set(security.from_maven(maven_report))
     assert actual == expected
+
+
+def test_convert_maven_input_no_vulnerable():  # pylint: disable=redefined-outer-name
+    actual = set(security.from_maven("{}"))
+    assert len(actual) == 0