-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add --cve Flag to Safety Scan Command for CVE Details Reporting #635
base: main
Are you sure you want to change the base?
Conversation
WalkthroughThe changes primarily enhance the scanning functionality within the Changes
Possibly related PRs
Poem
📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Tested locally by running Data output looks like the following:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (3)
safety/scan/command.py (3)
470-472
: Optimize type checking for CVE dataThe multiple
isinstance
checks can be combined for better readability and performance.-filtered_cve = [ - cve for cve in vuln.CVE if isinstance(cve, str) or isinstance(cve, dict) -] +filtered_cve = [ + cve for cve in vuln.CVE if isinstance(cve, (str, dict)) +]🧰 Tools
🪛 Ruff
471-471: Multiple
isinstance
calls forcve
, merge into a single callMerge
isinstance
calls forcve
(SIM101)
492-498
: Consider moving severity order mapping to constantsThe severity order mapping should be defined as a constant at the module level for better maintainability and reusability.
+SEVERITY_ORDER = { + "CRITICAL": 4, + "HIGH": 3, + "MEDIUM": 2, + "LOW": 1, + "UNKNOWN": 0, +} -severity_order = { - "CRITICAL": 4, - "HIGH": 3, - "MEDIUM": 2, - "LOW": 1, - "UNKNOWN": 0, # Catch-all for unrecognized severities -}
482-487
: Simplify severity extraction logicThe nested conditional for severity extraction can be simplified using the get method with a default value.
-"severity": vuln.severity.cvssv3.get( - "base_severity", "Unknown" -) -if vuln.severity and vuln.severity.cvssv3 -else "Unknown", +"severity": (vuln.severity and vuln.severity.cvssv3 and + vuln.severity.cvssv3.get("base_severity")) or "Unknown",
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (2)
safety/scan/command.py
(5 hunks)safety/scan/constants.py
(1 hunks)
🧰 Additional context used
🪛 Ruff
safety/scan/command.py
471-471: Multiple isinstance
calls for cve
, merge into a single call
Merge isinstance
calls for cve
(SIM101)
🔇 Additional comments (3)
safety/scan/constants.py (1)
Line range hint 89-91
: LGTM! Clear and consistent help text.
The updated help text for SCAN_APPLY_FIXES
follows the established pattern and clearly communicates:
- The scope of supported files
- The impact on requirements.txt files
- Proper formatting using [bold] and [nhc] tags
safety/scan/command.py (2)
244-247
: LGTM: Well-structured CLI parameter addition
The new --cve
flag follows the established pattern and includes proper type annotations and help text.
Line range hint 845-867
: LGTM: Well-implemented vulnerability summary function
The function is well-documented, uses proper type hints, and efficiently processes the nested data structure to calculate vulnerability totals.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for the launch.json in .vscode can you add the below please?
|
It will be worth adding unit tests and assert that the newly added |
This PR introduces a new
--cve
flag to the safety scan command, enabling users to fetch and display detailed CVE (Common Vulnerabilities and Exposures) information for identified vulnerabilities in their project dependencies.Changes Made
1. New --cve Flag
2. CVE Data Extraction
3. Custom Severity-Based Sorting
4. Enhanced Output
5. Fallback Handling for Missing/Unknown Data
Example Usage
Run the following command to scan a project and include CVE details in the output:
safety scan --cve
Summary by CodeRabbit
New Features
--cve
for scanning, allowing users to request CVE details during the scan.Documentation