Switch to pip-audit

Replace Safety with pip-audit. The safety used an old cve database and requires a licence for commercial use. Signed-off-by: Ales Raszka <[email protected]>
redhat-openshift-ecosystem · Jan 2, 2025 · c7b6080 · c7b6080
1 parent 3a15582
commit c7b6080
Show file tree

Hide file tree

Showing 12 changed files with 1,171 additions and 786 deletions.
diff --git a/local-dev/pip-audit-parse.py b/local-dev/pip-audit-parse.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+import json
+import argparse
+from typing import Dict, Any
+
+from rich.table import Table
+from rich.console import Console
+
+
+def parse_vulnerabilities_json(data: Dict[str, Any]) -> bool:
+    """
+    Parses pip-audit json output, extracts fixable vulnerabilities
+    and pretty prints them.
+    """
+
+    vulnerable_packages = []
+    for package in data.get("dependencies", {}):
+        name = package.get("name")
+        vulnerabilities = package.get("vulns", [])
+        version = package.get("version")
+        if not vulnerabilities:
+            print(f"✅ {name} {version}")
+        else:
+            has_fixable_vulnerabilities = False
+            for vulnerability in vulnerabilities:
+                # filter out vulnerabilities that cannot be fixed
+                if fix := vulnerability.get("fix_versions", []) or None:
+                    vulnerable_packages.append(
+                        {
+                            "name": name,
+                            "version": version,
+                            "vulnerability": vulnerability.get("id"),
+                            "fix": fix,
+                        }
+                    )
+                    has_fixable_vulnerabilities = True
+            if has_fixable_vulnerabilities:
+                print(f"❌ {name} {version}")
+            else:
+                print(f"❗ {name} {version}")
+
+    if vulnerable_packages:
+        print("Vulnerable packages found:")
+        table = Table("Package", "Version", "Vulnerability", "Fixed version")
+        to_update = []
+        for package in vulnerable_packages:
+            table.add_row(
+                package["name"],
+                package["version"],
+                package["vulnerability"],
+                ",".join(package["fix"]),
+            )
+            to_update.append(package["name"])
+        console = Console()
+        console.print(table)
+        print(f"To fix, run:\npdm update {' '.join(to_update)}  --update-reuse")
+        return False
+    return True
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Process a JSON file.")
+    parser.add_argument("filename", help="The JSON file to process")
+
+    args = parser.parse_args()
+    with open(args.filename, "r") as file:
+        data = json.load(file)
+
+    if not parse_vulnerabilities_json(data):
+        exit(1)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/local-dev/pip-audit.sh b/local-dev/pip-audit.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# remove any previous runs to ensure isolated run
+rm -f /tmp/audit-output.json
+# run pip-audit on dependencies, output to json file, mask any failures
+pip-audit -r /tmp/requirements.txt --format=json -o /tmp/audit-output.json || true
diff --git a/operator-pipeline-images/operatorcert/entrypoints/build_scratch_catalog.py b/operator-pipeline-images/operatorcert/entrypoints/build_scratch_catalog.py
@@ -53,7 +53,7 @@ def setup_argparser() -> argparse.ArgumentParser:
     return parser
 
 
-def generate_and_save_basic_template(  # pylint: disable=too-many-arguments
+def generate_and_save_basic_template(  # pylint: disable=too-many-arguments,too-many-positional-arguments
     template_path: str,
     package: str,
     default_channel: str,

diff --git a/operator-pipeline-images/operatorcert/entrypoints/check_permissions.py b/operator-pipeline-images/operatorcert/entrypoints/check_permissions.py
@@ -67,7 +67,7 @@ class OperatorReview:
     A class represents a pull request review and permissions check
     """
 
-    def __init__(  # pylint: disable=too-many-arguments
+    def __init__(  # pylint: disable=too-many-arguments,too-many-positional-arguments
         self,
         operator: Operator,
         pr_owner: str,

diff --git a/operator-pipeline-images/operatorcert/entrypoints/github_pr.py b/operator-pipeline-images/operatorcert/entrypoints/github_pr.py
@@ -69,7 +69,7 @@ def setup_argparser() -> Any:  # pragma: no cover
     return parser
 
 
-def open_pr(  # pylint: disable=too-many-arguments
+def open_pr(  # pylint: disable=too-many-arguments,too-many-positional-arguments
     github_api_url: str,
     repo_name: str,
     head: str,

diff --git a/operator-pipeline-images/operatorcert/entrypoints/static_tests.py b/operator-pipeline-images/operatorcert/entrypoints/static_tests.py
@@ -54,7 +54,7 @@ def setup_argparser() -> argparse.ArgumentParser:
     return parser
 
 
-def execute_checks(  # pylint: disable=too-many-arguments
+def execute_checks(  # pylint: disable=too-many-arguments,too-many-positional-arguments
     repo_path: str,
     operator_name: str,
     bundle_version: str,

diff --git a/operator-pipeline-images/operatorcert/github.py b/operator-pipeline-images/operatorcert/github.py
@@ -274,7 +274,7 @@ def add_or_remove_labels(  # pylint: disable=too-many-locals
     remove_labels_from_pull_request(pull_request, labels_to_remove)
 
 
-def open_pull_request(  # pylint: disable=too-many-arguments
+def open_pull_request(  # pylint: disable=too-many-arguments,too-many-positional-arguments
     github_client: Github,
     repository_name: str,
     title: str,

diff --git a/operator-pipeline-images/operatorcert/parsed_file.py b/operator-pipeline-images/operatorcert/parsed_file.py
@@ -151,7 +151,7 @@ class ParserResults:
     Data class to store the results of the detect_changes function
     """
 
-    def __init__(  # pylint: disable=too-many-arguments
+    def __init__(  # pylint: disable=too-many-arguments,too-many-positional-arguments
         self,
         affected_operators: AffectedOperatorCollection,
         affected_bundles: AffectedBundleCollection,

diff --git a/operator-pipeline-images/operatorcert/umb.py b/operator-pipeline-images/operatorcert/umb.py
@@ -18,7 +18,7 @@ class UmbClient:
     A UMB client for sending and receiving messages from the UMB.
     """
 
-    def __init__(  # pylint: disable=too-many-arguments
+    def __init__(  # pylint: disable=too-many-arguments,too-many-positional-arguments
         self,
         hostnames: List[tuple[str, int]],
         cert_file: str,