Move references_links to Vulnerability

Author: ArBridgeman

exasol/toolbox/tools/security.py

@@ -105,19 +105,14 @@ def from_maven(report: str) -> Iterable[Issue]:
             )
 
 
-def identify_pypi_references(
-    references: list[str], package_name: str
-) -> tuple[list[str], list[str], list[str]]:
+def identify_pypi_references(references: list[str]) -> tuple[list[str], list[str]]:
     refs: dict = {k: [] for k in VulnerabilitySource}
-    links = []
     for reference in references:
         if source := VulnerabilitySource.from_prefix(reference.upper()):
             refs[source].append(reference)
-            links.append(source.get_link(package=package_name, vuln_id=reference))
     return (
         refs[VulnerabilitySource.CVE],
         refs[VulnerabilitySource.CWE],
-        links,
     )
 
 
@@ -142,6 +137,11 @@ def from_pip_audit(report: str) -> Iterable[Issue]:
               "CVE-2025-27516"
             ],
             "description": "An oversight ..."
+            "coordinates": "jinja2:3.1.5",
+            "references": [
+              "https://github.com/advisories/GHSA-cpwx-vrp4-4pq7",
+              "https://nvd.nist.gov/vuln/detail/CVE-2025-27516"
+            ]
           }
         ]
 
@@ -153,16 +153,16 @@ def from_pip_audit(report: str) -> Iterable[Issue]:
     vulnerabilities = json.loads(report)
 
     for vulnerability in vulnerabilities:
-        cves, cwes, links = identify_pypi_references(
-            references=vulnerability["refs"], package_name=vulnerability["name"]
+        cves, cwes = identify_pypi_references(
+            references=vulnerability["refs"],
         )
         if cves:
             yield Issue(
                 cve=sorted(cves)[0],
                 cwe="None" if not cwes else ", ".join(cwes),
                 description=vulnerability["description"],
                 coordinates=vulnerability["coordinates"],
-                references=tuple(links),
+                references=tuple(vulnerability["references"]),
             )
 
 

exasol/toolbox/util/dependencies/audit.py

@@ -83,14 +83,27 @@ def from_audit_entry(
             description=vuln_entry["description"],
         )
 
+    @property
+    def references(self) -> list[str]:
+        return [self.id] + self.aliases
+
+    @property
+    def reference_links(self) -> tuple[str, ...]:
+        return tuple(
+            source.get_link(package=self.name, vuln_id=reference)
+            for reference in self.references
+            if (source := VulnerabilitySource.from_prefix(reference.upper()))
+        )
+
     @property
     def security_issue_entry(self) -> dict[str, str | list[str]]:
         return {
             "name": self.name,
             "version": str(self.version),
-            "refs": [self.id] + self.aliases,
+            "refs": self.references,
             "description": self.description,
             "coordinates": self.coordinates,
+            "references": self.reference_links,
         }
 
 

test/conftest.py

@@ -1,6 +1,5 @@
 import json
 from inspect import cleandoc
-from typing import Union
 
 import pytest
 
@@ -60,13 +59,17 @@ def nox_dependencies_audit(self) -> str:
         return json.dumps([self.security_issue_entry], indent=2) + "\n"
 
     @property
-    def security_issue_entry(self) -> dict[str, str | list[str]]:
+    def security_issue_entry(self) -> dict[str, str | list[str] | tuple[str, ...]]:
         return {
             "name": self.package_name,
             "version": self.version,
             "refs": [self.vulnerability_id, self.cve_id],
             "description": self.description,
             "coordinates": f"{self.package_name}:{self.version}",
+            "references": (
+                f"https://github.com/advisories/{self.vulnerability_id}",
+                f"https://nvd.nist.gov/vuln/detail/{self.cve_id}",
+            ),
         }
 
     @property

test/unit/security_test.py

@@ -47,18 +47,18 @@ def test_security_issue_title_template(self, expected, issue):
             (
                 cleandoc(
                     """
-                    ## Summary
-                    Random Multiline
-                    Description
-                    ;)
-
-                    CVE: CVE-2023-39410
-                    CWE: CWE-XYZ
-
-                    ## References
-                    - https://www.example.com
-                    - https://www.foobar.com
-                    """
+                        ## Summary
+                        Random Multiline
+                        Description
+                        ;)
+
+                        CVE: CVE-2023-39410
+                        CWE: CWE-XYZ
+
+                        ## References
+                        - https://www.example.com
+                        - https://www.foobar.com
+                        """
                 ),
                 security.Issue(
                     cve="CVE-2023-39410",
@@ -354,38 +354,28 @@ def test_from_prefix(prefix: str, expected):
     [
         pytest.param(
             "CVE-2025-27516",
-            (
-                ["CVE-2025-27516"],
-                [],
-                ["https://nvd.nist.gov/vuln/detail/CVE-2025-27516"],
-            ),
+            (["CVE-2025-27516"], []),
             id="CVE_identified_with_link",
         ),
         pytest.param(
             "CWE-611",
-            ([], ["CWE-611"], ["https://cwe.mitre.org/data/definitions/611.html"]),
+            ([], ["CWE-611"]),
             id="CWE_identified_with_link",
         ),
         pytest.param(
             "GHSA-cpwx-vrp4-4pq7",
-            ([], [], ["https://github.com/advisories/GHSA-cpwx-vrp4-4pq7"]),
+            ([], []),
             id="GHSA_link",
         ),
         pytest.param(
             "PYSEC-2025-9",
-            (
-                [],
-                [],
-                [
-                    "https://github.com/pypa/advisory-database/blob/main/vulns/dummy/PYSEC-2025-9.yaml"
-                ],
-            ),
+            ([], []),
             id="PYSEC_link",
         ),
     ],
 )
 def test_identify_pypi_references(reference: str, expected):
-    actual = security.identify_pypi_references([reference], package_name="dummy")
+    actual = security.identify_pypi_references([reference])
     assert actual == expected
 
 
@@ -397,7 +387,7 @@ def test_no_vulnerability_returns_empty_list():
 
     @staticmethod
     def test_convert_vulnerability_to_issue(sample_vulnerability):
-        actual = set(
+        actual = next(
             security.from_pip_audit(sample_vulnerability.nox_dependencies_audit)
         )
-        assert actual == {sample_vulnerability.security_issue}
+        assert actual == sample_vulnerability.security_issue

test/unit/util/dependencies/audit_test.py

@@ -46,6 +46,44 @@ def test_security_issue_entry(sample_vulnerability):
             == sample_vulnerability.security_issue_entry
         )
 
+    @staticmethod
+    @pytest.mark.parametrize(
+        "reference, expected",
+        [
+            pytest.param(
+                "CVE-2025-27516",
+                "https://nvd.nist.gov/vuln/detail/CVE-2025-27516",
+                id="CVE",
+            ),
+            pytest.param(
+                "CWE-611",
+                "https://cwe.mitre.org/data/definitions/611.html",
+                id="CWE",
+            ),
+            pytest.param(
+                "GHSA-cpwx-vrp4-4pq7",
+                "https://github.com/advisories/GHSA-cpwx-vrp4-4pq7",
+                id="GHSA",
+            ),
+            pytest.param(
+                "PYSEC-2025-9",
+                "https://github.com/pypa/advisory-database/blob/main/vulns/jinja2/PYSEC-2025-9.yaml",
+                id="PYSEC",
+            ),
+        ],
+    )
+    def test_reference_links(sample_vulnerability, reference: str, expected: list[str]):
+        result = Vulnerability(
+            name=sample_vulnerability.package_name,
+            version=sample_vulnerability.version,
+            id=reference,
+            aliases=[],
+            fix_versions=[sample_vulnerability.fix_version],
+            description=sample_vulnerability.description,
+        )
+
+        assert result.reference_links == (expected,)
+
 
 class TestAuditPoetryFiles:
     @staticmethod