Add vulnerability_id and subsection_for_changelog_summary with tests

ArBridgeman · ArBridgeman · commit 27937f89f4ae · 2025-11-06T10:10:47.000+01:00
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -6,6 +6,10 @@
 * #535: Added more information about Sonar's usage of ``exclusions``
 * #596: Corrected and added more information regarding ``pyupgrade``
 
+## Features
+
+* #595: Created class `ResolvedVulnerabilities` to track resolved vulnerabilities between versions
+
 ## Refactoring
 
 * #596: Added newline after header in versioned changelog
diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py
@@ -5,6 +5,7 @@
 import tempfile
 from dataclasses import dataclass
 from enum import Enum
+from inspect import cleandoc
 from pathlib import Path
 from re import search
 from typing import (
@@ -85,7 +86,7 @@ def from_audit_entry(
 
     @property
     def references(self) -> list[str]:
-        return [self.id] + self.aliases
+        return sorted([self.id] + self.aliases)
 
     @property
     def reference_links(self) -> tuple[str, ...]:
@@ -106,6 +107,31 @@ def security_issue_entry(self) -> dict[str, str | list[str]]:
             "references": self.reference_links,
         }
 
+    @property
+    def vulnerability_id(self) -> str | None:
+        """
+        Ensure a consistent way of identifying a vulnerability for string generation.
+        """
+        for ref in self.references:
+            ref_upper = ref.upper()
+            if ref_upper.startswith(VulnerabilitySource.CVE.value):
+                return ref
+            if ref_upper.startswith(VulnerabilitySource.GHSA.value):
+                return ref
+            if ref_upper.startswith(VulnerabilitySource.PYSEC.value):
+                return ref
+        return self.references[0]
+
+    @property
+    def subsection_for_changelog_summary(self) -> str:
+        """
+        Create a subsection to be included in the Summary section of a versioned changelog.
+        """
+        links_join = "\n* ".join(sorted(self.reference_links))
+        references_subsection = f"\n#### References:\n\n* {links_join}\n\n "
+        subsection = f"### {self.vulnerability_id} in {self.coordinates}\n\n{self.description}\n{references_subsection}"
+        return cleandoc(subsection.strip())
+
 
 def audit_poetry_files(working_directory: Path) -> str:
     """
diff --git a/test/conftest.py b/test/conftest.py
@@ -63,12 +63,12 @@ def security_issue_entry(self) -> dict[str, str | list[str] | tuple[str, ...]]:
         return {
             "name": self.package_name,
             "version": self.version,
-            "refs": [self.vulnerability_id, self.cve_id],
+            "refs": [self.cve_id, self.vulnerability_id],
             "description": self.description,
             "coordinates": f"{self.package_name}:{self.version}",
             "references": (
-                f"https://github.com/advisories/{self.vulnerability_id}",
                 f"https://nvd.nist.gov/vuln/detail/{self.cve_id}",
+                f"https://github.com/advisories/{self.vulnerability_id}",
             ),
         }
 
@@ -80,8 +80,8 @@ def security_issue(self) -> Issue:
             description=self.description,
             coordinates=f"{self.package_name}:{self.version}",
             references=(
-                f"https://github.com/advisories/{self.vulnerability_id}",
                 f"https://nvd.nist.gov/vuln/detail/{self.cve_id}",
+                f"https://github.com/advisories/{self.vulnerability_id}",
             ),
         )
 
diff --git a/test/unit/util/dependencies/audit_test.py b/test/unit/util/dependencies/audit_test.py
@@ -1,4 +1,5 @@
 import json
+from inspect import cleandoc
 from pathlib import Path
 from subprocess import CompletedProcess
 from unittest import mock
@@ -85,6 +86,48 @@ def test_reference_links(sample_vulnerability, reference: str, expected: list[st
 
         assert result.reference_links == (expected,)
 
+    @pytest.mark.parametrize(
+        "aliases,expected",
+        (
+            pytest.param(["A", "PYSEC", "CVE", "GHSA"], "CVE", id="CVE"),
+            pytest.param(["A", "PYSEC", "GHSA"], "GHSA", id="GHSA"),
+            pytest.param(["A", "PYSEC"], "PYSEC", id="PYSEC"),
+            pytest.param(["Z", "A"], "A", id="alphabetical_case"),
+        ),
+    )
+    def test_vulnerability_id(self, sample_vulnerability, aliases: list[str], expected):
+
+        result = Vulnerability(
+            name=sample_vulnerability.package_name,
+            version=sample_vulnerability.version,
+            id="DUMMY_IDENTIFIER",
+            aliases=aliases,
+            fix_versions=[sample_vulnerability.fix_version],
+            description=sample_vulnerability.description,
+        )
+
+        assert result.vulnerability_id == expected
+
+    def test_subsection_for_changelog_summary(self, sample_vulnerability):
+        expected = cleandoc(
+            """
+            ### CVE-2025-27516 in jinja2:3.1.5
+
+            An oversight in how the Jinja sandboxed environment interacts with the
+            `|attr` filter allows an attacker that controls the content of a template
+            to execute arbitrary Python code.
+
+            #### References:
+
+            * https://github.com/advisories/GHSA-cpwx-vrp4-4pq7
+            * https://nvd.nist.gov/vuln/detail/CVE-2025-27516
+            """
+        )
+        assert (
+            sample_vulnerability.vulnerability.subsection_for_changelog_summary
+            == expected
+        )
+
 
 class TestAuditPoetryFiles:
     @staticmethod
