Add ResolvedVulnerabilities to detect if vulnerability has been

ArBridgeman · ArBridgeman · commit 5db9eef440b7 · 2025-11-05T14:05:12.000+01:00
resolved from previous work to the present
diff --git a/exasol/toolbox/util/dependencies/track_vulnerabilities.py b/exasol/toolbox/util/dependencies/track_vulnerabilities.py
@@ -0,0 +1,43 @@
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+)
+
+from exasol.toolbox.util.dependencies.audit import Vulnerability
+
+
+class ResolvedVulnerabilities(BaseModel):
+    model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True)
+
+    previous_vulnerabilities: list[Vulnerability]
+    current_vulnerabilities: list[Vulnerability]
+
+    def _is_resolved(self, previous_vuln: Vulnerability):
+        """
+        Detects if a vulnerability has been resolved.
+
+        A vulnerability is said to be resolved when it cannot be found
+        in the `current_vulnerabilities`. In order to see if a vulnerability
+        is still present, its id and aliases are compared to values in the
+        `current_vulnerabilities`. While one could hope that the IDs
+        are the same, it's possible between pip-audit versions that
+        there are differences.
+        """
+        previous_vuln_set = {previous_vuln.id, *previous_vuln.aliases}
+        for current_vuln in self.current_vulnerabilities:
+            if previous_vuln.name == current_vuln.name:
+                current_vuln_id_set = {current_vuln.id, *current_vuln.aliases}
+                if previous_vuln_set.intersection(current_vuln_id_set):
+                    return False
+        return True
+
+    @property
+    def resolutions(self) -> list[Vulnerability]:
+        """
+        Return resolved vulnerabilities
+        """
+        resolved_vulnerabilities = []
+        for previous_vuln in self.previous_vulnerabilities:
+            if self._is_resolved(previous_vuln):
+                resolved_vulnerabilities.append(previous_vuln)
+        return resolved_vulnerabilities
diff --git a/test/unit/util/dependencies/track_vulnerabilities_test.py b/test/unit/util/dependencies/track_vulnerabilities_test.py
@@ -0,0 +1,55 @@
+from exasol.toolbox.util.dependencies.track_vulnerabilities import (
+    ResolvedVulnerabilities,
+)
+
+
+class TestResolvedVulnerabilities:
+    def test_vulnerability_present_for_previous_and_current(self, sample_vulnerability):
+        vuln = sample_vulnerability.vulnerability
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[vuln], current_vulnerabilities=[vuln]
+        )
+        assert resolved._is_resolved(vuln) is False
+
+    def test_vulnerability_present_for_previous_and_current_with_different_id(
+        self, sample_vulnerability
+    ):
+        vuln2 = sample_vulnerability.vulnerability.__dict__.copy()
+        vuln2["version"] = sample_vulnerability.version
+        # flipping aliases & id to ensure can match across types
+        vuln2["aliases"] = [sample_vulnerability.vulnerability_id]
+        vuln2["id"] = sample_vulnerability.cve_id
+
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[sample_vulnerability.vulnerability],
+            current_vulnerabilities=[vuln2],
+        )
+        assert resolved._is_resolved(sample_vulnerability.vulnerability) is False
+
+    def test_vulnerability_in_previous_resolved_in_current(self, sample_vulnerability):
+        vuln = sample_vulnerability.vulnerability
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[vuln], current_vulnerabilities=[]
+        )
+        assert resolved._is_resolved(vuln) is True
+
+    def test_no_vulnerabilities_for_previous_and_current(self):
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[], current_vulnerabilities=[]
+        )
+        assert resolved.resolutions == []
+
+    def test_vulnerability_in_current_but_not_present(self, sample_vulnerability):
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[],
+            current_vulnerabilities=[sample_vulnerability.vulnerability],
+        )
+        # only care about "resolved" vulnerabilities, not new ones
+        assert resolved.resolutions == []
+
+    def test_resolved_vulnerabilities(self, sample_vulnerability):
+        resolved = ResolvedVulnerabilities(
+            previous_vulnerabilities=[sample_vulnerability.vulnerability],
+            current_vulnerabilities=[],
+        )
+        assert resolved.resolutions == [sample_vulnerability.vulnerability]
