🐞 Vulnerability issue creator fails when Maven report does not contain "vulnerable" entry

kaklakariada · kaklakariada · commit bf8e1209470d · 2023-11-13T10:19:21.000+01:00
Fixes #102
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -6,6 +6,10 @@
 Unreleased
 ==========
 
+🐞 Fixed
+--------
+* Fix failing vulnerability issue creator when Maven report does not contain "vulnerable" entry
+
 🔧 Changed
 ----------
 
diff --git a/exasol/toolbox/tools/security.py b/exasol/toolbox/tools/security.py
@@ -87,17 +87,18 @@ def gh_security_issues() -> Generator[Tuple[str, str], None, None]:
 def from_maven(report: str) -> Iterable[Issue]:
     # Note: Consider adding warnings if there is the same cve with multiple coordinates
     report = json.loads(report)
-    dependencies = report["vulnerable"]  # type: ignore
-    for _, dependency in dependencies.items():  # type: ignore
-        for v in dependency["vulnerabilities"]:  # type: ignore
-            references = [v["reference"]] + v["externalReferences"]
-            yield Issue(
-                cve=v["cve"],
-                cwe=v["cwe"],
-                description=v["description"],
-                coordinates=dependency["coordinates"],
-                references=tuple(references),
-            )
+    if "vulnerable" in report:
+        dependencies = report["vulnerable"]  # type: ignore
+        for _, dependency in dependencies.items():  # type: ignore
+            for v in dependency["vulnerabilities"]:  # type: ignore
+                references = [v["reference"]] + v["externalReferences"]
+                yield Issue(
+                    cve=v["cve"],
+                    cwe=v["cwe"],
+                    description=v["description"],
+                    coordinates=dependency["coordinates"],
+                    references=tuple(references),
+                )
 
 
 def security_issue_title(issue: Issue) -> str:
diff --git a/test/unit/security_test.py b/test/unit/security_test.py
@@ -354,3 +354,8 @@ def test_convert_maven_input(maven_report):  # pylint: disable=redefined-outer-n
     }
     actual = set(security.from_maven(maven_report))
     assert actual == expected
+
+
+def test_convert_maven_input_no_vulnerable():  # pylint: disable=redefined-outer-name
+    actual = set(security.from_maven("{}"))
+    assert len(actual) == 0

Original file line number	Diff line number	Diff line change
`@@ -354,3 +354,8 @@ def test_convert_maven_input(maven_report): # pylint: disable=redefined-outer-n`
`354`	`354`	`}`
`355`	`355`	`actual = set(security.from_maven(maven_report))`
`356`	`356`	`assert actual == expected`
	`357`	`+`
	`358`	`+`
	`359`	`+def test_convert_maven_input_no_vulnerable(): # pylint: disable=redefined-outer-name`
	`360`	`+ actual = set(security.from_maven("{}"))`
	`361`	`+ assert len(actual) == 0`