Change structure of vulnerability so clearer delineation between package information and vulnerability

ArBridgeman · ArBridgeman · commit c8a58c8146a6 · 2025-11-10T13:42:47.000+01:00
diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py
@@ -12,7 +12,10 @@
     Any,
 )
 
-from pydantic import BaseModel
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+)
 
 from exasol.toolbox.util.dependencies.shared_models import (
     Package,
@@ -62,7 +65,10 @@ def get_link(self, package: str, vuln_id: str) -> str:
         return map_link[self].format(package=package, vuln_id=vuln_id)
 
 
-class Vulnerability(Package):
+class Vulnerability(BaseModel):
+    model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True)
+
+    package: Package
     id: str
     aliases: list[str]
     fix_versions: list[str]
@@ -76,8 +82,7 @@ def from_audit_entry(
         Create a Vulnerability from a pip-audit vulnerability entry
         """
         return cls(
-            name=package_name,
-            version=version,
+            package=Package(name=package_name, version=version),
             id=vuln_entry["id"],
             aliases=vuln_entry["aliases"],
             fix_versions=vuln_entry["fix_versions"],
@@ -91,19 +96,19 @@ def references(self) -> list[str]:
     @property
     def reference_links(self) -> tuple[str, ...]:
         return tuple(
-            source.get_link(package=self.name, vuln_id=reference)
+            source.get_link(package=self.package.name, vuln_id=reference)
             for reference in self.references
             if (source := VulnerabilitySource.from_prefix(reference.upper()))
         )
 
     @property
     def security_issue_entry(self) -> dict[str, str | list[str]]:
         return {
-            "name": self.name,
-            "version": str(self.version),
+            "name": self.package.name,
+            "version": str(self.package.version),
             "refs": self.references,
             "description": self.description,
-            "coordinates": self.coordinates,
+            "coordinates": self.package.coordinates,
             "references": self.reference_links,
         }
 
@@ -129,7 +134,7 @@ def subsection_for_changelog_summary(self) -> str:
         """
         links_join = "\n* ".join(sorted(self.reference_links))
         references_subsection = f"\n#### References:\n\n* {links_join}\n\n "
-        subsection = f"### {self.vulnerability_id} in {self.coordinates}\n\n{self.description}\n{references_subsection}"
+        subsection = f"### {self.vulnerability_id} in {self.package.coordinates}\n\n{self.description}\n{references_subsection}"
         return cleandoc(subsection.strip())
 
 
diff --git a/exasol/toolbox/util/dependencies/track_vulnerabilities.py b/exasol/toolbox/util/dependencies/track_vulnerabilities.py
@@ -24,7 +24,7 @@ def _is_resolved(self, previous_vuln: Vulnerability):
         """
         previous_vuln_set = {previous_vuln.id, *previous_vuln.aliases}
         for current_vuln in self.current_vulnerabilities:
-            if previous_vuln.name == current_vuln.name:
+            if previous_vuln.package.name == current_vuln.package.name:
                 current_vuln_id_set = {current_vuln.id, *current_vuln.aliases}
                 if previous_vuln_set.intersection(current_vuln_id_set):
                     return False
diff --git a/test/unit/util/dependencies/audit_test.py b/test/unit/util/dependencies/audit_test.py
@@ -33,8 +33,7 @@ class TestVulnerability:
     def test_from_audit_entry(sample_vulnerability):
         result = sample_vulnerability.vulnerability
         assert result == Vulnerability(
-            name=sample_vulnerability.package_name,
-            version=sample_vulnerability.version,
+            package=sample_vulnerability.vulnerability.package,
             id=sample_vulnerability.vulnerability_id,
             aliases=[sample_vulnerability.cve_id],
             fix_versions=[sample_vulnerability.fix_version],
@@ -76,8 +75,7 @@ def test_security_issue_entry(sample_vulnerability):
     )
     def test_reference_links(sample_vulnerability, reference: str, expected: list[str]):
         result = Vulnerability(
-            name=sample_vulnerability.package_name,
-            version=sample_vulnerability.version,
+            package=sample_vulnerability.vulnerability.package,
             id=reference,
             aliases=[],
             fix_versions=[sample_vulnerability.fix_version],
@@ -98,8 +96,7 @@ def test_reference_links(sample_vulnerability, reference: str, expected: list[st
     def test_vulnerability_id(self, sample_vulnerability, aliases: list[str], expected):
 
         result = Vulnerability(
-            name=sample_vulnerability.package_name,
-            version=sample_vulnerability.version,
+            package=sample_vulnerability.vulnerability.package,
             id="DUMMY_IDENTIFIER",
             aliases=aliases,
             fix_versions=[sample_vulnerability.fix_version],
