Add support to vuln report for pulp_python plugin

closes: #1272

Author: git-hyagi

CHANGES/1272.feature

@@ -0,0 +1 @@
+Added support to vulnerability report for pulp_python plugin.

pulp-glue/pulp_glue/common/context.py

@@ -1284,6 +1284,9 @@ def needs_capability(self, capability: str) -> None:
                 )
             )
 
+    def scan(self) -> t.Any:
+        return self.call("scan", parameters={self.HREF: self.pulp_href})
+
 
 class PulpRemoteContext(PulpEntityContext):
     """

pulp-glue/pulp_glue/core/context.py

@@ -613,3 +613,11 @@ def find(self, **kwargs: t.Any) -> t.Any:
 
     def replicate(self) -> t.Any:
         return self.call("replicate", parameters={self.HREF: self.pulp_href})
+
+
+class PulpVulnerabilityReportContext(PulpEntityContext):
+    ENTITY = _("vulnerability report")
+    ENTITIES = _("vulnerability reports")
+    ID_PREFIX = "vuln_report"
+    HREF = "vulnerability_report_href"
+    NEEDS_PLUGINS = [PluginRequirement("core", specifier=">=3.85.3")]

pulp-glue/pulp_glue/python/context.py

@@ -101,6 +101,7 @@ class PulpPythonRepositoryVersionContext(PulpRepositoryVersionContext):
     HREF = "python_python_repository_version_href"
     ID_PREFIX = "repositories_python_python_versions"
     NEEDS_PLUGINS = [PluginRequirement("python", specifier=">=3.1.0")]
+    CAPABILITIES = {"scan": [PluginRequirement("python", specifier=">=3.21.0")]}
 
 
 class PulpPythonRepositoryContext(PulpRepositoryContext):

pulp_cli/generic.py

@@ -1521,11 +1521,33 @@ def callback(entity_ctx: PulpEntityContext, /) -> None:
     return callback
 
 
+def scan_command(**kwargs: t.Any) -> click.Command:
+    """A factory that creates a scan command."""
+
+    kwargs.setdefault("name", "scan")
+    kwargs.setdefault("help", _("Verify repository version package vulnerabilities."))
+    decorators = kwargs.pop("decorators", [])
+
+    @pulp_command(**kwargs)
+    @pass_entity_context
+    def callback(entity_ctx: PulpEntityContext, /) -> None:
+        """
+        Scan a {entity}.
+        """
+        entity_ctx.needs_capability("scan")
+        entity_ctx.scan()
+
+    for option in decorators:
+        # Decorate callback
+        callback = option(callback)
+    return callback
+
+
 def version_command(**kwargs: t.Any) -> click.Command:
     """
     A factory that creates a repository version command group.
 
-    This group contains `list`, `show`, `destroy` and `repair` subcommands.
+    This group contains `list`, `show`, `destroy`, `repair` and `scan` subcommands.
     If `list_only=True` is passed, only the `list` command will be instantiated.
     Repository lookup options can be provided in `decorators`.
     """
@@ -1545,6 +1567,7 @@ def callback(ctx: click.Context, repository_ctx: PulpRepositoryContext, /) -> No
     if not list_only:
         callback.add_command(show_command(decorators=decorators + [version_option]))
         callback.add_command(destroy_command(decorators=decorators + [version_option]))
+        callback.add_command(scan_command(decorators=decorators + [version_option]))
 
         @callback.command()
         @repository_lookup_option

pulpcore/cli/core/__init__.py

@@ -25,6 +25,7 @@
 from pulpcore.cli.core.upload import upload
 from pulpcore.cli.core.upstream_pulp import upstream_pulp
 from pulpcore.cli.core.user import user
+from pulpcore.cli.core.vulnerability_report import vulnerability_report
 from pulpcore.cli.core.worker import worker
 
 
@@ -52,6 +53,7 @@ def mount(main: click.Group, **kwargs: t.Any) -> None:
     main.add_command(upload)
     main.add_command(upstream_pulp)
     main.add_command(user)
+    main.add_command(vulnerability_report)
     main.add_command(worker)
 
     _orig_get_command = main.get_command

pulpcore/cli/core/vulnerability_report.py

@@ -0,0 +1,81 @@
+import typing as t
+
+import click
+from pulp_glue.common.context import PulpRepositoryContext
+from pulp_glue.common.exceptions import PulpException
+from pulp_glue.common.i18n import get_translation
+from pulp_glue.core.context import PulpVulnerabilityReportContext
+from pulp_glue.python.context import PulpPythonRepositoryVersionContext
+
+from pulpcore.cli.common.generic import (
+    PulpCLIContext,
+    href_option,
+    list_command,
+    pass_pulp_context,
+    pulp_group,
+    resource_option,
+    show_command,
+)
+
+translation = get_translation(__package__)
+_ = translation.gettext
+
+lookup_options = [href_option]
+
+repository_option = resource_option(
+    "--repository",
+    default_plugin="python",
+    default_type="python",
+    context_table=PulpRepositoryContext.TYPE_REGISTRY,
+    href_pattern=PulpRepositoryContext.HREF_PATTERN,
+    help=_("Repository to scan in the form '[<plugin>:<resource_type>:]<name>' or by href."),
+    required=True,
+)
+
+
+@pulp_group()
+@pass_pulp_context
+@click.pass_context
+def vulnerability_report(ctx: click.Context, pulp_ctx: PulpCLIContext, /) -> None:
+    ctx.obj = PulpVulnerabilityReportContext(pulp_ctx)
+
+
+vulnerability_report.add_command(list_command())
+vulnerability_report.add_command(show_command(decorators=lookup_options))
+
+
+@vulnerability_report.command()
+@repository_option
+@click.option(
+    "--version",
+    type=int,
+    help=_("Version of the repository to scan. Leave blank for latest version."),
+)
+@pass_pulp_context
+def create(
+    pulp_ctx: PulpCLIContext,
+    /,
+    repository: PulpRepositoryContext,
+    version: t.Optional[int],
+) -> None:
+
+    if version is None:
+        version_ctx = t.cast(PulpPythonRepositoryVersionContext, repository.get_version_context())
+        # fetch repository to get the latest version
+        repo_data = repository.show()
+        version_ctx.pulp_href = repo_data["latest_version_href"]
+    else:
+        version_ctx = t.cast(
+            PulpPythonRepositoryVersionContext, repository.get_version_context(version)
+        )
+
+    if version_ctx.capable("scan"):
+        result = version_ctx.scan()
+        pulp_ctx.output_result(result)
+    else:
+        raise PulpException(
+            _("Capability '{capability}' needed on '{entity}' for this command.").format(
+                capability="scan",
+                entity=version_ctx.ID_PREFIX,
+            )
+        )

tests/scripts/pulpcore/test_vulnerability_report.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -eu
+# shellcheck source=tests/scripts/config.source
+. "$(dirname "$(dirname "$(realpath "$0")")")"/config.source
+
+cleanup() {
+  pulp python repository destroy --name python || true
+  pulp python remote destroy --name python || true
+  pulp orphan cleanup --protection-time=0
+}
+trap cleanup EXIT
+
+# create a test repository
+pulp python repository create --name python
+pulp python remote create --name python --url "https://pypi.org/" --includes '["django==5.2.1"]'
+pulp python repository sync --name python --remote python
+
+REPO_VERSION=$(pulp python repository show --name python|jq -r .pulp_href)
+expect_succ pulp vulnerability-report create --repository "$REPO_VERSION"
+expect_succ pulp vulnerability-report list
+
+VULN_REPORT=$(pulp vulnerability-report list --field pulp_href --limit 1|jq .[0].pulp_href -r)
+expect_succ pulp vulnerability-report show --href "$VULN_REPORT"
+
+#  test with non-implemented content type
+pulp file repository create --name file-repo
+expect_fail pulp file repository version scan --repository file-repo