Conversation

@git-hyagi (Contributor):
closes: #1012

Comment on lines 105 to 109
REPO=$(pulp python repository show --name security-scan-repo)
VERSION_HREF=$(echo $REPO | jq -r '.latest_version_href')

# 5. Scan for vulnerabilities
curl -XPOST -u <user>:<password> ${BASE_ADDR}${VERSION_HREF}scan/
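Review bot: `echo $REPO` on the `VERSION_HREF=` line should be quoted (`echo "$REPO" | jq -r '.latest_version_href'`) so the JSON is not run through word splitting and globbing before it reaches jq, and `"${BASE_ADDR}${VERSION_HREF}scan/"` should be quoted for the same reason. The docs example also passes `-u <user>:<password>` on the command line, which puts the password in shell history and the process list; `-u <user>` alone (curl prompts for the password) or `--netrc` avoids that.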
Contributor:
Let's get this into the cli. Do you need help with adding the command?

Contributor Author:
hmm... I have never worked on the pulp-cli code. Let me study it a little :D

Comment on lines 660 to 661
repo_version = await sync_to_async(RepositoryVersion.objects.get)(pk=repo_version_pk)
content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content)
Contributor:
Suggested change
repo_version = await sync_to_async(RepositoryVersion.objects.get)(pk=repo_version_pk)
content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content)
repo_version = await RepositoryVersion.objects.aget(pk=repo_version_pk)
content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content).values("name", "version")

Contributor Author:
For the

content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content).values("name", "version")

I think this will not work because we also need the content objects found:
https://github.com/pulp/pulp_python/pull/1013/files#diff-38cc3b67ebd1f8ea44002fc7897552b1674435d85771f6ab27a0c86e383d00aeR666
https://github.com/pulp/pulpcore/blob/d9651981e20ac5b2dc1997f181204924f5c36cce/pulpcore/app/tasks/vulnerability_report.py#L133-L134

content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content)
ecosystem = "PyPI"
async for content in sync_to_async_iterable(content_units):
repo_content_osv_data = _build_osv_data(content.name, ecosystem, content.version)
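Review bot: `content.name` is handed to `_build_osv_data` exactly as stored. PyPI project names compare case-insensitively with `-`, `_` and `.` treated as equivalent (PEP 503), so unless OSV normalizes on its side, names stored as `Django` or `pulp_python` could miss advisories published under `django` or `pulp-python`. Normalizing before building the query, e.g. `re.sub(r"[-_.]+", "-", content.name).lower()`, makes the lookup independent of how the package was uploaded; worth confirming OSV's behaviour either way and documenting the decision next to the loop.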
Contributor:
Do we know if the osv requires the package name to be normalized? e.g. Django->django, pulp_python->pulp-python

@gerrod3 (Contributor) left a comment:
This is looking good, two small changes and I think we can LGTM.

Retrieve Python package content from a repository version for vulnerability scanning.
"""
repo_version = await RepositoryVersion.objects.aget(pk=repo_version_pk)
content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content)
@gerrod3 (Contributor), Nov 17, 2025:
Suggested change
content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content)
content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content).only("name", "version")
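Review bot: `.only("name", "version")` defers every other field, and Django fetches a deferred field with an extra query the moment it is accessed, so any downstream code that touches another attribute on these instances would silently turn the scan loop into one query per package. Suggest a short comment at the call site stating that only `name`, `version` and `pk` may be read from `content_units`, so a later change does not reintroduce the per-object queries this is meant to avoid.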

There's a lot of metadata on the Package object, but we only need these two fields. Also, this one is different from values as it creates the model instance rather than just a dictionary, but it only populates the specified fields and pk so it should work.

Contributor Author:
awesome!! it worked!

Comment on lines 41 to 43
repo_version = python_bindings.RepositoriesPythonVersionsApi.read(
python_python_repository_version_href=latest_version_href
)
Contributor:
Suggested change
repo_version = python_bindings.RepositoriesPythonVersionsApi.read(
python_python_repository_version_href=latest_version_href
)
repo_version = python_bindings.RepositoriesPythonVersionsApi.read(latest_version_href)

pyproject.toml Outdated
requires-python = ">=3.11"
dependencies = [
"pulpcore>=3.81.0,<3.100",
"pulpcore>=3.85.0,<3.100",
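Review bot: the new lower bound `pulpcore>=3.85.0` does not match the requirement stated in this thread that the vulnerability-report bugfix only lands in 3.85.3; as written, 3.85.0 through 3.85.2 satisfy the constraint without the fix. Suggest `"pulpcore>=3.85.3,<3.100",` once that release exists.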
Contributor:
The bugfix we need for vuln reports will be in 3.85.3

Contributor Author:
good catch!

@gerrod3 gerrod3 merged commit f6e6f00 into pulp:main Nov 18, 2025
23 of 25 checks passed
@git-hyagi git-hyagi deleted the add-vuln-report branch November 18, 2025 15:48
Development

Successfully merging this pull request may close these issues.

Add vulnerability reports to python plugin

3 participants