Add OSV dependency vulnerability scanning#266
Merged
Merged
Conversation
The SBOM only inventoried dependencies and SARIF only exported findings, so nothing ever produced a vulnerability finding. Match SBOM components against an injected OSV advisory database (introduced/fixed/last_affected range sweep, PEP-503 name normalization, severity to SARIF level) and bridge results into the SARIF exporter for code scanning. Advisories are injected as data so matching is offline and deterministic; the live osv.dev query stays an optional fetcher seam. Wired through the facade, AC_scan_vulns executor command, ac_scan_vulns MCP tool and Script Builder.
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 79 |
| Duplication | 0 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
build_sbomonly inventoried dependencies andto_sarifonly exported findings — nothing in between ever produced a vulnerability finding (no advisory matching existed). This closes that loop with a pure-stdlib OSV matcher that bridges straight into the existing SARIF exporter.scan_components(components, advisories, *, fetcher=None)— scan an SBOM's components against an OSV advisory database; returns findings{id, package, version, summary, severity, fixed, aliases}.match_package(...)/is_affected(version, osv_range)— per-package and per-range checks (sweepsintroduced/fixed/last_affectedevents; explicitversionslists honored).version_key(...)— pragmatic numeric version ordering (pre-release sorts before final release).findings_to_sarif(findings)— bridge intomake_finding/to_sarifso vulns land in GitHub/Azure DevOps code scanning alongside lint/secrets/a11y findings.Package names compared with PEP-503 normalization; OSV severity (
CRITICAL/HIGH/MODERATE/LOW) maps to SARIFerror/warning/note. The advisory DB is injected as data, so matching is offline and deterministic; the liveosv.devquery is an optionalfetcherseam (CI-tested with a fake fetcher). Git ranges and full CVSS-vector scoring are out of scope.Five-layer wiring
je_auto_control/utils/vuln_scan/__init__.py+__all__AC_scan_vulns(accepts a component list, a full SBOM dict, or JSON; optionalsarif_path)ac_scan_vulnsTests & docs
test/unit_test/headless/test_vuln_scan_batch.py(14 tests, green; full headless suite 2525 passed / 15 skipped)Lint clean: ruff / pylint / bandit / radon (no function CC > 10).
import je_auto_controlstays Qt-free.