Skip to content

Add OSV dependency vulnerability scanning#266

Merged
JE-Chen merged 1 commit into
devfrom
feat/osv-vuln-scan
Jun 20, 2026
Merged

Add OSV dependency vulnerability scanning#266
JE-Chen merged 1 commit into
devfrom
feat/osv-vuln-scan

Conversation

@JE-Chen

@JE-Chen JE-Chen commented Jun 20, 2026

Copy link
Copy Markdown
Member

Summary

build_sbom only inventoried dependencies and to_sarif only exported findings — nothing in between ever produced a vulnerability finding (no advisory matching existed). This closes that loop with a pure-stdlib OSV matcher that bridges straight into the existing SARIF exporter.

  • scan_components(components, advisories, *, fetcher=None) — scan an SBOM's components against an OSV advisory database; returns findings {id, package, version, summary, severity, fixed, aliases}.
  • match_package(...) / is_affected(version, osv_range) — per-package and per-range checks (sweeps introduced/fixed/last_affected events; explicit versions lists honored).
  • version_key(...) — pragmatic numeric version ordering (pre-release sorts before final release).
  • findings_to_sarif(findings) — bridge into make_finding/to_sarif so vulns land in GitHub/Azure DevOps code scanning alongside lint/secrets/a11y findings.

Package names compared with PEP-503 normalization; OSV severity (CRITICAL/HIGH/MODERATE/LOW) maps to SARIF error/warning/note. The advisory DB is injected as data, so matching is offline and deterministic; the live osv.dev query is an optional fetcher seam (CI-tested with a fake fetcher). Git ranges and full CVSS-vector scoring are out of scope.

Five-layer wiring

  • Headless core: je_auto_control/utils/vuln_scan/
  • Facade: re-exported from __init__.py + __all__
  • Executor: AC_scan_vulns (accepts a component list, a full SBOM dict, or JSON; optional sarif_path)
  • MCP: ac_scan_vulns
  • Script Builder: "Scan Dependencies for Vulnerabilities" under Security

Tests & docs

  • test/unit_test/headless/test_vuln_scan_batch.py (14 tests, green; full headless suite 2525 passed / 15 skipped)
  • v58 feature docs (EN + Zh) + toctree registration
  • What's-new sections in all three READMEs

Lint clean: ruff / pylint / bandit / radon (no function CC > 10). import je_auto_control stays Qt-free.

The SBOM only inventoried dependencies and SARIF only exported findings,
so nothing ever produced a vulnerability finding. Match SBOM components
against an injected OSV advisory database (introduced/fixed/last_affected
range sweep, PEP-503 name normalization, severity to SARIF level) and
bridge results into the SARIF exporter for code scanning. Advisories are
injected as data so matching is offline and deterministic; the live
osv.dev query stays an optional fetcher seam. Wired through the facade,
AC_scan_vulns executor command, ac_scan_vulns MCP tool and Script Builder.
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 79 complexity · 0 duplication

Metric Results
Complexity 79
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@JE-Chen
JE-Chen merged commit 727473b into dev Jun 20, 2026
16 checks passed
@JE-Chen
JE-Chen deleted the feat/osv-vuln-scan branch June 20, 2026 17:29
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant