Add nox target for auditing workspaces in reagard to known vulnerabilities (#347)

Jannis-Mittenzwei · web-flow · commit 58773f87c827 · 2025-03-04T15:52:25.000+01:00
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -117,6 +117,25 @@ jobs:
           path: .security.json
           include-hidden-files: true
 
+  Vulnerabilities:
+    name: Check Vulnerabilities (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run Package vulnerabilities Check
+        run: poetry run nox -s dependency:audit
+
   Format:
     name: Format Check
     runs-on: ubuntu-latest
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -1 +1,5 @@
 # Unreleased
+
+## ✨ Added
+
+* [#73](https://github.com/exasol/python-toolbox/issues/73): Added nox target for auditing work spaces in regard to known vulnerabilities
diff --git a/exasol/toolbox/nox/_dependencies.py b/exasol/toolbox/nox/_dependencies.py
@@ -212,10 +212,20 @@ def _normalize_package_name(name: str) -> str:
     return template.format(heading=heading(), rows=rows)
 
 
+def _audit(session: Session) -> None:
+    session.run("poetry", "run", "pip-audit")
+
+
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
     """returns the packages and their licenses"""
     toml = Path("pyproject.toml")
     dependencies = _dependencies(toml.read_text())
     package_infos = _licenses()
     print(_packages_to_markdown(dependencies=dependencies, packages=package_infos))
+
+
+@nox.session(name="dependency:audit", python=False)
+def audit(session: Session) -> None:
+    """Check for known vulnerabilities"""
+    _audit(session)
diff --git a/exasol/toolbox/nox/tasks.py b/exasol/toolbox/nox/tasks.py
@@ -81,6 +81,7 @@ def check(session: Session) -> None:
 
 from exasol.toolbox.nox._dependencies import (
     dependency_licenses,
+    audit
 )
 
 # isort: on
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -123,6 +123,25 @@ jobs:
           path: .security.json
           include-hidden-files: true
 
+  Vulnerabilities:
+    name: Check Vulnerabilities (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run Package vulnerabilities Check
+        run: poetry run nox -s dependency:audit
+
   Format:
     name: Format Check
     runs-on: ubuntu-latest
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -59,6 +59,7 @@ typer = {extras = ["all"], version = ">=0.7.0"}
 bandit = {extras = ["toml"], version = "^1.7.9"}
 jinja2 = "^3.1.4"
 pip-licenses = "^5.0.0"
+pip-audit = "^2.7.3"
 
 [tool.poetry.group.dev.dependencies]
 autoimport = "^1.4.0"

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ def check(session: Session) -> None:`
`81`	`81`
`82`	`82`	`from exasol.toolbox.nox._dependencies import (`
`83`	`83`	`dependency_licenses,`
	`84`	`+ audit`
`84`	`85`	`)`
`85`	`86`
`86`	`87`	`# isort: on`