Refactoring/518 make audit class more extendable (#520)

* Extract nox session to conftest.py

* Refactor audit to work in a variety of contexts, not just "dependency:audit"

* Ignore non-critical security issues

* Finish release sentence

* Add poetry export locally; though might be better globally if in many projects

* Fix file name and make unique so doesn't interfere with local running of both unit & integration tests

* Add poetry export to integration pyproject.toml

* Try alternate test with global poetry export

* Try local poetry again but with install afterwards

* Add to documentation

* Isolate poetry add and install to local virtual env in tmp_path

* Remove global poetry export addition

* Update dependencies to latest versions

* Fix over-indentation

* Use IDE to apply suggested change locally per comment and add closing bracket

* Use IDE to apply suggested change locally per comment for doctring

* Use ellipses to shorten docstring example

* Fix unreleased.md changes missed in merge commit

* Switch to output in tmp directory, so not needed in .gitignore

Author: ArBridgeman

.gitignore

@@ -57,4 +57,4 @@ nosetests.xml
 .vscode/settings.json
 
 # Emacs
-TAGS
+TAGS

doc/changes/unreleased.md

@@ -1 +1,9 @@
 # Unreleased
+
+With the refactoring of the `dependency:audit`, we use `poetry export`. For how it can
+be added (project-specific or globally), see the
+[poetry export documentation](https://github.com/python-poetry/poetry-plugin-export).
+
+## Refactoring
+
+* #517: Refactored `dependency:audit` & split up to support upcoming work

doc/user_guide/dependencies.rst

@@ -0,0 +1,9 @@
+Dependencies
+============
+
+Core dependencies
++++++++++++++++++
+
+- Python >= 3.9
+- poetry >= 2.1.2
+  - `poetry export <https://github.com/python-poetry/poetry-plugin-export>`__

doc/user_guide/features/index.rst

@@ -9,6 +9,7 @@ Features
     metrics/collecting_metrics
     creating_a_release
     documentation/index
+    managing_dependencies
 
 Uniform Project Layout
 ----------------------

doc/user_guide/features/managing_dependencies.rst

@@ -0,0 +1,12 @@
+Managing dependencies
+=====================
+
++--------------------------+------------------+----------------------------------------+
+| Nox session              | CI Usage         | Action                                 |
++==========================+==================+========================================+
+| ``dependency:licenses``  | ``report.yml``   | Uses ``pip-licenses`` to return        |
+|                          |                  | packages with their licenses           |
++--------------------------+------------------+----------------------------------------+
+| ``dependency:audit``     | No               | Uses ``pip-audit`` to return active    |
+|                          |                  | vulnerabilities in our dependencies    |
++--------------------------+------------------+----------------------------------------+

doc/user_guide/user_guide.rst

@@ -6,6 +6,7 @@
 .. toctree::
     :maxdepth: 2
 
+    dependencies
     getting_started
     features/index
     workflows

exasol/toolbox/nox/_dependencies.py

@@ -1,86 +1,22 @@
 from __future__ import annotations
 
-import argparse
 import json
-import subprocess
 from pathlib import Path
 
 import nox
 from nox import Session
 
+from exasol.toolbox.util.dependencies.audit import (
+    PipAuditException,
+    Vulnerabilities,
+)
 from exasol.toolbox.util.dependencies.licenses import (
     PackageLicenseReport,
     get_licenses,
 )
 from exasol.toolbox.util.dependencies.poetry_dependencies import get_dependencies
 
 
-class Audit:
-    @staticmethod
-    def _filter_json_for_vulnerabilities(audit_json_bytes: bytes) -> dict:
-        """
-        Filters JSON from pip-audit for only packages with vulnerabilities
-
-        Examples:
-        >>> audit_json_dict = {"dependencies": [
-        ... {"name": "alabaster", "version": "0.7.16", "vulns": []},
-        ... {"name": "cryptography", "version": "43.0.3", "vulns":
-        ... [{"id": "GHSA-79v4-65xg-pq4g", "fix_versions": ["44.0.1"],
-        ... "aliases": ["CVE-2024-12797"],
-        ... "description": "pyca/cryptography\'s wheels..."}]}]}
-        >>> audit_json = json.dumps(audit_json_dict).encode()
-        >>> Audit._filter_json_for_vulnerabilities(audit_json)
-        {"dependencies": [{"name": "cryptography", "version": "43.0.3", "vulns":
-        [{"id": "GHSA-79v4-65xg-pq4g", "fix_versions": ["44.0.1"], "aliases":
-        ["CVE-2024-12797"], "description": "pyca/cryptography\'s wheels..."}]}]}
-        """
-        audit_dict = json.loads(audit_json_bytes.decode("utf-8"))
-        return {
-            "dependencies": [
-                {
-                    "name": entry["name"],
-                    "version": entry["version"],
-                    "vulns": entry["vulns"],
-                }
-                for entry in audit_dict["dependencies"]
-                if entry["vulns"]
-            ]
-        }
-
-    @staticmethod
-    def _parse_args(session) -> argparse.Namespace:
-        parser = argparse.ArgumentParser(
-            description="Audits dependencies for security vulnerabilities",
-            usage="nox -s dependency:audit -- -- [options]",
-        )
-        parser.add_argument(
-            "-o",
-            "--output",
-            type=Path,
-            default=None,
-            help="Output results to the given file",
-        )
-        return parser.parse_args(args=session.posargs)
-
-    def run(self, session: Session) -> None:
-        args = self._parse_args(session)
-
-        command = ["pip-audit", "-f", "json"]
-        output = subprocess.run(command, capture_output=True)
-
-        audit_json = self._filter_json_for_vulnerabilities(output.stdout)
-        if args.output:
-            with open(args.output, "w") as file:
-                json.dump(audit_json, file)
-        else:
-            print(json.dumps(audit_json, indent=2))
-
-        if output.returncode != 0:
-            session.warn(
-                f"Command {' '.join(command)} failed with exit code {output.returncode}",
-            )
-
-
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
     """Return the packages with their licenses"""
@@ -95,4 +31,11 @@ def dependency_licenses(session: Session) -> None:
 @nox.session(name="dependency:audit", python=False)
 def audit(session: Session) -> None:
     """Check for known vulnerabilities"""
-    Audit().run(session=session)
+
+    try:
+        vulnerabilities = Vulnerabilities.load_from_pip_audit(working_directory=Path())
+    except PipAuditException as e:
+        session.error(e.return_code, e.stdout, e.stderr)
+
+    security_issue_dict = vulnerabilities.security_issue_dict
+    print(json.dumps(security_issue_dict, indent=2))

exasol/toolbox/tools/security.py

@@ -157,32 +157,38 @@ def from_pip_audit(report: str) -> Iterable[Issue]:
      - the same vulnerability ID (CVE, PYSEC, GHSA, etc.) is present across
      multiple coordinates.
 
-    Input:
-        '{"dependencies": [{"name": "<package_name>", "version": "<package_version>",
-        "vulns": [{"id": "<vuln_id>", "fix_versions": ["<fix_version>"],
-        "aliases": ["<vuln_id2>"], "description": "<vuln_description>"}]}]}'
+    Input as string:
+        [
+          {
+            "name": "jinja2",
+            "version": "3.1.5",
+            "refs": [
+              "GHSA-cpwx-vrp4-4pq7",
+              "CVE-2025-27516"
+            ],
+            "description": "An oversight ..."
+          }
+        ]
+
 
     Args:
         report:
             the JSON output of `nox -s dependency:audit` provided as a str
     """
-    report_dict = json.loads(report)
-    dependencies = report_dict.get("dependencies", [])
-    for dependency in dependencies:
-        package = dependency["name"]
-        for v in dependency["vulns"]:
-            refs = [v["id"]] + v["aliases"]
-            cves, cwes, links = identify_pypi_references(
-                references=refs, package_name=package
+    vulnerabilities = json.loads(report)
+
+    for vulnerability in vulnerabilities:
+        cves, cwes, links = identify_pypi_references(
+            references=vulnerability["refs"], package_name=vulnerability["name"]
+        )
+        if cves:
+            yield Issue(
+                cve=sorted(cves)[0],
+                cwe="None" if not cwes else ", ".join(cwes),
+                description=vulnerability["description"],
+                coordinates=f"{vulnerability['name']}:{vulnerability['version']}",
+                references=tuple(links),
             )
-            if cves:
-                yield Issue(
-                    cve=sorted(cves)[0],
-                    cwe="None" if not cwes else ", ".join(cwes),
-                    description=v["description"],
-                    coordinates=f"{package}:{dependency['version']}",
-                    references=tuple(links),
-                )
 
 
 @dataclass(frozen=True)

exasol/toolbox/util/dependencies/audit.py

@@ -0,0 +1,147 @@
+from __future__ import annotations
+
+import json
+import subprocess  # nosec
+import tempfile
+from dataclasses import dataclass
+from pathlib import Path
+from re import search
+from typing import (
+    Any,
+    Union,
+)
+
+from pydantic import BaseModel
+
+from exasol.toolbox.util.dependencies.shared_models import Package
+
+PIP_AUDIT_VULNERABILITY_PATTERN = (
+    r"^Found \d+ known vulnerabilit\w{1,3} in \d+ package\w?$"
+)
+
+
+@dataclass
+class PipAuditException(Exception):
+    return_code: int
+    stdout: str
+    stderr: str
+
+    def __init__(self, subprocess_output: subprocess.CompletedProcess) -> None:
+        self.return_code = subprocess_output.returncode
+        self.stdout = subprocess_output.stdout
+        self.stderr = subprocess_output.stderr
+
+
+class Vulnerability(Package):
+    id: str
+    aliases: list[str]
+    fix_versions: list[str]
+    description: str
+
+    @classmethod
+    def from_audit_entry(
+        cls, package_name: str, version: str, vuln_entry: dict[str, Any]
+    ) -> Vulnerability:
+        """
+        Create a Vulnerability from a pip-audit vulnerability entry
+        """
+        return cls(
+            name=package_name,
+            version=version,
+            id=vuln_entry["id"],
+            aliases=vuln_entry["aliases"],
+            fix_versions=vuln_entry["fix_versions"],
+            description=vuln_entry["description"],
+        )
+
+    @property
+    def security_issue_entry(self) -> dict[str, Union[str, list[str]]]:
+        return {
+            "name": self.name,
+            "version": str(self.version),
+            "refs": [self.id] + self.aliases,
+            "description": self.description,
+        }
+
+
+def audit_poetry_files(working_directory: Path) -> str:
+    """
+    Audit the `pyproject.toml` and `poetry.lock` files
+
+    pip-audit evaluates installed packages. This is to provide
+    additional security-related information beyond seeing if a given package
+    has a known vulnerability. Thus, to audit our `pyproject.toml` and
+    `poetry.lock` files without altering a locally sourced poetry environment,
+    this function first exports the locked packages to a requirements.txt file.
+    Then, pip-audit evaluates the requirements.txt by installing them to a virtualenv
+    and then inspecting the dependencies.
+    """
+
+    requirements_txt = "requirements.txt"
+    output = subprocess.run(
+        ["poetry", "export", "--format=requirements.txt"],
+        capture_output=True,
+        text=True,
+        cwd=working_directory,
+    )  # nosec
+    if output.returncode != 0:
+        raise PipAuditException(subprocess_output=output)
+
+    with tempfile.TemporaryDirectory() as path:
+        tmpdir = Path(path)
+        (tmpdir / requirements_txt).write_text(output.stdout)
+
+        command = ["pip-audit", "-r", requirements_txt, "-f", "json"]
+        output = subprocess.run(
+            command,
+            capture_output=True,
+            text=True,
+            cwd=tmpdir,
+        )  # nosec
+
+    if output.returncode != 0:
+        # pip-audit does not distinguish between 1) finding vulnerabilities
+        # and 2) other errors performing the pip-audit (i.e. malformed file);
+        # they both map to returncode = 1, so we have our own logic to raise errors
+        # for the case of 2) and not 1).
+        if not search(PIP_AUDIT_VULNERABILITY_PATTERN, output.stderr.strip()):
+            raise PipAuditException(subprocess_output=output)
+    return output.stdout
+
+
+class Vulnerabilities(BaseModel):
+    vulnerabilities: list[Vulnerability]
+
+    @classmethod
+    def load_from_pip_audit(cls, working_directory: Path) -> Vulnerabilities:
+        """
+        Convert the pip-audit JSON output into a Vulnerabilities model
+
+        The output from pip-audit is a JSON, which as a dictionary looks like:
+        >>> audit_dict = {"dependencies": [
+        ... {"name": "alabaster", "version": "0.7.16", "vulns": []},
+        ... {"name": "cryptography", "version": "43.0.3", "vulns":
+        ... [{"id": "GHSA-79v4-65xg-pq4g", "fix_versions": ["44.0.1"],
+        ... "aliases": ["CVE-2024-12797"],
+        ... "description": "pyca/cryptography\'s wheels..."}, ...]}]}
+        """
+        audit_json = audit_poetry_files(working_directory)
+        audit_dict = json.loads(audit_json)
+
+        vulnerabilities = []
+        for entry in audit_dict["dependencies"]:
+            for vuln_entry in entry["vulns"]:
+                vulnerabilities.append(
+                    Vulnerability.from_audit_entry(
+                        package_name=entry["name"],
+                        version=entry["version"],
+                        vuln_entry=vuln_entry,
+                    )
+                )
+        return Vulnerabilities(vulnerabilities=vulnerabilities)
+
+    @property
+    def security_issue_dict(self) -> list[dict[str, Union[str, list[str]]]]:
+        return [
+            vulnerability.security_issue_entry for vulnerability in self.vulnerabilities
+        ]