Feature/402 nox session report resolved security issues#770
and hid warning from pytest output
…ved_GitHub_security_issues
| ) | ||
| audit(nox_session) | ||
| # Proposal: Remove this test and the related nox task under test | ||
| def test_audit(monkeypatch, nox_session, sample_vulnerability, capsys): |
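Review bot: the `# Proposal: Remove this test and the related nox task under test` comment committed directly above `def test_audit` is a review remark, not documentation of the test; keep the proposal in the PR discussion and either drop the comment from the source or replace it with one that states what `test_audit` verifies about `audit(nox_session)`.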
Maybe we could think about removing this test and the related Nox session under test as it is unused.
I'm not sure what you mean here. Could you expand on "it is unused"?
I and a few others use dependency:audit while updating dependencies step-wise. It's helpful to see which ones are still active without checking GitHub's dependabots.
OK, then please ignore my comment. 🙂
| """ | ||
|
|
||
| other = sample_vulnerability | ||
| vuln_entry = { |
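Review bot: `vuln_entry` is built by hand from `other = sample_vulnerability` right after the docstring, but nothing in the visible lines says which fields are meant to differ from `sample_vulnerability`; add a one-line comment naming the swapped fields (the discussion below says `id` and `aliases[0]`) so the fixture can be checked against its docstring.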
This sounds like a good idea. Sorry, I'm a bit confused about the code changes here though.
In looking at the sample_vulnerability, we have:
So I think that to make the docstring description & intent of this fixture match the code, the values for id and aliases[0] should be flipped. Is that right?
| current_vulnerabilities=[flipped_id_vulnerability] | ||
| ) | ||
| assert resolved._is_resolved(sample_vulnerability.vulnerability) is False | ||
| assert not matcher.is_resolved(sample_vulnerability.vulnerability) |
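Review bot: the matcher is built from `current_vulnerabilities=[flipped_id_vulnerability]` but both assertions only check `sample_vulnerability.vulnerability`; the status of `flipped_id_vulnerability` itself is never asserted, so the case of a vulnerability listed as current under its swapped id is not covered. Add `assert not matcher.is_resolved(flipped_id_vulnerability)` alongside the existing assertion.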
| assert not matcher.is_resolved(sample_vulnerability.vulnerability) | |
| assert not matcher.is_resolved(flipped_id_vulnerability) |
| # Dict of current vulnerabilities: | ||
| # * keys: package names | ||
| # * values: set of each vulnerability's references | ||
| self._references = { |
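Review bot: keying `self._references` by package name gives one entry per package although the comment says each value is "set of each vulnerability's references", so when several vulnerabilities are reported for the same package they either overwrite each other or are merged into one set, and `is_resolved` can no longer tell which of them a reference belongs to. Key the map by vulnerability identifier (or index every id and alias) and keep one reference set per vulnerability.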
I think that this might be problematic as a dictionary based on the package.name. For a given package & version, we might have multiple unique vulnerability issues. These vulnerabilities might be resolved in different ways and not relate to one another at all.
1 (package-version combination): m (vulnerabilities)
m (vulnerabilities) : n (resolved package-version combinations)
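The cardinality problem raised above, as an added example that is not code from this PR or the project: a matcher keyed by package name, assumed here to be filled by one assignment per vulnerability (the page only shows the `self._references = {` line and its comment), drops a second advisory for the same package, while indexing every identifier of every current advisory keeps them apart and also matches the flipped id/alias fixture discussed earlier. The `Vulnerability` class, the matcher names and the advisory ids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    package: str         # affected package name
    id: str              # primary identifier
    aliases: tuple = ()  # other identifiers of the same advisory

    def references(self) -> frozenset:
        # id and aliases name the same advisory, so match on any of them
        return frozenset((self.id, *self.aliases))

class PackageKeyedMatcher:
    """Dict keyed by package name, filled per vulnerability (assumed shape):
    a second advisory for the same package overwrites the first."""

    def __init__(self, current_vulnerabilities):
        self._references = {}
        for vuln in current_vulnerabilities:
            self._references[vuln.package] = set(vuln.references())

    def is_resolved(self, vuln) -> bool:
        known = self._references.get(vuln.package, set())
        return not (known & vuln.references())

class VulnerabilityKeyedMatcher:
    """Index every identifier of every current advisory: m advisories for
    one package stay separate, and a swapped id/alias still matches."""

    def __init__(self, current_vulnerabilities):
        self._known = {ref for vuln in current_vulnerabilities
                       for ref in vuln.references()}

    def is_resolved(self, vuln) -> bool:
        return not any(ref in self._known for ref in vuln.references())

# Constructed sample: two distinct advisories reported for one package version.
CURRENT = [Vulnerability("examplepkg", "PYSEC-0000-AAA", ("CVE-0000-1111",)),
           Vulnerability("examplepkg", "PYSEC-0000-BBB", ("CVE-0000-2222",))]
FIRST, SECOND = CURRENT
# FIRST with id and aliases[0] exchanged, like the flipped-id fixture in the test.
FLIPPED_FIRST = Vulnerability("examplepkg", "CVE-0000-1111", ("PYSEC-0000-AAA",))
FIXED = Vulnerability("examplepkg", "PYSEC-0000-CCC", ("CVE-0000-3333",))

def compare_matchers(vuln=FIRST):
    """(package-keyed, vulnerability-keyed) verdicts; only the second is right."""
    return (PackageKeyedMatcher(CURRENT).is_resolved(vuln),
            VulnerabilityKeyedMatcher(CURRENT).is_resolved(vuln))
```

With two current advisories for `examplepkg`, the package-keyed matcher reports the first one as resolved even though it is still open; the identifier index does not.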
Co-authored-by: Ariel Schulz <43442541+ArBridgeman@users.noreply.github.com>
Closes #402
Closes #771