This is an automated email from the ASF dual-hosted git repository. sbp pushed a commit to branch copy-sbom-models in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 323c53d3d676b1955092f149cce5c40e6a296388 Author: Sean B. Palmer <[email protected]> AuthorDate: Tue Jan 20 15:06:34 2026 +0000 Copy SBOM models to remove interdependencies
---
 atr/get/sbom.py | 19 ++++++++-----------
 atr/models/results.py | 36 ++++++++++++++++++++++++++++++++----
 atr/tasks/sbom.py | 9 ++++++++-
 3 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/atr/get/sbom.py b/atr/get/sbom.py
index b65fc11..fc56c59 100644
--- a/atr/get/sbom.py
+++ b/atr/get/sbom.py
@@ -34,7 +34,6 @@ import atr.models.results as results
 import atr.models.sql as sql
 import atr.render as render
 import atr.sbom as sbom
-import atr.sbom.models.osv as osv
 import atr.shared as shared
 import atr.template as template
 import atr.util as util
@@ -338,7 +337,7 @@ def _cyclonedx_cli_errors(block: htm.Block, task_result: results.SBOMToolScore):
 block.p["No CycloneDX CLI validation errors found."]
 
 
-def _extract_vulnerability_severity(vuln: osv.VulnerabilityDetails) -> str:
+def _extract_vulnerability_severity(vuln: results.VulnerabilityDetails) -> str:
 """Extract severity information from vulnerability data."""
 data = vuln.database_specific or {}
 if "severity" in data:
@@ -588,10 +587,10 @@ def _vulnerability_scan_find_in_progress_task(osv_tasks: Sequence[sql.Task], rev
 
 def _vulnerability_scan_results(
 block: htm.Block,
- vulns: list[osv.CdxVulnerabilityDetail],
+ vulns: list[results.CdxVulnerabilityDetail],
 scans: list[str],
 task: sql.Task | None,
- prev: list[osv.CdxVulnerabilityDetail] | None,
+ prev: list[results.CdxVulnerabilityDetail] | None,
 ) -> None:
 previous_vulns = None
 if prev is not None:
@@ -606,7 +605,7 @@ def _vulnerability_scan_results(
 
 
 def _vulnerability_results_from_bom(
- vulns: list[osv.CdxVulnerabilityDetail],
+ vulns: list[results.CdxVulnerabilityDetail],
 block: htm.Block,
 scans: list[str],
 previous_vulns: dict[str, tuple[str, list[str]]] | None,
@@ -677,12 +676,12 @@ def _vulnerability_results_from_scan(
 block.append(new_block)
 
 
-def _cdx_to_osv(cdx: osv.CdxVulnerabilityDetail) -> osv.VulnerabilityDetails:
+def _cdx_to_osv(cdx: results.CdxVulnerabilityDetail) -> results.VulnerabilityDetails:
 score = []
 severity = ""
 if cdx.ratings is not None:
 severity, score = sbom.utilities.cdx_severity_to_osv(cdx.ratings)
- return osv.VulnerabilityDetails(
+ return results.VulnerabilityDetails(
 id=cdx.id,
 summary=cdx.description,
 details=cdx.detail,
@@ -714,14 +713,12 @@ def _vulnerability_scan_section(
 
 scans = []
 if task_result.vulnerabilities is not None:
- vulnerabilities = [
- sbom.models.osv.CdxVulnAdapter.validate_python(json.loads(e)) for e in task_result.vulnerabilities
- ]
+ vulnerabilities = [results.CdxVulnAdapter.validate_python(json.loads(e)) for e in task_result.vulnerabilities]
 else:
 vulnerabilities = []
 if task_result.prev_vulnerabilities is not None:
 prev_vulnerabilities = [
- sbom.models.osv.CdxVulnAdapter.validate_python(json.loads(e)) for e in task_result.prev_vulnerabilities
+ results.CdxVulnAdapter.validate_python(json.loads(e)) for e in task_result.prev_vulnerabilities
 ]
 else:
 prev_vulnerabilities = None
diff --git a/atr/models/results.py b/atr/models/results.py
index 6893f28..891f4be 100644
--- a/atr/models/results.py
+++ b/atr/models/results.py
@@ -15,12 +15,10 @@
 # specific language governing permissions and limitations
 # under the License.
 
-from typing import Annotated, Literal
+from typing import Annotated, Any, Literal
 
 import pydantic
 
-import atr.sbom.models.osv as osv
-
 from . import schema
 
 
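Review bot: `results.VulnerabilityDetails` declares `modified: str` with no default, while the source field on `CdxVulnerabilityDetail`, `updated`, is `str | None = None`; if the constructor call that continues past this hunk maps `updated` to `modified`, a CycloneDX vulnerability entry without an `updated` value would raise a pydantic `ValidationError` while the scan page is being rendered instead of being shown. Either give `modified` the same `str | None = None` default that `published` has in the copied model, or substitute an explicit fallback in `_cdx_to_osv`; which is right depends on what `_extract_vulnerability_severity` and the templates do with the value. The body of `_cdx_to_osv` and its return expression continue outside the hunk, so this is inferred from the visible signatures only.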
@@ -63,9 +61,39 @@ class SBOMGenerateCycloneDX(schema.Strict):
 msg: str = schema.description("The message from the SBOM generation")
 
 
+class VulnerabilityDetails(schema.Lax):
+ # Copied from atr/sbom/models/osv.py
+ id: str
+ summary: str | None = None
+ details: str | None = None
+ references: list[dict[str, Any]] | None = None
+ severity: list[dict[str, Any]] | None = None
+ published: str | None = None
+ modified: str
+ database_specific: dict[str, Any] = schema.Field(default={})
+
+
+class CdxVulnerabilityDetail(schema.Lax):
+ # Copied from atr/sbom/models/osv.py
+ bom_ref: str | None = schema.Field(default=None, alias="bom-ref")
+ id: str
+ source: dict[str, str] | None = None
+ description: str | None = None
+ detail: str | None = None
+ advisories: list[dict[str, str]] | None = None
+ cwes: list[int] | None = None
+ published: str | None = None
+ updated: str | None = None
+ affects: list[dict[str, str]] | None = None
+ ratings: list[dict[str, str | float]] | None = None
+
+
+CdxVulnAdapter = pydantic.TypeAdapter(CdxVulnerabilityDetail)
+
+
 class OSVComponent(schema.Strict):
 purl: str = schema.description("Package URL")
- vulnerabilities: list[osv.VulnerabilityDetails] = schema.description("Vulnerabilities found")
+ vulnerabilities: list[VulnerabilityDetails] = schema.description("Vulnerabilities found")
 
 
 class SBOMOSVScan(schema.Strict):
diff --git a/atr/tasks/sbom.py b/atr/tasks/sbom.py
index 0b2ea04..066fbec 100644
--- a/atr/tasks/sbom.py
+++ b/atr/tasks/sbom.py
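Review bot: The two copied classes carry only `# Copied from atr/sbom/models/osv.py`, and nothing keeps them from drifting from the originals once the dependency is cut; the comment should say that this copy is the persisted result schema (stored task output is validated against it via `CdxVulnAdapter`), that field changes must be made in both places, or a small test should assert the two field sets still match. `database_specific: dict[str, Any] = schema.Field(default={})` reads more clearly as `schema.Field(default_factory=dict)`; pydantic copies field defaults, so this is style rather than a shared-state defect. `modified: str` is the only required field besides `id`, which sits oddly next to `published: str | None = None` and is worth either a comment or the same default. Both copies are `schema.Lax` while the neighbouring result models are `schema.Strict`; if Lax means non-strict coercion or extra keys allowed, that is a reasonable choice for vulnerability data fetched from an external service, but it deserves one sentence in the class comment so a later reader does not tighten it by accident.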
@@ -145,7 +145,14 @@ async def osv_scan(args: FileArgs) -> results.Results | None:
 bundle = sbom.utilities.path_to_bundle(pathlib.Path(full_path))
 vulnerabilities, ignored = await sbom.osv.scan_bundle(bundle)
 patch_ops = await sbom.utilities.bundle_to_vuln_patch(bundle, vulnerabilities)
- components = [results.OSVComponent(purl=v.ref, vulnerabilities=v.vulnerabilities) for v in vulnerabilities]
+ components = []
+ for v in vulnerabilities:
+ components.append(
+ results.OSVComponent(
+ purl=v.ref,
+ vulnerabilities=[results.VulnerabilityDetails.model_validate(vuln) for vuln in v.vulnerabilities],
+ )
+ )
 
 new_full_path: str | None = None
 new_version, merged = sbom.utilities.apply_patch("osv-scan", args.revision_number, bundle, patch_ops)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
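Review bot: `results.VulnerabilityDetails.model_validate(vuln)` is applied to whatever `scan_bundle` placed in `v.vulnerabilities`; if those items are instances of the original `atr.sbom.models.osv.VulnerabilityDetails` rather than plain dicts, pydantic v2 rejects an instance of an unrelated model class unless `from_attributes=True` is in effect (either from `schema.Lax` or passed at the call), and `osv_scan` would fail on the first finding. When the items are model instances, `results.VulnerabilityDetails.model_validate(vuln.model_dump())` converts them without depending on that setting; when they are already dicts the call is fine as written, so this hinges on the return type of `scan_bundle`, which is not visible here. On style, the comprehension was expanded into an append loop apparently only for line length; binding `details = [results.VulnerabilityDetails.model_validate(x) for x in v.vulnerabilities]` to a local inside a comprehension over `vulnerabilities` keeps the original shape. `osv_scan` continues outside the hunk.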
