This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 142707f Copy SBOM models to remove interdependencies
142707f is described below
commit 142707f1962d00c642134f98688998811c032fa2
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Jan 20 15:06:34 2026 +0000
Copy SBOM models to remove interdependencies
---
atr/get/sbom.py | 19 ++++++++-----------
atr/models/results.py | 36 ++++++++++++++++++++++++++++++++----
atr/tasks/sbom.py | 9 ++++++++-
3 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/atr/get/sbom.py b/atr/get/sbom.py
index b65fc11..fc56c59 100644
--- a/atr/get/sbom.py
+++ b/atr/get/sbom.py
@@ -34,7 +34,6 @@ import atr.models.results as results
import atr.models.sql as sql
import atr.render as render
import atr.sbom as sbom
-import atr.sbom.models.osv as osv
import atr.shared as shared
import atr.template as template
import atr.util as util
@@ -338,7 +337,7 @@ def _cyclonedx_cli_errors(block: htm.Block, task_result:
results.SBOMToolScore):
block.p["No CycloneDX CLI validation errors found."]
-def _extract_vulnerability_severity(vuln: osv.VulnerabilityDetails) -> str:
+def _extract_vulnerability_severity(vuln: results.VulnerabilityDetails) -> str:
"""Extract severity information from vulnerability data."""
data = vuln.database_specific or {}
if "severity" in data:
@@ -588,10 +587,10 @@ def _vulnerability_scan_find_in_progress_task(osv_tasks:
Sequence[sql.Task], rev
def _vulnerability_scan_results(
block: htm.Block,
- vulns: list[osv.CdxVulnerabilityDetail],
+ vulns: list[results.CdxVulnerabilityDetail],
scans: list[str],
task: sql.Task | None,
- prev: list[osv.CdxVulnerabilityDetail] | None,
+ prev: list[results.CdxVulnerabilityDetail] | None,
) -> None:
previous_vulns = None
if prev is not None:
@@ -606,7 +605,7 @@ def _vulnerability_scan_results(
def _vulnerability_results_from_bom(
- vulns: list[osv.CdxVulnerabilityDetail],
+ vulns: list[results.CdxVulnerabilityDetail],
block: htm.Block,
scans: list[str],
previous_vulns: dict[str, tuple[str, list[str]]] | None,
@@ -677,12 +676,12 @@ def _vulnerability_results_from_scan(
block.append(new_block)
-def _cdx_to_osv(cdx: osv.CdxVulnerabilityDetail) -> osv.VulnerabilityDetails:
+def _cdx_to_osv(cdx: results.CdxVulnerabilityDetail) ->
results.VulnerabilityDetails:
score = []
severity = ""
if cdx.ratings is not None:
severity, score = sbom.utilities.cdx_severity_to_osv(cdx.ratings)
- return osv.VulnerabilityDetails(
+ return results.VulnerabilityDetails(
id=cdx.id,
summary=cdx.description,
details=cdx.detail,
@@ -714,14 +713,12 @@ def _vulnerability_scan_section(
scans = []
if task_result.vulnerabilities is not None:
- vulnerabilities = [
- sbom.models.osv.CdxVulnAdapter.validate_python(json.loads(e)) for
e in task_result.vulnerabilities
- ]
+ vulnerabilities =
[results.CdxVulnAdapter.validate_python(json.loads(e)) for e in
task_result.vulnerabilities]
else:
vulnerabilities = []
if task_result.prev_vulnerabilities is not None:
prev_vulnerabilities = [
- sbom.models.osv.CdxVulnAdapter.validate_python(json.loads(e)) for
e in task_result.prev_vulnerabilities
+ results.CdxVulnAdapter.validate_python(json.loads(e)) for e in
task_result.prev_vulnerabilities
]
else:
prev_vulnerabilities = None
diff --git a/atr/models/results.py b/atr/models/results.py
index 6893f28..891f4be 100644
--- a/atr/models/results.py
+++ b/atr/models/results.py
@@ -15,12 +15,10 @@
# specific language governing permissions and limitations
# under the License.
-from typing import Annotated, Literal
+from typing import Annotated, Any, Literal
import pydantic
-import atr.sbom.models.osv as osv
-
from . import schema
@@ -63,9 +61,39 @@ class SBOMGenerateCycloneDX(schema.Strict):
msg: str = schema.description("The message from the SBOM generation")
+class VulnerabilityDetails(schema.Lax):
+ # Copied from atr/sbom/models/osv.py
+ id: str
+ summary: str | None = None
+ details: str | None = None
+ references: list[dict[str, Any]] | None = None
+ severity: list[dict[str, Any]] | None = None
+ published: str | None = None
+ modified: str
+ database_specific: dict[str, Any] = schema.Field(default={})
+
+
+class CdxVulnerabilityDetail(schema.Lax):
+ # Copied from atr/sbom/models/osv.py
+ bom_ref: str | None = schema.Field(default=None, alias="bom-ref")
+ id: str
+ source: dict[str, str] | None = None
+ description: str | None = None
+ detail: str | None = None
+ advisories: list[dict[str, str]] | None = None
+ cwes: list[int] | None = None
+ published: str | None = None
+ updated: str | None = None
+ affects: list[dict[str, str]] | None = None
+ ratings: list[dict[str, str | float]] | None = None
+
+
+CdxVulnAdapter = pydantic.TypeAdapter(CdxVulnerabilityDetail)
+
+
class OSVComponent(schema.Strict):
purl: str = schema.description("Package URL")
- vulnerabilities: list[osv.VulnerabilityDetails] =
schema.description("Vulnerabilities found")
+ vulnerabilities: list[VulnerabilityDetails] =
schema.description("Vulnerabilities found")
class SBOMOSVScan(schema.Strict):
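Review bot: The two copied models carry only a `# Copied from atr/sbom/models/osv.py` comment, so nothing records why the copy exists or keeps the field sets from drifting apart, and because both are `schema.Lax` a field that later diverges from the original would presumably be dropped or defaulted rather than rejected (assuming Lax ignores unknown keys; confirm in `schema`). I would replace each comment with a docstring such as `"""Result-side copy of atr.sbom.models.osv.VulnerabilityDetails, kept field-for-field identical so that atr.models does not import atr.sbom; update both together."""`, and add a unit test asserting `set(VulnerabilityDetails.model_fields) == set(osv.VulnerabilityDetails.model_fields)` (and the same for `CdxVulnerabilityDetail`). `database_specific: dict[str, Any] = schema.Field(default={})` is fine if `schema.Field` is `pydantic.Field`, which copies mutable defaults per instance; if it is a custom wrapper, prefer `schema.Field(default_factory=dict)`.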
diff --git a/atr/tasks/sbom.py b/atr/tasks/sbom.py
index 0b2ea04..066fbec 100644
--- a/atr/tasks/sbom.py
+++ b/atr/tasks/sbom.py
@@ -145,7 +145,14 @@ async def osv_scan(args: FileArgs) -> results.Results |
None:
bundle = sbom.utilities.path_to_bundle(pathlib.Path(full_path))
vulnerabilities, ignored = await sbom.osv.scan_bundle(bundle)
patch_ops = await sbom.utilities.bundle_to_vuln_patch(bundle,
vulnerabilities)
- components = [results.OSVComponent(purl=v.ref,
vulnerabilities=v.vulnerabilities) for v in vulnerabilities]
+ components = []
+ for v in vulnerabilities:
+ components.append(
+ results.OSVComponent(
+ purl=v.ref,
+
vulnerabilities=[results.VulnerabilityDetails.model_validate(vuln) for vuln in
v.vulnerabilities],
+ )
+ )
new_full_path: str | None = None
new_version, merged = sbom.utilities.apply_patch("osv-scan",
args.revision_number, bundle, patch_ops)
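Review bot: `results.VulnerabilityDetails.model_validate(vuln)` only accepts a dict or an instance of that exact class; if `sbom.osv.scan_bundle` returns `atr.sbom.models.osv.VulnerabilityDetails` instances (likely, given the osv import this commit removes), pydantic v2 rejects a foreign model instance unless the model config sets `from_attributes=True`, which I cannot see in `schema.Lax` from here. If that is the case, use `results.VulnerabilityDetails.model_validate(vuln.model_dump())` or `model_validate(vuln, from_attributes=True)`, and cover it with a test that feeds a real scan result through `osv_scan`. Separately, the rewrite of the comprehension into an append loop is a style regression; the nested comprehension `components = [results.OSVComponent(purl=v.ref, vulnerabilities=[results.VulnerabilityDetails.model_validate(vuln) for vuln in v.vulnerabilities]) for v in vulnerabilities]` keeps the original shape. `osv_scan` starts and ends outside the hunk.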