Merge pull request #103 from exasol/kaklakariada/issue102

kaklakariada · web-flow · commit e19f1b4f06e3 · 2023-11-13T11:06:49.000+01:00
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -6,6 +6,10 @@
 Unreleased
 ==========
 
+🐞 Fixed
+--------
+* Fix failing vulnerability issue creator when Maven report does not contain "vulnerable" entry
+
 🔧 Changed
 ----------
 
diff --git a/exasol/toolbox/tools/security.py b/exasol/toolbox/tools/security.py
@@ -87,7 +87,7 @@ def gh_security_issues() -> Generator[Tuple[str, str], None, None]:
 def from_maven(report: str) -> Iterable[Issue]:
     # Note: Consider adding warnings if there is the same cve with multiple coordinates
     report = json.loads(report)
-    dependencies = report["vulnerable"]  # type: ignore
+    dependencies = report.get("vulnerable", {})  # type: ignore
     for _, dependency in dependencies.items():  # type: ignore
         for v in dependency["vulnerabilities"]:  # type: ignore
             references = [v["reference"]] + v["externalReferences"]
diff --git a/test/unit/security_test.py b/test/unit/security_test.py
@@ -354,3 +354,8 @@ def test_convert_maven_input(maven_report):  # pylint: disable=redefined-outer-n
     }
     actual = set(security.from_maven(maven_report))
     assert actual == expected
+
+
+def test_convert_maven_input_no_vulnerable():  # pylint: disable=redefined-outer-name
+    actual = set(security.from_maven("{}"))
+    assert len(actual) == 0

Original file line number	Diff line number	Diff line change
`@@ -354,3 +354,8 @@ def test_convert_maven_input(maven_report): # pylint: disable=redefined-outer-n`
`354`	`354`	`}`
`355`	`355`	`actual = set(security.from_maven(maven_report))`
`356`	`356`	`assert actual == expected`
	`357`	`+`
	`358`	`+`
	`359`	`+def test_convert_maven_input_no_vulnerable(): # pylint: disable=redefined-outer-name`
	`360`	`+ actual = set(security.from_maven("{}"))`
	`361`	`+ assert len(actual) == 0`