small fixes for security alerts (#141)

fix reference to github env var install python dependencies from requirements.txt
ministryofjustice · Jun 4, 2024 · 69b5b73 · 69b5b73
1 parent f15b50c
commit 69b5b73
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 13 deletions.
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
@@ -21,10 +21,14 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: "3.11"
 
-      - name: Install dependencies
-        run: pip install semantic-version pytest
+      - name: Install Python dependencies
+        run: |
+          pip install --upgrade pip
+          pip install --no-cache-dir -r requirements.txt
+          pip install --no-cache-dir -r requirements-dev.txt
+        
 
       - name: run unit tests
         id: python-tests

diff --git a/.github/workflows/security-alerts.yml b/.github/workflows/security-alerts.yml
@@ -28,7 +28,7 @@ jobs:
           -H "X-GitHub-Api-Version: 2022-11-28" \
           /repos/ministryofjustice/data-catalogue/actions/runs \
           --jq '.workflow_runs[] 
-            | select(.conclusion=="success" and .status=="completed" and .path=={{ github.action_path }}) 
+            | select(.conclusion=="success" and .status=="completed" and .path==${{ github.action_path }}) 
             | .run_started_at' \
           | head -n 1)
           echo "last_run_date=${LAST_RUN_DATE}" >> "${GITHUB_OUTPUT}"
@@ -44,11 +44,16 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: Install dependencies
-        run: pip install semantic-version
+      - name: Install Python dependencies
+        run: |
+          pip install --upgrade pip
+          pip install --no-cache-dir -r requirements.txt
 
       - name: Filter advisories
         id: filter_advisories
+        env:        
+          REPO: datahub
+          REPO_OWNER: datahub-project
         run: python scripts/filter_advisories.py \
           "${{ steps.read_current_version.outputs.current_version }}" \
           "${{ steps.get_last_run_date.outputs.last_run_date }}"

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -0,0 +1 @@
+pytest==8.2.1
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+semantic_version==2.10.0
diff --git a/scripts/filter_advisories.py b/scripts/filter_advisories.py
@@ -1,4 +1,5 @@
 import json
+import os
 import re
 import sys
 from datetime import datetime
@@ -98,7 +99,7 @@ def advisory_to_slack_block(advisory) -> tuple[dict[str, Any], bool]:
         "type": "section",
         "text": {
             "type": "mrkdwn",
-            "text": f"New <https://github.com/datahub-project/datahub/security/advisories|DataHub Security Advisory>:\n"
+            "text": f"New <https://github.com/{os.environ.get('REPO_OWNER', '')}/{os.environ.get('REPO', '')}/security/advisories|DataHub Security Advisory>:\n"
             f"*ID:* {advisory['ghsa_id']}\n"
             f"*Severity:* {severity}\n"
             f"*Published:* {advisory['published_at']}\n"

diff --git a/tests/test_filter_advisories.py b/tests/test_filter_advisories.py
@@ -1,4 +1,3 @@
-import json
 from datetime import datetime
 
 import pytest
@@ -22,7 +21,7 @@ def advisories():
             "severity": "medium",
             "published_at": "2023-06-01T00:00:00Z",
             "summary": "This is a test advisory",
-            "html_url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-xxxx-xxxx-xxxx",
+            "html_url": "https://github.com/owner/target-repo/security/advisories/GHSA-xxxx-xxxx-xxxx",
             "vulnerabilities": [
                 {
                     "vulnerable_version_range": "< 0.12.0",
@@ -35,7 +34,7 @@ def advisories():
             "severity": "high",
             "published_at": "2023-07-01T00:00:00Z",
             "summary": "This is another test advisory",
-            "html_url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-yyyy-yyyy-yyyy",
+            "html_url": "https://github.com/owner/target-repo/security/advisories/GHSA-yyyy-yyyy-yyyy",
             "vulnerabilities": [
                 {
                     "vulnerable_version_range": "ALL",
@@ -48,7 +47,7 @@ def advisories():
             "severity": "critical",
             "published_at": "2023-08-01T00:00:00Z",
             "summary": "This is yet another test advisory",
-            "html_url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-zzzz-zzzz-zzzz",
+            "html_url": "https://github.com/owner/target-repo/security/advisories/GHSA-zzzz-zzzz-zzzz",
             "vulnerabilities": [
                 {
                     "vulnerable_version_range": "<= 0.10.1",
@@ -146,7 +145,7 @@ def test_parse_vulnerabilities(
                 "severity": "low",
                 "published_at": "2023-06-03T00:00:00Z",
                 "summary": "Missing vulnerable version range",
-                "html_url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-zzzz-zzzz-zzzz",
+                "html_url": "https://github.com/owner/target-repo/security/advisories/GHSA-zzzz-zzzz-zzzz",
                 "vulnerabilities": [{}],
             }
         ],
@@ -167,7 +166,7 @@ def test_parse_vulnerabilities_invalid_version(self):
             "severity": "low",
             "published_at": "2023-06-04T00:00:00Z",
             "summary": "Invalid version range",
-            "html_url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-aaaa-aaaa-aaaa",
+            "html_url": "https://github.com/owner/target-repo/security/advisories/GHSA-aaaa-aaaa-aaaa",
             "vulnerabilities": [{"vulnerable_version_range": "invalid_version"}],
         }
         parse_vulnerabilities(advisory, filtered, minimal_version)