
"""
Process vulnerability data from comma-separated JSON format.

This script processes JSON data containing package vulnerability information,
generates a markdown report with vulnerability details, and creates a shell
script to apply package upgrades using uv.

Expected JSON format:
{
    "name": "package_name",
    "version": "current_version",
    "vulns": [
        {
            "id": "VULNERABILITY_ID",
            "fix_versions": ["fixed_version"],
            "aliases": ["ALIAS1", "ALIAS2"],
            "description": "Vulnerability description"
        }
    ]
}
"""

import argparse
import json
import os
import shlex
import sys
from datetime import datetime
from typing import Any

from packaging.version import InvalidVersion, Version


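def _md_cell(value: Any) -> str:
    """Return *value* as a single-line markdown table cell.

    A literal ``|`` would start a new column and a newline would break the
    row; both come straight from the audit JSON, so they are neutralised here.
    """
    return str(value).replace("|", "\\|").replace("\n", " ")


def _highest_fix_version(vulns: list[dict[str, Any]]) -> "Version | None":
    """Return the highest ``fix_versions`` entry across *vulns*, or ``None``.

    Empty strings and strings ``packaging`` cannot parse are skipped instead
    of aborting the whole report; they still appear verbatim in the detailed
    table, they just cannot be ordered and therefore are not recommended.
    """
    parsed = []
    for vuln in vulns:
        for raw in vuln.get("fix_versions", []) or []:
            if not raw:
                continue
            try:
                parsed.append(Version(raw))
            except InvalidVersion:
                continue
    return max(parsed) if parsed else None


def generate_markdown_report(packages: list[dict[str, Any]]) -> tuple[str, list[str]]:
    """Generate a markdown report of vulnerabilities and upgrades.

    Args:
        packages: Dependency entries from the audit JSON (``name``, ``version``,
            ``vulns``). Missing keys are rendered as ``Unknown``.

    Returns:
        ``(markdown, upgrade_commands)``. ``upgrade_commands`` holds one
        ``-P <spec>`` argument per package that has a parseable fix version.
        Each spec is shell-quoted with ``shlex.quote`` because ``main`` splices
        the list verbatim into the ``uv lock`` line of a generated bash script;
        without quoting, a name or version containing shell metacharacters
        would be executed by that script.
    """
    generated_at = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    parts = [
        f"""# Security Vulnerability Report

Generated on: {generated_at}

## Summary

Found vulnerabilities in **{len(packages)}** packages requiring updates.

## Package Upgrades Overview

| Package | Current Version | Recommended Version | Vulnerabilities |
|---------|----------------|-------------------|-----------------|
"""
    ]
    upgrade_commands: list[str] = []

    # Summary table: one row per package plus the matching upgrade argument.
    for pkg in packages:
        name = pkg.get("name", "Unknown")
        current_version = pkg.get("version", "Unknown")
        vulns = pkg.get("vulns", []) or []
        recommended = _highest_fix_version(vulns)
        shown = recommended if recommended is not None else "Unknown"
        parts.append(
            f"| **{_md_cell(name)}** | {_md_cell(current_version)} | "
            f"**{_md_cell(shown)}** | {len(vulns)} |\n"
        )
        if recommended is not None:
            spec = f"{name}=={recommended}"
            # Quote the spec as a single shell word; it is written into a
            # script that is executed later, not passed through subprocess.
            upgrade_commands.append(f"-P {shlex.quote(spec)}")

    parts.append("\n## Detailed Vulnerability Information\n\n")

    # Per-package detail tables.
    for pkg in packages:
        name = pkg.get("name", "Unknown")
        current_version = pkg.get("version", "Unknown")
        vulns = pkg.get("vulns", []) or []
        parts.append(f"### {name} (v{current_version})\n\n")
        if not vulns:
            parts.append("No specific vulnerability details available.\n\n")
            continue
        parts.append("| Vulnerability ID | Fix Versions | Aliases |\n")
        parts.append("|-----------------|-------------|---------|\n")
        for vuln in vulns:
            vuln_id = vuln.get("id", "Unknown")
            # An empty fix list is shown as Unknown rather than a blank cell.
            fix_versions = ", ".join(vuln.get("fix_versions") or ["Unknown"])
            aliases = ", ".join(vuln.get("aliases", []) or [])
            parts.append(
                f"| {_md_cell(vuln_id)} | {_md_cell(fix_versions)} | "
                f"{_md_cell(aliases)} |\n"
            )
        parts.append("\n")

    parts.append(
        """
## Recommended Actions

1. Review the vulnerability details above.
2. Close and reopen this PR to trigger CI/CD tests.
3. Approve and merge the PR if everything looks good.

---
*This report was generated automatically. Please verify all upgrades before applying.*
"""
    )
    return "".join(parts), upgrade_commands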
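def _load_input(path: "str | None") -> Any:
    """Parse the audit JSON from *path*, or from stdin when *path* is falsy.

    Exits with status 1 (message on stderr) when the file is missing or the
    content is not valid JSON, so the user never sees a traceback.
    """
    try:
        if path:
            with open(path, "r", encoding="utf-8") as f:
                return json.load(f)
        print("Reading from stdin... (Ctrl+D to end)")
        return json.load(sys.stdin)
    except FileNotFoundError:
        print(f"Error: File '{path}' not found.", file=sys.stderr)
    except json.JSONDecodeError as exc:
        print(f"Error: {path or 'stdin'} is not valid JSON: {exc}", file=sys.stderr)
    sys.exit(1)


def _vulnerable_packages(input_data: Any) -> list[dict[str, Any]]:
    """Return the ``dependencies`` entries of *input_data* that list vulns.

    Exits with status 1 when the top-level shape is not an object with a
    ``"dependencies"`` list; entries with a missing or empty ``"vulns"`` are
    filtered out rather than raising ``KeyError``.
    """
    dependencies = (
        input_data.get("dependencies") if isinstance(input_data, dict) else None
    )
    if not isinstance(dependencies, list):
        print(
            'Error: Input JSON must be an object with a "dependencies" list.',
            file=sys.stderr,
        )
        sys.exit(1)
    return [
        pkg for pkg in dependencies if isinstance(pkg, dict) and pkg.get("vulns")
    ]


def _write_upgrade_script(path: str, upgrade_commands: list[str]) -> None:
    """Write the ``uv lock`` upgrade script to *path* and mark it executable.

    *upgrade_commands* are spliced into the command line verbatim; the
    producer (``generate_markdown_report``) is responsible for quoting them
    so that each one is a single shell word.
    """
    joined = " ".join(upgrade_commands)
    script = f"""#!/bin/bash
# Security upgrade script
# Generated automatically from vulnerability analysis

set -e  # Exit on any error

echo "🔒 Applying security upgrades..."
echo "This script will upgrade vulnerable packages using uv lock --upgrade-package"

uv lock {joined}

echo "✅ All security upgrades completed successfully!"
"""
    with open(path, "w", encoding="utf-8") as f:
        f.write(script)
    # 0o755 so the script can be run directly as ./<path>
    os.chmod(path, 0o755)


def main() -> None:
    """CLI entry point: read the audit JSON, write the report and the script."""
    parser = argparse.ArgumentParser(
        description="Process vulnerability data and generate reports"
    )
    parser.add_argument(
        "input_file",
        nargs="?",
        help="Input file with comma-separated JSONs (default: stdin)",
    )
    parser.add_argument(
        "--output-md", default="vulnerability_report.md", help="Output markdown file"
    )
    parser.add_argument(
        "--output-sh",
        default="apply_security_upgrades.sh",
        help="Output shell script file",
    )
    args = parser.parse_args()

    input_data = _load_input(args.input_file)
    if not input_data:
        print("Error: No input data provided.", file=sys.stderr)
        sys.exit(1)

    packages = _vulnerable_packages(input_data)
    print(f"📋 Detected {len(packages)} vulnerable packages")

    markdown_content, upgrade_commands = generate_markdown_report(packages)
    with open(args.output_md, "w", encoding="utf-8") as f:
        f.write(markdown_content)
    print(f"📄 Markdown report saved to: {args.output_md}")

    _write_upgrade_script(args.output_sh, upgrade_commands)
    print(f"🔧 Shell script saved to: {args.output_sh} (executable)")

    print("\n✅ Processing complete!")
    print(f"Review the report: {args.output_md}")
    print(f"Apply upgrades: ./{args.output_sh}")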
if __name__ == "__main__": main()