Feature/402 nox session report resolved security issues #770

tkilias · 2026-05-05T23:33:47Z

What is the purpose of this line? Was the intention to disable the approval for scheduled runs such that the slow tests run always? However, this leads to, that they don't run and the workflow is stuck.

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,12 @@ name: Merge-Gate @@
     on:
       workflow_call:
+        inputs:
+          root-event:
+            description: GitHub event triggering the root workflow ci.yml
+            required: false
+            type: string
+            default: unknown
     jobs:
       run-fast-checks:
@@ Expand All / @@ -15,12 +21,15 @@ jobs: @@
         needs:
           - run-fast-checks
         uses: ./.github/workflows/report.yml
+        with:
+          upload-metrics: false
         secrets: inherit
         permissions:
           contents: read
       approve-run-slow-tests:
         name: Approve Running Slow Tests?
+        if: ${{ inputs.root-event != 'schedule' }}
         runs-on: "ubuntu-24.04"
         permissions:
           contents: read
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -24,5 +24,5 @@ @@
     ## 🔩 Internal
-    * Update depdency constraints
-    * Relock dependencies
+    * Update dependency constraints
+    * Relock dependencies

-Original file line number
+Diff line change
@@ Expand Up @@
     to get linting, security, and unit test coverage before running the `slow-checks.yml`,
     as described in the [Pull Request description](https://exasol.github.io/python-toolbox/main/user_guide/features/github_workflows/index.html#pull-request).
+    This release also adds a `vulnerabilities:resolved` Nox session, which reports GitHub security issues resolved since the last release.
     This release fixes a vulnerability by updating the `poetry.lock` file.
     | Name   | Version | ID             | Fix Versions | Updated to |
@@ Expand All @@
     To ensure usage of secure packages, it is up to the user to similarly relock their dependencies.
+    ## Features
+    * #402: Created nox session `vulnerabilities:resolved` to report resolved GitHub security issues
     ## Refactoring
     * #764: Updated `action/upload-pages-artifact` from v4 to [v5](https://github.com/actions/upload-pages-artifact/releases/tag/v5.0.0)
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,12 +1,17 @@
-    Managing dependencies
-    =====================
+    Managing Dependencies and Vulnerabilities
+    =========================================
-    +--------------------------+------------------+----------------------------------------+
-    | Nox session              | CI Usage         | Action                                 |
-    +==========================+==================+========================================+
-    | ``dependency:licenses``  | ``report.yml``   | Uses ``pip-licenses`` to return        |
-    |                          |                  | packages with their licenses           |
-    +--------------------------+------------------+----------------------------------------+
-    | ``dependency:audit``     | No               | Uses ``pip-audit`` to return active    |
-    |                          |                  | vulnerabilities in our dependencies    |
-    +--------------------------+------------------+----------------------------------------+
+    +------------------------------+----------------+-------------------------------------+
+    | Nox session                  | CI Usage       | Action                              |
+    +==============================+================+=====================================+
+    | ``dependency:licenses``      | ``report.yml`` | Uses ``pip-licenses`` to return     |
+    |                              |                | packages with their licenses        |
+    +------------------------------+----------------+-------------------------------------+
+    | ``dependency:audit``         | No             | Uses ``pip-audit`` to report active |
+    |                              |                | vulnerabilities in our dependencies |
+    +------------------------------+----------------+-------------------------------------+
+    | ``vulnerabilities:resolved`` | No             | Uses ``pip-audit`` to report known  |
+    |                              |                | vulnerabilities in dependencies     |
+    |                              |                | that have been resolved in          |
+    |                              |                | comparison to the last release.     |
+    +------------------------------+----------------+-------------------------------------+

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,17 +9,21 @@ @@
     from exasol.toolbox.util.dependencies.audit import (
         PipAuditException,
         Vulnerabilities,
+        get_vulnerabilities,
+        get_vulnerabilities_from_latest_tag,
     )
     from exasol.toolbox.util.dependencies.licenses import (
         PackageLicenseReport,
         get_licenses,
     )
     from exasol.toolbox.util.dependencies.poetry_dependencies import get_dependencies
+    from exasol.toolbox.util.dependencies.track_vulnerabilities import DependenciesAudit
+    from noxconfig import PROJECT_CONFIG
     @nox.session(name="dependency:licenses", python=False)
     def dependency_licenses(session: Session) -> None:
-        """Return the packages with their licenses"""
+        """Report licenses for all dependencies."""
         dependencies = get_dependencies(working_directory=Path())
         licenses = get_licenses()
         license_markdown = PackageLicenseReport(
@@ Expand All / @@ -30,7 +34,7 @@ def dependency_licenses(session: Session) -> None: @@
     @nox.session(name="dependency:audit", python=False)
     def audit(session: Session) -> None:
-        """Check for known vulnerabilities"""
+        """Report known vulnerabilities."""
         try:
             vulnerabilities = Vulnerabilities.load_from_pip_audit(working_directory=Path())
@@ Expand All / @@ -39,3 +43,14 @@ def audit(session: Session) -> None: @@
         security_issue_dict = vulnerabilities.security_issue_dict
         print(json.dumps(security_issue_dict, indent=2))
+    @nox.session(name="vulnerabilities:resolved", python=False)
+    def report_resolved_vulnerabilities(session: Session) -> None:
+        """Report resolved vulnerabilities in dependencies."""
+        path = PROJECT_CONFIG.root_path
+        audit = DependenciesAudit(
+            previous_vulnerabilities=get_vulnerabilities_from_latest_tag(path),
+            current_vulnerabilities=get_vulnerabilities(path),
+        )
+        print(audit.report_resolved_vulnerabilities())

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature/402 nox session report resolved security issues #770

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

tkilias May 5, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,7 +15,7 @@ jobs: @@
       build-and-publish:
         needs:
-         - check-release-tag
+          - check-release-tag
         name: Build & Publish
         uses: ./.github/workflows/build-and-publish.yml
         permissions:
@@ Expand All / @@ -25,7 +25,7 @@ jobs: @@
       publish-docs:
         needs:
-         - build-and-publish
+          - build-and-publish
         name: Publish Documentation
         uses: ./.github/workflows/gh-pages.yml
         permissions:
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -11,14 +11,21 @@ jobs: @@
       merge-gate:
         name: Merge Gate
         uses: ./.github/workflows/merge-gate.yml
+        with:
+          root-event:  ${{ github.event_name }}
         secrets: inherit
         permissions:
           contents: read
       report:
+        # Job merge-gate requires manual approval for running the slow checks.  If
+        # current workflow ci.yml is triggered by schedule, there is no manual
+        # interaction, manual approval will never be given, slow checks will not
+        # be executed, merge-gate will never terminate, and the report will never
+        # be called.
         name: Report
         needs:
-         - merge-gate
+          - merge-gate
         uses: ./.github/workflows/report.yml
         secrets: inherit
         permissions:
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -177,7 +177,11 @@ def audit_poetry_files(working_directory: Path) -> str: @@
             tmpdir = Path(path)
             (tmpdir / requirements_txt).write_text(output.stdout)
-            command = ["pip-audit", "-r", requirements_txt, "-f", "json"]
+            # CLI option `--disable-pip` skips dependency resolution in pip.  The
+            # option can be used with hashed requirements files (which is the case
+            # here) to avoid `pip-audit` installing an isolated environment and
+            # speed up the audit significantly.
+            command = ["pip-audit", "--disable-pip", "-r", requirements_txt, "-f", "json"]
             output = subprocess.run(
                 command,
                 capture_output=True,
@@ Expand Down Expand Up @@
         ).vulnerabilities
-    def get_vulnerabilities_from_latest_tag(root_path: Path):
+    def get_vulnerabilities_from_latest_tag(root_path: Path) -> list[Vulnerability]:
         with poetry_files_from_latest_tag(root_path=root_path) as tmp_dir:
             return get_vulnerabilities(working_directory=tmp_dir)

Feature/402 nox session report resolved security issues #770

Uh oh!

Feature/402 nox session report resolved security issues #770

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

tkilias May 5, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!