Fix CWE parsing bug in notify.py

peter-at-progress · peter-at-progress · commit 5953039afb7b · 2026-04-29T13:01:48.000-04:00
Grype returns CWEs as a list of dicts with structure {"id": "CWE-79"},
not as plain strings. Updated get_cwes() to handle both formats.

Fixes TypeError: sequence item 0: expected str instance, dict found

Signed-off-by: peter-at-progress &lt;parsenau@progress.com&gt;
Signed-off-by: Peter Arsenault &lt;parsenau@progress.com&gt;
diff --git a/.github/actions/notify-new-cves/notify.py b/.github/actions/notify-new-cves/notify.py
@@ -138,7 +138,17 @@ def get_cwes(self) -> list[str]:
         """Get list of CWE IDs."""
         cwes = self.vulnerability.get("cwes", [])
         if isinstance(cwes, list):
-            return [cwe for cwe in cwes if cwe]
+            result = []
+            for cwe in cwes:
+                if isinstance(cwe, dict):
+                    # Grype format: {"id": "CWE-79", "name": "..."}
+                    cwe_id = cwe.get("id", "")
+                    if cwe_id:
+                        result.append(cwe_id)
+                elif isinstance(cwe, str) and cwe:
+                    # Plain string format
+                    result.append(cwe)
+            return result
         return []
     
     def get_urls(self) -> list[str]:
