LCORE-2631: Vulnerability report script: Dependabot data processing part#1961
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/vulnerability_report.py`:
- Around line 175-177: The function process_dependabot_file() is currently a
stub that returns an empty dictionary, and main() ignores its result, breaking
the report generation flow. Implement process_dependabot_file() to read the
Dependabot alerts file specified by the dependabot_file parameter and return a
dictionary containing the processed alert statistics. Then update main() to
capture the dictionary returned from process_dependabot_file() and incorporate
that data into the report generation logic so the vulnerability report contains
actual data.
- Around line 118-133: The helper functions has_attribute_with_value and
has_deep_attribute_with_value directly access nested dictionary keys without
validation, which causes KeyError or TypeError exceptions if the JSON is
malformed. Add JSON schema validation in the load_dependabot_file function to
validate the Dependabot alert structure when the file is loaded, ensuring only
properly formatted data is returned and preventing runtime crashes when the
helper functions access attributes on malformed items.
- Around line 100-108: The --comparison argument is parsed but never utilized in
the main() function, breaking the advertised CLI contract. In the main()
function, add a conditional check to determine if comparison mode is enabled by
verifying if the comparison argument contains values. When comparison mode is
active, implement logic to process multiple JSON files provided in the
comparison argument instead of only processing organization__repository.json.
Ensure the current single-file processing remains the default behavior when the
comparison argument is not provided. This will make the parser argument
definition match the actual execution flow.
📒 Files selected for processing (1)
scripts/vulnerability_report.py
🔇 Additional comments (1)
scripts/vulnerability_report.py (1)
39-40: PEP 695 `type` alias syntax is compatible with the declared Python version. The repository declares `requires-python = ">=3.12,<3.14"` in `pyproject.toml`, confirming Python 3.12+ is the minimum supported version. The `type DependabotAlert = ...` syntax at lines 39–40 aligns with this requirement.
| parser.add_argument( | ||
| "-c", | ||
| "--comparison", | ||
| default=False, | ||
| help="Compare two repositories and generate comparison report. " | ||
| "Need to be used with --data1 and --data2 options", | ||
| required=False, | ||
| nargs="+", | ||
| default=[], | ||
| help="Compare two or more repositories and generate comparison report. " | ||
| "Multiple JSON files with Dependabot alerts needs to be provided", | ||
| ) |
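Review bot: the replacement help text promises "two or more repositories", but `nargs="+"` also accepts a single path, so a comparison run with one file parses cleanly and the mismatch only surfaces later; either check `len(args.comparison) >= 2` in main() before entering comparison mode or make the help text match what the parser accepts. Minor: "Multiple JSON files with Dependabot alerts needs to be provided" should read "need to be provided", and `required=False` is already the default for an option, so it can go.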
--comparison is documented/parsed but never used in execution flow.
The parser advertises comparison mode, but main() always processes only organization__repository.json. This is a contract break for the CLI option.
Also applies to: 199-201
| def load_dependabot_file(filename: str) -> Any: | ||
| """Load JSON file containing Dependabot alerts.""" | ||
| with open(filename, "r") as fin: | ||
| return json.load(fin) | ||
|
|
||
|
|
||
| def has_attribute_with_value(item: DependabotAlert, attribute: str, value: str) -> bool: | ||
| """Check if dictionary has attribute with given value.""" | ||
| return bool(item[attribute] == value) | ||
|
|
||
|
|
||
| def has_deep_attribute_with_value( | ||
| item: DependabotAlert, selector: str, attribute: str, value: str | ||
| ) -> bool: | ||
| """Check if dictionary has deep attribute with given value.""" | ||
| return bool(item[selector][attribute] == value) |
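Review bot: load_dependabot_file() is annotated as returning `Any` while the helpers below take `DependabotAlert`, so the alias gives no type checking at the one boundary where file content enters the script; once the loaded shape is verified, annotate the return as `list[DependabotAlert]`. In has_attribute_with_value and has_deep_attribute_with_value the `bool(...)` wrapper is redundant for JSON values because `==` already yields a bool, and `item[attribute]` raises KeyError on a missing key while `item[selector][attribute]` raises TypeError when the selector maps to null; `item.get(attribute) == value` and a guarded two-level lookup would return False for such alerts instead of stopping the report.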
Validate Dependabot JSON schema at load time to prevent runtime crashes.
Helpers assume keys always exist (item[attribute], item[selector][attribute]). A single malformed alert will raise KeyError/TypeError and stop report generation.
Proposed fix
def load_dependabot_file(filename: str) -> Any:
"""Load JSON file containing Dependabot alerts."""
- with open(filename, "r") as fin:
- return json.load(fin)
+ with open(filename, "r", encoding="utf-8") as fin:
+ data = json.load(fin)
+ if not isinstance(data, list):
+ raise ValueError("Dependabot alerts file must contain a JSON array")
+ for idx, item in enumerate(data):
+ if not isinstance(item, dict):
+ raise ValueError(f"Alert at index {idx} must be an object")
+ if "state" not in item:
+ raise ValueError(f"Alert at index {idx} is missing 'state'")
+ sa = item.get("security_advisory")
+ if not isinstance(sa, dict) or "severity" not in sa:
+ raise ValueError(
+ f"Alert at index {idx} is missing 'security_advisory.severity'"
+ )
+ return dataAlso applies to: 136-155
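Review bot: the proposed validation raises on the first malformed alert, which still aborts the whole report; since the aim is to keep generation running, collect the offending indices and either fail once with the complete list or skip them with a warning. It also checks only `state` and `security_advisory.severity`, so any other selector passed to has_deep_attribute_with_value stays unguarded. The added `encoding="utf-8"` on `open()` is a good catch.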
| def process_dependabot_file(dependabot_file: str, prefix: str) -> dict[str, Any]: | ||
| """Read Dependabot alerts and prepare statistic info.""" | ||
| return {} |
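Review bot: a stub returning `{}` that main() calls and discards makes the CLI exit 0 with no output, so a consumer can mistake an empty vulnerability report for a clean one; if the implementation is intentionally deferred to a later part, have the stub raise NotImplementedError or log a clear warning rather than succeed silently. The `prefix` parameter is also unused in this version.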
main() currently performs no effective processing.
process_dependabot_file() is a stub returning {}, and main() ignores its result. The CLI succeeds without producing report data, which breaks the processing flow.
Proposed fix
def process_dependabot_file(dependabot_file: str, prefix: str) -> dict[str, Any]:
"""Read Dependabot alerts and prepare statistic info."""
- return {}
+ source_data: DependabotAlerts = load_dependabot_file(dependabot_file)
+ return {
+ "prefix": prefix,
+ "opened_cves": opened_cves(source_data),
+ "fixed_cves": fixed_cves(source_data),
+ "critical": with_severity("critical", source_data),
+ "high": with_severity("high", source_data),
+ "medium": with_severity("medium", source_data),
+ "low": with_severity("low", source_data),
+ }
@@
- process_dependabot_file(dependabot_file, prefix)
+ report = process_dependabot_file(dependabot_file, prefix)
+ print(json.dumps(report))
return 0Also applies to: 199-201
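Review bot: the replacement body relies on `opened_cves()`, `fixed_cves()`, `with_severity()` and a `DependabotAlerts` alias, none of which appear in this hunk, and the alias visible at lines 39-40 is the singular `DependabotAlert`; confirm the plural alias and the three helpers exist at the referenced lines 136-155 before applying, otherwise the fix trades an empty report for a NameError.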