Feature/402 nox session report resolved security issues (#770)

* #402: Created nox task to detect resolved GitHub security issues
* added typehint to get_vulnerabilities_from_latest_tag
* Validated warning in test and hid warning from pytest output
* Renamed method resolved to resolved_vulnerabilities
* Renamed nox task and class SecurityAudit once again
* Added integration test
* merged changes from changelog.py
* Removed comment
* Removed unused imports
* nox -s format:fix
* Upload metrics.json only once and only for the main branch
* Modified trigger
* Updated GitHub workflows
* nox -s format:fix
* Fixed unit tests
* Updated workflows once again
* fixed typo in event name
* Apply suggestions from code review

Co-authored-by: Ariel Schulz <43442541+ArBridgeman@users.noreply.github.com>

* Added comment for CLI option --disable-pip to pip-audit

* Update .github/workflows/ci.yml

Co-authored-by: Ariel Schulz <43442541+ArBridgeman@users.noreply.github.com>

* Fixed test naming and implementation

---------

Co-authored-by: Ariel Schulz <43442541+ArBridgeman@users.noreply.github.com>

Author: ckunki

.github/workflows/ci.yml

@@ -2,6 +2,12 @@ name: Merge-Gate
 
 on:
   workflow_call:
+    inputs:
+      root-event:
+        description: GitHub event triggering the root workflow ci.yml
+        required: false
+        type: string
+        default: unknown
 
 jobs:
   run-fast-checks:
@@ -15,12 +21,15 @@ jobs:
     needs:
       - run-fast-checks
     uses: ./.github/workflows/report.yml
+    with:
+      upload-metrics: false
     secrets: inherit
     permissions:
       contents: read
 
   approve-run-slow-tests:
     name: Approve Running Slow Tests?
+    if: ${{ inputs.root-event != 'schedule' }}
     runs-on: "ubuntu-24.04"
     permissions:
       contents: read

.github/workflows/merge-gate.yml

@@ -24,5 +24,5 @@
 
 ## 🔩 Internal
 
-* Update depdency constraints
-* Relock dependencies
+* Update dependency constraints
+* Relock dependencies

.github/workflows/pr-merge.yml

@@ -11,6 +11,8 @@ The `report.yml` is also called after the `checks.yml` completes. This allows us
 to get linting, security, and unit test coverage before running the `slow-checks.yml`,
 as described in the [Pull Request description](https://exasol.github.io/python-toolbox/main/user_guide/features/github_workflows/index.html#pull-request).
 
+This release also adds a `vulnerabilities:resolved` Nox session, which reports GitHub security issues resolved since the last release.
+
 This release fixes a vulnerability by updating the `poetry.lock` file.
 
 | Name   | Version | ID             | Fix Versions | Updated to |
@@ -19,6 +21,10 @@ This release fixes a vulnerability by updating the `poetry.lock` file.
 
 To ensure usage of secure packages, it is up to the user to similarly relock their dependencies.
 
+## Features
+
+* #402: Created nox session `vulnerabilities:resolved` to report resolved GitHub security issues
+
 ## Refactoring
 
 * #764: Updated `action/upload-pages-artifact` from v4 to [v5](https://github.com/actions/upload-pages-artifact/releases/tag/v5.0.0)

.github/workflows/report.yml

@@ -1,12 +1,17 @@
-Managing dependencies
-=====================
+Managing Dependencies and Vulnerabilities
+=========================================
 
-+--------------------------+------------------+----------------------------------------+
-| Nox session              | CI Usage         | Action                                 |
-+==========================+==================+========================================+
-| ``dependency:licenses``  | ``report.yml``   | Uses ``pip-licenses`` to return        |
-|                          |                  | packages with their licenses           |
-+--------------------------+------------------+----------------------------------------+
-| ``dependency:audit``     | No               | Uses ``pip-audit`` to return active    |
-|                          |                  | vulnerabilities in our dependencies    |
-+--------------------------+------------------+----------------------------------------+
++------------------------------+----------------+-------------------------------------+
+| Nox session                  | CI Usage       | Action                              |
++==============================+================+=====================================+
+| ``dependency:licenses``      | ``report.yml`` | Uses ``pip-licenses`` to return     |
+|                              |                | packages with their licenses        |
++------------------------------+----------------+-------------------------------------+
+| ``dependency:audit``         | No             | Uses ``pip-audit`` to report active |
+|                              |                | vulnerabilities in our dependencies |
++------------------------------+----------------+-------------------------------------+
+| ``vulnerabilities:resolved`` | No             | Uses ``pip-audit`` to report known  |
+|                              |                | vulnerabilities in dependencies     |
+|                              |                | that have been resolved in          |
+|                              |                | comparison to the last release.     |
++------------------------------+----------------+-------------------------------------+

doc/changes/changes_0.15.0.md

@@ -9,17 +9,21 @@
 from exasol.toolbox.util.dependencies.audit import (
     PipAuditException,
     Vulnerabilities,
+    get_vulnerabilities,
+    get_vulnerabilities_from_latest_tag,
 )
 from exasol.toolbox.util.dependencies.licenses import (
     PackageLicenseReport,
     get_licenses,
 )
 from exasol.toolbox.util.dependencies.poetry_dependencies import get_dependencies
+from exasol.toolbox.util.dependencies.track_vulnerabilities import DependenciesAudit
+from noxconfig import PROJECT_CONFIG
 
 
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
-    """Return the packages with their licenses"""
+    """Report licenses for all dependencies."""
     dependencies = get_dependencies(working_directory=Path())
     licenses = get_licenses()
     license_markdown = PackageLicenseReport(
@@ -30,7 +34,7 @@ def dependency_licenses(session: Session) -> None:
 
 @nox.session(name="dependency:audit", python=False)
 def audit(session: Session) -> None:
-    """Check for known vulnerabilities"""
+    """Report known vulnerabilities."""
 
     try:
         vulnerabilities = Vulnerabilities.load_from_pip_audit(working_directory=Path())
@@ -39,3 +43,14 @@ def audit(session: Session) -> None:
 
     security_issue_dict = vulnerabilities.security_issue_dict
     print(json.dumps(security_issue_dict, indent=2))
+
+
+@nox.session(name="vulnerabilities:resolved", python=False)
+def report_resolved_vulnerabilities(session: Session) -> None:
+    """Report resolved vulnerabilities in dependencies."""
+    path = PROJECT_CONFIG.root_path
+    audit = DependenciesAudit(
+        previous_vulnerabilities=get_vulnerabilities_from_latest_tag(path),
+        current_vulnerabilities=get_vulnerabilities(path),
+    )
+    print(audit.report_resolved_vulnerabilities())

doc/changes/unreleased.md

@@ -15,7 +15,7 @@ jobs:
 
   build-and-publish:
     needs:
-     - check-release-tag
+      - check-release-tag
     name: Build & Publish
     uses: ./.github/workflows/build-and-publish.yml
     permissions:
@@ -25,7 +25,7 @@ jobs:
 
   publish-docs:
     needs:
-     - build-and-publish
+      - build-and-publish
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
     permissions:

doc/user_guide/features/managing_dependencies.rst

@@ -11,14 +11,21 @@ jobs:
   merge-gate:
     name: Merge Gate
     uses: ./.github/workflows/merge-gate.yml
+    with:
+      root-event:  ${{ github.event_name }}
     secrets: inherit
     permissions:
       contents: read
 
   report:
+    # Job merge-gate requires manual approval for running the slow checks.  If
+    # current workflow ci.yml is triggered by schedule, there is no manual
+    # interaction, manual approval will never be given, slow checks will not
+    # be executed, merge-gate will never terminate, and the report will never
+    # be called.
     name: Report
     needs:
-     - merge-gate
+      - merge-gate
     uses: ./.github/workflows/report.yml
     secrets: inherit
     permissions: