20 changes: 13 additions & 7 deletions tests/appsec/test_sca_reachability.py
Expand Up @@ -18,22 +18,24 @@
# Only populate entries once the language's tracer supports SCA reachability
# and the expected values are confirmed. Missing languages gracefully
# degrade: structural assertions still run, but value comparisons are skipped.
_LANG_CONFIG: dict[str, dict[str, str]] = {
# `cve_id` is a list to support retrocompatibility across tracer versions that
# may emit different identifiers (e.g. CVE id vs GHSA id) for the same advisory.
_LANG_CONFIG: dict[str, dict[str, Any]] = {
"python": {
"cve_id": "CVE-2024-35195",
"cve_id": ["CVE-2024-35195", "GHSA-652x-xj99-gmcc"],

P1 Badge Remove unrelated GHSA from expected reachability IDs

The newly accepted ID GHSA-652x-xj99-gmcc is not an alias of CVE-2024-35195; it refers to a different Requests advisory, so this change weakens the test oracle from “did we report the targeted CVE?” to “did we report either of two different advisories?”. Because the exercised endpoint is explicitly the CVE-2024-35195 target (utils/build/docker/python/flask/app.py), the test can now pass even when the tracer reports the wrong vulnerability identifier, masking real regressions in reachability matching.


"vulnerable_dep": "requests",
"path": "app.py",
"symbol": "sca_requests_vulnerable_call",
},
}


def _get_lang_config() -> dict[str, str]:
def _get_lang_config() -> dict[str, Any]:
"""Return per-language SCA reachability config, or empty dict if not configured."""
return _LANG_CONFIG.get(context.library.name, {})


def _cve_id() -> str:
def _cve_id() -> list[str]:
val = _get_lang_config().get("cve_id")
assert val is not None, f"No cve_id configured for '{context.library.name}'. Add entry to _LANG_CONFIG."
return val
Expand Down Expand Up @@ -63,8 +65,12 @@ def get_request_type(data: dict[str, Any]) -> str | None:
return get_request_content(data).get("request_type")


def _get_dependency_cve_metadata(dep_name: str, cve_id: str) -> list[dict[str, Any]]:
"""Collect all reachability metadata entries for a dep+CVE across all telemetry events."""
def _get_dependency_cve_metadata(dep_name: str, cve_ids: list[str]) -> list[dict[str, Any]]:
"""Collect all reachability metadata entries for a dep+CVE across all telemetry events.

`cve_ids` is a list of acceptable identifiers (for retrocompatibility across
tracer versions that may emit different identifiers for the same advisory).
"""
results: list[dict[str, Any]] = []
for data in interfaces.library.get_telemetry_data():
if get_request_type(data) != "app-dependencies-loaded":
Expand All @@ -76,7 +82,7 @@ def _get_dependency_cve_metadata(dep_name: str, cve_id: str) -> list[dict[str, A
if meta.get("type") != "reachability":
continue
value = json.loads(meta["value"])
if value.get("id") == cve_id:
if value.get("id") in cve_ids:
results.append(value)
return results
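Review bot: The guard in `_cve_id()`, `assert val is not None, ...`, still admits an empty list or, should a future `_LANG_CONFIG` entry keep the old scalar form, a plain `str`; both slip past the annotated `list[str]` contract and reach `value.get("id") in cve_ids` in the last hunk, where an empty list matches nothing and a `str` does substring matching (and raises `TypeError` when the reachability entry has no `id`). In either case `_get_dependency_cve_metadata` returns `[]` without pointing at the misconfiguration, so the test degrades silently instead of failing on its own oracle. Tightening the guard to `assert isinstance(val, list) and val, f"No cve_id list configured for '{context.library.name}'. Add entry to _LANG_CONFIG."` fails fast at the config rather than deep in the telemetry scan. The membership test can then rely on a non-empty list of exact identifiers.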
