[python] accept multiple cve_ids in SCA reachability tests #6985

Merged
avara1986 merged 1 commit into main from avara/sca-reachability-cve-id-list on May 20, 2026

Conversation

@avara1986
Member

Summary

  • Make cve_id in tests/appsec/test_sca_reachability.py a list so the assertions accept either the CVE id or the GHSA id emitted by the tracer.
  • Provides retrocompatibility across tracer versions that emit different identifiers for the same advisory (e.g. CVE-2024-35195 vs GHSA-652x-xj99-gmcc).
  • _get_dependency_cve_metadata now matches via value.get("id") in cve_ids.

Related PR

Test plan

  • CI runs runtime_sca_reachability scenario against Python tracer and passes
  • Verify both CVE-2024-35195 and GHSA-652x-xj99-gmcc identifiers are accepted

🤖 Generated with Claude Code

Make cve_id a list so the SCA reachability assertions match either the
CVE identifier or the GHSA identifier emitted by the tracer, providing
retrocompatibility across tracer versions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

CODEOWNERS have been resolved as:

tests/appsec/test_sca_reachability.py                                   @DataDog/asm-libraries @DataDog/system-tests-core

@avara1986 avara1986 marked this pull request as ready for review May 20, 2026 14:41
@avara1986 avara1986 requested review from a team as code owners May 20, 2026 14:41
@avara1986 avara1986 merged commit a95bbd5 into main May 20, 2026
420 checks passed
@avara1986 avara1986 deleted the avara/sca-reachability-cve-id-list branch May 20, 2026 14:41

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a6e84eb6f9


_LANG_CONFIG: dict[str, dict[str, Any]] = {
"python": {
"cve_id": "CVE-2024-35195",
"cve_id": ["CVE-2024-35195", "GHSA-652x-xj99-gmcc"],
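Review bot: the widened expectation `"cve_id": ["CVE-2024-35195", "GHSA-652x-xj99-gmcc"]` only keeps the test's meaning if both identifiers name the same advisory; the PR description treats the GHSA as an alias of CVE-2024-35195 while the Codex review on this PR states it is a different Requests advisory, so confirm the alias mapping before merging and either drop the non-alias entry or add a comment next to the list citing where the mapping comes from, otherwise the assertion passes when the tracer reports the wrong vulnerability. Separately, the key is still named `cve_id` although its value is now a list and the matcher is described as `value.get("id") in cve_ids`; renaming the key to `cve_ids`, or normalising a plain string to `[cve_id]` inside `_get_dependency_cve_metadata` before the membership test, keeps the config and the matcher consistent and avoids `in` silently degrading to a substring check if an older config still supplies a string.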

P1: Remove unrelated GHSA from expected reachability IDs

The newly accepted ID GHSA-652x-xj99-gmcc is not an alias of CVE-2024-35195; it refers to a different Requests advisory, so this change weakens the test oracle from “did we report the targeted CVE?” to “did we report either of two different advisories?”. Because the exercised endpoint is explicitly the CVE-2024-35195 target (utils/build/docker/python/flask/app.py), the test can now pass even when the tracer reports the wrong vulnerability identifier, masking real regressions in reachability matching.
