Fix komodo-snyk-test reporting odd package versions

This commit fixes the issue where the script reports vulnerabilities in versions not used in the release. An example of this was numpy 1.21.3 vulnerabilities being reported, even though we do not use numpy 1.21.3. The reason this was reported was that it is dependency in patsy, but it is never mentioned that it is an indirect dependency. This commit makes it so that the script filters out vulnerable versions that are not present in the release.

komodo/snyk_reporting.py

@@ -5,8 +5,7 @@
 from typing import Any, Dict, List, Optional
 
 from snyk import SnykClient
-from snyk.managers import OrganizationManager
-from snyk.models import Vulnerability
+from snyk.models import Organization, Vulnerability
 
 from komodo.yaml_file_types import ReleaseDir, ReleaseFile, RepositoryFile
 
@@ -109,10 +108,22 @@ def get_unique_issues(issues: List[Vulnerability]) -> List[Vulnerability]:
     return result
 
 
+def filter_vulnerability_issues(
+    snyk_issues: List[Vulnerability], release_packages: Dict[str, str]
+):
+    filtered_vulnerability_issues = []
+    for snyk_issue in snyk_issues:
+        vulnerable_package_name = snyk_issue.package
+        vulnerable_package_version = snyk_issue.version
+        if release_packages.get(vulnerable_package_name) == vulnerable_package_version:
+            filtered_vulnerability_issues.append(snyk_issue)
+    return filtered_vulnerability_issues
+
+
 def find_vulnerabilities(
     releases: Dict[str, Dict[str, str]],
     repository: Dict[str, Any],
-    org: OrganizationManager,
+    org: Organization,
 ) -> Dict[str, List[Vulnerability]]:
     result = {}
 
@@ -121,8 +132,10 @@ def find_vulnerabilities(
         snyk_search_string = create_snyk_search_string(pip_packages)
         snyk_result = org.test_pipfile(snyk_search_string)
         vulnerability_issues = get_unique_issues(snyk_result.issues.vulnerabilities)
-        result[release_name] = vulnerability_issues
-
+        filtered_vulnerabity_issues = filter_vulnerability_issues(
+            vulnerability_issues, packages
+        )
+        result[release_name] = filtered_vulnerabity_issues
     return result
 
 
@@ -172,7 +185,7 @@ def _format_github(vulnerabilities: Dict[str, List[Vulnerability]]) -> str:
     return html.escape(result)
 
 
-def _get_org(api_token: str, org_id: str) -> OrganizationManager:
+def _get_org(api_token: str, org_id: str) -> Organization:
     client = SnykClient(api_token)
     return client.organizations.get(org_id)
 

tests/test_snyk_reporting.py

@@ -1,3 +1,4 @@
+from typing import Mapping, Sequence
 from unittest.mock import Mock, patch
 
 import pytest
@@ -6,17 +7,17 @@
 from komodo.snyk_reporting import snyk_main
 
 
-def _create_result_mock(issue_ids):
+def _create_result_mock(issues: Sequence[Mapping[str, str]]):
     result_mock = Mock()
     result_mock.issues.vulnerabilities = [
         Vulnerability(
-            id=issue_id,
+            id=issue["id"],
             url="some_url",
             title="some_title",
             description="some_description",
             upgradePath="some_upgradePath",
-            package="some_package",
-            version="some_version",
+            package=issue["package"],
+            version=issue["version"],
             severity="some_severity",
             exploitMaturity="some_exploitMaturity",
             isUpgradable="some_isUpgradable",
@@ -25,7 +26,7 @@ def _create_result_mock(issue_ids):
             identifiers="some_identifiers",
             semver="some_semver",
         )
-        for issue_id in issue_ids
+        for issue in issues
     ]
     return result_mock
 
@@ -40,32 +41,42 @@ def test_no_api_token():
 
 
 @pytest.mark.parametrize(
-    ("packages", "expected_search_string", "input_issue_ids", "expected_issue_ids"),
+    ("packages", "expected_search_string", "input_issues", "expected_issue_ids"),
     [
         (
             {"pyaml": "20.4.0"},
             "pyaml==20.4.0",
-            ("some_issue1", "some_issue2"),
+            (
+                {"id": "some_issue1", "package": "pyaml", "version": "20.4.0"},
+                {"id": "some_issue2", "package": "pyaml", "version": "20.4.0"},
+            ),
             ("some_issue1", "some_issue2"),
         ),
         (
             {"pyaml": "20.4.0"},
             "pyaml==20.4.0",
-            ("some_issue1", "some_issue2", "some_issue2"),
+            (
+                {"id": "some_issue1", "package": "pyaml", "version": "20.4.0"},
+                {"id": "some_issue2", "package": "pyaml", "version": "20.4.0"},
+                {"id": "some_issue2", "package": "pyaml", "version": "20.4.0"},
+            ),
             ("some_issue1", "some_issue2"),
         ),
         (
             {"pyaml": "20.4.0", "flask": "1.2.0"},
             "pyaml==20.4.0\nflask==1.2.0",
-            ("some_issue1", "some_issue1"),
+            (
+                {"id": "some_issue1", "package": "pyaml", "version": "20.4.0"},
+                {"id": "some_issue1", "package": "flask", "version": "1.2.0"},
+            ),
             ("some_issue1",),
         ),
     ],
 )
 def test_snyk_reporting(
     packages,
     expected_search_string,
-    input_issue_ids,
+    input_issues: Sequence[Mapping[str, str]],
     expected_issue_ids,
 ):
     releases = {"2025.05.00": packages}
@@ -93,7 +104,7 @@ def test_snyk_reporting(
         },
     )
     org_mock = Mock()
-    org_mock.test_pipfile.return_value = _create_result_mock(input_issue_ids)
+    org_mock.test_pipfile.return_value = _create_result_mock(input_issues)
     with patch(
         "komodo.snyk_reporting._get_org",
         return_value=org_mock,