Reapply #1209: vulnerability status field + carry-over across re-scans#1236
ocervell wants to merge 1 commit into
Conversation

Walkthrough (CodeRabbit), changes: Vulnerability status field and dedup carry-forward
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@secator/output_types/vulnerability.py`:
- Around line 73-76: Preserve legacy acknowledgment state in Vulnerability
deserialization: the current status normalization in Vulnerability.__init__ (or
the status handling path) always falls back to NEW when status is missing, which
breaks persisted records that only have is_acknowledged set. Update the
normalization logic so that when status is absent or invalid, it maps
is_acknowledged=True to ACKNOWLEDGED and only defaults to NEW otherwise, while
still uppercasing and validating against STATUSES. Add a regression test for
loading a legacy Vulnerability with is_acknowledged=True and no status, and
verify compute_duplicate_updates() carries ACKNOWLEDGED onto the re-found main.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: aad369e1-4b0d-497c-ad5a-9c706f1e0513
📒 Files selected for processing (6)
- secator/config.py
- secator/definitions.py
- secator/hooks/_dedup.py
- secator/output_types/vulnerability.py
- tests/unit/test_dedup.py
- tests/unit/test_output_types.py
```python
# Normalize status: coerce empty / None / unknown values to 'NEW', uppercase.
# Allowed values are NEW / ACKNOWLEDGED / FIXED (see STATUSES).
status = (self.status or '').strip().upper()
self.status = status if status in self.STATUSES else 'NEW'
```
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Preserve legacy is_acknowledged state when status is absent.
Lines 75-76 always normalize an unset/invalid status to NEW. That breaks upgrade compatibility for persisted findings created before this field existed: records with is_acknowledged=True but no status now deserialize as NEW, and compute_duplicate_updates() then treats that as unset instead of carrying ACKNOWLEDGED onto the re-found main.
💡 Proposed fix

```diff
- status = (self.status or '').strip().upper()
- self.status = status if status in self.STATUSES else 'NEW'
+ status = (self.status or '').strip().upper()
+ if status not in self.STATUSES or (status == 'NEW' and self.is_acknowledged):
+     status = 'ACKNOWLEDGED' if self.is_acknowledged else 'NEW'
+ self.status = status
```

A regression test around a legacy Vulnerability(is_acknowledged=True) load path would lock this down.
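Review bot: the fix syncs the two fields in one direction only. After the `+` lines a record loaded with status='ACKNOWLEDGED' and is_acknowledged=False keeps the stale flag, so any caller still reading is_acknowledged (the legacy path this fix is protecting) disagrees with status. Suggest adding `self.is_acknowledged = status == 'ACKNOWLEDGED'` after the normalization so either field is safe to read, and having the regression test assert both fields. Also note that the `status == 'NEW' and self.is_acknowledged` branch makes the flag win over an explicitly stored NEW, so resetting a finding to NEW now requires clearing the flag as well; that precedence is worth a line in the docstring.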
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```diff
 # Normalize status: coerce empty / None / unknown values to 'NEW', uppercase.
 # Allowed values are NEW / ACKNOWLEDGED / FIXED (see STATUSES).
 status = (self.status or '').strip().upper()
-self.status = status if status in self.STATUSES else 'NEW'
+if status not in self.STATUSES or (status == 'NEW' and self.is_acknowledged):
+    status = 'ACKNOWLEDGED' if self.is_acknowledged else 'NEW'
+self.status = status
```
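Review bot: the two comment lines kept at the top of the suggestion no longer describe the code beneath them. "coerce empty / None / unknown values to 'NEW'" is exactly what the new branch stops doing when is_acknowledged is set, and a reader trusting the comment would miss the legacy path. Update the comment in the same commit, e.g. "# Normalize status: uppercase and validate against STATUSES; absent/unknown values fall back to ACKNOWLEDGED when is_acknowledged is set, otherwise NEW."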
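As an added example (not code from the secator project, whose real Vulnerability type and compute_duplicate_updates() in hooks/_dedup.py are not reproduced here): a stand-alone Python model of the normalization the reviewer proposes, with the legacy flag kept in step with the status, plus a hypothetical carry-over step keyed on (name, matched_at) and run over constructed findings from two scans. It shows the legacy case (is_acknowledged=True, no status) surviving a re-scan, a stray lowercase 'fixed ' being normalized, and a default NEW never overwriting an earlier triage status. The dedup key, the function signatures and the two-scan driver are assumptions made for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple

# Allowed values, as quoted in the review (NEW / ACKNOWLEDGED / FIXED).
STATUSES = ('NEW', 'ACKNOWLEDGED', 'FIXED')

# Dedup key: an assumption for this example, not secator's real duplicate logic.
Key = Tuple[str, str]


@dataclass
class Vulnerability:
    """Stand-in for the output type; only the fields this example needs."""
    name: str
    matched_at: str
    status: Optional[str] = None
    is_acknowledged: bool = False

    def __post_init__(self) -> None:
        status = (self.status or '').strip().upper()
        if status not in STATUSES:
            # Absent/unknown status: a record persisted before the field existed
            # may carry its triage state only in the legacy is_acknowledged flag.
            status = 'ACKNOWLEDGED' if self.is_acknowledged else 'NEW'
        elif status == 'NEW' and self.is_acknowledged:
            # Explicit NEW plus the legacy flag: the flag wins, as in the proposed fix.
            status = 'ACKNOWLEDGED'
        self.status = status
        # Keep the legacy flag consistent so readers of either field agree.
        self.is_acknowledged = status == 'ACKNOWLEDGED'

    def key(self) -> Key:
        return (self.name, self.matched_at)


def compute_duplicate_updates(main: Vulnerability, duplicate: Vulnerability) -> Dict[str, object]:
    """Field updates to apply to the re-found `main` from the earlier `duplicate`.

    Hypothetical helper: a status set earlier by a human (ACKNOWLEDGED or FIXED)
    survives a re-scan; a default NEW on the new finding carries nothing over,
    and an explicit non-NEW status on the new finding is never overwritten.
    """
    updates: Dict[str, object] = {}
    if main.status == 'NEW' and duplicate.status != 'NEW':
        updates['status'] = duplicate.status
        updates['is_acknowledged'] = duplicate.status == 'ACKNOWLEDGED'
    return updates


def carry_over(previous_scan: Iterable[Vulnerability],
               new_scan: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Return copies of `new_scan` with earlier triage statuses carried onto re-found items."""
    earlier: Dict[Key, Vulnerability] = {v.key(): v for v in previous_scan}
    result: List[Vulnerability] = []
    for found in new_scan:
        prev = earlier.get(found.key())
        updates = compute_duplicate_updates(found, prev) if prev is not None else {}
        # replace() re-runs __post_init__, so the flag is re-derived from the status.
        result.append(replace(found, **updates))
    return result


# Constructed sample data: a persisted first scan (one legacy record with only the
# flag set, one sloppy status string, one bogus value) and a re-scan where every
# finding comes back with the default NEW.
FIRST_SCAN = [
    Vulnerability('XSS', 'https://example.test/search', None, is_acknowledged=True),
    Vulnerability('Open redirect', 'https://example.test/login', 'fixed '),
    Vulnerability('SQLi', 'https://example.test/items', 'bogus'),
]
RE_SCAN = [
    Vulnerability('XSS', 'https://example.test/search'),
    Vulnerability('Open redirect', 'https://example.test/login'),
    Vulnerability('SQLi', 'https://example.test/items'),
    Vulnerability('SSRF', 'https://example.test/fetch'),
]


def rescan_statuses() -> Dict[str, str]:
    """Name -> status after carry-over of the constructed re-scan."""
    return {v.name: v.status for v in carry_over(FIRST_SCAN, RE_SCAN)}


if __name__ == '__main__':
    for name, status in rescan_statuses().items():
        print(f'{name:14} {status}')
```

The XSS finding reaches the re-scan as ACKNOWLEDGED purely from the legacy flag, which is the upgrade case the review is about; the SQLi record with an unknown status and no flag falls back to NEW and therefore carries nothing, so the re-found SQLi stays NEW.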
Restores the changes from #1209, which was merged (0d7bf7d) and then accidentally reverted by #1234 (b556414a).

A merged PR can't be reopened on GitHub, and re-merging `feat/vuln-status` is a no-op (its commits are already in main's history). The correct restore is to revert the revert — this PR reverts #1234, re-applying #1209's exact changes (vulnerability `status` field + carry-over across re-scans; 6 files).

Supersedes the accidental revert #1234. Original PR: #1209.
Summary by CodeRabbit

New Features
- Vulnerability status field with values `NEW`, `ACKNOWLEDGED`, and `FIXED`; defaults to `NEW`.

Bug Fixes
- Keeps `FIXED` statuses from being overwritten by default `NEW` values.