
Add CVE Details and Single-Key Filtering for JSON Output in safety scan #643

Merged 1 commit into main from feature/cve-data-filter-flag on Dec 9, 2024

Conversation

dylanpulver (Collaborator)

This PR introduces the following enhancements to the safety scan command:

1. CVE Details in Detailed JSON Output

  • Added a new section, cve_details, to the JSON output when --detailed-output is enabled and the output format is set to json.
  • The cve_details section provides comprehensive information about CVEs, including affected packages, severity, CVE IDs, and advisory links.

2. Single-Key Filtering for JSON Output

  • Implemented the ability to filter the JSON output by a single top-level key using the --filter option.
  • Users can now focus on specific sections of the report, such as meta or cve_details, simplifying the output for targeted use cases.

3. Improved Report Processing

  • Encapsulated the filtering logic into a reusable helper function, filter_json_keys, improving maintainability and readability.

Testing

  • Manually tested JSON output with and without the --filter option to ensure correctness.
  • Verified that:
    • JSON output includes cve_details only when --detailed-output is enabled.
    • The --filter option correctly outputs only the specified top-level key.

Usage Examples

  • python -m safety scan --detailed-output --output json: Includes the new cve_details section in the JSON output.
  • python -m safety scan --detailed-output --output json --filter cve_details: Outputs only the cve_details section.
  • python -m safety scan --detailed-output --output json --filter meta: Outputs only the meta section.

These changes enhance the usability of the safety scan command by providing more actionable data and allowing users to filter output for specific use cases.
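The filtering and cve_details behaviour described above, as an added example that is not the project's own code: an illustrative filter_json_keys that keeps exactly one top-level key, plus one way a CI job might consume a cve_details section. The report shape (a meta mapping and a cve_details list with package, severity, CVE ID and advisory fields), the severity labels, and the CVE identifiers are all assumptions constructed for this page, not safety's real schema.

```python
"""Added example, not code from the safety project: a single-top-level-key
filter over a JSON scan report, plus one way to consume a cve_details
section in CI.

The report below is constructed for this page. Its shape (a `meta` mapping
and a `cve_details` list with package, severity, CVE ID and advisory link
fields) is an assumption drawn from the PR description, not safety's real
schema; the CVE identifiers are placeholders, not real CVEs.
"""
import json
from typing import Any, Dict, List

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]  # assumed labels

SAMPLE_REPORT: Dict[str, Any] = {
    "meta": {"tool": "safety", "command": "scan", "detailed_output": True},
    "cve_details": [
        {
            "package": "examplepkg",
            "installed_version": "1.0.0",
            "cve_id": "CVE-0000-0001",  # placeholder, not a real CVE
            "severity": "HIGH",
            "advisory": "https://example.invalid/advisory/1",
        },
        {
            "package": "otherpkg",
            "installed_version": "2.3.4",
            "cve_id": "CVE-0000-0002",  # placeholder, not a real CVE
            "severity": "LOW",
            "advisory": "https://example.invalid/advisory/2",
        },
    ],
    "projects": [],
}


def filter_json_keys(report: Dict[str, Any], key: str) -> Dict[str, Any]:
    """Return a report containing only the requested top-level key.

    This is what a `--filter <key>` option needs to do: keep exactly one
    top-level section and drop the rest. An unknown key is an error rather
    than an empty result, so a typo in a CI pipeline fails loudly instead
    of silently passing a gate on an empty section.
    """
    if key not in report:
        raise KeyError(f"unknown top-level key {key!r}; available: {sorted(report)}")
    return {key: report[key]}


def severity_rank(label: str) -> int:
    """Position of a severity label in SEVERITY_ORDER. Unknown or missing
    labels rank above everything so a new or misspelled label is never
    silently ignored by a threshold check (fail closed)."""
    try:
        return SEVERITY_ORDER.index(label.upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def cves_at_or_above(report: Dict[str, Any], threshold: str) -> List[str]:
    """CVE IDs from cve_details whose severity meets the threshold.

    Intended for a gate such as `--filter cve_details` piped into a script
    that fails the build on HIGH or worse.
    """
    section = filter_json_keys(report, "cve_details")["cve_details"]
    floor = severity_rank(threshold)
    return [
        entry["cve_id"]
        for entry in section
        if severity_rank(entry.get("severity", "")) >= floor
    ]


def render_filtered(report: Dict[str, Any], key: str) -> str:
    """Serialize the filtered report the way a CLI would print it."""
    return json.dumps(filter_json_keys(report, key), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render_filtered(SAMPLE_REPORT, "meta"))
    print("blocking:", cves_at_or_above(SAMPLE_REPORT, "HIGH"))
```

The unknown-key error and the fail-closed severity ranking are the two places where a gate built on filtered output can otherwise pass silently: an empty section for a mistyped key, or an entry whose severity label the script does not recognise.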

coderabbitai bot commented Dec 9, 2024

Important

Review skipped

Auto reviews are disabled on this repository.

@jakub-safetycli (Collaborator)

Could you add a unit test for the generated JSON output.

@dylanpulver (Collaborator, Author)

Could you add a unit test for the generated JSON output.

Hey @jakub-safetycli, I added unit tests that pass locally; the issue I am facing is that the new cve_details section is only added in the latest scan code, which I run locally as a module.

In the pre-existing test we invoke it via:

result = self.runner.invoke(cli, ["--stage", "cicd", "scan", "--target", self.dirname, "--output", "screen"])

For my new tests, running this way does not contain the latest changes, since they are not deployed.

I switched for my tests to use subprocess via:

import subprocess

# Run the CLI as a module so the local (unreleased) scan code is exercised.
process = subprocess.run(
    ["python", "-m", "safety", "scan", "--target", ".", "--detailed-output", "--output", "json"],
    capture_output=True,
    text=True,
)

but in the CI output it is not able to parse the stdout.

Since the feature here is mostly straightforward and was easy to test manually, I think it would be quicker not to get bogged down in this and to add testing afterwards if it is strictly needed. Please let me know what you think!
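The parse failure described in the comment above, as an added example that is not part of the PR: a helper that locates the JSON document inside a CLI's stdout even when warnings, progress lines or ANSI colour codes surround it, which is a common reason json.loads(process.stdout) fails in CI but not in a local terminal. The safety command line reuses the flags from the thread; the sample stdout is constructed for this page and the helper names are this page's own.

```python
"""Added example, not code from the PR: parse the JSON document out of a
CLI's stdout even when other text surrounds it.

A plain `json.loads(proc.stdout)` fails on the first character if the
process prints anything that is not JSON (a warning, a progress line, an
ANSI colour code) before the report. Instead, try `JSONDecoder.raw_decode`
at every '{' until one parses; raw_decode reads one complete value and
ignores whatever follows it. The sample stdout below is constructed.
"""
import json
import re
import subprocess
import sys
from typing import Any, List, Optional

_ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

# Constructed stdout: a coloured warning containing braces, a progress line,
# the report, and a trailing line. Only the third line is JSON.
SAMPLE_STDOUT = (
    "\x1b[33mWARNING\x1b[0m: deprecated option {see docs}\n"
    "Scanning . ...\n"
    '{"meta": {"tool": "safety"}, "cve_details": []}\n'
    "Done.\n"
)


def extract_json_document(stdout: str) -> Any:
    """Return the first JSON object found in stdout.

    ANSI sequences are stripped first. Each '{' is tried as a start offset;
    a '{' inside ordinary text simply fails to decode and is skipped.
    Raises ValueError if no offset yields a valid object.
    """
    text = _ANSI_ESCAPE.sub("", stdout)
    decoder = json.JSONDecoder()
    for match in re.finditer(r"\{", text):
        try:
            value, _end = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue
        return value
    raise ValueError("no JSON object found in stdout")


def has_json_document(stdout: str) -> bool:
    """True if extract_json_document would succeed on this stdout."""
    try:
        extract_json_document(stdout)
    except ValueError:
        return False
    return True


def safety_scan_command(target: str = ".", filter_key: Optional[str] = None) -> List[str]:
    """Build the `python -m safety scan` command line from the PR thread,
    using sys.executable so the interpreter that has safety installed runs it."""
    cmd = [sys.executable, "-m", "safety", "scan", "--target", target,
           "--detailed-output", "--output", "json"]
    if filter_key:
        cmd += ["--filter", filter_key]
    return cmd


def run_safety_scan_json(target: str = ".", filter_key: Optional[str] = None) -> Any:
    """Run the scan and return the parsed report. Requires safety to be
    installed; not exercised by this page's tests."""
    proc = subprocess.run(safety_scan_command(target, filter_key),
                          capture_output=True, text=True)
    # A non-zero exit is not by itself a parse failure (the tool may exit
    # non-zero when it finds vulnerabilities), so only fail when no JSON
    # came back, and include stderr so the CI failure is diagnosable.
    try:
        return extract_json_document(proc.stdout)
    except ValueError as exc:
        raise RuntimeError(
            f"no JSON from safety (exit {proc.returncode}); stderr:\n{proc.stderr}"
        ) from exc


if __name__ == "__main__":
    print(extract_json_document(SAMPLE_STDOUT))
```

When a test like this fails in CI, printing process.stdout and process.stderr verbatim in the assertion message is the quickest way to see which non-JSON line broke the parse.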

@dylanpulver (Collaborator, Author)

@jakub-safetycli and I agreed to skip the automated tests for now as we were facing issues in the CICD. The code has been manually tested and works as expected.

@dylanpulver dylanpulver force-pushed the feature/cve-data-filter-flag branch 2 times, most recently from 30c6f3e to 0c4fb78 on December 9, 2024 20:25
@jakub-safetycli (Collaborator) left a comment

LGTM

@dylanpulver dylanpulver force-pushed the feature/cve-data-filter-flag branch from c33d8b6 to 8cc5532 on December 9, 2024 22:19
@dylanpulver dylanpulver merged commit 25abf95 into main Dec 9, 2024
12 checks passed
@dylanpulver dylanpulver deleted the feature/cve-data-filter-flag branch December 9, 2024 22:48
dylanpulver added a commit that referenced this pull request Dec 13, 2024
feature/add-branch-name (#641)

chore:Use specific safety schema version

feature/cve-data-filter-flag (#643)

chore/release-3.2.12 (#644)

feat(utils.py): remove email verification

feat(changelog): update version

Auth added

fix urljoin issue
dylanpulver added a commit that referenced this pull request Dec 17, 2024
author Dylan Pulver <[email protected]> 1732560851 -0500
committer Dylan Pulver <[email protected]> 1734466348 -0500
gpgsig -----BEGIN PGP SIGNATURE-----

 iHUEABYKAB0WIQR8hu+aMQHwGtOiprRYOGlsgKaxswUCZ2HbLAAKCRBYOGlsgKax
 s+jrAP97O2+K0k+c7YMwn0JuN9CCAKXSuOo+6e58xt2aThUWoQEA0B00lQhBAZVh
 qcZOk9sMdVXMHl308FNXDEWbCdFT6Qk=
 =4jd3
 -----END PGP SIGNATURE-----

feature/post-prototype

feature/add-branch-name (#641)

chore:Use specific safety schema version

feature/cve-data-filter-flag (#643)

chore/release-3.2.12 (#644)

feat(utils.py): remove email verification

feat(changelog): update version

Auth added

fix urljoin issue

chore:Use specific safety schema version

feat(utils.py): remove email verification

feat(changelog): update version

review changes

switch to target

drop prefixes

fix return code check

extract runtime info

fix