Feature/517 release prepare report resolved security issues

doc/changes/unreleased.md

@@ -5,6 +5,7 @@
 ## Features
 
 * #777: Improved VulnerabilityMatcher to handle packages with multiple vulnerabilities
+* #517: Modified nox session `release:prepare` to report resolved security issues
 
 ## Refactoring
 

doc/user_guide/features/creating_a_release.rst

@@ -17,15 +17,17 @@ Preparing a Release
     * Updates the version in the ``pyproject.toml`` and ``version.py``
     * Moves the content of unreleased changes file ``unreleased.md`` to a
       versioned changes file ``changes_<version>.md``
-    * Adds a description of dependency changes to the versioned changes file:
+    * Describes additional changes in the versioned changes file by comparing
+      file ``poetry.lock`` to the latest Git tag:
 
-      * Only direct dependencies are described, no transitive dependencies
-      * Changes are detected by comparing the current content of file
-        ``poetry.lock`` to the latest Git tag.
-    * Updates the ``changelog.md`` list with the newly created versioned changes file
+      * Resolved vulnerabilities based on `Pip Audit`_.
+      * Updated direct dependencies, excluding transitive dependencies
+    * Updates file ``changelog.md`` to list the newly created versioned changes file
     * Commits the changes (can be skipped with ``--no-add``)
     * Pushes the changes and creates a PR (can be skipped with ``--no-pr``)
 
+.. _Pip Audit: https://pypi.org/project/pip-audit/
+
 #. Merge your **Pull Request** to the **default branch**
 
 #. Trigger the release
@@ -53,12 +55,12 @@ Preparing a Release
     Your ``PROJECT_CONFIG`` needs to have the flag
     ``create_major_version_tags=True``.
 
-Updating Dependencies After Having Prepared the Release
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Updating The Versioned Changes File
++++++++++++++++++++++++++++++++++++
 
-If you need to update some more dependencies after running the nox session
-``release:prepare`` you can update them in the changelog by running the nox
-session ``release:update``.
+If you need to update some dependencies after running the nox session
+``release:prepare`` you can update the versioned changes file by running the
+nox session ``release:update``.
 
 
 What to do if the Release Failed?

doc/user_guide/user_guide.rst

@@ -21,28 +21,30 @@ PTB simplifies keeping all of your projects up-to-date, secure, without bugs, us
 
 The PTB gains its name from employing a series of well-established tools to satisfy these goals:
 
-* `Poetry`_ for packaging and managing dependencies
-* `Nox`_ for using the tools via a common CLI
+* `Bandit`_ for detecting security vulnerabilities
 * `Black`_ and `Ruff`_ for source code formatting
-* `Pylint`_ / `Ruff` for linting
 * `Cookiecutter`_ for setting up new projects from a uniform template
-* `Mypy`_ for static type checking
 * `Coverage`_ for measuring code coverage by tests
-* `Bandit`_ for detecting security vulnerabilities
-* `Sphinx`_ for generating the documentation
+* `Mypy`_ for static type checking
+* `Nox`_ for using the tools via a common CLI
+* `Pip Audit`_ for known vulnerabilities in dependencies
+* `Poetry`_ for packaging and managing dependencies
+* `Pylint`_ / `Ruff` for linting
 * `Sonar`_ for reporting code quality based on the findings by other tools
+* `Sphinx`_ for generating the documentation
 
 In rare cases you may need to disable a particular finding reported by one of
 these tools, see :ref:`ptb_troubleshooting`.
 
-.. _Poetry: https://python-poetry.org
-.. _Nox: https://nox.thea.codes/en/stable/
+.. _Bandit: https://bandit.readthedocs.io/en/latest/
 .. _Black: https://black.readthedocs.io/en/stable/
-.. _Ruff: https://docs.astral.sh/ruff
-.. _Pylint: https://pylint.readthedocs.io/en/stable/
 .. _Cookiecutter: https://cookiecutter.readthedocs.io/en/stable/
-.. _Mypy: https://mypy.readthedocs.io/en/stable/
 .. _Coverage: https://coverage.readthedocs.io/en/7.13.4/
-.. _Bandit: https://bandit.readthedocs.io/en/latest/
-.. _Sphinx: https://www.sphinx-doc.org/en/master
+.. _Mypy: https://mypy.readthedocs.io/en/stable/
+.. _Nox: https://nox.thea.codes/en/stable/
+.. _Pip Audit: https://pypi.org/project/pip-audit/
+.. _Poetry: https://python-poetry.org
+.. _Pylint: https://pylint.readthedocs.io/en/stable/
+.. _Ruff: https://docs.astral.sh/ruff
 .. _Sonar: https://docs.sonarsource.com/sonarqube-server
+.. _Sphinx: https://www.sphinx-doc.org/en/master

exasol/toolbox/nox/_release.py

@@ -15,7 +15,7 @@
 from exasol.toolbox.nox.plugin import NoxTasks
 from exasol.toolbox.util.dependencies.shared_models import PoetryFiles
 from exasol.toolbox.util.git import Git
-from exasol.toolbox.util.release.changelog import Changelogs
+from exasol.toolbox.util.release.changelog import Changelog
 from exasol.toolbox.util.version import (
     ReleaseTypes,
     Version,
@@ -64,8 +64,8 @@ def _update_project_version(session: Session, version: Version) -> Version:
     return version
 
 
-def _get_changelogs(version: Version) -> Changelogs:
-    return Changelogs(
+def _get_changelogs(version: Version) -> Changelog:
+    return Changelog(
         changes_path=PROJECT_CONFIG.documentation_path / "changes",
         root_path=PROJECT_CONFIG.root_path,
         version=version,

exasol/toolbox/util/dependencies/audit.py

@@ -32,13 +32,22 @@
 
 @dataclass
 class PipAuditException(Exception):
+    command: list[str]
+    cwd: Path
+    env: dict[str, str]
     returncode: int
     stdout: str
     stderr: str
 
     @classmethod
-    def from_subprocess(cls, proc: subprocess.CompletedProcess) -> PipAuditException:
-        return cls(proc.returncode, proc.stdout, proc.stderr)
+    def from_subprocess(
+        cls,
+        proc: subprocess.CompletedProcess,
+        command: list[str],
+        cwd: Path,
+        env: dict[str, str] | None = None,
+    ) -> PipAuditException:
+        return cls(command, cwd, env or {}, proc.returncode, proc.stdout, proc.stderr)
 
 
 class VulnerabilitySource(str, Enum):
@@ -164,24 +173,29 @@ def audit_poetry_files(working_directory: Path) -> str:
     """
 
     requirements_txt = "requirements.txt"
+    command = ["poetry", "export", "--format=requirements.txt"]
     output = subprocess.run(
-        ["poetry", "export", "--format=requirements.txt"],
+        command,
         capture_output=True,
         text=True,
         cwd=working_directory,
     )  # nosec
     if output.returncode != 0:
-        raise PipAuditException.from_subprocess(output)
+        raise PipAuditException.from_subprocess(output, command, cwd=working_directory)
 
     with tempfile.TemporaryDirectory() as path:
         tmpdir = Path(path)
         (tmpdir / requirements_txt).write_text(output.stdout)
 
         # CLI option `--disable-pip` skips dependency resolution in pip.  The
-        # option can be used with hashed requirements files (which is the case
-        # here) to avoid `pip-audit` installing an isolated environment and
-        # speed up the audit significantly.
-        command = ["pip-audit", "--disable-pip", "-r", requirements_txt, "-f", "json"]
+        # option can be used with hashed requirements files to avoid
+        # `pip-audit` installing an isolated environment and speed up the
+        # audit significantly.
+        #
+        # In real use scenarios of the PTB we usually have hashed
+        # requirements. Unfortunately this is not the case for the example
+        # project created in the integration tests.
+        command = ["pip-audit", "-r", requirements_txt, "-f", "json"]
         output = subprocess.run(
             command,
             capture_output=True,
@@ -195,7 +209,7 @@ def audit_poetry_files(working_directory: Path) -> str:
         # they both map to returncode = 1, so we have our own logic to raise errors
         # for the case of 2) and not 1).
         if not search(PIP_AUDIT_VULNERABILITY_PATTERN, output.stderr.strip()):
-            raise PipAuditException.from_subprocess(output)
+            raise PipAuditException.from_subprocess(output, command, cwd=tmpdir)
     return output.stdout
 
 

exasol/toolbox/util/dependencies/track_vulnerabilities.py

@@ -63,8 +63,6 @@ def report_resolved_vulnerabilities(self) -> str:
         if not (resolved := self.resolved_vulnerabilities):
             return ""
         header = cleandoc("""
-            ## Fixed Vulnerabilities
-
             This release fixes vulnerabilities by updating dependencies:
 
             | Dependency | Vulnerability | Affected | Fixed in |