Parser fixes: CycloneDX dict input, Trivy CVE dedup, and test coverage#66
Open
xMinhx wants to merge 12 commits into
Conversation
- conftest.py patches requests.get + time.sleep in cve_fetcher module
- Skips mock for tests marked @pytest.mark.nvd_integration
- Moves test_cve_fetcher.py module-level code into fixtures
- pytest.ini excludes nvd_integration by default

66 tests now run in ~1s vs timing out at >120s
The ParserManager passes request.data as a dict, but cyclonedx_parser called json.loads() directly, which crashes on dict input. Add an isinstance check to handle both string and dict input, matching the trivy parser's behavior.
Trivy reports can list multiple CVEs for the same (pkg, version) pair. The parser used dependency_name as the dict key, which caused later entries to overwrite earlier ones for the same dep. Switch the key to f"{name}:{version}" and skip duplicate CVE IDs so all vulnerabilities for a dependency are preserved.
Discovered via E2E test: requests@2.32.3 was silently losing CVEs.
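The two parser fixes described in the commit messages above (the str-or-dict input guard and the name:version keying with CVE dedup), as an added illustration that is not the project's own code. It assumes Trivy's `Results[].Vulnerabilities[]` layout with `PkgName`, `InstalledVersion` and `VulnerabilityID`, and the sample report and its CVE ids are constructed placeholders.

```python
import json

# Constructed Trivy-style report (placeholder CVE ids, not real ones): five
# raw entries for three (pkg, version) pairs; one CVE repeats inside
# requests@2.32.3 and one CVE is shared by two urllib3 versions.
SAMPLE_TRIVY_REPORT = {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "requests", "InstalledVersion": "2.32.3", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "requests", "InstalledVersion": "2.32.3", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "requests", "InstalledVersion": "2.32.3", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-00003", "PkgName": "urllib3", "InstalledVersion": "1.26.0", "Severity": "LOW"},
    {"VulnerabilityID": "CVE-0000-00003", "PkgName": "urllib3", "InstalledVersion": "2.0.0", "Severity": "LOW"},
]}]}
SAMPLE_TRIVY_JSON = json.dumps(SAMPLE_TRIVY_REPORT)  # same report as raw JSON text


def parse_trivy_old(report):
    """Pre-fix shape: keyed by name only, one CVE per key, later entries overwrite."""
    deps = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            deps[vuln["PkgName"]] = {"version": vuln["InstalledVersion"],
                                     "cve": vuln["VulnerabilityID"]}
    return deps


def parse_trivy(data):
    """Fixed shape: str or dict input, keyed on name:version, CVE ids deduplicated."""
    # Same isinstance guard the CycloneDX fix adds: ParserManager passes a dict,
    # uploads and tests may pass raw JSON text.
    report = json.loads(data) if isinstance(data, (str, bytes)) else data
    deps = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when clean
            name, version = vuln["PkgName"], vuln["InstalledVersion"]
            entry = deps.setdefault(f"{name}:{version}",
                                    {"name": name, "version": version, "cves": []})
            cve_id = vuln["VulnerabilityID"]
            if cve_id not in entry["cves"]:  # skip duplicate CVE within one dep
                entry["cves"].append(cve_id)
    return deps


def summarize(deps):
    """(dependencies, (dep, cve) pairs, unique CVE ids): the counts the E2E tests check."""
    pairs = [(key, cve) for key, dep in deps.items() for cve in dep["cves"]]
    return len(deps), len(pairs), len({cve for _, cve in pairs})
```

Running `parse_trivy_old` on the sample keeps only the last CVE seen per package name, which is the silent loss the commit message describes; `summarize(parse_trivy(...))` gives the (deps, pairs, unique CVEs) triple in the form the E2E tests report.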
Cover the happy path (string + dict input) and the ParserManager dispatch. CycloneDX tests include a regression case for the dict-input crash that was fixed in the previous commit.
Generated by scanning this project with trivy 0.71.2 and cyclonedx-bom 7.3.0 to provide realistic test data for the previously untested parsers.

- trivy-report-securechecknext.json (312K, 17 deps, 58 vuln entries)
- cyclonedx-report-securechecknext.json (12K, 14 components)
5 tests covering the full upload→parse→DB flow using pre-baked OWASP fixtures (no live NVD calls):

- test_large_report_parses_correctly (54 deps, 33 CVEs)
- test_small_report_parses_correctly (19 deps, 1 CVE)
- test_cve_ids_valid_format (CVE-YYYY-NNNNN pattern)
- test_cve_severity_not_null
- test_threshold_rejects_when_exceeded (406 on LOW)

Marked @pytest.mark.e2e, excluded from default pytest run.
Verify the full upload pipeline for both tools:

- Trivy: 17 deps, 56 Reports, 55 unique CVEObjects stored
- CycloneDX: 14 components stored, 0 CVEs (clean SBOM)

These tests also cover the dedup behavior: trivy's 58 raw vulnerability entries collapse to 56 (dep, cve) pairs because 3 CVEs are shared between deps and 2 are duplicated within the same dep.
…ion now works)" This reverts commit 39ada82.
Retries up to 3 times with delays of 2s, 4s, 8s when NVD returns a server error (5xx). Prevents permanent N/A severity for CVEs that fail due to transient rate limiting or server load.
Summary
Bug fixes for the CycloneDX and Trivy report parsers, with comprehensive unit and e2e test coverage.