Add --cve Flag to Safety Scan Command for CVE Details Reporting

[dylanpulver]

This PR introduces a new --cve flag to the safety scan command, enabling users to fetch and display detailed CVE (Common Vulnerabilities and Exposures) information for identified vulnerabilities in their project dependencies.
Changes Made

1. New --cve Flag

• Added the --cve flag to the safety scan command.
• When enabled, the command fetches detailed CVE data for vulnerabilities and displays the information in JSON format.

2. CVE Data Extraction

• Extracted relevant CVE details for each vulnerability, including:
  • package: The affected package name.
  • vulnerability_id: The unique safety identifier for the vulnerability.
  • CVE: CVE identifiers and associated metadata (e.g., severity scores, vector strings).
  • more_info: Safety URL linking to additional vulnerability details.
  • advisory: A brief description of the vulnerability.
  • severity: The severity level of the vulnerability (CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN).

3. Custom Severity-Based Sorting

• Sorted CVE data by severity in descending order using a custom mapping:
  • CRITICAL > HIGH > MEDIUM > LOW > UNKNOWN.

4. Enhanced Output

• If CVE details are found:
  • Output is displayed in JSON format for easier parsing and integration.
• If no CVE details are found:
  • Displays a user-friendly message indicating no CVE information is available.

5. Fallback Handling for Missing/Unknown Data

• Added default handling for cases where CVE data or severity levels are missing, ensuring graceful degradation.

Example Usage
Run the following command to scan a project and include CVE details in the output:
safety scan --cve

Summary by CodeRabbit

• New Features

  • Introduced a new command-line option --cve for scanning, allowing users to request CVE details during the scan.
  • Enhanced reporting to include CVE information based on the new option.

• Documentation

  • Updated help text for scanning commands to clarify the inclusion of CVE details and the functionality of package updates.

[coderabbitai]

Walkthrough

The changes primarily enhance the scanning functionality within the safety/scan/command.py file by introducing a new command-line option --cve that allows users to request CVE details during scans. This option defaults to False and modifies the report generation process to include CVE information when enabled. Additionally, the help documentation in safety/scan/constants.py has been updated to clarify the new feature and improve existing help texts, thereby enhancing user understanding of the scanning commands.

Changes

File	Change Summary
safety/scan/command.py	- Added --cve option to scan function to request CVE details (default: False). - Updated process_report to handle cve_output parameter. - Minor formatting and organizational adjustments.
safety/scan/constants.py	- Added SCAN_CVE_HELP for CVE details in scan output. - Updated SCAN_APPLY_FIXES help text to clarify its function regarding requirements.txt.

Possibly related PRs

• fix/clarify-vulnerabilities-found/ #608: The changes in safety/scan/command.py related to the process_report function are relevant as both PRs modify this function to enhance reporting capabilities, specifically in how vulnerabilities are displayed.

Poem

🐇 In the land of code where bunnies play,
New options sprout, brightening the day.
With CVEs now in the scan's embrace,
We hop along, keeping pace.
Help texts refined, our tools now shine,
For safer paths, we joyfully align! 🌼

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bda0f49 and e71a339.

📒 Files selected for processing (1)

• safety/scan/constants.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• safety/scan/constants.py

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[dylanpulver]

Tested locally by running python -m safety scan --cve

Data output looks like the following:

Fetching CVE details...

CVE Details:

{
  "cve_details": [
    {
      "package": "django",
      "affected_version": "==2.2",
      "safety_vulnerability_id": "49733",
      "CVE": [
        "CVE-2022-34265",
        {
          "base_score": 7.5,
          "impact_score": 6.4,
          "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
        },
        {
          "base_score": 9.8,
          "impact_score": 5.9,
          "base_severity": "CRITICAL",
          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "more_info": "https://data.safetycli.com/v/49733/eda",
      "advisory": "Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.\r\nhttps://www.djangoproject.com/weblog/2022/jul/04/security-releases",
      "severity": "CRITICAL"
    },
    {
      "package": "django",
      "affected_version": "==2.2",
      "safety_vulnerability_id": "37815",
      "CVE": [
        "CVE-2020-7471",
        {
          "base_score": 7.5,
          "impact_score": 6.4,
          "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
        },
        {
          "base_score": 9.8,
          "impact_score": 5.9,
          "base_severity": "CRITICAL",
          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "more_info": "https://data.safetycli.com/v/37815/eda",
      "advisory": "Django 1.11.28, 2.2.10 and 3.0.3 include a fix for CVE-2020-7471: SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.",
      "severity": "CRITICAL"
    },
...

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

safety/scan/command.py (3)

470-472: Optimize type checking for CVE data

The multiple isinstance checks can be combined for better readability and performance.

-filtered_cve = [
-    cve for cve in vuln.CVE if isinstance(cve, str) or isinstance(cve, dict)
-]
+filtered_cve = [
+    cve for cve in vuln.CVE if isinstance(cve, (str, dict))
+]

🧰 Tools

🪛 Ruff

471-471: Multiple isinstance calls for cve, merge into a single call

Merge isinstance calls for cve

(SIM101)

---

492-498: Consider moving severity order mapping to constants

The severity order mapping should be defined as a constant at the module level for better maintainability and reusability.

+SEVERITY_ORDER = {
+    "CRITICAL": 4,
+    "HIGH": 3,
+    "MEDIUM": 2,
+    "LOW": 1,
+    "UNKNOWN": 0,
+}

-severity_order = {
-    "CRITICAL": 4,
-    "HIGH": 3,
-    "MEDIUM": 2,
-    "LOW": 1,
-    "UNKNOWN": 0,  # Catch-all for unrecognized severities
-}

---

482-487: Simplify severity extraction logic

The nested conditional for severity extraction can be simplified using the get method with a default value.

-"severity": vuln.severity.cvssv3.get(
-    "base_severity", "Unknown"
-)
-if vuln.severity and vuln.severity.cvssv3
-else "Unknown",
+"severity": (vuln.severity and vuln.severity.cvssv3 and 
+            vuln.severity.cvssv3.get("base_severity")) or "Unknown",

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 365ba04 and bda0f49.

📒 Files selected for processing (2)

• safety/scan/command.py (5 hunks)
• safety/scan/constants.py (1 hunks)

🧰 Additional context used

🪛 Ruff

safety/scan/command.py

471-471: Multiple isinstance calls for cve, merge into a single call

Merge isinstance calls for cve

(SIM101)

🔇 Additional comments (3)

safety/scan/constants.py (1)

Line range hint 89-91: LGTM! Clear and consistent help text.

The updated help text for SCAN_APPLY_FIXES follows the established pattern and clearly communicates:

• The scope of supported files
• The impact on requirements.txt files
• Proper formatting using [bold] and [nhc] tags

safety/scan/command.py (2)

244-247: LGTM: Well-structured CLI parameter addition

The new --cve flag follows the established pattern and includes proper type annotations and help text.

---

Line range hint 845-867: LGTM: Well-implemented vulnerability summary function

The function is well-documented, uses proper type hints, and efficiently processes the nested data structure to calculate vulnerability totals.

[SafetyQuincyF]

Tested locally it works for scan but, I didn't see it in safety scan --help.

It populates now, I had to restart my docker container.

[dylanpulver]

Tested locally it works for scan but, I didn't see it in safety scan --help.

It populates now, I had to restart my docker container.

Sounds good! I have it there:

[SafetyQuincyF]

for the launch.json in .vscode can you add the below please?

{
            "name": "Safety Scan --help",
            "type": "debugpy",
            "request": "launch",
            "module": "safety",
            "args": [
                "scan",
                "--help"
            ],
            "console": "integratedTerminal"
        },
        {
            "name": "Safety Scan --cve",
            "type": "debugpy",
            "request": "launch",
            "module": "safety",
            "args": [
                "scan",
                "--cve"
            ],
            "console": "integratedTerminal"
        },

[jakub-safetycli]

It will be worth adding unit tests and assert that the newly added --cve flag actually generates the output that we expect.