From c25b242e338b7244fce600bef91eea4fcabf0edf Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 09:32:38 +0200 Subject: [PATCH 1/3] When a vulnerable package does NOT have a fix version, do NOT report it as resolved. This is an issue with how pip-audit & git look at the upper limits and assumes the next version will resolve it
---
 .../util/dependencies/track_vulnerabilities.py | 4 +++- .../dependencies/track_vulnerabilities_test.py | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/exasol/toolbox/util/dependencies/track_vulnerabilities.py b/exasol/toolbox/util/dependencies/track_vulnerabilities.py
index 04f4497abd..37d72da31e 100644
--- a/exasol/toolbox/util/dependencies/track_vulnerabilities.py
+++ b/exasol/toolbox/util/dependencies/track_vulnerabilities.py
@@ -56,7 +56,9 @@ def resolved_vulnerabilities(self) -> list[Vulnerability]:
 """
 matcher = VulnerabilityMatcher(self.current_vulnerabilities)
 return [
- vuln for vuln in self.previous_vulnerabilities if matcher.is_resolved(vuln)
+ vuln
+ for vuln in self.previous_vulnerabilities
+ if vuln.fix_versions and matcher.is_resolved(vuln)
 ]
 
 def report_resolved_vulnerabilities(self) -> str:
diff --git a/test/unit/util/dependencies/track_vulnerabilities_test.py b/test/unit/util/dependencies/track_vulnerabilities_test.py
index bff6eae71a..71e1ed51ab 100644
--- a/test/unit/util/dependencies/track_vulnerabilities_test.py
+++ b/test/unit/util/dependencies/track_vulnerabilities_test.py
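Review bot: The new `vuln.fix_versions` guard lives only in this comprehension, so `VulnerabilityMatcher.is_resolved` (not visible in the hunk) still answers "resolved" for a no-fix-version vulnerability to any other caller of the matcher; if the rule is meant to hold everywhere, place it in `is_resolved` itself, e.g. `if not vuln.fix_versions: return False` as its first statement, and leave this call site as it was. The trade-off also deserves documenting: a previous finding that has vanished from the current audit but carries no `fix_versions` now appears neither as open nor as resolved, which is the safe default (no unverified "fixed" claim) but should be stated in the docstring of `resolved_vulnerabilities`, whose opening lies outside the hunk, e.g. `Entries without fix_versions are never reported as resolved, since their disappearance cannot be tied to an upgrade.`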
@@ -117,3 +117,17 @@ def test_resolved_vulnerability(self, sample_vulnerability):
 current_vulnerabilities=[],
 )
 assert audit.resolved_vulnerabilities == [sample_vulnerability.vulnerability]
+
+ def test_vulnerability_without_fix_version_is_not_reported_as_resolved(
+ self, sample_vulnerability
+ ):
+ vuln = sample_vulnerability.vulnerability.model_copy(
+ update={"fix_versions": []}
+ )
+ audit = DependenciesAudit(
+ previous_vulnerabilities=[vuln],
+ current_vulnerabilities=[],
+ )
+
+ assert audit.resolved_vulnerabilities == []
+ assert audit.report_resolved_vulnerabilities() == ""
From d8491fde9496aad2f760f7bcbb3f1fae072cea3a Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 09:32:55 +0200 Subject: [PATCH 2/3] Prepare release 7.0.0
---
 .github/actions/security-issues/action.yml | 2 +- doc/changes/changelog.md | 2 ++ doc/changes/changes_7.0.0.md | 26 +++++++++++++++++++ doc/changes/unreleased.md | 22 ---------------- .../github/workflows/build-and-publish.yml | 2 +- .../github/workflows/check-release-tag.yml | 2 +- .../templates/github/workflows/checks.yml | 16 ++++++------ .../templates/github/workflows/gh-pages.yml | 2 +- .../templates/github/workflows/matrix-all.yml | 2 +- .../github/workflows/matrix-exasol.yml | 2 +- .../github/workflows/matrix-python.yml | 2 +- .../templates/github/workflows/report.yml | 2 +- .../github/workflows/slow-checks.yml | 2 +- project-template/cookiecutter.json | 2 +- 14 files changed, 46 insertions(+), 40 deletions(-) create mode 100644 doc/changes/changes_7.0.0.md
diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml
index 70a06b4b5e..aa565632d6 100644
--- a/.github/actions/security-issues/action.yml
+++ b/.github/actions/security-issues/action.yml
@@ -39,7 +39,7 @@ runs:
 - name: Install Python Toolbox / Security tool
 shell: bash
 run: |
- pip install exasol-toolbox==6.4.0
+ pip install exasol-toolbox==7.0.0
 
 - name: Create Security Issue Report
 shell: bash
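Review bot: `model_copy(update={"fix_versions": []})` does not run validation on the updated field (pydantic v2 documents `model_copy` updates as unvalidated), so the test pins the guard's behaviour for a literal empty list but says nothing about the value the model actually holds when pip-audit reports no fix — an empty list, or possibly `None` if the field is optional, which is not visible here. Building the vulnerability through the model constructor or `model_validate` with the fix-version field omitted would exercise the state a real audit produces, and parametrizing over `[]` and `None` would cover both if the model admits them. The positive case with a non-empty `fix_versions` is already covered by `test_resolved_vulnerability` directly above.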
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index a73cd6e31b..be5a0b7165 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,6 +1,7 @@
 # Changelog
 
 * [unreleased](unreleased.md)
+* [7.0.0](changes_7.0.0.md)
 * [6.4.0](changes_6.4.0.md)
 * [6.3.0](changes_6.3.0.md)
 * [6.2.0](changes_6.2.0.md)
@@ -63,6 +64,7 @@
 hidden:
 ---
 unreleased
+changes_7.0.0
 changes_6.4.0
 changes_6.3.0
 changes_6.2.0
diff --git a/doc/changes/changes_7.0.0.md b/doc/changes/changes_7.0.0.md
new file mode 100644
index 0000000000..c6ad54fe8b
--- /dev/null
+++ b/doc/changes/changes_7.0.0.md
@@ -0,0 +1,26 @@
+# 7.0.0 - 2026-04-29
+
+## Summary
+
+In this major release, support for the `version.py`file has been removed. Users should:
+
+- delete the `version.py` file
+- add in their project's `__init__.py` module
+
+ ```python
+ from importlib.metadata import version
+ __version__ = version("")
+ ```
+This is required for the nox session `docs:multiversion` to successfully complete,
+and it is a Python standard for users to check in the terminal which version they are
+using.
+
+## Feature
+
+* #803: Included other dependencies for local `pip-audit` check
+
+## Refactoring
+
+* #800: Removed tbx security pretty-print, tbx lint pretty-print, and creation of .lint.txt, as superseded by Sonar and .lint.json usage
+* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage, `subprocess` commands, & improved minor maintainability items
+* #629: Replace `version.py` with version from the `__init__.py`
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
index edb2b0cca1..fb4737052b 100644
--- a/doc/changes/unreleased.md
+++ b/doc/changes/unreleased.md
@@ -1,25 +1,3 @@
 # Unreleased
 
 ## Summary
-
-In this major release, support for the `version.py`file has been removed. Users should:
-- delete the `version.py` file
-- add in their project's `__init__.py` module
-
- ```python
- from importlib.metadata import version
- __version__ = version("")
- ```
-This is required for the nox session `docs:multiversion` to successfully complete,
-and it is a Python standard for users to check in the terminal which version they are
-using.
-
-## Feature
-
-* #803: Included other dependencies for local `pip-audit` check
-
-## Refactoring
-
-* #800: Removed tbx security pretty-print, tbx lint pretty-print, and creation of .lint.txt, as superseded by Sonar and .lint.json usage
-* #791: Resolved Sonar concerns: accepted specific `subprocess` import usage, `subprocess` commands, & improved minor maintainability items
-* #629: Replace `version.py` with version from the `__init__.py`
diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml
index b52d26a8e2..83877e39d8 100644
--- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml
+++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
index 485af3c77b..f9fb6f697a 100644
--- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml
+++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml
@@ -17,7 +17,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml
index d5b99d28c3..ee09b0e9f6 100644
--- a/exasol/toolbox/templates/github/workflows/checks.yml
+++ b/exasol/toolbox/templates/github/workflows/checks.yml
@@ -16,7 +16,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
@@ -42,7 +42,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
@@ -67,7 +67,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "(( dependency_manager_version ))"
@@ -102,7 +102,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "(( dependency_manager_version ))"
@@ -128,7 +128,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "(( dependency_manager_version ))"
@@ -157,7 +157,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
@@ -179,7 +179,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
@@ -205,7 +205,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
index e0b3b856bb..4341e2316a 100644
--- a/exasol/toolbox/templates/github/workflows/gh-pages.yml
+++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml
index 53b6b484b3..d78b3e6bb6 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-all.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
index cf39258755..f630009067 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml
index 4cc78207ac..7d091a0788 100644
--- a/exasol/toolbox/templates/github/workflows/matrix-python.yml
+++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
index 76a3555d96..54114c0f0a 100644
--- a/exasol/toolbox/templates/github/workflows/report.yml
+++ b/exasol/toolbox/templates/github/workflows/report.yml
@@ -20,7 +20,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "(( minimum_python_version ))"
 poetry-version: "(( dependency_manager_version ))"
diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml
index 48e4912119..d94cf01ad6 100644
--- a/exasol/toolbox/templates/github/workflows/slow-checks.yml
+++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml
@@ -29,7 +29,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-version }}
 poetry-version: "(( dependency_manager_version ))"
diff --git a/project-template/cookiecutter.json b/project-template/cookiecutter.json
index 08df5cac55..2c2914f56a 100644
--- a/project-template/cookiecutter.json
+++ b/project-template/cookiecutter.json
@@ -9,7 +9,7 @@
 "author_email": "opensource@exasol.com",
 "project_short_tag": "",
 "python_version_min": "3.10",
- "exasol_toolbox_version_range": ">=6.4.0,<7",
+ "exasol_toolbox_version_range": ">=7.0.0,<8",
 "license_year": "{% now 'utc', '%Y' %}",
 "__repo_name_slug": "{{cookiecutter.package_name}}",
 "__package_name_slug": "{{cookiecutter.package_name}}",
From 785350319e5fb6e13935724796d1dc948ff3eaa3 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 09:39:14 +0200 Subject: [PATCH 3/3] Add to summary
---
 doc/changes/changes_7.0.0.md | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/doc/changes/changes_7.0.0.md b/doc/changes/changes_7.0.0.md
index c6ad54fe8b..2f4d33aecb 100644
--- a/doc/changes/changes_7.0.0.md
+++ b/doc/changes/changes_7.0.0.md
@@ -15,6 +15,13 @@ This is required for the nox session `docs:multiversion` to successfully complet
 and it is a Python standard for users to check in the terminal which version they are
 using.
 
+The underlying code for the nox sessions `vulnerabilities:resolved` and
+`release:prepare` have been modified so that all dependencies (`main`, in `groups`,
+and in `optional groups`) are considered for the vulnerability report. Additionally,
+we only consider a vulnerability resolved if `pip-audit` includes `fix_versions`
+for the dependency. Previously, these nox sessions only reported the dependencies
+of `main` and the transitive dependencies of `main`.
+
 ## Feature
 
 * #803: Included other dependencies for local `pip-audit` check