Merge pull request #2 from hypothesis/copy-code-from-dependabot-batch…

…-review

Copy code from `dependabot-batch-review`

.cookiecutter/cookiecutter.json

@@ -8,7 +8,7 @@
     "package_name": "dependabot_alerts",
     "slug": "dependabot-alerts",
     "short_description": "Notifications of Dependabot alerts across a GitHub organization.",
-    "python_versions": "3.12.0, 3.11.6, 3.10.13, 3.9.18, 3.8.18",
+    "python_versions": "3.12.0, 3.11.6",
     "github_owner": "hypothesis",
     "copyright_holder": "Hypothesis",
     "visibility": "public",

.cookiecutter/includes/README/head.md

@@ -0,0 +1,10 @@
+`dependabot-alerts` lists Dependabot security alerts for all repos of a GitHub
+user or organization. You can run it from the command line:
+
+```terminal
+$ dependabot-alerts <your_github_user_or_organization>
+```
+
+There's also a [GitHub Actions workflow](.github/workflows/alert.yml) that runs
+automatically on a schedule and notifies us in Slack of any Dependabot alerts
+in the `hypothesis` GitHub organization.

.cookiecutter/includes/setuptools/install_requires

@@ -0,0 +1 @@
+requests

.cookiecutter/includes/tox/passenv

@@ -0,0 +1 @@
+dev: GITHUB_TOKEN

.github/workflows/alert.yml

@@ -0,0 +1,44 @@
+name: Alert
+on:
+  schedule:
+    - cron: '30 10 * * 1'
+  workflow_dispatch:
+jobs:
+  Alert:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12
+      - name: Install pipx
+        run: python -m pip install pipx
+      - name: Install gha-token
+        run: python -m pipx install "git+https://github.com/hypothesis/gha-token.git"
+      - name: Checkout dependabot-alerts
+      - uses: actions/checkout@v4
+      - name: Install dependabot-alerts
+        run: python -m pipx install .
+      - name: Get GitHub token
+        id: github_token
+        run: echo GITHUB_TOKEN=$(gha-token --app-id 274948 --installation-id 32440510 --private-key "$PRIVATE_KEY") >> $GITHUB_OUTPUT
+        env:
+          PRIVATE_KEY: ${{ secrets.HYPOTHESIS_GITHUB_APP_PRIVATE_KEY }}
+      - name: Check for alerts
+        id: slack_message
+        run: |
+          {
+            echo 'SLACK_MESSAGE<<EOF'
+            dependabot-alerts hypothesis
+            echo EOF
+          } >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ steps.github_token.outputs.GITHUB_TOKEN }}
+      - name: Post to Slack
+        uses: slackapi/[email protected]
+        with:
+          channel-id: ${{ vars.SLACK_CHANNEL }}
+          slack-message: ${{ env.SLACK_MESSAGE }}
+        env:
+          SLACK_MESSAGE: ${{ steps.slack_message.outputs.SLACK_MESSAGE }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/ci.yml

@@ -39,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.12', '3.11', '3.10', '3.9', '3.8']
+        python-version: ['3.12', '3.11']
     name: Unit tests with Python ${{ matrix.python-version }}
     steps:
       - uses: actions/checkout@v3
@@ -75,7 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.12', '3.11', '3.10', '3.9', '3.8']
+        python-version: ['3.12', '3.11']
     name: Functional tests with Python ${{ matrix.python-version }}
     steps:
       - uses: actions/checkout@v3

.python-version

@@ -1,5 +1,2 @@
 3.12.0
 3.11.6
-3.10.13
-3.9.18
-3.8.18

Makefile

@@ -38,25 +38,10 @@ $(call help,make test-py311,"run the unit tests in Python 3.11")
 test-py311: python
 	@pyenv exec tox -qe py311-tests
 
-.PHONY: test-py310
-$(call help,make test-py310,"run the unit tests in Python 3.10")
-test-py310: python
-	@pyenv exec tox -qe py310-tests
-
-.PHONY: test-py39
-$(call help,make test-py39,"run the unit tests in Python 3.9")
-test-py39: python
-	@pyenv exec tox -qe py39-tests
-
-.PHONY: test-py38
-$(call help,make test-py38,"run the unit tests in Python 3.8")
-test-py38: python
-	@pyenv exec tox -qe py38-tests
-
 .PHONY: coverage
 $(call help,make coverage,"run the tests and print the coverage report")
 coverage: python
-	@pyenv exec tox --parallel -qe 'tests,py{311,310,39,38}-tests,coverage'
+	@pyenv exec tox --parallel -qe 'tests,py{311}-tests,coverage'
 
 .PHONY: functests
 $(call help,make functests,"run the functional tests in Python 3.12")
@@ -68,26 +53,11 @@ $(call help,make functests-py311,"run the functional tests in Python 3.11")
 functests-py311: python
 	@pyenv exec tox -qe py311-functests
 
-.PHONY: functests-py310
-$(call help,make functests-py310,"run the functional tests in Python 3.10")
-functests-py310: python
-	@pyenv exec tox -qe py310-functests
-
-.PHONY: functests-py39
-$(call help,make functests-py39,"run the functional tests in Python 3.9")
-functests-py39: python
-	@pyenv exec tox -qe py39-functests
-
-.PHONY: functests-py38
-$(call help,make functests-py38,"run the functional tests in Python 3.8")
-functests-py38: python
-	@pyenv exec tox -qe py38-functests
-
 .PHONY: sure
 $(call help,make sure,"make sure that the formatting$(comma) linting and tests all pass")
 sure: python
 sure:
-	@pyenv exec tox --parallel -qe 'checkformatting,lint,tests,py{311,310,39,38}-tests,coverage,functests,py{311,310,39,38}-functests'
+	@pyenv exec tox --parallel -qe 'checkformatting,lint,tests,py{311}-tests,coverage,functests,py{311}-functests'
 
 .PHONY: template
 $(call help,make template,"update from the latest cookiecutter template")

README.md

@@ -1,5 +1,5 @@
 <a href="https://github.com/hypothesis/dependabot-alerts/actions/workflows/ci.yml?query=branch%3Amain"><img src="https://img.shields.io/github/actions/workflow/status/hypothesis/dependabot-alerts/ci.yml?branch=main"></a>
-<a><img src="https://img.shields.io/badge/python-3.12 | 3.11 | 3.10 | 3.9 | 3.8-success"></a>
+<a><img src="https://img.shields.io/badge/python-3.12 | 3.11-success"></a>
 <a href="https://github.com/hypothesis/dependabot-alerts/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-BSD--2--Clause-success"></a>
 <a href="https://github.com/hypothesis/cookiecutters/tree/main/pypackage"><img src="https://img.shields.io/badge/cookiecutter-pypackage-success"></a>
 <a href="https://black.readthedocs.io/en/stable/"><img src="https://img.shields.io/badge/code%20style-black-000000"></a>
@@ -8,6 +8,17 @@
 
 Notifications of Dependabot alerts across a GitHub organization.
 
+`dependabot-alerts` lists Dependabot security alerts for all repos of a GitHub
+user or organization. You can run it from the command line:
+
+```terminal
+$ dependabot-alerts <your_github_user_or_organization>
+```
+
+There's also a [GitHub Actions workflow](.github/workflows/alert.yml) that runs
+automatically on a schedule and notifies us in Slack of any Dependabot alerts
+in the `hypothesis` GitHub organization.
+
 ## Installing
 
 We recommend using [pipx](https://pypa.github.io/pipx/) to install

bin/make_python

@@ -8,7 +8,7 @@ if [ -n "${CI+x}" ]; then exit; fi
 
 pyenv_root=$(pyenv root)
 
-for python_version in 3.12.0 3.11.6 3.10.13 3.9.18 3.8.18; do
+for python_version in 3.12.0 3.11.6; do
     bin_dir=$pyenv_root/versions/$python_version/bin
     if [ ! -f "$bin_dir"/tox ]; then
         pyenv install --skip-existing "$python_version"

setup.cfg

@@ -16,8 +16,9 @@ classifiers =
 package_dir =
     = src
 packages = find:
-python_requires = >=3.8
+python_requires = >=3.11
 install_requires =
+    requests
 
 [options.packages.find]
 where = src

src/dependabot_alerts/cli.py

@@ -1,13 +1,49 @@
 from argparse import ArgumentParser
 from importlib.metadata import version
 
+from dependabot_alerts.core import GitHubClient, Vulnerability, fetch_alerts
 
-def cli(_argv=None):  # pylint:disable=inconsistent-return-statements
+
+def cli(_argv=None):  # pragma: no cover
     parser = ArgumentParser()
-    parser.add_argument("-v", "--version", action="store_true")
+    parser.add_argument(
+        "-v", "--version", action="version", version=version("dependabot-alerts")
+    )
+    parser.add_argument("organization", help="GitHub user or organization")
 
     args = parser.parse_args(_argv)
 
-    if args.version:
-        print(version("dependabot-alerts"))
-        return 0
+    gh_client = GitHubClient.init()
+    vulns = fetch_alerts(gh_client, args.organization)
+    print(format_slack_message(args.organization, vulns))
+
+    return 0
+
+
+def format_slack_message(
+    organization: str, vulns: list[Vulnerability]
+) -> str:  # pragma: no cover
+    """
+    Format a Slack status report from a list of vulnerabilities.
+
+    Returns a message using Slack's "mrkdwn" format. See
+    https://api.slack.com/reference/surfaces/formatting.
+    """
+    if not vulns:
+        return "Found no open vulnerabilities."
+
+    n_repos = len(set(vuln.repo for vuln in vulns))
+
+    msg_parts = []
+    msg_parts.append(f"*Found {len(vulns)} vulnerabilities in {n_repos} repositories.*")
+
+    for vuln in vulns:
+        vuln_msg = []
+        vuln_msg.append(
+            f"{organization}/{vuln.repo}: <{vuln.url}|{vuln.package_name} {vuln.severity} - {vuln.title}>"
+        )
+        if vuln.pr:
+            vuln_msg.append(f"  Resolved by {vuln.pr}")
+        msg_parts.append("\n".join(vuln_msg))
+
+    return "\n\n".join(msg_parts)