- Add PackageInfo/ChangelogEntry dataclasses replacing monkey-patched dnf objects
- Fix list-mutation-during-iteration bug in CVE extraction (silent data loss)
- Fix unbound buildTime for edge-case CLI arguments
- Replace bare except with except Exception
- Add type hints, PEP 257 docstrings, and PEP 8 snake_case naming throughout
- Replace wildcard imports with explicit imports
- Add lib/__init__.py for proper package structure
- Use tempfile.mkdtemp() instead of hardcoded /tmp path
- Escape HTML output with html.escape() to prevent XSS
- Use csv stdlib module for CSV output
- Replace deprecated datetime.utcfromtimestamp with timezone-aware alternative
- Fix timezone display (DST-aware tzname selection)
- Use with-statements for all file I/O
- Replace print-to-stderr with logging module
- Remove dead code (unused imports, commented-out debug lines)

Add the ability to read CIQ CSAF advisory JSON files from a local directory (--advisory-dir + --product-codes), generating supplemental CVE data on the fly instead of requiring a pre-built YAML file. CVSS v3 baseScore and baseSeverity are extracted from the advisory JSON and stored in a new CvssInfo dataclass on PackageInfo.cvss_data, while cve_dict remains Dict[str, List[str]] for full backward compatibility with existing YAML files and all output formatters.

New files:
- lib/advisory_read.py: CSAF JSON reader with CVSS extraction
- docs/advisory-dir-option.md: feature documentation

Modified:
- lib/models.py: add CvssInfo dataclass, cvss_data field on PackageInfo
- lib/package_read.py: add cve_data param, _merge_cve_data(), _get_cvss_data(), handle mixed string/dict CVE entries
- repovis.py: add --advisory-dir/--product-codes CLI args and wiring

- Remove per-package cvss_data from PackageInfo; build a global cvss_map on PackageRead via _build_global_cvss_map()
- Pass cvss_map to Output; add _cvss_label() and _cvss_html_span() helpers
- HTML: colour-coded severity spans next to each CVE ID
- CSV: new CVSS Scores column with CVE-ID:score:SEVERITY format
- YAML-CVE: separate top-level 'cvss' section (plain string CVE lists unchanged)
- Add CSS severity classes to html_template.html
- Replace implementation plan with docs/cvss-scoring.md
- Update docs/advisory-dir-option.md with output format details
Pull request overview
Refactors RepoVis’ internal data model and ingestion pipeline to support reading CSAF advisory JSON files directly (via --advisory-dir) and to enrich all report formats with CVSS v3 scoring when available.
Changes:
- Replace monkey-patched DNF package objects with explicit dataclasses (PackageInfo, ChangelogEntry, CvssInfo) and refactor repository reading into lib/package_read.py.
- Add CSAF advisory directory ingestion (lib/advisory_read.py) and wire it into the CLI with --advisory-dir/--product-codes.
- Update output generators (HTML/CSV/YAML-CVE) to optionally include CVSS data and refresh docs/README accordingly.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| repovis.py | Refactored CLI entrypoint; adds advisory-dir options; integrates new reader/output APIs. |
| lib/package_read.py | New DNF repo reader that builds PackageInfo records and a global CVSS map. |
| lib/models.py | Adds dataclasses for package/changelog/CVSS data. |
| lib/advisory_read.py | New CSAF JSON scanner that produces supplemental CVE/CVSS fix data. |
| lib/Output.py | Refactored HTML/CSV/YAML-CVE writers; adds CVSS enrichment and safer HTML escaping for repo-derived content. |
| lib/html/html_template.html | Adds CSS styling for CVSS severity labels and reformats template markup. |
| README.md | Updates usage docs, CLI reference, and adds advisory-dir/CVSS sections. |
| docs/advisory-dir-option.md | New detailed documentation for --advisory-dir architecture and behavior. |
| docs/cvss-scoring.md | New documentation describing CVSS extraction, global map design, and output formats. |
- Rename lib/Output.py → lib/output.py to fix case-sensitive filesystem import
- Parse --startdate as UTC midnight instead of local time
- Guard SRPM name extraction against malformed entries in advisory_read.py
- Escape HTML title with html.escape() for XSS consistency
- Wrap output generation in try/finally so cleanup always runs
- Use logger.exception() to preserve traceback on repo read failure
- Replace O(n²) dedup scan with O(1) set lookup in _build_package_list
- Enforce --days/--startdate mutual exclusivity via argparse group
- Document minimum Python version as ≥ 3.9 in README
- Annotate dnf.module.module_base side-effect import with noqa
Add CSAF advisory support with CVSS scoring, refactor data model
Summary
This PR refactors the RepoVis codebase for robustness and correctness, then adds the ability to read CSAF advisory JSON files directly from a local directory — eliminating the need for a separate advisory-parsing script. CVSS v3 scoring data is extracted from advisories and displayed across all output formats.
Changes

Refactor & bug fixes
- PackageInfo/ChangelogEntry dataclasses replacing monkey-patched DNF objects
- Fix unbound buildTime for edge-case CLI arguments
- Escape HTML output with html.escape() to prevent XSS
- csv stdlib module for CSV output instead of manual string building
- Replace bare except with except Exception, wildcard imports with explicit imports
- tempfile.mkdtemp() instead of hardcoded /tmp path
- Replace print-to-stderr with logging module

--advisory-dir feature
- --advisory-dir and --product-codes CLI options to read CSAF advisory JSONs on the fly
- lib/advisory_read.py module: recursively scans a directory for advisory JSONs, extracts CVE IDs, fix dates, and CVSS v3 scores
- --cveyaml; full backward compatibility preserved

CVSS v3 scoring in output
- cvss_map: Dict[str, CvssInfo] (CVE scores are CVE-global, not per-package)
- CSV: CVSS Scores column (CVE-ID:score:SEVERITY format)
- YAML-CVE: cvss section; cve_fixes lists remain plain strings

Documentation
- README.md with full CLI reference, refreshed examples, and new sections
- docs/advisory-dir-option.md and docs/cvss-scoring.md

Testing

Tested with CSAF advisory directories for lts-9.2 and rlc-9.2 product codes against Rocky Linux 9.2 LTS repositories in all three output formats (HTML, CSV, YAML-CVE).
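An added illustration of the CSAF reading and CVSS output this PR describes (example code written here, not RepoVis's own lib/advisory_read.py or output module): it parses a constructed CSAF 2.0-style advisory, builds the CVE-global cvss_map, and renders the CSV CVE-ID:score:SEVERITY field and an escaped HTML span. The sample JSON layout, the CvssInfo field names and the cvss-<severity> CSS class name are assumptions.

```python
import html
import json
from dataclasses import dataclass
from typing import Dict

# Constructed sample in the generic CSAF 2.0 layout (not a real CIQ advisory):
# one scored CVE, one CVE with no cvss_v3 block, one with only a v2 score.
SAMPLE_ADVISORY = json.dumps({
    "document": {"title": "Constructed example advisory"},
    "vulnerabilities": [
        {"cve": "CVE-2024-0001",
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 9.8,
                                 "baseSeverity": "CRITICAL"}}]},
        {"cve": "CVE-2024-0002"},
        {"cve": "CVE-2024-0003", "scores": [{"cvss_v2": {"baseScore": 5.0}}]},
    ],
})


@dataclass(frozen=True)
class CvssInfo:
    """Assumed field names; the PR's own CvssInfo may differ."""
    base_score: float
    base_severity: str


def build_cvss_map(advisory_json: str) -> Dict[str, CvssInfo]:
    """CVE-global map (scores are per CVE, not per package); unscored CVEs are skipped."""
    cvss_map: Dict[str, CvssInfo] = {}
    for vuln in json.loads(advisory_json).get("vulnerabilities", []):
        cve = vuln.get("cve")
        for score in vuln.get("scores", []):
            v3 = score.get("cvss_v3") or {}
            if cve and "baseScore" in v3:  # tolerate entries without a v3 block
                cvss_map[cve] = CvssInfo(float(v3["baseScore"]),
                                         str(v3.get("baseSeverity", "UNKNOWN")).upper())
    return cvss_map


def cvss_label(cve: str, cvss_map: Dict[str, CvssInfo]) -> str:
    """CSV field in the PR's CVE-ID:score:SEVERITY form; bare ID when unscored."""
    info = cvss_map.get(cve)
    return f"{cve}:{info.base_score}:{info.base_severity}" if info else cve


def cvss_html_span(cve: str, cvss_map: Dict[str, CvssInfo]) -> str:
    """HTML fragment; every advisory/repo-derived string is escaped first."""
    info = cvss_map.get(cve)
    if info is None:
        return html.escape(cve)
    css_class = f"cvss-{info.base_severity.lower()}"  # assumed class naming
    return (f'{html.escape(cve)} <span class="{html.escape(css_class)}">'
            f'{info.base_score} {html.escape(info.base_severity)}</span>')
```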