[ANE-1892] Adds dynamic severity output to fossa test #1562
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It seems changing the Nix channel to |
james-fossa
approved these changes
Jul 17, 2025
spatten
approved these changes
Jul 17, 2025
|
Thanks y'all, updated the changelog and removed the comment since it's no longer accurate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR updates fossa test to reference an unutilized key in the CLI API response.
Paired with https://github.com/fossas/FOSSA/pull/15973, this change will dynamically print the severity in the fossa test "issue identified" message. In the case that the output is still
null(on older instances), "A vulnerability was identified in x" will be shown.This aligns with the AC in the ticket, though I've removed the hard-coded "Critical vulnerability" reference to avoid confusion.
Acceptance criteria
FOSSA CLI users can now get more accurate information about their projects at a glance when running
fossa test.The fallback also works, on older FOSSA instances
Testing plan
I tested this by compiling the CLI and using the binary on a local project that contained dummy vulnerabilities. Testing was admittedly convoluted, but a reviewer could probably point their local instance to the vulns database and checkout the FOSSA branch from the above PR.
From there, run the CLI from the action and test against a project with vulnerability issues of varying severity.
The output should report the severity of each issue in the identification message.
To confirm the fallback, you can run
fossa teston a project in CORE, or a different branch. You should see the fallback message.Risks
Severity Output Change
I think this has little risk. There's a fallback that also makes the default
fossa testmessage less alarming.Integration Test Update
This PR also introduces a fix for a failing test by changing the nix channel from unstable to the latest stable version. After some testing, it seems like the unstable channel has an issue with jdk8. I'm not sure if this is transient. This was causing two integration tests to fail. Stable is updated every six months, so I think this may come with some risk.
References
ANE-1892
https://teamfossa.slack.com/archives/C043EM3L96Z/p1752593818823499
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.