Updated the Security Issue comment to the new template

dacoburn · dacoburn · commit d35da29889ff · 2025-04-21T07:31:38.000-07:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.0.53"
+version = "2.0.54"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [
diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py
@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '2.0.53'
+__version__ = '2.0.54'
diff --git a/socketsecurity/core/messages.py b/socketsecurity/core/messages.py
@@ -302,26 +302,95 @@ def create_security_comment_json(diff: Diff) -> dict:
     @staticmethod
     def security_comment_template(diff: Diff) -> str:
         """
-        Creates the security comment template
-        :param diff: Diff - Diff report with the data needed for the template
-        :return:
+        Generates the security comment template in the new required format.
+        Dynamically determines placement of the alerts table if markers like `<!-- start-socket-alerts-table -->` are used.
+
+        :param diff: Diff - Contains the detected vulnerabilities and warnings.
+        :return: str - The formatted Markdown/HTML string.
         """
-        md = MdUtils(file_name="markdown_security_temp.md")
-        md.new_line("<!-- socket-security-comment-actions -->")
-        md.new_header(level=1, title="Socket Security: Issues Report")
-        md.new_line("Potential security issues detected. Learn more about [socket.dev](https://socket.dev)")
-        md.new_line("To accept the risk, merge this PR and you will not be notified again.")
-        md.new_line()
-        md.new_line("<!-- start-socket-alerts-table -->")
-        md, ignore_commands, next_steps = Messages.create_security_alert_table(diff, md)
-        md.new_line("<!-- end-socket-alerts-table -->")
-        md.new_line()
-        md = Messages.create_next_steps(md, next_steps)
-        md = Messages.create_deeper_look(md)
-        md = Messages.create_remove_package(md)
-        md = Messages.create_acceptable_risk(md, ignore_commands)
-        md.create_md_file()
-        return md.file_data_text.lstrip()
+        # Start of the comment
+        comment = """<!-- socket-security-comment-actions -->
+
+> **❗️ Caution**  
+> **Review the following alerts detected in dependencies.**  
+>  
+> According to your organization’s Security Policy, you **must** resolve all **“Block”** alerts before proceeding. It’s recommended to resolve **“Warn”** alerts too.  
+> Learn more about [Socket for GitHub](https://socket.dev?utm_medium=gh).
+
+<!-- start-socket-updated-alerts-table -->
+<table>
+  <thead>
+    <tr>
+      <th>Action</th>
+      <th>Severity</th>
+      <th align="left">Alert (click for details)</th>
+    </tr>
+  </thead>
+  <tbody>
+    """
+
+        # Loop through alerts, dynamically generating rows
+        for alert in diff.new_alerts:
+            severity_icon = Messages.get_severity_icon(alert.severity)
+            action = "Block" if alert.error else "Warn"
+            details_open = ""
+            # Generate a table row for each alert
+            comment += f"""
+<!-- start-socket-alert-{alert.pkg_name}@{alert.pkg_version} -->
+<tr>
+  <td><strong>{action}</strong></td>
+  <td align="center">
+      <img src="{severity_icon}" alt="{alert.severity}" width="20" height="20">
+  </td>
+  <td>
+    <details {details_open}>
+      <summary>{alert.pkg_name}@{alert.pkg_version} - {alert.title}</summary>
+      <p><strong>Note:</strong> {alert.description}</p>
+      <p><strong>Source:</strong> <a href="{alert.manifests}">Manifest File</a></p>
+      <p>ℹ️ Read more on:  
+      <a href="{alert.purl}">This package</a> |  
+      <a href="{alert.url}">This alert</a> |  
+      <a href="https://socket.dev/alerts/malware">What is known malware?</a></p>
+      <blockquote>
+        <p><em>Suggestion:</em> {alert.suggestion}</p>
+        <p><em>Mark as acceptable risk:</em> To ignore this alert only in this pull request, reply with:<br/>
+        <code>@SocketSecurity ignore {alert.pkg_name}@{alert.pkg_version}</code><br/>
+        Or ignore all future alerts with:<br/>
+        <code>@SocketSecurity ignore-all</code></p>
+      </blockquote>
+    </details>
+  </td>
+</tr>
+<!-- end-socket-alert-{alert.pkg_name}@{alert.pkg_version} -->
+    """
+
+        # Close table and comment
+        comment += """
+  </tbody>
+</table>
+<!-- end-socket-alerts-table -->
+
+[View full report](https://socket.dev/...&action=error%2Cwarn)
+    """
+
+        return comment
+
+    @staticmethod
+    def get_severity_icon(severity: str) -> str:
+        """
+        Maps severity levels to their corresponding badge/icon URLs.
+
+        :param severity: str - Severity level (e.g., "Critical", "High").
+        :return: str - Badge/icon URL.
+        """
+        severity_map = {
+            "critical": "https://github-app-statics.socket.dev/severity-3.svg",
+            "high": "https://github-app-statics.socket.dev/severity-2.svg",
+            "medium": "https://github-app-statics.socket.dev/severity-1.svg",
+            "low": "https://github-app-statics.socket.dev/severity-0.svg",
+        }
+        return severity_map.get(severity.lower(), "https://github-app-statics.socket.dev/severity-0.svg")
+
 
     @staticmethod
     def create_next_steps(md: MdUtils, next_steps: dict):
diff --git a/socketsecurity/core/scm_comments.py b/socketsecurity/core/scm_comments.py
@@ -84,9 +84,22 @@ def is_heading_line(line) -> bool:
 
     @staticmethod
     def process_security_comment(comment: Comment, comments) -> str:
-        lines = []
-        start = False
         ignore_all, ignore_commands = Comments.get_ignore_options(comments)
+        if "start-socket-alerts-table" in "".join(comment.body_list):
+            new_body = Comments.process_original_security_comment(comment, ignore_all, ignore_commands)
+        else:
+            new_body = Comments.process_updated_security_comment(comment, ignore_all, ignore_commands)
+
+        return new_body
+
+    @staticmethod
+    def process_original_security_comment(
+            comment: Comment,
+            ignore_all: bool,
+            ignore_commands: list[tuple[str, str]]
+    ) -> str:
+        start = False
+        lines = []
         for line in comment.body_list:
             line = line.strip()
             if "start-socket-alerts-table" in line:
@@ -110,8 +123,97 @@ def process_security_comment(comment: Comment, comments) -> str:
                 lines.append(line)
             else:
                 lines.append(line)
-        new_body = "\n".join(lines)
-        return new_body
+        return "\n".join(lines)
+
+    @staticmethod
+    def process_updated_security_comment(
+            comment: Comment,
+            ignore_all: bool,
+            ignore_commands: list[tuple[str, str]]
+    ) -> str:
+        """
+        Processes an updated security comment containing an HTML table with alert sections.
+        Removes entire sections marked by start and end hidden comments if the alert matches
+        ignore conditions.
+
+        :param comment: Comment - The raw comment object containing the existing information.
+        :param ignore_all: bool - Flag to ignore all alerts.
+        :param ignore_commands: list of tuples - Specific ignore commands representing (pkg_name, pkg_version).
+        :return: str - The updated comment as a single string.
+        """
+        lines = []
+        ignore_section = False
+        pkg_name = pkg_version = ""  # Track current package and version
+
+        # Loop through the comment lines
+        for line in comment.body_list:
+            line = line.strip()
+
+            # Detect the start of an alert section
+            if line.startswith("<!-- start-socket-alert-"):
+                # Extract package name and version from the comment
+                try:
+                    start_marker = line[len("<!-- start-socket-alert-"):-4]  # Strip the comment markers
+                    pkg_name, pkg_version = start_marker.split("@")  # Extract pkg_name and pkg_version
+                except ValueError:
+                    pkg_name, pkg_version = "", ""
+
+                # Determine if we should ignore this alert
+                ignore_section = ignore_all or any(
+                    Comments.is_ignore(pkg_name, pkg_version, name, version)
+                    for name, version in ignore_commands
+                )
+
+                # If not ignored, include this start marker
+                if not ignore_section:
+                    lines.append(line)
+
+            # Detect the end of an alert section
+            elif line.startswith("<!-- end-socket-alert-"):
+                # Only include if we are not ignoring this section
+                if not ignore_section:
+                    lines.append(line)
+                ignore_section = False  # Reset ignore flag
+
+            # Include lines inside an alert section only if not ignored
+            elif not ignore_section:
+                lines.append(line)
+
+        return "\n".join(lines)
+
+    @staticmethod
+    def extract_alert_details_from_row(row: str, ignore_all: bool, ignore_commands: list[tuple[str, str]]) -> tuple:
+        """
+        Parses an HTML table row (<tr>) to extract alert details and determine if it should be ignored.
+
+        :param row: str - The HTML table row as a string.
+        :param ignore_all: bool - Flag to ignore all alerts.
+        :param ignore_commands: list of tuples - List of (pkg_name, pkg_version) to ignore.
+        :return: tuple - (pkg_name, pkg_version, ignore)
+        """
+        # Extract package details (pkg_name and pkg_version) from the HTML table row
+        try:
+            # Find the relevant <summary> element to extract package information
+            start_index = row.index("<summary>")
+            end_index = row.index("</summary>")
+            summary_content = row[start_index + 9:end_index]  # Extract content between <summary> tags
+
+            # Example: "npm/malicious-package@1.0.0 - Known Malware Alert"
+            pkg_info, _ = summary_content.split(" - ", 1)
+            pkg_name, pkg_version = pkg_info.split("@")
+        except ValueError:
+            # If parsing fails, skip this row
+            return "", "", False
+
+        # Check ignore logic
+        ignore = False
+        for name, version in ignore_commands:
+            if ignore_all or Comments.is_ignore(pkg_name, pkg_version, name, version):
+                ignore = True
+                break
+
+        return pkg_name, pkg_version, ignore
+
 
     @staticmethod
     def check_for_socket_comments(comments: dict):

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`__author__ = 'socket.dev'`
`2`		`-__version__ = '2.0.53'`
	`2`	`+__version__ = '2.0.54'`