Fix Python ecosystem PyPI-to-import name mismatch, Go stdlib handling, and integration test accuracy#243
Open
tmihalac wants to merge 21 commits into
Open
Fix Python ecosystem PyPI-to-import name mismatch, Go stdlib handling, and integration test accuracy#243tmihalac wants to merge 21 commits into
tmihalac wants to merge 21 commits into
Conversation
…low-ups
Python name normalization:
- Add _resolve_tree_key in CCA to fall back to is_same_package for tree
lookups
- Re-key dep tree from PyPI names to import names via
_find_module_dirs/top_level.txt
- Add PEP 503 is_same_package override in PythonLanguageFunctionsParser
- Wire dependency builder into parser via lang_functions_parsers_factory
- Use parser is_same_package in FL _is_package_available instead of inline
lambda
- Use PEP 503 re.sub(r'[-_.]', '-') for root dep matching instead of
replace('-', '_')
- Replace pip install with uv pip install for deptree setup
CCA query parsing:
- Fix dotted function name splitting with rpartition instead of split
- Fix __determine_doc_package_name to use _resolve_tree_key with fallback
JavaScript parser:
- Guard is_function check before get_function_name in
search_for_called_function
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
2 similar comments
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
…, and integration test accuracy Python CCA name resolution: - Add _resolve_tree_key with is_same_package fallback for normalized tree lookups - Re-key dep tree from PyPI names to import names via _find_module_dirs/top_level.txt - Add PEP 503 is_same_package override in PythonLanguageFunctionsParser - Wire dependency builder into parser via lang_functions_parsers_factory - Use parser is_same_package in FL instead of inline lambda - Invoke deptree as python -m deptree instead of bin/deptree entry point - Replace pip install with uv pip install for deptree setup Go stdlib package selection: - Add _find_go_stdlib_candidate to bypass LLM package filter for Go stdlib packages - Scan both candidate_packages and critical_context hints for stdlib module paths - Use _GO_STDLIB_ROOTS frozenset for reliable detection CCA and parser fixes: - Fix dotted functionion and move Go '/' check into correct bl - Fix Python parser Nt in code_documents - Guard is_function c search_for_called_fun Prompt and rule impro - Merge reachability le Rule 6 (package/function pri - Add patch hint preftry guidance - Reduce rule count: - Update all runtime rtions to match new numbering Patch enrichment: - Add JS/Python test FUNC_NAMES (describe,it, beforeEach, etc.) Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
tmihalac
changed the title
Author
|
/test vulnerability-analysis-on-pr |
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
1 similar comment
Author
|
/test vulnerability-analysis-on-pr |
- build_tree() fails when pickle cache is warm and install_dependencies() is skipped - transitive_env/bin/python is a broken symlink from a previous pod - uv fails with Permission denied on ~/.cache/uv when UV_CACHE_DIR is not set - Empty dep tree causes FL to report "Package not found" for valid packages - Add _ensure_uv_cache_dir: sets UV_CACHE_DIR fallback to writable path in cloned repo - Add _ensure_venv_python: re-creates venv when bin/python is missing or broken - Add _build_flat_tree_from_manifest: fallback flat tree from requirements.txt - Call helpers from both build_tree and install_dependencies - Set UV_CACHE_DIR=/tmp/uv-cache in .tekton sidecar env for on-pull-request and on-cm-runner Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
- uv downloaded Python 3.13 but packages live under python3.12 site-packages - Add _detect_existing_site_packages_version: finds installed Python version from transitive_env/lib/python*/ - Prefer detected version over project metadata when re-creating venv Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
5 similar comments
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
version hint exists - When no existing site-packages and no project metadata, uv downloads latest Python (3.13) - Packages installed by lint-and-test under python3.12 become invisible to python3.13 deptree - Add sys.version_info fallback as last resort so venv matches the running container's Python - Always pass explicit --python to uv venv, never let uv pick the latest Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
2 similar comments
Author
|
/test vulnerability-analysis-on-pr |
Author
|
/test vulnerability-analysis-on-pr |
install_dependencies - Extract venv creation from install_dependencies into _ensure_venv with existence check - Both build_tree and install_dependencies now call _ensure_venv for consistent Python version - Remove _detect_existing_site_packages_version — got confused by polluted python3.13 directories - Remove sys.version_info fallback — unnecessary when using determine_python_version consistently - Both lint-and-test (UBI) and integration-test (sidecar) produce same Python version via determine_python_version Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
version hint exists - When determine_python_version returns None, uv venv without --python downloads latest Python (3.13) - Sidecar image has no system Python so uv can't find 3.12 on PATH - Add sys.version_info fallback so --python is always passed explicitly - Prevents version mismatch between lint-and-test (python3.12) and sidecar (python3.13) Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
symlink breakage - Set UV_PYTHON_INSTALL_DIR on PVC for both lint-and-test and integration-test sidecar - Both containers find Python at the same PVC path, bin/python symlink no longer breaks - lint-and-test: UV_PYTHON_INSTALL_DIR points to .cache/am_cache/python (PVC via symlink) - integration-test sidecar: UV_PYTHON_INSTALL_DIR points to /exploit-iq-data/python (same PVC) Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
shared PVC - Replace ubi9/python-312 with ubi9/ubi-minimal (no system Python) - uv downloads standalone Python to UV_PYTHON_INSTALL_DIR on PVC - bin/python symlink points to PVC path, survives across containers Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
- ubi-minimal lacks git, curl, tar, make, gcc needed by the build script - Add microdnf install step before git config Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
curl-minimal which conflicts Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
PATH by default Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
…ests - python-312 image had Node v20 pre-installed, ubi-minimal doesn't - Enable nodejs:20 module stream to match the major version - npm ls --json --all needs Node.js to build JavaScript dependency trees Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
…ted. Fix shared PVC Python path for cross-container venv symlinks - Mount PVC at /exploit-iq-data in lint-test step (same path as sidecar) - Set UV_PYTHON_INSTALL_DIR=/exploit-iq-data/python in both containers - Run uv python install 3.12 explicitly so Python is stored on PVC - uv venv --python 3.12 now symlinks to PVC path that exists in both containers Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
CCA - Agent was calling CCA with formparser.MultiPartParser.parse (method) instead of formparser.MultiPartParser (class) - CCA searches for the last component — parse() isn't directly called from app code, MultiPartParser is - Add REACHABILITY_AGENT_THOUGHT_INSTRUCTIONS_PYTHON with Rule 7: use class name, not method name for CCA - Wire up ecosystem-specific prompt selection: Go, Python, or default Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test-heavy |
1 similar comment
Author
|
/test-heavy |
dummy-branch warning
- FL tool description: replace static libxml2 example with
{fl_input_format} template
- Add FL_INPUT_FORMATS and FL_EXAMPLES dicts in
prompt_factory.py for per-ecosystem examples
- Substitute ecosystem-specific input format in
_build_tool_guidance_for_ecosystem
- FL error message: use ecosystem-specific example from
FL_EXAMPLES instead of libxml2
- CCA: warn agent when package not in dependency tree
(dummy-branch fallback used)
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
tree - When CCA falls back to import scanning (package not in tree_dict), prepend NOTE to first result - Helps agent distinguish real call chain analysis from import-based fallback - Applies to all ecosystems: Go stdlib, Java missing source JARs, C/C++ system libs - Prepend to existing entry instead of appending to preserve list length for assertions Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
Author
|
/test vulnerability-analysis-on-pr |
1 similar comment
Author
|
/test vulnerability-analysis-on-pr |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Python CCA name resolution (
chain_of_calls_retriever.py,dep_tree.py,python_functions_parser.py)_resolve_tree_keywithis_same_packagefallback for normalized tree lookups__determine_doc_package_name: exact dict lookup first, thenis_same_packagefallback_get_parentsto useis not Nonecheck instead ofor(empty lists were treated as falsy)_find_module_dirs/top_level.txtis_same_packageoverride inPythonLanguageFunctionsParserget_package_nameandfilter_docs_by_func_pkg_namefor Python name normalizationlang_functions_parsers_factoryis_same_packagein FL instead of inline lambdaPython deptree venv resilience (
dep_tree.py,.tekton/)install_dependencies()is skipped. The venv'sbin/pythonis a symlink to the previous pod's interpreter path, which breaks across pod restarts. Additionally,uvfails withPermission deniedon~/.cache/uvin OpenShift containers whenUV_CACHE_DIRis not set._ensure_uv_cache_dir: setsUV_CACHE_DIRfallback to writable path inside the cloned repo when not already configured. Called from bothbuild_treeandinstall_dependencies._ensure_venv_python: detects broken/missingbin/pythonand re-creates the venv. Uses_detect_existing_site_packages_versionto match the Python version of existing packages (e.g.python3.12/site-packages/) instead of project metadata, preventing version mismatch._build_flat_tree_from_manifest: last-resort fallback that builds a flat dependency tree fromrequirements.txtif deptree still returns empty.UV_CACHE_DIR=/tmp/uv-cachein.tekton/on-pull-request.yamlandon-cm-runner.yamlsidecar env.Deptree invocation fix (
dep_tree.py)python -m deptreeinstead ofbin/deptreeentry point (broken byuv pip install)pip installwithuv pip installfor deptree setupGo stdlib package selection (
base_graph_agent.py)_find_go_stdlib_candidateto bypass LLM package filter for Go stdlib packages (e.g.crypto/x509)candidate_packagesandcritical_contexthints for stdlib module paths_GO_STDLIB_ROOTSfrozenset for reliable detectionCCA and parser fixes
rpartitioninstead ofsplit(chain_of_calls_retriever.py)is_functioncheck beforeget_function_namein JS parsersearch_for_called_functionPrompt and rule improvements (
react_internals.py)Integration test accuracy (
integration-tests-input.json)code_not_reachable(was incorrectlyvulnerable)Patch enrichment (
intel_utils.py)describe,it,beforeEach,expect, etc.)