This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 3e4c7b8 fix(vulnogram/oauth-api): treat first-time affected[]
population as non-change in merge-mode guard (#366)
3e4c7b8 is described below
commit 3e4c7b858eb6a9378b5adf422020c8fca165bced
Author: Jarek Potiuk <[email protected]>
AuthorDate: Fri May 29 00:40:01 2026 +0200
fix(vulnogram/oauth-api): treat first-time affected[] population as
non-change in merge-mode guard (#366)
A freshly-allocated Vulnogram record carries an empty ``affected[]``
array (RESERVED state, title-only). The first regenerate-and-push that
populates the array was previously misclassified as a product *change*
by ``_diff_affected_products`` and refused unless the caller passed
``--allow-product-change`` — a flag intended for genuine
packageName/product renames, not for the normal first push.
Surface the empty-current case as a non-diff so the guard does not
trip on first-time population.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
.../oauth-api/src/vulnogram_api/merge_mode.py | 6 ++++++
tools/vulnogram/oauth-api/tests/test_merge_mode.py | 19 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/tools/vulnogram/oauth-api/src/vulnogram_api/merge_mode.py
b/tools/vulnogram/oauth-api/src/vulnogram_api/merge_mode.py
index 28ed6be..69586ba 100644
--- a/tools/vulnogram/oauth-api/src/vulnogram_api/merge_mode.py
+++ b/tools/vulnogram/oauth-api/src/vulnogram_api/merge_mode.py
@@ -155,6 +155,12 @@ def _diff_affected_products(
new_sigs = {_product_signature(entry) for entry in new if
isinstance(entry, dict)}
if current_sigs == new_sigs:
return []
+ # First-time population (e.g. a freshly-allocated RESERVED record with an
+ # empty ``affected[]``) is not a product *change* — there is no prior
+ # signature to be renamed away from. Treat it as a non-diff so the guard
+ # does not force --allow-product-change for the normal first push.
+ if not current_sigs:
+ return []
diffs: list[str] = []
for sig in sorted(current_sigs - new_sigs):
package, product = sig
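Review bot: The new guard `if not current_sigs:` fires whenever the current record yields no signatures, not only when `affected[]` is genuinely empty; if `current_sigs` is built the same way as `new_sigs` on the line above (only `dict` entries are signed), a record whose existing entries are present but malformed or non-dict would also be classed as first-time population and overwritten without `--allow-product-change`. Testing the raw input instead, `if not current:`, keeps the bypass to the RESERVED/title-only case the commit message describes and reads more directly against the comment above it. The construction of `current_sigs` is outside the hunk, so if it is filtered differently this concern may not apply. `_diff_affected_products` starts before the hunk and its body continues past it.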
diff --git a/tools/vulnogram/oauth-api/tests/test_merge_mode.py
b/tools/vulnogram/oauth-api/tests/test_merge_mode.py
index 5fc0a28..8918106 100644
--- a/tools/vulnogram/oauth-api/tests/test_merge_mode.py
+++ b/tools/vulnogram/oauth-api/tests/test_merge_mode.py
@@ -270,6 +270,25 @@ class TestProductChangeGuard:
)
assert diffs == []
+ def test_diff_empty_when_current_is_first_time_populated(self):
+ # A freshly-allocated RESERVED record carries an empty ``affected[]``;
+ # the first push that populates it must not be treated as a product
+ # *change* (there is no prior signature to be renamed away from).
+ diffs = _diff_affected_products(
+ current=[],
+ new=[{"packageName": "apache-foo", "product": "Apache Foo"}],
+ )
+ assert diffs == []
+
+ def test_first_time_population_does_not_require_allow_product_change(self):
+ # End-to-end: pushing a populated ``affected[]`` onto a record that
+ # had none before must succeed without ``--allow-product-change``.
+ merged = apply_merge_mode_guards(
+ _current(affected=[]),
+ _new(affected=[{"packageName": "apache-foo", "product": "Apache
Foo"}]),
+ )
+ assert merged["containers"]["cna"]["affected"][0]["packageName"] ==
"apache-foo"
+
# ---------------------------------------------------------------------------
# Composition + edge cases