Generate versioned vuln scan results when a release is detected (#150)

Author: JonZeolla

easy_infra/utils.py

@@ -180,7 +180,10 @@ def is_status_expected(*, expected: int, response: dict) -> bool:
 
 
 def get_artifact_labels(*, variant: str) -> list[str]:
-    """For the provided variant of easy_infra, return a list of labels to use in the related artifacts"""
+    """
+    For the provided variant of easy_infra, return a list of labels to use in the related artifacts
+    The last element in the returned list MUST be the versioned label, if a release is detected
+    """
     cwd = Path(".").absolute()
     repo = git.Repo(cwd)
     commit_hash = repo.head.object.hexsha
@@ -192,6 +195,7 @@ def get_artifact_labels(*, variant: str) -> list[str]:
         f"v{__version__}" in repo.tags
         and repo.tags[f"v{__version__}"].commit.hexsha == commit_hash
     ):
+        # Release detected; appending a versioned artifact label
         artifact_labels.append(f"{variant}.v{__version__}")
 
     return artifact_labels

tasks.py

@@ -292,8 +292,8 @@ def sbom(_c, stage="all", debug=False):
     variants = process_stages(stage=stage)
 
     for variant in variants:
-        versioned_tag = CONTEXT[variant]["buildargs"]["VERSION"]
-        image_and_tag = f"{constants.IMAGE}:{versioned_tag}"
+        latest_tag = CONTEXT[variant]["buildargs"]["VERSION"]
+        image_and_tag = f"{constants.IMAGE}:{latest_tag}"
 
         try:
             artifact_labels = utils.get_artifact_labels(variant=variant)

tests/test.py

@@ -1041,7 +1041,8 @@ def run_cli(*, image: str):
 def run_security(*, image: str, variant: str):
     """Run the security tests"""
     artifact_labels = utils.get_artifact_labels(variant=variant)
-    label = artifact_labels[0]
+    # This assumes that the last element in the list is versioned, if it is a release
+    label = artifact_labels[-1]
     sbom_file = Path(f"sbom.{label}.json")
 
     if not sbom_file: