Merge pull request #14 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

Author: jsf9k

.github/workflows/build.yml

@@ -100,7 +100,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: setup-env
         uses: cisagov/setup-env-github-action@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -253,7 +253,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -326,7 +326,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Finished coveralls reports
         uses: coverallsapp/github-action@v2
         with:
@@ -378,7 +378,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -404,7 +404,7 @@ jobs:
       - name: Build artifacts
         run: python -m build
       - name: Upload artifacts
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: dist-${{ matrix.python-version }}
           path: dist
@@ -465,7 +465,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -486,7 +486,7 @@ jobs:
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
       - name: Retrieve the built wheel
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: dist-${{ matrix.python-version }}
           path: dist

.github/workflows/codeql-analysis.yml

@@ -114,7 +114,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -89,7 +89,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: checkout-repo
         name: Checkout the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - id: dependency-review
         name: Review dependency changes for vulnerabilities and license changes
         uses: actions/dependency-review-action@v4

.github/workflows/sync-labels.yml

@@ -84,7 +84,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
         uses: crazy-max/ghaction-github-labeler@v5

.pre-commit-config.yaml

@@ -169,8 +169,8 @@ repos:
       - id: mypy
         # IMPORTANT: Keep type hinting-related dependencies of the
         # mypy pre-commit hook additional_dependencies in sync with
-        # the dev section of setup.py to avoid discrepancies in type
-        # checking between environments.
+        # the dev section of pyproject.toml to avoid discrepancies in
+        # type checking between environments.
         additional_dependencies:
           - types-jsonschema
   - repo: https://github.com/pypa/pip-audit
@@ -189,10 +189,16 @@ repos:
     rev: v3.21.1
     hooks:
       - id: pyupgrade
+        args:
+          # Python 3.10 is currently the oldest non-EOL version of
+          # Python, so we want to apply all rules that apply to this
+          # version or later.  See here for more details:
+          # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+          - --py310-plus
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.11.0
+    rev: v25.11.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -208,31 +214,13 @@ repos:
           # hook identifies a vulnerability in ansible-core 2.16.13,
           # but all versions of ansible 9 have a dependency on
           # ~=2.16.X.
-          #
-          # It is also a good idea to go ahead and upgrade to version
-          # 10 since version 9 is going EOL at the end of November:
-          # https://endoflife.date/ansible
           # - ansible>=10,<11
-          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
-          # discussed in ansible/ansible#82702, which breaks any
-          # symlinked files in vars, tasks, etc. for any Ansible role
-          # installed via ansible-galaxy.  Hence we never want to
-          # install those versions.
-          #
-          # Note that the pip-audit pre-commit hook identifies a
-          # vulnerability in ansible-core 2.16.13.  The pin of
-          # ansible-core to >=2.17 effectively also pins ansible to
-          # >=10.
-          #
-          # It is also a good idea to go ahead and upgrade to
-          # ansible-core 2.17 since security support for ansible-core
-          # 2.16 ends this month:
-          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
           #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.
-          - ansible-core>=2.17
+          - ansible-core>=2.17.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform

pyproject.toml

@@ -3,7 +3,17 @@
 # https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
 [build-system]
 build-backend = "setuptools.build_meta"
-requires = ["setuptools"]
+requires = [
+    # 61.0.0 was the first version of setuptools to offer a full-fledged
+    # backend that uses pyproject.toml for metadata configuration (in
+    # compliance with PEP 621):
+    # https://setuptools.pypa.io/en/stable/history.html#v61-0-0
+    #
+    # 77.0.0 was the first version of setuptools to support license
+    # expressions (in compliance with PEP 639):
+    # https://setuptools.pypa.io/en/stable/history.html#v77-0-0
+    "setuptools>=77.0.0"
+]
 
 [project]
 authors = [
@@ -53,6 +63,8 @@ requires-python = ">=3.12"
 # field of the mypy pre-commit hook to avoid discrepancies in type
 # checking between environments.
 dev = [
+    "build",
+    "twine",
     "types-jsonschema",
 ]
 test = [

src/cyhy_cvesync/cve_sync.py

@@ -6,7 +6,6 @@
 from io import BytesIO
 import json
 import logging
-from typing import Dict, List, Tuple
 import urllib.request
 
 # Third-Party Libraries
@@ -24,15 +23,15 @@
 PREFERRED_CVSS_METRICS = ["cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]
 
 # Map to track existing CVE documents that were not updated
-cve_map: Dict[str, CVEDoc] = {}
+cve_map: dict[str, CVEDoc] = {}
 cve_map_lock = asyncio.Lock()
 
 logger = logging.getLogger(f"{CYHY_ROOT_LOGGER}.{__name__}")
 
 
 async def process_cve_json(
     cve_json: dict, cve_authoritative_source: str
-) -> Tuple[int, int]:
+) -> tuple[int, int]:
     """
     Process the provided CVEs JSON and update the database with their contents.
 
@@ -186,11 +185,11 @@ async def fetch_cve_data(session: ClientSession, cve_url: str, gzipped: bool) ->
 
 
 async def process_urls(
-    cve_urls: List[str],
+    cve_urls: list[str],
     cve_data_gzipped: bool,
     concurrency: int,
     cve_authoritative_source: str,
-) -> Tuple[int, int, int]:
+) -> tuple[int, int, int]:
     """
     Process URLs containing CVE data.
 

src/cyhy_cvesync/main.py

@@ -5,7 +5,6 @@
 import asyncio
 import logging
 import sys
-from typing import Optional
 
 # Third-Party Libraries
 from cyhy_config import get_config
@@ -33,7 +32,7 @@ def generate_urls(url_pattern: str) -> list[str]:
 
 
 async def do_cve_sync(
-    config_file: Optional[str] = None, arg_log_level: Optional[str] = None
+    config_file: str | None = None, arg_log_level: str | None = None
 ) -> None:
     """Perform the CVE synchronization."""
     setup_logging(arg_log_level)

src/cyhy_cvesync/models/config_model.py

@@ -1,8 +1,5 @@
 """Model definitions for the configuration."""
 
-# Standard Python Libraries
-from typing import Optional
-
 # Third-Party Libraries
 from pydantic import BaseModel, ConfigDict, Field
 
@@ -31,7 +28,7 @@ class CVESync(BaseModel):
         default=DEFAULT_CVE_URL_PATTERN,
         description="URL pattern for the CVE JSON file; note that {year} in the pattern will be substituted with each valid year",
     )
-    log_level: Optional[str] = Field(
+    log_level: str | None = Field(
         None,
         description="Logging level",
     )