Scope issue creation and deletion within provided 'category'

Prevents Snyk scans from removing issues created by other Snyk runs.

Author: pvannierop

entrypoint.py

@@ -50,9 +50,13 @@ def create_new_issues(
         time.sleep(random.randint(pause_lowerbound_sec, pause_upperbound_sec)) # to prevent rate limiting
         title = '{} {}'.format(vulnerability['title'], vulnerability['id'])
         issues_found_in_current_run.add(title)
-        issues_found_in_current_run.add(title)
+        # When an issue is already open (for a specific category when provided), we don't want to create a new one.
         if title in open_issues:
-            continue
+            if category is None:
+                continue
+            issues_with_category = [issue for issue in open_issues[title] if issue.get("category") == category]
+            if len(issues_with_category) > 0:
+                continue
         payload = {
             'title': title,
             'body': vulnerability['description'],
@@ -61,7 +65,7 @@ def create_new_issues(
             ],
         }
         if category is not None:
-            payload['labels'].append(category)
+            payload['labels'].append(f"Snyk-category:{category}")
         r = requests.post(url, data=json.dumps(payload), headers=headers)
         if r.ok:
             new_issue = r.json()
@@ -72,6 +76,7 @@ def create_new_issues(
                 'title': title,
                 'url': new_issue['url'],
                 'number': new_issue['number'],
+                'category': category,
                 'timestamp': timestamp,
             }]
         else:
@@ -87,15 +92,13 @@ def close_old_issues(
         headers: Headers,
 ):
     for title, open_issue_list in open_issues.items():
-        if title not in found_issues:
-            for open_issue in open_issue_list:
-                # Only close issues when the open issue is not of the same meta Snyk run
-                # i.e. does not have the same Snyk-timestamp label (only if provided).
+        # Only check issues for the category when defined (ternary operator)
+        open_issues = open_issue_list if category is None else [issue for issue in open_issue_list if issue.get("category") == category]
+        for open_issue in open_issues:
+            if open_issue.get("title") not in found_issues:
                 time.sleep(random.randint(pause_lowerbound_sec, pause_upperbound_sec)) # to prevent rate limiting
-                if (timestamp is not None and
-                        timestamp is not open_issue.get('timestamp')):
-                    print(f"Closing issue {open_issue['title']} - #{open_issue['number']}")
-                    close_issue(open_issue, headers)
+                print(f"Closing issue {open_issue['title']} - #{open_issue['number']}")
+                close_issue(open_issue, headers)
 
 
 def fetch_open_issues(url: str, headers: Headers) -> OpenIssues:
@@ -138,14 +141,19 @@ def fetch_open_issues(url: str, headers: Headers) -> OpenIssues:
                 open_issues[title] = []
             # Get the timestamp label if it exists
             issue_timestamp = None
+            issue_category = None
             for label in open_issue['labels']:
                 if label['name'].startswith('Snyk-timestamp:'):
                     issue_timestamp = label['name'].split(':')[1]
                     break
+                if label['name'].startswith('Snyk-category:'):
+                    issue_category = label['name'].split(':')[1]
+                    break
             open_issues[title].append({
                 'title': open_issue['title'],
                 'url': open_issue['url'],
                 'number': open_issue['number'],
+                'category': issue_category,
                 'timestamp': issue_timestamp,
             })
         next_link = r.links.get('next')
@@ -160,8 +168,8 @@ def fetch_open_issues(url: str, headers: Headers) -> OpenIssues:
 def main():
     parser = argparse.ArgumentParser(description="Parse the report file")
     parser.add_argument("report_file", type=str, help="a name of the report file")
-    parser.add_argument("-t", "--timestamp", type=str, help="a timestamp of the run. When passed, will cause combine results of multiple runs when the runs have the same timestamp.", default=datetime.now(), required=False)
-    parser.add_argument("-c", "--category", type=str, help="a category label to add to the issue.", required=False)
+    parser.add_argument("-c", "--category", type=str, help="category of the Snyk run. When defined, reported issues will be scoped within the category i.e., will not be closed by scans running on other categories. Also added as label to created issues.", required=False)
+    parser.add_argument("-t", "--timestamp", type=str, help="a timestamp of the run (added as label to ceated issues)", default=datetime.now(), required=False)
     args = parser.parse_args()
 
     global timestamp