
Add links to uv audit output#18392

Merged
woodruffw merged 3 commits into main from ww/uv-audit-link
Mar 10, 2026

Conversation

@woodruffw
Member

@woodruffw woodruffw commented Mar 10, 2026

Summary

This adds links to uv audit's outputs. This required adding links to the backing (common) Vulnerability type and pulling them from the OSV service. OSV will always produce a link for a Vulnerability (since the ID itself can be turned into a link), but Vulnerability::link itself is optional since other services may not necessarily guarantee this.

Follows #18193.

Test Plan

None yet.

Signed-off-by: William Woodruff <william@astral.sh>
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw requested a review from konstin March 10, 2026 06:59
@woodruffw woodruffw self-assigned this Mar 10, 2026
@woodruffw woodruffw added the preview Experimental behavior label Mar 10, 2026
@woodruffw
Member Author

Example render:

warning: `uv audit` is experimental and may change without warning. Pass `--preview-features audit` to disable this warning.
Resolved 71 packages in 27ms
Found 7 known vulnerabilities and no adverse project statuses in 70 packages

Vulnerabilities:

cryptography 46.0.3 has 1 known vulnerability:

- GHSA-r6ph-v2qm-q3c2: cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

  Fixed in: 46.0.5

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2026-26007


filelock 3.20.0 has 2 known vulnerabilities:

- GHSA-qmgc-5h2g-mvrw: filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

  Fixed in: 3.20.3

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2026-22701

- GHSA-w853-jp5j-5j7f: filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

  Fixed in: 3.20.1

  Advisory information: https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f


jaraco-context 6.0.1 has 1 known vulnerability:

- GHSA-58pv-8j8x-9vj2: jaraco.context Has a Path Traversal Vulnerability

  Fixed in: 6.1.0

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2026-23949


urllib3 2.5.0 has 3 known vulnerabilities:

- GHSA-2xpw-w6gg-jr37: urllib3 streaming API improperly handles highly compressed data

  Fixed in: 2.6.0

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2025-66471

- GHSA-38jv-5279-wg99: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

  Fixed in: 2.6.3

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2026-21441

- GHSA-gm62-xv2j-4w53: urllib3 allows an unbounded number of links in the decompression chain

  Fixed in: 2.6.0

  Advisory information: https://nvd.nist.gov/vuln/detail/CVE-2025-66418

Comment on lines +259 to +276
let link = vuln
.references
.as_ref()
.and_then(|references| {
references
.iter()
.find(|reference| matches!(reference.reference_type, ReferenceType::Advisory))
.or_else(|| {
references.iter().find(|reference| {
matches!(reference.reference_type, ReferenceType::Web)
})
})
.map(|reference| reference.url.clone())
})
.unwrap_or_else(|| {
DisplaySafeUrl::parse(&format!("https://osv.dev/vulnerability/{}", vuln.id))
.expect("impossible: synthesized URL is invalid")
});
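Review bot: the `.expect("impossible: synthesized URL is invalid")` in the fallback branch turns a malformed or unexpected `vuln.id` returned by the OSV service into a panic in `uv audit`, since the ID is interpolated into the URL with `format!` and never escaped. Because the PR description says `Vulnerability::link` is optional for exactly the case where a service cannot guarantee a link, it would be safer to percent-encode the ID before building the URL, or to map a parse failure to `None` (e.g. `DisplaySafeUrl::parse(...).ok()`) so one odd record degrades to "no link" instead of aborting the whole report. The ADVISORY-then-WEB preference itself looks fine.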
Member Author


Flagging: IME this is a reasonable hierarchy/order of preference -- ADVISORY is semantically the "best" thing, whereas WEB usually refers to a detailed blog post or similar. If neither is present we fall back to the OSV URL itself for the vulnerability, which will include a render of all links of all types for the user to peruse.

(That said, we could drop the WEB fallback here to make things a bit shorter/terser.)
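The preference order described in the comment above (ADVISORY first, WEB second, otherwise the vulnerability's own osv.dev page), generalized to an ordered preference list and with the synthesized fallback URL percent-encoded rather than trusted to parse. This is an added example, not uv's code: the `Reference`, `ReferenceType`, `Vulnerability` and `best_link` names are assumed for the example, plain `String` stands in for uv's `DisplaySafeUrl`, and the sample vulnerability is constructed from the filelock entry in the rendered output.

```rust
// Added example (not uv's code). Picks a single "best" link for a vulnerability
// from its OSV-style references using an ordered preference list, and falls
// back to a synthesized osv.dev URL when no preferred reference type is present.
// Type and function names are assumptions made for this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum ReferenceType {
    Advisory,
    Web,
    Report,
    Fix,
    Package,
}

#[derive(Debug, Clone)]
struct Reference {
    reference_type: ReferenceType,
    url: String,
}

#[derive(Debug, Clone)]
struct Vulnerability {
    id: String,
    references: Option<Vec<Reference>>,
}

/// Preference order: ADVISORY is the canonical write-up, WEB is usually a
/// detailed post. Anything else is left to the OSV page, which renders
/// every reference type for the user.
const PREFERENCE: &[ReferenceType] = &[ReferenceType::Advisory, ReferenceType::Web];

/// Percent-encode everything outside the URL "unreserved" set so an unexpected
/// ID coming back from the service yields a well-formed URL instead of a panic.
fn encode_path_segment(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The OSV page for a vulnerability ID; every ID has one.
fn osv_url(id: &str) -> String {
    format!("https://osv.dev/vulnerability/{}", encode_path_segment(id))
}

/// First reference whose type appears earliest in PREFERENCE, else the OSV page.
fn best_link(vuln: &Vulnerability) -> String {
    vuln.references
        .as_deref()
        .and_then(|refs| {
            PREFERENCE
                .iter()
                .find_map(|wanted| refs.iter().find(|r| r.reference_type == *wanted))
        })
        .map(|r| r.url.clone())
        .unwrap_or_else(|| osv_url(&vuln.id))
}

fn main() {
    // Constructed sample modelled on the filelock entry in the rendered output.
    let vuln = Vulnerability {
        id: "GHSA-w853-jp5j-5j7f".to_string(),
        references: Some(vec![
            Reference {
                reference_type: ReferenceType::Fix,
                url: "https://example.invalid/fix-commit".to_string(),
            },
            Reference {
                reference_type: ReferenceType::Advisory,
                url: "https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f"
                    .to_string(),
            },
        ]),
    };
    println!("Advisory information: {}", best_link(&vuln));
}
```

Because `find_map` walks the preference list rather than the reference list, an ADVISORY reference wins even when a WEB reference is listed before it, and dropping `ReferenceType::Web` from `PREFERENCE` is all it takes to get the terser variant the comment mentions.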

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw mentioned this pull request Mar 10, 2026
10 tasks
@woodruffw woodruffw merged commit d313481 into main Mar 10, 2026
54 checks passed
@woodruffw woodruffw deleted the ww/uv-audit-link branch March 10, 2026 09:58
@woodruffw woodruffw mentioned this pull request Mar 16, 2026
21 tasks