diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index a1bc81a..bab69c3 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -145,16 +145,6 @@ jobs:
         tools: bandit
         setup: ""
 
-      - id: "13"
-        working_directory: integration-tests/cases/13-requirements-unfixable
-        package_manager: requirements
-        requirements_file: requirements.txt
-        bandit_scan_dirs: "."
-        bandit_severity_threshold: high
-        pip_audit_block_on: fixable
-        tools: "bandit,pip-audit"
-        setup: ""
-
       - id: "14"
         working_directory: integration-tests/cases/14-uv-low-threshold
         package_manager: uv
diff --git a/integration-tests/cases/13-requirements-unfixable/README.md b/integration-tests/cases/13-requirements-unfixable/README.md
deleted file mode 100644
index bf592e6..0000000
--- a/integration-tests/cases/13-requirements-unfixable/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# 13 · requirements · flat · unfixable vulns (should pass)
-
-**Package manager**: `requirements` **Source layout**: flat **Expected outcome**: PASS — vulnerabilities exist but have no fix versions; `pip_audit_block_on: fixable` should not block
-
-## What this tests
-- `pip_audit_block_on: fixable` only blocks when fix versions are available
-- Unfixable vulnerabilities are reported but don't fail the workflow
-
-## Intentional issues
-
-| Package | Version | CVE | Fix Available |
-|---------|---------|-----|---------------|
-| pygments | 2.19.2 | GHSA-5239-wwwm-4pmq (CVE-2026-4539) | No — Patched versions: None |
-
-ReDoS in `AdlLexer` (archetype.py) via inefficient GUID regex. Low severity. Affects all versions `<= 2.19.2`. No patched release as of March 2026.
diff --git a/integration-tests/cases/13-requirements-unfixable/app.py b/integration-tests/cases/13-requirements-unfixable/app.py
deleted file mode 100644
index db51439..0000000
--- a/integration-tests/cases/13-requirements-unfixable/app.py
+++ /dev/null
@@ -1,4 +0,0 @@
-"""Clean app — no bandit issues."""
-
-def process(data: str) -> str:
-    return data.upper()
diff --git a/integration-tests/cases/13-requirements-unfixable/osv-scanner.toml b/integration-tests/cases/13-requirements-unfixable/osv-scanner.toml
deleted file mode 100644
index 66a91c1..0000000
--- a/integration-tests/cases/13-requirements-unfixable/osv-scanner.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[[PackageOverrides]]
-ignore = true
-reason = "Synthetic fixture for python-security-auditing integration tests; vulnerable pins are intentional to exercise pip-audit and the composite action."
diff --git a/integration-tests/cases/13-requirements-unfixable/requirements.txt b/integration-tests/cases/13-requirements-unfixable/requirements.txt
deleted file mode 100644
index 3b09dd7..0000000
--- a/integration-tests/cases/13-requirements-unfixable/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-pygments==2.19.2
diff --git a/integration-tests/expected_results.yml b/integration-tests/expected_results.yml
index c40c70f..6bfd7c6 100644
--- a/integration-tests/expected_results.yml
+++ b/integration-tests/expected_results.yml
@@ -117,14 +117,6 @@ tests:
       level: note
     pip_audit_findings: []
 
-  "13":
-    name: "requirements · flat · unfixable vulns (should pass)"
-    expected_conclusion: success
-    bandit_findings: []
-    pip_audit_findings:
-      - package: pygments
-        has_fix: false
-
   "14":
     name: "uv · flat · low threshold (B101 assert)"
     expected_conclusion: failure
diff --git a/integration-tests/validate_results.py b/integration-tests/validate_results.py
index 26f36dc..6b2d740 100644
--- a/integration-tests/validate_results.py
+++ b/integration-tests/validate_results.py
@@ -1,4 +1,4 @@
-"""Validate that all 14 test workflows produced the expected outcomes.
+"""Validate that all 13 test workflows produced the expected outcomes.
 
 Reads job conclusions from the NEEDS_JSON env var (set by integration-tests.yml via ``${{ toJSON(needs) }}``) and parses
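Review bot: The new docstring line hard-codes the workflow count (`13`) in prose, which now has to be kept in step with `EXPECTED_COUNT` further down the same file, the `tests:` mapping in `expected_results.yml`, and the workflow matrix — four places to touch for every added or removed case, and the number in the docstring is the one most likely to go stale unnoticed. Since `EXPECTED_RESULTS_PATH` already points at `expected_results.yml`, phrase the summary without the literal, e.g. `"""Validate that every test workflow listed in expected_results.yml produced the expected outcome.`, and, if the validator already parses that file (I can see the path constant, not the loading code), derive the count from `len(expected["tests"])` rather than a separate constant. Separately, this commit drops the only case that exercised `pip_audit_block_on: fixable` against a finding with no fix version, so the "report but do not block on unfixable" policy is now untested; if the removal is because the pygments fixture would break as soon as a patched release ships, a one-line note in the commit message or a `# TODO` pointing at a stable replacement fixture (for example a recorded pip-audit report) would tell the next maintainer why that path lost coverage.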
@@ -23,7 +23,7 @@
 # Configuration
 # ---------------------------------------------------------------------------
 
-EXPECTED_COUNT = 14
+EXPECTED_COUNT = 13
 ARTIFACTS_DIR = Path("artifacts")
 EXPECTED_RESULTS_PATH = Path(__file__).parent / "expected_results.yml"