Implement C-043: release-gate CVE check via pip-audit

[spoorcc]

Add a pip-audit step to the publish workflow that audits dfetch's
runtime dependencies against the OSV database before the build
proceeds; the workflow fails if any known vulnerability is found.

Update compliance_data.py to mark SO.VulnerabilityManagementProcess
as implemented (was partially-implemented), add C-043 to its controls,
and remove the now-resolved gap note. Regenerate the OSCAL component
definition to reflect the new status.

Update compliance_track.rst and control_register.rst to remove the
"planned CI addition" language and show ECR-A as fully implemented.

https://claude.ai/code/session_01EoHvc3bxdr9rpkKHGcpqdr

Summary by CodeRabbit

• New Features

  • Added a release-time CVE audit gate using pip-audit against the OSV database, blocking publishing when runtime dependency vulnerabilities are detected.

• Documentation

  • Updated compliance materials to reflect full implementation of the CVE release-gate control, including alignment across the compliance tracking pages.

• Chores

  • Improved the development environment and CI workflow setup to support CVE auditing (including a new optional dependency for pip-audit).

[coderabbitai]

Warning

Review limit reached

@spoorcc, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 43 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 24a8d84d-a4a5-48be-8995-897c8985f014

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddbb45 and f27cba7.

📒 Files selected for processing (8)

• .devcontainer/devcontainer.json
• .github/workflows/python-publish.yml
• CHANGELOG.rst
• doc/explanation/compliance_track.rst
• doc/explanation/control_register.rst
• pyproject.toml
• security/compliance_data.py
• security/dfetch.component-definition.json

Walkthrough

Adds pip-audit==2.10.1 as a new cve-audit optional dependency, inserts an OSV-based CVE audit step into the release workflow that blocks publishing on vulnerabilities, and updates all associated compliance records, OSCAL JSON assertions, documentation, and changelog to reflect control C-043 as fully implemented.

Changes

C-043 CVE Gate: Dependency, Workflow, and Compliance

Layer / File(s)	Summary
cve-audit dependency and publish workflow audit step pyproject.toml, .github/workflows/python-publish.yml, .devcontainer/devcontainer.json	Adds pip-audit==2.10.1 under the new cve-audit optional dependency group, allows api.osv.dev:443 egress in runner hardening, inserts the "Audit runtime dependencies for CVEs (C-043)" step before artifact build, and registers the extra in the devcontainer postCreateCommand.
Compliance data: C-043 and so-vulnerability-management-process security/compliance_data.py	Updates C-043 control narrative to describe the active pip-audit/OSV gate and updates so-vulnerability-management-process to include C-043, switch status to implemented, and remove the prior gap about missing a release-time CVE gate.
OSCAL component-definition JSON assertions security/dfetch.component-definition.json	Bumps last-modified, changes implementation-status to implemented for so-vulnerability-management-process, so-data-minimization, and so-reduce-impact-of-incident, extends dfetch-controls with C-043, removes all planned/gap wording, and fixes trailing JSON formatting.
Documentation and changelog doc/explanation/compliance_track.rst, doc/explanation/control_register.rst, CHANGELOG.rst	Marks ECR-A as ✓ Implemented in the CRA compliance track table, updates the C-043 control register reference from "planned CI addition" to "Audit runtime dependencies for CVEs step", and adds a 0.15.0 changelog entry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• dfetch-org/dfetch#1275: Modifies the same compliance documentation files (doc/explanation/compliance_track.rst, doc/explanation/control_register.rst) for the same C-043 control status/reference updates.
• dfetch-org/dfetch#1271: Introduces Track B compliance data for C-043 in security/compliance_data.py, directly overlapping with this PR's refinement of that same control entry.

Suggested labels

development, github_actions, documentation

Suggested reviewers

• ben-edna

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Implement C-043: release-gate CVE check via pip-audit' directly and clearly describes the primary change—adding a release-gate CVE check (C-043) using pip-audit. The title is specific, concise, and accurately reflects the main objective of the pull request across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/c-043-docs-update-keexx3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/python-publish.yml:
- Around line 50-55: The pip-audit command at line 55 is auditing all installed
packages in the environment rather than only runtime dependencies as required by
control C-043. To fix this, modify the pip-audit invocation to include the `-r`
flag followed by a path to a file containing only runtime dependencies (not
build or development dependencies). This ensures the CVE audit gate correctly
validates only the runtime dependency vulnerabilities, excluding build tools
like the wheel package and the cve-audit audit tools themselves.

In `@doc/explanation/compliance_track.rst`:
- Around line 123-125: The document contains a contradiction where line 125
marks ECR-A as "✓ Implemented" but the Gap Analysis paragraph later contradicts
this by stating there is no release gate and C-043 is "planned." Update the Gap
Analysis paragraph that discusses ECR-A to use active-state wording consistent
with the "Implemented" status shown earlier in the document, replacing the
"planned" language and removing or revising any statements that suggest the
implementation is incomplete or that a release gate does not exist.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ad11d64-7166-4b58-8dec-c45f78da4da1

📥 Commits

Reviewing files that changed from the base of the PR and between bb1c171 and df3ece5.

📒 Files selected for processing (8)

• .devcontainer/devcontainer.json
• .github/workflows/python-publish.yml
• CHANGELOG.rst
• doc/explanation/compliance_track.rst
• doc/explanation/control_register.rst
• pyproject.toml
• security/compliance_data.py
• security/dfetch.component-definition.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For pip-audit 2.10.1, when pip-auditis run without-r/--requirement, what dependency set is audited? What is the recommended way to audit only runtime dependencies declared by a pyproject.toml project?

💡 Result:

When pip-audit 2.10.1 is run without the -r/--requirement flag, it defaults to auditing the packages currently installed in the active local Python environment [1][2][3]. In this mode, it scans the environment as if it were running pip list to identify the installed dependencies and their versions [4]. To audit only the runtime dependencies declared in a pyproject.toml file, the recommended approach is to ensure those dependencies are resolved into a lock file or a requirements file that specifically contains only those runtime dependencies, and then point pip-audit to that file using the -r flag [1][2][3]. Because pip-audit's automatic project scanning (which detects pyproject.toml) typically evaluates the project's state or dependencies as they are currently configured or installed, there is no direct flag within pip-audit to filter the audit to exclusively "runtime" dependencies if the pyproject.toml contains mixed dependencies (such as development or test groups). You should use your project's build backend or dependency manager (such as pip-compile, Poetry, or PDM) to generate a requirements file containing only the desired runtime dependencies, and then audit that file [1][4].

Citations:

• 1: https://pypi.org/project/pip-audit/2.10.1/
• 2: https://github.com/pypa/pip-audit/blob/main/README.md
• 3: https://pypi.org/project/pip-audit/2.10.0/
• 4: https://deepwiki.com/pypa/pip-audit/2.1-dependency-sources

---

🏁 Script executed:

# Search for C-043 reference in repo
rg "C-043" --type yaml --type md --type txt -A 2 -B 2

Repository: dfetch-org/dfetch

Length of output: 43

---

🏁 Script executed:

# Check pyproject.toml for dependency structure
fd -e "pyproject.toml" -o -e "setup.py" -o -e "setup.cfg" | head -5 | xargs -I {} sh -c 'echo "=== {} ===" && cat {}'

Repository: dfetch-org/dfetch

Length of output: 178

---

🏁 Script executed:

# Examine the full workflow file for context
cat -n .github/workflows/python-publish.yml

Repository: dfetch-org/dfetch

Length of output: 7129

---

🏁 Script executed:

# Find and read pyproject.toml
fd -e pyproject.toml | xargs cat -n

Repository: dfetch-org/dfetch

Length of output: 43

---

🏁 Script executed:

# Search for C-043 control definition in repo
rg "C-043" -A 5 -B 2 --type md --type json --type txt --type yaml

Repository: dfetch-org/dfetch

Length of output: 1453

---

🏁 Script executed:

# Also check if there's any compliance or security documentation
fd -e "*.md" | xargs rg "runtime.*dependencies|audit.*runtime" -l

Repository: dfetch-org/dfetch

Length of output: 308

---

🏁 Script executed:

# Read pyproject.toml
cat pyproject.toml

Repository: dfetch-org/dfetch

Length of output: 7519

---

🏁 Script executed:

# Also check compliance.py for more details
cat security/compliance.py | head -100

Repository: dfetch-org/dfetch

Length of output: 3271

---

Audit scope doesn't match stated "runtime dependencies" gate (C-043).

The C-043 control explicitly requires auditing "runtime dependencies" for known vulnerabilities. However, the workflow at line 55 runs pip-audit --vulnerability-service osv without the -r flag, which audits all packages currently installed in the environment—including the build tool (.[wheel] from line 50) and pip-audit itself (.[cve-audit] from line 54). This can cause the gate to fail on non-runtime packages rather than only on runtime vulnerabilities.

To align with the control definition, either:

• Pass pip-audit a runtime-only requirements file via the -r flag, or
• Update the C-043 wording to match the actual behavior (auditing all installed packages).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish.yml around lines 50 - 55, The pip-audit
command at line 55 is auditing all installed packages in the environment rather
than only runtime dependencies as required by control C-043. To fix this, modify
the pip-audit invocation to include the `-r` flag followed by a path to a file
containing only runtime dependencies (not build or development dependencies).
This ensures the CVE audit gate correctly validates only the runtime dependency
vulnerabilities, excluding build tools like the wheel package and the cve-audit
audit tools themselves.