Ceng 728 add command to return vulnerability results

.envrc

@@ -35,7 +35,7 @@ fi
 if [ ! -d ".venv" ]; then
   if "$PYTHON_BIN" -c 'import uv' >/dev/null 2>&1; then
     # uv accepts a path for --python; avoids version mismatch
-    "$PYTHON_BIN" -m uv venv .venv --python "$PYTHON_BIN"
+    "$PYTHON_BIN" -m uv venv .venv --python "$PYTHON_BIN" --seed
   else
     "$PYTHON_BIN" -m venv .venv
   fi
@@ -51,8 +51,11 @@ python -m pip install -U uv
 # --- Install the project in editable mode (prefer uv pip; fallback to pip)
 if python -m uv --help >/dev/null 2>&1; then
   python -m uv pip install -e .
+  # Install dev dependencies
+  [ -f requirements.in ] && python -m uv pip install -r requirements.in
 else
   pip install -e .
+  [ -f requirements.in ] && pip install -r requirements.in
 fi
 
 # --- Load environment variables from .env (create from example if missing)

CHANGELOG.md

@@ -9,6 +9,22 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added `--tag` option to `download` command for filtering packages by tags
 - Added download command documentation to README with comprehensive usage examples
 
+## [1.14.0] - 2026-03-11
+
+### Added
+
+- Added `vulnerabilities` command to retrieve security scan results for a package
+  - Summary View (Default): Displays a high-level count of vulnerabilities broken down by severity (Critical, High, Medium, Low, Unknown).
+  - Assessment View `--show-assessment` (`-A`): Provides a detailed breakdown where vulnerabilities are:
+    - Grouped by the specific affected upstream package / dependency.
+    - Sorted by severity (Critical first).
+    - Richly formatted tables.
+  - Filtering Capabilities:
+    - By Severity: `--severity` Show only specific levels (e.g., just Critical and High).
+    - By Status: `--fixable | --non-fixable` Filter to show only "Fixable" vulnerabilities (where a patch exists) or "Non-Fixable" ones.
+  - Supports `--output-format json | pretty_json` for programmatic usage
+
+
 ## [1.13.0] - 2026-02-16
 
 ### Added

README.md

@@ -114,6 +114,7 @@ The CLI currently supports the following commands (and sub-commands):
   - `rpm`:                  Manage rpm upstreams for a repository.
   - `ruby`:                 Manage ruby upstreams for a repository.
   - `swift`:                Manage swift upstreams for a repository.
+- `vulnerabilities`:      Retrieve vulnerability results for a package.
 - `whoami`:               Retrieve your current authentication status.
 
 ## Installation

cloudsmith_cli/cli/commands/__init__.py

@@ -26,5 +26,6 @@
     tags,
     tokens,
     upstream,
+    vulnerabilities,
     whoami,
 )

cloudsmith_cli/cli/commands/vulnerabilities.py

@@ -0,0 +1,141 @@
+"""CLI/Commands - Vulnerabilities."""
+
+import click
+
+from ...core.api.vulnerabilities import (
+    _print_vulnerabilities_assessment_table,
+    _print_vulnerabilities_summary_table,
+    get_package_scan_result,
+)
+from .. import decorators, utils, validators
+from ..exceptions import handle_api_exceptions
+from .main import main
+
+
+@main.command()
+@decorators.common_cli_config_options
+@decorators.common_cli_output_options
+@decorators.common_api_auth_options
+@decorators.initialise_api
+@click.argument(
+    "owner_repo_package",
+    metavar="OWNER/REPO/PACKAGE",
+    callback=validators.validate_owner_repo_package,
+)
+@click.option(
+    "-A",
+    "--show-assessment",
+    is_flag=True,
+    help="Show assessment with vulnerability details.",
+)
+@click.option(
+    "--fixable/--non-fixable",
+    is_flag=True,
+    default=None,  # Changed to allow None (Show All) vs True/False
+    help="Filter by fixable status (only fixable vs only non-fixable).",
+)
+@click.option(
+    "--severity",
+    "severity_filter",
+    help="Filter by severities (e.g., 'CRITICAL', 'HIGH', 'MEDIUM', 'LOW').",
+)
+@click.pass_context
+def vulnerabilities(
+    ctx, opts, owner_repo_package, show_assessment, fixable, severity_filter
+):
+    """
+    Retrieve vulnerability scan results for a package.
+
+    \b
+    Usage:
+        cloudsmith vulnerabilities myorg/repo/pkg_identifier [flags]
+
+    \b
+    Aliases:
+        vulnerabilities, vuln
+
+    Examples:
+
+    \b
+    # Display the vulnerability summary
+    cloudsmith vulnerabilities myorg/repo/pkg_identifier
+
+    \b
+    # Display detailed vulnerability assessment
+    cloudsmith vulnerabilities myorg/repo/pkg_identifier -A / --show-assessment
+
+    \b
+    # Filter the result by severity
+    cloudsmith vulnerabilities myorg/repo/pkg_identifier --severity critical,high
+
+    \b
+    # Filter by fixable or non-fixable vulnerabilities
+    cloudsmith vulnerabilities myorg/repo/pkg_identifier --fixable / --non-fixable
+
+
+    """
+    use_stderr = utils.should_use_stderr(opts)
+
+    owner, repo, slug = owner_repo_package
+
+    total_filtered_vulns = 0
+
+    context_msg = "Failed to retrieve vulnerability report!"
+    with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
+        with utils.maybe_spinner(opts):
+            data = get_package_scan_result(
+                opts=opts,
+                owner=owner,
+                repo=repo,
+                package=slug,
+                show_assessment=show_assessment,
+                severity_filter=severity_filter,
+                fixable=fixable,
+            )
+
+    click.secho("OK", fg="green", err=use_stderr)
+
+    # Filter results if severity or fixable flags are active
+    if severity_filter or fixable is not None:
+        scans = getattr(data, "scans", [])
+
+        allowed_severities = (
+            [s.strip().lower() for s in severity_filter.split(",")]
+            if severity_filter
+            else None
+        )
+
+        for scan in scans:
+            results = getattr(scan, "results", [])
+
+            # 1. Filter by Severity
+            if allowed_severities:
+                results = [
+                    res
+                    for res in results
+                    if getattr(res, "severity", "unknown").lower() in allowed_severities
+                ]
+
+            # 2. Filter by Fixable Status
+            # fixable=True: Keep only if has fix_version
+            # fixable=False: Keep only if NO fix_version
+            if fixable is not None:
+                results = [
+                    res
+                    for res in results
+                    if bool(
+                        getattr(res, "fix_version", getattr(res, "fixed_version", None))
+                    )
+                    is fixable
+                ]
+
+            scan.results = results
+            total_filtered_vulns += len(results)
+
+    if utils.maybe_print_as_json(opts, data):
+        return
+
+    _print_vulnerabilities_summary_table(data, severity_filter, total_filtered_vulns)
+
+    if show_assessment:
+        _print_vulnerabilities_assessment_table(data, severity_filter)

cloudsmith_cli/cli/tests/commands/test_vulnerabilities.py

@@ -0,0 +1,112 @@
+import unittest
+from unittest.mock import patch
+
+from click.testing import CliRunner
+
+from cloudsmith_cli.cli.commands.vulnerabilities import vulnerabilities
+
+
+class TestVulnerabilitiesCommand(unittest.TestCase):
+    def setUp(self):
+        self.runner = CliRunner()
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_basic(self, mock_get_scan):
+        """Test basic vulnerabilities command invocation."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        mock_get_scan.assert_called_once()
+
+        # Verify args passed to core logic
+        args = mock_get_scan.call_args[1]
+        self.assertEqual(args["owner"], "testorg")
+        self.assertEqual(args["repo"], "testrepo")
+        self.assertEqual(args["package"], "pkg-slug")
+        self.assertFalse(args["show_assessment"])
+        self.assertIsNone(args["severity_filter"])
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_show_assessment(self, mock_get_scan):
+        """Test vulnerabilities command with --show-assessment flag."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+                "--show-assessment",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        args = mock_get_scan.call_args[1]
+        self.assertTrue(args["show_assessment"])
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_alias_flags(self, mock_get_scan):
+        """Test vulnerabilities command with short flags (-A)."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+                "-A",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        args = mock_get_scan.call_args[1]
+        self.assertTrue(args["show_assessment"])
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_severity_filter(self, mock_get_scan):
+        """Test vulnerabilities command with --severity filter."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+                "--severity",
+                "CRITICAL,HIGH",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        args = mock_get_scan.call_args[1]
+        self.assertEqual(args["severity_filter"], "CRITICAL,HIGH")
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_fixable_filter(self, mock_get_scan):
+        """Test vulnerabilities command with --fixable filter."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+                "--fixable",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        args = mock_get_scan.call_args[1]
+        self.assertTrue(args["fixable"])
+
+    @patch("cloudsmith_cli.cli.commands.vulnerabilities.get_package_scan_result")
+    def test_vulnerabilities_non_fixable_filter(self, mock_get_scan):
+        """Test vulnerabilities command with --non-fixable filter."""
+        result = self.runner.invoke(
+            vulnerabilities,
+            [
+                "testorg/testrepo/pkg-slug",
+                "--non-fixable",
+            ],
+        )
+
+        self.assertEqual(result.exit_code, 0)
+        args = mock_get_scan.call_args[1]
+        self.assertFalse(args["fixable"])
+
+
+if __name__ == "__main__":
+    unittest.main()

cloudsmith_cli/cli/utils.py

@@ -7,6 +7,8 @@
 
 import click
 from click_spinner import spinner
+from rich.console import Console
+from rich.table import Table
 
 from ..core.api.version import get_version as get_api_version
 from ..core.version import get_version as get_cli_version
@@ -89,6 +91,28 @@ def pretty_print_row(styled, plain):
         pretty_print_row(row, table.plain_rows[k])
 
 
+def rich_print_table(headers, rows, title=None, show_lines=False):
+    """Rich table from headers and rows."""
+    console = Console()
+    table = Table(title=title, show_lines=show_lines)
+
+    for header in headers:
+        if isinstance(header, dict):
+            table.add_column(
+                header.get("header", ""),
+                justify=header.get("justify", "left"),
+                style=header.get("style", "none"),
+                no_wrap=header.get("no_wrap", False),
+            )
+        else:
+            table.add_column(str(header))
+
+    for row in rows:
+        table.add_row(*row)
+
+    console.print(table)
+
+
 def print_rate_limit_info(opts, rate_info):
     """Tell the user when we're being rate limited."""
     if not rate_info: