
LCORE-2631: Generate HTML page with vulnerability report#2010

Merged
tisnik merged 1 commit into
lightspeed-core:mainfrom
tisnik:lcore-2631-generate-html-page
Jun 28, 2026

Conversation

@tisnik tisnik commented Jun 28, 2026

Contributor

Description

LCORE-2631: Generate HTML page with vulnerability report

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement
  • Helper scripts

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2631

Summary by CodeRabbit

  • New Features
    • Generated vulnerability reports now render as a complete HTML page with proper document structure and page metadata.
    • Reports now include summary graphs and display average and median age metrics for easier review.

coderabbitai Bot commented Jun 28, 2026

Contributor


Walkthrough

The generate_page() function in scripts/vulnerability_report.py receives a filled HTML template: a full <!DOCTYPE html> document with <head> metadata, a stylesheet link, body headings, average/median days statistics from stat["days"], and five <img> elements referencing the expected SVG graph artifacts.

Changes

Vulnerability Report HTML Template

Layer / File(s) Summary
generate_page() HTML document template
scripts/vulnerability_report.py
Fills in the HTML template string with <!DOCTYPE html> structure, <head> metadata (title, author, content-type, stylesheet), body headings for repo/org, paragraphs rendering stat["days"]["avg"] and stat["days"]["median"], and <img> tags for {prefix}_state.svg, {prefix}_severity.svg, {prefix}_days.svg, {prefix}_packages.svg, and {prefix}_timeline.svg. Contains a content-type charset typo (urf-8) and a minor whitespace inconsistency in one image tag.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • lightspeed-core/lightspeed-stack#1973: Computes stat["days"]["avg"] and stat["days"]["median"] in process_dependabot_file(), which are the exact fields now rendered in this HTML template.
  • lightspeed-core/lightspeed-stack#2003: Adds generate_graphs() and Matplotlib helpers that produce the SVG artifacts ({prefix}_*.svg) referenced by the <img> elements in this template.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: generating an HTML page for the vulnerability report.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/vulnerability_report.py`:
- Line 587: The HTML header in vulnerability_report.py has a charset typo that
makes the generated document declare the wrong encoding. Update the meta tag
inside the report generation flow so the content-type header uses utf-8 instead
of urf-8, and keep it consistent with the encoding used when the file is written
later in the same script.
- Around line 597-616: The page template in generate_page() always embeds SVG
filenames, but those assets are only written when SVG output is enabled. Update
generate_page() and its call site so page generation either requires the SVG
format or uses the selected output format consistently when referencing the
graph assets. Make sure the logic tied to the graph writer and the template
rendering stay aligned so the page never points to missing files.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0ce94e98-9955-4e99-aa19-1a538c8df844

📥 Commits

Reviewing files that changed from the base of the PR and between 3e060c2 and 80a9513.

📒 Files selected for processing (1)
  • scripts/vulnerability_report.py
📜 Review details
⏰ Context from checks skipped due to timeout. (17)
  • GitHub Check: mypy
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: build-pr
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: spectral
  • GitHub Check: Pylinter
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-06-24T13:45:37.249Z
Learnt from: Jdubrick
Repo: lightspeed-core/lightspeed-stack PR: 1971
File: src/utils/markdown_repair.py:31-36
Timestamp: 2026-06-24T13:45:37.249Z
Learning: In the lightspeed-stack repository, docstrings must use the section header name "Parameters:" (not "Args:") for function arguments, even if the project references Google Python docstring conventions. Ensure docstrings follow the project’s established "Parameters:" header format for any documented function parameters.

Applied to files:

  • scripts/vulnerability_report.py

<title>Vulnerabilities in repository {repository} in organization {organization}</title>
<meta name="Author" content="Pavel Tisnovsky">
<meta name="Generator" content="vim">
<meta http-equiv="content-type" content="text/html; charset=urf-8">
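Review bot: beyond the `urf-8` typo on the content-type line, the encoding declaration comes after the `<title>`, whose text is built from repository and organization names; move the declaration to the top of `<head>` and prefer the HTML5 form `<meta charset="utf-8">` over the legacy `http-equiv="content-type"` pair, keeping it identical to the `encoding="utf-8"` used when the file is written so the declared and actual encodings cannot drift apart.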

@coderabbitai coderabbitai Bot Jun 28, 2026

Contributor

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the charset typo in the HTML header.

charset=urf-8 is invalid, so the generated file no longer declares the same encoding it is written with on Line 621 (utf-8). Use utf-8 here.


Contributor Author

@coderabbitai create issue

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="lightspeed-core/lightspeed-stack"
requester="tisnik"
pr_url="https://github.com/lightspeed-core/lightspeed-stack/pull/2010"
comment_url="https://github.com/lightspeed-core/lightspeed-stack/pull/2010#discussion_r3487545749"

title="Fix invalid UTF-8 charset declaration in vulnerability report HTML output"

body=$(cat <<'EOF'
## Summary
The HTML page generated by `scripts/vulnerability_report.py` declares an invalid charset value in `generate_page()`:

- current: `charset=urf-8`
- expected: `charset=utf-8`

This makes the generated document declare an encoding that does not match the encoding used when the file is written.

## Rationale
The report file is written with `encoding="utf-8"`, so the generated HTML should declare the same encoding in its `<meta http-equiv="content-type">` tag. Keeping these consistent avoids incorrect or ambiguous character encoding behavior in browsers and tools consuming the generated report.

## Affected area
- `scripts/vulnerability_report.py`
- Function: `generate_page()`

## Required change
Update the HTML header in the generated page so the charset is `utf-8` instead of `urf-8`.

## Acceptance criteria
- The generated HTML contains `charset=utf-8`.
- The declared charset matches the file write encoding (`utf-8`).
- No other report content or generation flow changes.

## Backlinks
- Follow-up from PR `#2010`: https://github.com/lightspeed-core/lightspeed-stack/pull/2010
- Review comment: https://github.com/lightspeed-core/lightspeed-stack/pull/2010#discussion_r3487545749

Requested by: `@tisnik`
EOF
)

gh issue create \
  --repo "$repo" \
  --title "$title" \
  --body "$body" \
  --assignee "$requester"

Length of output: 2080


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="lightspeed-core/lightspeed-stack"

title="Fix invalid UTF-8 charset declaration in vulnerability report HTML output"

body=$(cat <<'EOF'
## Summary
The HTML page generated by `scripts/vulnerability_report.py` declares an invalid charset value in `generate_page()`:

- current: `charset=urf-8`
- expected: `charset=utf-8`

This makes the generated document declare an encoding that does not match the encoding used when the file is written.

## Rationale
The report file is written with `encoding="utf-8"`, so the generated HTML should declare the same encoding in its `<meta http-equiv="content-type">` tag. Keeping these consistent avoids incorrect or ambiguous character encoding behavior in browsers and tools consuming the generated report.

## Affected area
- `scripts/vulnerability_report.py`
- Function: `generate_page()`

## Required change
Update the HTML header in the generated page so the charset is `utf-8` instead of `urf-8`.

## Acceptance criteria
- The generated HTML contains `charset=utf-8`.
- The declared charset matches the file write encoding (`utf-8`).
- No other report content or generation flow changes.

## Backlinks
- Follow-up from PR `#2010`: https://github.com/lightspeed-core/lightspeed-stack/pull/2010
- Review comment: https://github.com/lightspeed-core/lightspeed-stack/pull/2010#discussion_r3487545749

Requested by: `@tisnik`
EOF
)

gh issue create \
  --repo "$repo" \
  --title "$title" \
  --body "$body"

Length of output: 1681



@tisnik Created follow-up issue: #2014

I had to create it without an assignee because the GitHub integration does not have permission to assign issues in this repo.



Comment on lines +597 to +616
<img src="{prefix}_state.svg"/>

<h2>CVE severities</h2>

<img src="{prefix}_severity.svg"/>

<h2>Days to resolve CVE</h2>

<p>Average: {stat["days"]["avg"]} days</p>
<p>Median: {stat["days"]["median"]} days</p>

<img src="{prefix}_days.svg"/ >

<h2>Packages with most CVEs</h2>

<img src="{prefix}_packages.svg"/>

<h2>New CVEs frequencies over time</h2>

<img src="{prefix}_timeline.svg"/>
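Review bot: `<img src="{prefix}_days.svg"/ >` carries a stray space inside the self-closing tag, unlike the other four image elements; it is a tokenizer parse error that browsers tolerate, but normalize it to `<img src="{prefix}_days.svg"/>` and give every `<img>` an `alt` attribute naming the graph (the `<h2>` text above each one will do) so the page remains readable when a graph file is absent. Note also that `{prefix}` is substituted straight into the `src` attribute; if `prefix` originates from a command-line argument, escape it with `html.escape(prefix, quote=True)` before substitution, since a `"` in it would terminate the attribute.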

@coderabbitai coderabbitai Bot Jun 28, 2026

Contributor

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect how generate_page() is called and how output flags are parsed/propagated.
ast-grep outline scripts/vulnerability_report.py --lang python --view expanded
rg -n -C3 'generate_page\s*\(|svg_output|png_output' scripts/vulnerability_report.py
rg -n -C3 'generate_page\s*\(' --type=py .

Repository: lightspeed-core/lightspeed-stack

Length of output: 8532


Make page generation depend on SVG assets
generate_page() always references *.svg, but the graph writer only emits SVG when --svg-output is enabled. Page-only runs, or PNG-only runs, can therefore produce links to files that were never written. Require SVG for page generation or pass the selected format into the template.


Contributor Author

@coderabbitai create issue

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="lightspeed-core/lightspeed-stack"
title="Follow up: align vulnerability report HTML asset references with selected graph output format"

cat > /tmp/issue_body.md <<'EOF'
## Summary
The vulnerability report page generator currently hardcodes SVG asset references in the generated HTML, but the graph generator only writes SVG files when `--svg-output` is enabled.

This can produce broken image links in at least two cases:
- page generation runs without SVG graph generation
- graphs are generated with PNG output only

## Rationale
The HTML template and the graph writer should stay aligned so the generated page never points to files that were not created.

## Affected area
- `scripts/vulnerability_report.py`
  - `generate_page()`
  - `main()` / page-generation call site
  - related argument validation in `check_args()` if SVG must be required for page generation

## Required changes
Implement one of the following approaches:
1. Require SVG output whenever page generation is requested, or
2. Pass the selected output format into the page template and reference the generated asset type consistently

Also ensure page-only runs cannot emit HTML that references missing graph files.

## Acceptance criteria
- The generated HTML references files that are actually produced by the selected graph output settings
- `--generate-page` cannot succeed with broken graph links caused by format mismatch
- The logic between graph generation and page rendering is consistent and easy to follow

## Backlinks
- Reported from PR `#2010`: https://github.com/lightspeed-core/lightspeed-stack/pull/2010
- Review comment: https://github.com/lightspeed-core/lightspeed-stack/pull/2010#discussion_r3487545752

Requested by: `@tisnik`
EOF

gh issue create \
  --repo "$repo" \
  --title "$title" \
  --body-file /tmp/issue_body.md \
  --assignee "tisnik"

Length of output: 2260


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="lightspeed-core/lightspeed-stack"
title="Follow up: align vulnerability report HTML asset references with selected graph output format"

cat > /tmp/issue_body.md <<'EOF'
## Summary
The vulnerability report page generator currently hardcodes SVG asset references in the generated HTML, but the graph generator only writes SVG files when `--svg-output` is enabled.

This can produce broken image links in at least two cases:
- page generation runs without SVG graph generation
- graphs are generated with PNG output only

## Rationale
The HTML template and the graph writer should stay aligned so the generated page never points to files that were not created.

## Affected area
- `scripts/vulnerability_report.py`
  - `generate_page()`
  - `main()` / page-generation call site
  - related argument validation in `check_args()` if SVG must be required for page generation

## Required changes
Implement one of the following approaches:
1. Require SVG output whenever page generation is requested, or
2. Pass the selected output format into the page template and reference the generated asset type consistently

Also ensure page-only runs cannot emit HTML that references missing graph files.

## Acceptance criteria
- The generated HTML references files that are actually produced by the selected graph output settings
- `--generate-page` cannot succeed with broken graph links caused by format mismatch
- The logic between graph generation and page rendering is consistent and easy to follow

## Backlinks
- Reported from PR `#2010`: https://github.com/lightspeed-core/lightspeed-stack/pull/2010
- Review comment: https://github.com/lightspeed-core/lightspeed-stack/pull/2010#discussion_r3487545752

Requested by: `@tisnik`
EOF

gh issue create \
  --repo "$repo" \
  --title "$title" \
  --body-file /tmp/issue_body.md

Length of output: 2054



@tisnik Created: #2013

I had to create it without an assignee because the GitHub integration doesn’t have permission to assign issues in this repo.


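The two review findings above (the `urf-8` charset declaration and the page referencing `*.svg` files that are only written when SVG output is enabled) share one root cause: the template hardcodes values that must agree with what the rest of the script actually does. The following is an added example written for this page, not code from `scripts/vulnerability_report.py` or the lightspeed-stack project. It keeps the page's headings and the `stat["days"]` shape from the snippet, but the `fmt` parameter, the `write_page()` / `missing_graphs()` helpers, the `style.css` stylesheet name and the sample statistics are assumptions made for the example. It declares the encoding once in the HTML5 form, HTML-escapes every interpolated value, derives the graph filenames from the selected format, and refuses to write a page that would point at files that do not exist.

```python
"""Added example: render a vulnerability-report page whose graph references
match the graph format that was actually written.

Illustrative code for this page, not the project's vulnerability_report.py.
The `fmt` parameter, write_page(), missing_graphs() and the stylesheet name
are assumptions; headings and the stat["days"] layout follow the PR snippet.
"""
from html import escape
from pathlib import Path

GRAPHS = ("state", "severity", "days", "packages", "timeline")
HEADINGS = {
    "state": "CVE states",
    "severity": "CVE severities",
    "days": "Days to resolve CVE",
    "packages": "Packages with most CVEs",
    "timeline": "New CVEs frequencies over time",
}
SUPPORTED_FORMATS = ("svg", "png")  # assumed: the formats the graph writer can emit


def graph_filenames(prefix: str, fmt: str) -> list[str]:
    """Names of the graph files the page will reference for the chosen format."""
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported graph format: {fmt}")
    return [f"{prefix}_{name}.{fmt}" for name in GRAPHS]


def missing_graphs(directory: Path, prefix: str, fmt: str) -> list[str]:
    """Graph files the page would reference but that were never written."""
    return [f for f in graph_filenames(prefix, fmt) if not (directory / f).is_file()]


def generate_page(repository: str, organization: str, prefix: str,
                  stat: dict, fmt: str = "svg") -> str:
    """Return the HTML page; every interpolated value is HTML-escaped."""
    files = dict(zip(GRAPHS, graph_filenames(prefix, fmt)))
    title = (f"Vulnerabilities in repository {escape(repository)} "
             f"in organization {escape(organization)}")
    parts = [
        "<!DOCTYPE html>",
        '<html lang="en">',
        "<head>",
        '<meta charset="utf-8">',  # declared first, matching the write encoding below
        f"<title>{title}</title>",
        '<link rel="stylesheet" href="style.css">',  # assumed stylesheet name
        "</head>",
        "<body>",
        f"<h1>{title}</h1>",
    ]
    for name in GRAPHS:
        parts.append(f"<h2>{HEADINGS[name]}</h2>")
        if name == "days":
            # str() before escape(): the stats are numbers, not strings
            parts.append(f'<p>Average: {escape(str(stat["days"]["avg"]))} days</p>')
            parts.append(f'<p>Median: {escape(str(stat["days"]["median"]))} days</p>')
        # quote=True keeps a '"' in prefix from closing the src attribute
        parts.append(f'<img src="{escape(files[name], quote=True)}" '
                     f'alt="{escape(HEADINGS[name])}">')
    parts += ["</body>", "</html>"]
    return "\n".join(parts) + "\n"


def write_page(directory: Path, repository: str, organization: str,
               prefix: str, stat: dict, fmt: str = "svg") -> Path:
    """Write the page only if every referenced graph exists; return its path."""
    missing = missing_graphs(directory, prefix, fmt)
    if missing:
        raise FileNotFoundError(f"page would reference missing graphs: {missing}")
    out = directory / f"{prefix}.html"
    out.write_text(generate_page(repository, organization, prefix, stat, fmt),
                   encoding="utf-8")
    return out
```

With this layout the call site passes the same `fmt` to the graph writer and to `write_page()`, so a PNG-only run yields `*.png` references rather than dangling `*.svg` links, and a page-only run fails loudly instead of silently producing broken images.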
