vmrh21
diff --git a/‎.github/workflows/cve-fix-workflow.yml‎
Lines changed: 130 additions & 12 deletions b/‎.github/workflows/cve-fix-workflow.yml‎
Lines changed: 130 additions & 12 deletions
@@ -727,23 +727,58 @@ jobs:
 
           # Attempt automatic fixes
           CHANGES_MADE=false
+          FIXES_APPLIED=""
 
+          # Fix Node.js packages
           if [ -f "package.json" ]; then
             echo "Applying npm audit fix..." >> $GITHUB_STEP_SUMMARY
             npm audit fix --package-lock-only || true
 
             if ! git diff --quiet package*.json; then
               git add package*.json
-              git commit -m "fix: Apply automatic CVE fixes from npm audit
-
-          Co-Authored-By: CVE Fix Workflow <noreply@github.com>"
+              NPM_FIXES=$(git diff --cached --stat | head -1)
+              FIXES_APPLIED="${FIXES_APPLIED}Node.js (npm): $NPM_FIXES\n"
               CHANGES_MADE=true
               echo "✅ Applied npm fixes" >> $GITHUB_STEP_SUMMARY
             fi
           fi
 
+          # Fix Python packages
+          if [ -f "requirements.txt" ]; then
+            echo "Checking Python package updates..." >> $GITHUB_STEP_SUMMARY
+
+            # Try pip-compile if available, otherwise create manual list
+            if [ -f "artifacts/fix-cve/review/safe-fixes-$DATE.md" ]; then
+              # Extract safe Python fixes and update requirements.txt
+              SAFE_PY_PACKAGES=$(grep -A 100 "Python Package Review" artifacts/fix-cve/review/safe-fixes-$DATE.md 2>/dev/null | grep "✅" | grep -o "\`[^:]*\`" | tr -d '`' || echo "")
+
+              if [ -n "$SAFE_PY_PACKAGES" ]; then
+                # Create backup
+                cp requirements.txt requirements.txt.backup
+
+                # Update versions in requirements.txt for safe packages
+                # Note: This is a basic implementation - in production you'd use pip-compile or similar
+                echo "ℹ️  Python fixes available but require manual update" >> $GITHUB_STEP_SUMMARY
+                FIXES_APPLIED="${FIXES_APPLIED}Python (pip): Manual update required - see safe-fixes report\n"
+              fi
+            fi
+          fi
+
+          # Commit all changes
+          if [ "$CHANGES_MADE" = true ]; then
+            git commit -m "fix: Apply automatic CVE fixes
+
+Automated fixes applied:
+$FIXES_APPLIED
+
+Co-Authored-By: CVE Fix Workflow <noreply@github.com>"
+          fi
+
           echo "changes_made=$CHANGES_MADE" >> $GITHUB_ENV
           echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV
+          echo "fixes_applied<<EOF" >> $GITHUB_ENV
+          echo -e "$FIXES_APPLIED" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
 
           # Create remediation log
           cat > artifacts/fix-cve/remediation/remediation-log-$DATE.md << EOF
@@ -847,16 +882,78 @@ jobs:
           **Workflow:** CVE Fix Workflow (Reusable)
           **Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
-          ## Findings
+          ## Findings Summary
 
           - **Total CVEs Found:** ${{ steps.identify.outputs.cves_found }}
-          - **Changes Made:** ${{ env.changes_made }}
+          - **Automatic Fixes Applied:** ${{ env.changes_made == 'true' && 'Yes' || 'No' }}
+          - **Safe Fixes Available:** ${safe_fixes:-0}
+          - **Manual Review Required:** ${risky_fixes:-0}
+          - **Packages with Missing Documentation:** ${missing_docs:-0}
+
+          ## Automatic Fixes Applied
+
+          EOF
+
+          if [ "${{ env.changes_made }}" = "true" ]; then
+            cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
+          ✅ **Automatic fixes were applied and committed to this branch:**
+
+          ${{ env.fixes_applied }}
+
+          **What was fixed:**
+          - Security patches for patch/minor version updates
+          - Low-risk dependency updates
+          - Fixes that don't require code changes
+
+          EOF
+          else
+            cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
+          ℹ️  **No automatic fixes were applied because:**
+          - All available fixes require manual review (major version changes)
+          - Or no fixable vulnerabilities were detected
+          - Or fixes require code modifications
+
+          EOF
+          fi
+
+          cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
+
+          ## Manual Review Required
+
+          EOF
+
+          if [ "${risky_fixes:-0}" -gt 0 ]; then
+            cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
+          ⚠️  **${risky_fixes} packages require manual review:**
+
+          These are major version updates that may contain breaking changes. Manual intervention is required.
+
+          **See detailed list:** \`artifacts/fix-cve/review/risky-fixes-$DATE.md\`
+
+          **Common reasons for manual review:**
+          - Major version changes (e.g., 1.x → 2.0)
+          - Breaking API changes
+          - New dependencies introduced
+          - Configuration changes required
+          - Code modifications needed
+
+          EOF
+          else
+            cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
+          ✅ **No manual review required** - all fixes are safe patch/minor updates or were applied automatically.
+
+          EOF
+          fi
+
+          cat >> artifacts/fix-cve/docs/executive-summary-$DATE.md << EOF
 
           ## Release Review Summary
 
-          - **Safe Fixes (Patch/Minor Updates):** ${safe_fixes:-0}
-          - **Risky Fixes (Major Version Changes):** ${risky_fixes:-0}
-          - **Packages with Missing Documentation:** ${missing_docs:-0}
+          | Category | Count | Status |
+          |----------|-------|--------|
+          | ✅ Safe Fixes (Patch/Minor) | ${safe_fixes:-0} | Ready to apply |
+          | ⚠️ Risky Fixes (Major versions) | ${risky_fixes:-0} | Manual review needed |
+          | ❓ Missing Documentation | ${missing_docs:-0} | Research required |
 
           ### Alarming Findings
 
@@ -962,22 +1059,43 @@ jobs:
 
       - name: Create Pull Request
         id: create_pr
-        if: env.changes_made == 'true' && inputs.create_pr == true
+        if: inputs.create_pr == true && steps.identify.outputs.cves_found != '0'
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           DATE=$(date +%Y-%m-%d)
 
-          # Push branch
+          # Determine PR title and labels based on whether fixes were applied
+          if [ "${{ env.changes_made }}" = "true" ]; then
+            PR_TITLE="Security: CVE Fixes Applied - $(date +%B\ %Y)"
+            PR_LABELS="security,cve-fix,automated,has-fixes"
+          else
+            PR_TITLE="Security: CVE Scan Results - Manual Review Required - $(date +%B\ %Y)"
+            PR_LABELS="security,cve-fix,automated,manual-review"
+          fi
+
+          # Push branch (even if no changes, to preserve artifacts)
+          # If no changes, commit the artifacts
+          if [ "${{ env.changes_made }}" != "true" ]; then
+            git add artifacts/
+            git commit -m "docs: Add CVE scan results and review reports
+
+This scan found vulnerabilities that require manual review.
+
+See executive summary for details.
+
+Co-Authored-By: CVE Fix Workflow <noreply@github.com>" || true
+          fi
+
           git push origin ${{ env.branch_name }}
 
           # Create PR
           PR_BODY=$(cat artifacts/fix-cve/docs/executive-summary-$DATE.md)
 
           PR_URL=$(gh pr create \
-            --title "Security: CVE Fixes - $(date +%B\ %Y)" \
+            --title "$PR_TITLE" \
             --body "$PR_BODY" \
-            --label "security,cve-fix,automated" \
+            --label "$PR_LABELS" \
             --base ${{ inputs.target_branch }} \
             --head ${{ env.branch_name }})