feat: add latest upstream stable version in CPE summary #3267
Conversation
Does https://release-monitoring.org/ have any sort of data license? I can see that the code is GPLv2 but I'm not sure if that's intended to carry over to the data or not.
Infrastructure code is indeed licensed under GPLv2. However, I don't know what the "license" of the data stored on release-monitoring.org is. If this is an issue, a lawyer will probably have to reach out to this Fedora project.
Codecov Report

Coverage Diff (main vs. #3267):

             main     #3267    +/-
Coverage     79.67%   80.06%   +0.38%
Files        758      758
Lines        11596    11616    +20
Branches     1568     1571     +3
Hits         9239     9300     +61
Misses       1932     1897     -35
Partials     425      419      -6

... and 6 files with indirect coverage changes.
I can split this PR in two if needed: a first one to add the CPE summary with the count of CVEs for each package and another one that adds the "latest upstream version".
I happened to chat with someone who is not a lawyer but works on similar compliance problems, and he suspects that the data we're using is too simple and machine-translatable to carry a copyright, which is maybe why it doesn't have one. But it doesn't absolve me of the responsibility of checking with our own compliance team and seeing if they want to reach out to Fedora to clarify, so I'm going to flag this like a requirements change and plan to open a ticket with the right people to ask later today.
Understood, then I opened #3277 to hopefully merge the addition of the CPE summary table (but without the information on the latest stable version retrieved from release-monitoring).
CPE summary table is updated to display the latest upstream stable version (retrieved thanks to the release-monitoring project).
This first iteration doesn't use a local cache and so only works in online mode.

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Quick update on this: licensing didn't say no but they did ask me to update a bunch of paperwork, then it got put on hold while I was out sick. But it's in process, I just need to prompt them to keep it moving.
I got a random "ok" with no explanation on my new licensing paperwork, so I think we're good to merge this. I'm going to update the branch to make sure nothing has gone awry before I do so, though.
Looks like tests are mostly behaving (the fails were in the may-fail tests and a whitespace issue in gitlint that I'll fix during merge). Thank you again for this one and sorry it took so long to sort out whether I could merge it! I think a number of people will find this version info useful.