fix: properly calculate the direct highestVulnerability

ruromero · ruromero · commit cebbcd11e251 · 2024-01-08T14:17:32.000+01:00
Signed-off-by: Ruben Romero Montes &lt;rromerom@redhat.com&gt;
diff --git a/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java
@@ -247,7 +247,7 @@ public Source buildReportForSource(
                   && !depEntry.getKey().isCoordinatesEquals(recommendation.packageName())) {
                 directReport.recommendation(recommendation.packageName());
               }
-              directReport.setHighestVulnerability(issues.stream().findFirst().orElse(null));
+              directReport.setHighestVulnerability(directReport.getIssues().stream().findFirst().orElse(null));
               List<TransitiveDependencyReport> transitiveReports =
                   depEntry.getValue().transitive().stream()
                       .map(
diff --git a/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java b/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java
@@ -209,6 +209,40 @@ public void testSorted() throws IOException {
     assertEquals("aa", reportLowest.getRef().name());
     assertEquals("aaa", reportLowest.getTransitive().get(0).getRef().name());
     assertEquals("aab", reportLowest.getTransitive().get(1).getRef().name());
+
+    assertEquals("ISSUE-006", reportHighest.getHighestVulnerability().getId());
+    assertEquals("ISSUE-001", reportLowest.getHighestVulnerability().getId());
+  }
+
+  @Test
+  public void testHighestVulnerabilityInDirectDependency() throws IOException {
+    Map<String, List<Issue>> issues = Map.of(
+        "pkg:npm/aa@1", List.of(buildIssue(1, 4f),buildIssue(2, 9f),buildIssue(3, 1f)));
+    ProviderResponseHandler handler = new TestResponseHandler();
+
+    ProviderReport response = handler.buildReport(
+        new ProviderResponse(issues, null), buildTree(), null, EMPTY_TRUSTED_CONTENT_RESPONSE);
+
+    assertOkStatus(response);
+    DependencyReport highest = getValidSource(response).getDependencies().get(0);
+    assertEquals("ISSUE-002", highest.getHighestVulnerability().getId());
+    assertEquals(9f, highest.getHighestVulnerability().getCvssScore());
+  }
+
+  @Test
+  public void testHighestVulnerabilityInTransitiveDependency() throws IOException {
+    Map<String, List<Issue>> issues = Map.of(
+        "pkg:npm/aa@1", Collections.emptyList(),
+        "pkg:npm/aaa@1", List.of(buildIssue(1, 4f),buildIssue(2, 9f),buildIssue(3, 1f)));
+    ProviderResponseHandler handler = new TestResponseHandler();
+
+    ProviderReport response = handler.buildReport(
+        new ProviderResponse(issues, null), buildTree(), null, EMPTY_TRUSTED_CONTENT_RESPONSE);
+
+    assertOkStatus(response);
+    DependencyReport highest = getValidSource(response).getDependencies().get(0);
+    assertEquals("ISSUE-002", highest.getHighestVulnerability().getId());
+    assertEquals(9f, highest.getHighestVulnerability().getCvssScore());
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ public Source buildReportForSource(`
`247`	`247`	`&& !depEntry.getKey().isCoordinatesEquals(recommendation.packageName())) {`
`248`	`248`	`directReport.recommendation(recommendation.packageName());`
`249`	`249`	`}`
`250`		`- directReport.setHighestVulnerability(issues.stream().findFirst().orElse(null));`
	`250`	`+ directReport.setHighestVulnerability(directReport.getIssues().stream().findFirst().orElse(null));`
`251`	`251`	`List<TransitiveDependencyReport> transitiveReports =`
`252`	`252`	`depEntry.getValue().transitive().stream()`
`253`	`253`	`.map(`