From 972992a7355a6003118352b585cdd221e5ed61e1 Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Mon, 8 Jan 2024 14:20:11 +0100
Subject: [PATCH] fix: properly calculate the direct highestVulnerability
Signed-off-by: Ruben Romero Montes
---
 .../providers/ProviderResponseHandler.java | 3 +-
 .../ProviderResponseHandlerTest.java | 37 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java b/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java
index ee2b303c..811d3ec8 100644
--- a/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java
@@ -247,7 +247,8 @@ public Source buildReportForSource(
 && !depEntry.getKey().isCoordinatesEquals(recommendation.packageName())) {
 directReport.recommendation(recommendation.packageName());
 }
- directReport.setHighestVulnerability(issues.stream().findFirst().orElse(null));
+ directReport.setHighestVulnerability(
+ directReport.getIssues().stream().findFirst().orElse(null));
 List transitiveReports =
 depEntry.getValue().transitive().stream()
 .map(
diff --git a/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java b/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java
index e83ccefe..63df62b6 100644
--- a/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java
+++ b/src/test/java/com/redhat/exhort/integration/providers/ProviderResponseHandlerTest.java
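Review bot: The new `directReport.getIssues().stream().findFirst()` still encodes the assumption that the direct report's issue list is already ordered highest-severity-first, and nothing in this hunk establishes that ordering; if an upstream sort is dropped or a provider hands back issues unsorted, the report would silently understate the worst finding, which is precisely the field consumers act on. Selecting by score states the intent and removes the ordering dependency: `directReport.getIssues().stream().max(Comparator.comparing(i -> i.getCvssScore())).orElse(null)` (accessor name taken from the new tests; `java.util.Comparator` would need importing if it is not already). If the list is guaranteed sorted elsewhere, a comment on this line such as `// issues are sorted by severity descending, so the first one is the highest` would at least make the dependency explicit. The enclosing `buildReportForSource` begins and ends outside this hunk, so how the transitive case exercised by `testHighestVulnerabilityInTransitiveDependency` later feeds into this field is not visible here.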
@@ -209,6 +209,43 @@ public void testSorted() throws IOException {
 assertEquals("aa", reportLowest.getRef().name());
 assertEquals("aaa", reportLowest.getTransitive().get(0).getRef().name());
 assertEquals("aab", reportLowest.getTransitive().get(1).getRef().name());
+
+ assertEquals("ISSUE-006", reportHighest.getHighestVulnerability().getId());
+ assertEquals("ISSUE-001", reportLowest.getHighestVulnerability().getId());
+ }
+
+ @Test
+ public void testHighestVulnerabilityInDirectDependency() throws IOException {
+ Map> issues =
+ Map.of("pkg:npm/aa@1", List.of(buildIssue(1, 4f), buildIssue(2, 9f), buildIssue(3, 1f)));
+ ProviderResponseHandler handler = new TestResponseHandler();
+
+ ProviderReport response =
+ handler.buildReport(
+ new ProviderResponse(issues, null), buildTree(), null, EMPTY_TRUSTED_CONTENT_RESPONSE);
+
+ assertOkStatus(response);
+ DependencyReport highest = getValidSource(response).getDependencies().get(0);
+ assertEquals("ISSUE-002", highest.getHighestVulnerability().getId());
+ assertEquals(9f, highest.getHighestVulnerability().getCvssScore());
+ }
+
+ @Test
+ public void testHighestVulnerabilityInTransitiveDependency() throws IOException {
+ Map> issues =
+ Map.of(
+ "pkg:npm/aa@1", Collections.emptyList(),
+ "pkg:npm/aaa@1", List.of(buildIssue(1, 4f), buildIssue(2, 9f), buildIssue(3, 1f)));
+ ProviderResponseHandler handler = new TestResponseHandler();
+
+ ProviderReport response =
+ handler.buildReport(
+ new ProviderResponse(issues, null), buildTree(), null, EMPTY_TRUSTED_CONTENT_RESPONSE);
+
+ assertOkStatus(response);
+ DependencyReport highest = getValidSource(response).getDependencies().get(0);
+ assertEquals("ISSUE-002", highest.getHighestVulnerability().getId());
+ assertEquals(9f, highest.getHighestVulnerability().getCvssScore());
 }
 @Test
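Review bot: Neither new test pins the `orElse(null)` path that the production change keeps, a direct dependency with an empty issue list and no vulnerable transitives, so a later regression that throws on an empty stream or leaves a stale value there would go unnoticed. The deliberately unsorted fixture order (4f, 9f, 1f) is a good choice, since the assertions only hold if the handler really selects by severity rather than by position. A third test along the lines below would close the gap, assuming a dependency without any finding is still listed and the field is left unset, neither of which this hunk can confirm. `assertEquals(9f, …getCvssScore())` without a delta is fine on JUnit 5 but deprecated on JUnit 4; which one the suite uses is not visible here. `testSorted` starts outside the hunk.
```java
@Test
public void testNoHighestVulnerabilityWithoutIssues() throws IOException {
  ProviderResponseHandler handler = new TestResponseHandler();

  ProviderReport response =
      handler.buildReport(
          new ProviderResponse(Map.of("pkg:npm/aa@1", Collections.emptyList()), null),
          buildTree(), null, EMPTY_TRUSTED_CONTENT_RESPONSE);

  assertOkStatus(response);
  DependencyReport direct = getValidSource(response).getDependencies().get(0);
  assertNull(direct.getHighestVulnerability());
}
```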