From 9401c665da60b6103dbe39d850715314790b1a01 Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Tue, 5 Mar 2024 22:15:31 +0100
Subject: [PATCH] fix: avoid duplicated CVE recommendations
Signed-off-by: Ruben Romero Montes
---
 .../trustedcontent/TcResponseHandler.java | 14 +++++++++++++-
 .../resources/__files/trustedcontent/simple.json | 7 ++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java b/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java
index 53790b60..7c68458c 100644
--- a/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java
+++ b/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java
@@ -42,6 +42,7 @@ import com.redhat.exhort.model.trustedcontent.Recommendations;
 import com.redhat.exhort.model.trustedcontent.TcRecommendation;
 import com.redhat.exhort.model.trustedcontent.TrustedContentResponse;
+import com.redhat.exhort.model.trustedcontent.Vulnerability;
 import io.quarkus.runtime.annotations.RegisterForReflection;
@@ -53,6 +54,10 @@
 @RegisterForReflection
 public class TcResponseHandler extends ProviderResponseHandler {
+ // Other values are Affected and UnderInvestigation
+ // see https://www.cisa.gov/sites/default/files/2023-01/VEX_Status_Justification_Jun22.pdf
+ private static final List FIXED_STATUSES = List.of("NotAffected", "Fixed");
+
 @Inject ObjectMapper mapper;
 @ConfigProperty(name = "trustedcontent.recommended.ubi")
@@ -91,7 +96,7 @@ private IndexedRecommendation aggregateRecommendations(List re
 recommendations.stream()
 .map(TcRecommendation::vulnerabilities)
 .flatMap(List::stream)
- .collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v)));
+ .collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v, this::filterFixed)));
 }
 private PackageRef getHighestRemediationRecommendation(List tcRecommendations) {
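Review bot: `FIXED_STATUSES` is only ever used for a membership lookup in `filterFixed`, so `Set.of("NotAffected", "Fixed")` expresses that intent better than a `List` while keeping the same null-hostile `contains` behaviour. The name is also slightly misleading, since "NotAffected" is not a fix; `RESOLVED_STATUSES` or `NON_VULNERABLE_STATUSES` would match the CISA VEX reference in the comment better. The rendering here shows `List` without a type argument — if that is not just stripped markup, it should be `List<String>` (or `Set<String>`).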
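Review bot: The merge policy applied to duplicate CVE ids is not visible at the `.collect` call, and a reader has to open `filterFixed` to learn that the entry whose status is not in `FIXED_STATUSES` wins; a one-line comment above the collect such as `// same CVE id in several recommendations: keep the entry that is still Affected/UnderInvestigation` would document it. That choice is the pessimistic one when one source says Affected and another NotAffected, which is the safe default for a vulnerability report, but it should be stated so it is not "corrected" later. `aggregateRecommendations` starts before this hunk.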
@@ -138,4 +143,11 @@ public ProviderResponse responseToIssues(
 byte[] response, String privateProviders, DependencyTree tree) throws IOException {
 throw new UnsupportedOperationException("Not yet implemented");
 }
+
+ private Vulnerability filterFixed(Vulnerability a, Vulnerability b) {
+ if (!FIXED_STATUSES.contains(a.getStatus())) {
+ return a;
+ }
+ return b;
+ }
 }
diff --git a/src/test/resources/__files/trustedcontent/simple.json b/src/test/resources/__files/trustedcontent/simple.json
index 5b8f250a..a90ae3c4 100644
--- a/src/test/resources/__files/trustedcontent/simple.json
+++ b/src/test/resources/__files/trustedcontent/simple.json
@@ -28,7 +28,7 @@
 "vulnerabilities": [
 {
 "id": "cve-2020-36518",
- "status": "NotAffected",
+ "status": "Affected",
 "justification": "VulnerableCodeNotPresent"
 }
 ]
@@ -40,6 +40,11 @@
 "id": "cve-2023-44487",
 "status": "NotAffected",
 "justification": "VulnerableCodeNotPresent"
+ },
+ {
+ "id": "cve-2020-36518",
+ "status": "NotAffected",
+ "justification": "VulnerableCodeNotPresent"
 }
 ]
 },
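Review bot: `filterFixed` passes `a.getStatus()` straight into `FIXED_STATUSES.contains`, and the immutable list built by `List.of` throws `NullPointerException` on `contains(null)`, so a trusted-content entry that arrives without a `status` field would abort the whole aggregation instead of being merged; whether `getStatus()` can return null depends on the `Vulnerability` model, which is not in this hunk. A null-safe form that treats an unknown status as not fixed keeps the pessimistic default: `String status = a.getStatus();` / `return status != null && FIXED_STATUSES.contains(status) ? b : a;`. The method reads no instance state, so it can be `static` (the reference in the `toMap` call then becomes `TcResponseHandler::filterFixed`, since `this::` cannot name a static method), and a short Javadoc saying that the first entry is kept unless its status is already resolved, in which case the second entry replaces it, would let the merge be understood without reading the call site.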
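Review bot: The fixture now carries cve-2020-36518 as Affected in the first recommendation and NotAffected in the second, which, assuming recommendations are streamed in file order, only exercises the branch of the merge function that keeps the first entry; the reverse ordering, where the first entry is NotAffected and the merge falls through to the second, is not represented. The diffstat lists no test class, so unless an existing test already asserts the merged status of cve-2020-36518 from this fixture, the change only proves that duplicates no longer throw, not which status survives; a second fixture or an assertion for the NotAffected-then-Affected ordering would pin the intended policy.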