fix: account for uncalled vulnerabilities

google · Jul 10, 2024 · c8358d4 · c8358d4
1 parent 6c0936c
commit c8358d4
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 35 deletions.
diff --git a/internal/output/__snapshots__/vertical_test.snap b/internal/output/__snapshots__/vertical_test.snap
@@ -204,11 +204,7 @@ path/to/my/second/lockfile: found 1 package with issues
 
 [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]
 path/to/my/first/lockfile: found 1 package with issues
-
-  mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
-
-  1 known vulnerability found in path/to/my/first/lockfile
+  no known vulnerabilities found
 
   license violations found:
     mine1@1.2.3 (MIT)
@@ -224,11 +220,7 @@ path/to/my/second/lockfile: found 2 packages with issues
   no license violations found
 
 path/to/my/third/lockfile: found 2 packages with issues
-
-  mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
-
-  1 known vulnerability found in path/to/my/third/lockfile
+  no known vulnerabilities found
 
   license violations found:
     mine1@1.3.5 (MIT)
@@ -291,11 +283,7 @@ path/to/my/first/lockfile: found 1 package with issues
 
 [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]
 path/to/my/first/lockfile: found 1 package with issues
-
-  mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
-
-  1 known vulnerability found in path/to/my/first/lockfile
+  no known vulnerabilities found
 
   license violations found:
     mine1@1.2.3 (MIT)
@@ -447,12 +435,11 @@ path/to/my/second/lockfile: found 2 packages with issues
 path/to/my/first/lockfile: found 2 packages with issues
 
   author1/mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
     OSV-5: Something scarier! (https://osv.dev/OSV-5)
   mine1@1.2.2 is affected by the following vulnerabilities:
     OSV-1: Something scary! (https://osv.dev/OSV-1)
 
-  3 known vulnerabilities found in path/to/my/first/lockfile
+  2 known vulnerabilities found in path/to/my/first/lockfile
 
 path/to/my/second/lockfile: found 2 packages with issues
 
@@ -499,9 +486,8 @@ path/to/my/first/lockfile: found 1 package with issues
 
   mine1@1.2.3 is affected by the following vulnerabilities:
     OSV-1: Something scary! (https://osv.dev/OSV-1)
-    GHSA-123: Something scarier! (https://osv.dev/GHSA-123)
 
-  2 known vulnerabilities found in path/to/my/first/lockfile
+  1 known vulnerability found in path/to/my/first/lockfile
 
 ---
 
@@ -517,11 +503,7 @@ path/to/my/first/lockfile: found 1 package with issues
 
 [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]
 path/to/my/first/lockfile: found 1 package with issues
-
-  mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
-
-  1 known vulnerability found in path/to/my/first/lockfile
+  no known vulnerabilities found
 
 ---
 
@@ -547,12 +529,7 @@ path/to/my/first/lockfile: found 1 package with issues
 
 [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]
 path/to/my/first/lockfile: found 1 package with issues
-
-  mine1@1.2.3 is affected by the following vulnerabilities:
-    OSV-1: Something scary! (https://osv.dev/OSV-1)
-    GHSA-123: Something scary! (https://osv.dev/GHSA-123)
-
-  2 known vulnerabilities found in path/to/my/first/lockfile
+  no known vulnerabilities found
 
 ---
 

diff --git a/internal/output/vertical.go b/internal/output/vertical.go
@@ -13,7 +13,7 @@ import (
 func PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) {
 	for i, result := range vulnResult.Results {
 		printVerticalHeader(result, outputWriter)
-		printVerticalVulnerabilities(result, outputWriter)
+		printVerticalVulnerabilities(result, outputWriter, true)
 
 		if len(vulnResult.ExperimentalAnalysisConfig.Licenses.Allowlist) > 0 {
 			printVerticalLicenseViolations(result, outputWriter)
@@ -35,7 +35,27 @@ func printVerticalHeader(result models.PackageSource, out io.Writer) {
 	)
 }
 
-func printVerticalVulnerabilities(result models.PackageSource, out io.Writer) {
+func collectVulns(pkg models.PackageVulns, called bool) []models.Vulnerability {
+	vulns := make([]models.Vulnerability, 0)
+
+	for _, group := range pkg.Groups {
+		if group.IsCalled() != called {
+			continue
+		}
+
+		for _, ids := range group.IDs {
+			for _, v := range pkg.Vulnerabilities {
+				if v.ID == ids {
+					vulns = append(vulns, v)
+				}
+			}
+		}
+	}
+
+	return vulns
+}
+
+func printVerticalVulnerabilities(result models.PackageSource, out io.Writer, called bool) {
 	count := countVulnerabilities(result)
 
 	if count == 0 {
@@ -51,7 +71,9 @@ func printVerticalVulnerabilities(result models.PackageSource, out io.Writer) {
 	fmt.Fprintln(out)
 
 	for _, pkg := range result.Packages {
-		if len(pkg.Vulnerabilities) == 0 {
+		vulns := collectVulns(pkg, called)
+
+		if len(vulns) == 0 {
 			continue
 		}
 
@@ -61,7 +83,7 @@ func printVerticalVulnerabilities(result models.PackageSource, out io.Writer) {
 			text.FgRed.Sprintf("is affected by the following vulnerabilities:"),
 		)
 
-		for _, vulnerability := range pkg.Vulnerabilities {
+		for _, vulnerability := range vulns {
 			fmt.Fprintf(out,
 				"    %s %s\n",
 				text.FgCyan.Sprintf("%s:", vulnerability.ID),
@@ -126,7 +148,11 @@ func countVulnerabilities(result models.PackageSource) int {
 	count := 0
 
 	for _, pkg := range result.Packages {
-		count += len(pkg.Vulnerabilities)
+		for _, g := range pkg.Groups {
+			if g.IsCalled() {
+				count += len(g.IDs)
+			}
+		}
 	}
 
 	return count