Merge pull request #145 from ruromero/sort-direct

fix: sort direct vulnerabilities
RHEcosystemAppEng · Sep 7, 2023 · d989a84 · d989a84
2 parents 3abb1fa + fb69c1a
commit d989a84
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/src/main/java/com/redhat/exhort/integration/report/ReportTransformer.java b/src/main/java/com/redhat/exhort/integration/report/ReportTransformer.java
@@ -79,7 +79,8 @@ public AnalysisReport transform(@Body GraphRequest request) {
           List<TransitiveDependencyReport> transitiveReport =
               getTransitiveDependenciesReport(d, request);
           updateVulnerabilitySummary(issues, transitiveReport, counter, uniqueDeps);
-          Optional<Issue> highestVulnerability = issues.stream().findFirst();
+          Optional<Issue> highestVulnerability =
+              issues.stream().max(Comparator.comparing(Issue::getCvssScore));
           Optional<Issue> highestTransitive =
               transitiveReport.stream()
                   .map(TransitiveDependencyReport::getHighestVulnerability)

diff --git a/src/test/java/com/redhat/exhort/integration/report/ReportTransformerTest.java b/src/test/java/com/redhat/exhort/integration/report/ReportTransformerTest.java
@@ -22,13 +22,15 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
 import org.junit.jupiter.api.Test;
 
 import com.redhat.exhort.api.AnalysisReport;
+import com.redhat.exhort.api.DependencyReport;
 import com.redhat.exhort.api.Issue;
 import com.redhat.exhort.api.PackageRef;
 import com.redhat.exhort.api.Severity;
@@ -132,6 +134,30 @@ public void testFilterRecommendations() {
     assertTrue(report.getDependencies().isEmpty());
   }
 
+  @Test
+  public void testHighestVulnerability() {
+    Map<String, List<Issue>> issues = new HashMap<>();
+    issues.put("aa", List.of(buildIssue(1, 4.5f), buildIssue(2, 8.7f)));
+    issues.put("aaa", List.of(buildIssue(3, 8.6f)));
+    issues.put("abc", List.of(buildIssue(4, 9f), buildIssue(5, 8.9f)));
+    GraphRequest req =
+        new GraphRequest.Builder(Constants.NPM_PKG_MANAGER, List.of(Constants.SNYK_PROVIDER))
+            .tree(buildTree())
+            .issues(issues)
+            .build();
+    AnalysisReport report = new ReportTransformer().transform(req);
+    Issue highestVulnerability = report.getDependencies().get(0).getHighestVulnerability();
+    assertNotNull(highestVulnerability);
+    List<DependencyReport> sortedDeps =
+        report.getDependencies().stream()
+            .sorted(
+                (a, b) ->
+                    a.getRef().purl().canonicalize().compareTo(b.getRef().purl().canonicalize()))
+            .toList();
+    assertEquals(8.7f, sortedDeps.get(0).getHighestVulnerability().getCvssScore());
+    assertEquals(9f, sortedDeps.get(1).getHighestVulnerability().getCvssScore());
+  }
+
   private DependencyTree buildTree() {
     Map<PackageRef, DirectDependency> direct =
         Map.of(