fix: avoid duplicated CVE recommendations (#301)

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
RHEcosystemAppEng · Mar 5, 2024 · bcc41f6 · bcc41f6
1 parent adce51f
commit bcc41f6
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java b/src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseHandler.java
@@ -42,6 +42,7 @@
 import com.redhat.exhort.model.trustedcontent.Recommendations;
 import com.redhat.exhort.model.trustedcontent.TcRecommendation;
 import com.redhat.exhort.model.trustedcontent.TrustedContentResponse;
+import com.redhat.exhort.model.trustedcontent.Vulnerability;
 
 import io.quarkus.runtime.annotations.RegisterForReflection;
 
@@ -53,6 +54,10 @@
 @RegisterForReflection
 public class TcResponseHandler extends ProviderResponseHandler {
 
+  // Other values are Affected and UnderInvestigation
+  // see https://www.cisa.gov/sites/default/files/2023-01/VEX_Status_Justification_Jun22.pdf
+  private static final List<String> FIXED_STATUSES = List.of("NotAffected", "Fixed");
+
   @Inject ObjectMapper mapper;
 
   @ConfigProperty(name = "trustedcontent.recommended.ubi")
@@ -91,7 +96,7 @@ private IndexedRecommendation aggregateRecommendations(List<TcRecommendation> re
         recommendations.stream()
             .map(TcRecommendation::vulnerabilities)
             .flatMap(List::stream)
-            .collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v)));
+            .collect(Collectors.toMap(v -> v.getId().toUpperCase(), v -> v, this::filterFixed)));
   }
 
   private PackageRef getHighestRemediationRecommendation(List<TcRecommendation> tcRecommendations) {
@@ -138,4 +143,11 @@ public ProviderResponse responseToIssues(
       byte[] response, String privateProviders, DependencyTree tree) throws IOException {
     throw new UnsupportedOperationException("Not yet implemented");
   }
+
+  private Vulnerability filterFixed(Vulnerability a, Vulnerability b) {
+    if (!FIXED_STATUSES.contains(a.getStatus())) {
+      return a;
+    }
+    return b;
+  }
 }
diff --git a/src/test/resources/__files/trustedcontent/simple.json b/src/test/resources/__files/trustedcontent/simple.json
@@ -28,7 +28,7 @@
                 "vulnerabilities": [
                     {
                         "id": "cve-2020-36518",
-                        "status": "NotAffected",
+                        "status": "Affected",
                         "justification": "VulnerableCodeNotPresent"
                     }
                 ]
@@ -40,6 +40,11 @@
                         "id": "cve-2023-44487",
                         "status": "NotAffected",
                         "justification": "VulnerableCodeNotPresent"
+                    },
+                    {
+                      "id": "cve-2020-36518",
+                      "status": "NotAffected",
+                      "justification": "VulnerableCodeNotPresent"
                     }
                 ]
             },