fix(models): include CPE vulns in total, set "unknown" patch status (#2460)

Previously, FormatFixedStatus skipped CPE vulnerabilities entirely, and
PatchStatus returned an empty string for them. This made CPE-related
vulnerabilities invisible in fix status summaries and inconsistent with
other patch status values (fixed, unfixed, unknown).

Author: MaineK00n

models/vulninfos.go

@@ -190,9 +190,6 @@ func (v VulnInfos) FormatCveSummary() string {
 func (v VulnInfos) FormatFixedStatus(packs Packages) string {
 	total, fixed := 0, 0
 	for _, vInfo := range v {
-		if len(vInfo.CpeURIs) != 0 {
-			continue
-		}
 		total++
 		if vInfo.PatchStatus(packs) == "fixed" {
 			fixed++
@@ -731,7 +728,7 @@ func (v VulnInfo) PatchStatus(packs Packages) string {
 
 	// Vuls don't know patch status of the CPE
 	if len(v.CpeURIs) > 0 {
-		return ""
+		return "unknown"
 	}
 
 	for _, p := range v.AffectedPackages {

models/vulninfos_test.go

@@ -1825,7 +1825,7 @@ func TestVulnInfo_PatchStatus(t *testing.T) {
 			fields: fields{
 				CpeURIs: []string{"cpe:/a:microsoft:internet_explorer:10"},
 			},
-			want: "",
+			want: "unknown",
 		},
 		{
 			name: "package unfixed",
@@ -2082,3 +2082,90 @@ func TestVulnInfo_MaxCvss40Score(t *testing.T) {
 		})
 	}
 }
+
+func TestVulnInfos_FormatFixedStatus(t *testing.T) {
+	type args struct {
+		packs Packages
+	}
+	tests := []struct {
+		name string
+		v    VulnInfos
+		args args
+		want string
+	}{
+		{
+			name: "empty",
+			v:    VulnInfos{},
+			want: "0/0 Fixed",
+		},
+		{
+			name: "package fixed",
+			v: VulnInfos{
+				"CVE-2024-0001": {
+					CveID: "CVE-2024-0001",
+					AffectedPackages: PackageFixStatuses{
+						{Name: "bash", NotFixedYet: false},
+					},
+				},
+			},
+			args: args{
+				packs: Packages{"bash": {Name: "bash", Version: "5.0-4", NewVersion: "5.1-1"}},
+			},
+			want: "1/1 Fixed",
+		},
+		{
+			name: "package unfixed",
+			v: VulnInfos{
+				"CVE-2024-0001": {
+					CveID: "CVE-2024-0001",
+					AffectedPackages: PackageFixStatuses{
+						{Name: "bash", NotFixedYet: true},
+					},
+				},
+			},
+			want: "0/1 Fixed",
+		},
+		{
+			name: "cpe counted as unknown",
+			v: VulnInfos{
+				"CVE-2024-0001": {
+					CveID:   "CVE-2024-0001",
+					CpeURIs: []string{"cpe:/a:vendor:product:1.0"},
+				},
+			},
+			want: "0/1 Fixed",
+		},
+		{
+			name: "mixed: package fixed + package unfixed + cpe",
+			v: VulnInfos{
+				"CVE-2024-0001": {
+					CveID: "CVE-2024-0001",
+					AffectedPackages: PackageFixStatuses{
+						{Name: "bash", NotFixedYet: false},
+					},
+				},
+				"CVE-2024-0002": {
+					CveID: "CVE-2024-0002",
+					AffectedPackages: PackageFixStatuses{
+						{Name: "vim", NotFixedYet: true},
+					},
+				},
+				"CVE-2024-0003": {
+					CveID:   "CVE-2024-0003",
+					CpeURIs: []string{"cpe:/a:vendor:product:1.0"},
+				},
+			},
+			args: args{
+				packs: Packages{"bash": {Name: "bash", Version: "5.0-4", NewVersion: "5.1-1"}},
+			},
+			want: "1/3 Fixed",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.v.FormatFixedStatus(tt.args.packs); got != tt.want {
+				t.Errorf("VulnInfos.FormatFixedStatus() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}