fixes license risks not getting closed correctly, adds tests, fixes packagist dto

Author: timbastin

dtos/packagist_dto.go

@@ -28,8 +28,7 @@ type PackagistPackageVersion struct {
 
 	Type string `json:"type,omitempty"`
 
-	Support *PackagistSupport  `json:"support,omitempty"`
-	Funding []PackagistFunding `json:"funding,omitempty"`
+	Support *PackagistSupport `json:"support,omitempty"`
 
 	Require    StringMapField `json:"require,omitempty"`
 	RequireDev StringMapField `json:"require-dev,omitempty"`
@@ -79,10 +78,6 @@ type PackagistSupport struct {
 	Security string `json:"security,omitempty"`
 }
 
-type PackagistFunding struct {
-	Type string `json:"type,omitempty"`
-	URL  string `json:"url,omitempty"`
-}
 
 type StringMapField struct {
 	Map map[string]any

dtos/vulnevent_dto.go

@@ -58,7 +58,7 @@ type VulnEventDTO struct {
 	ArbitraryJSONData map[string]any `json:"arbitraryJSONData"`
 
 	CreatedAt                time.Time `json:"createdAt"`
-	OriginalAssetVersionName *string   `json:"originalAssetVersionName,omitempty"`
+	OriginalAssetVersionName *string   `json:"originalAssetVersionName"`
 	VulnerabilityName        string    `json:"vulnerabilityName"`
 	PackageName              string    `json:"packageName"`
 	URI                      string    `json:"uri"`

services/license_risk_service.go

@@ -351,8 +351,8 @@ func (s *LicenseRiskService) UserFixedLicenseRisksByAutomaticRefresh(ctx context
 	for i := range licenseRisks {
 		ev := models.NewLicenseDecisionEvent(licenseRisks[i].CalculateHash(), dtos.VulnTypeLicenseRisk, userID, "Automatically fixed by license refresh", artifactName, licenseRisks[i].NewFinalLicense, userAgent)
 		events[i] = ev
-		licenseRisksToSave[i] = licenseRisks[i].LicenseRisk
 		statemachine.Apply(&licenseRisks[i].LicenseRisk, ev)
+		licenseRisksToSave[i] = licenseRisks[i].LicenseRisk
 	}
 	if err := s.licenseRiskRepository.SaveBatch(ctx, tx, licenseRisksToSave); err != nil {
 		return err

services/open_source_insight_service.go

@@ -17,16 +17,18 @@ import (
 )
 
 type openSourceInsightService struct {
-	httpClient  *http.Client
-	rateLimiter rate.Limiter
+	httpClient           *http.Client
+	depsDevRateLimiter   rate.Limiter
+	packagistRateLimiter rate.Limiter
 }
 
 var _ shared.OpenSourceInsightService = (*openSourceInsightService)(nil) // Ensure openSourceInsightService implements shared.OpenSourceInsightService interface
 
 func NewOpenSourceInsightService() *openSourceInsightService {
 	return &openSourceInsightService{
-		httpClient:  &http.Client{Transport: utils.EgressTransport},
-		rateLimiter: *rate.NewLimiter(rate.Every(100*time.Millisecond), 5),
+		httpClient:           &http.Client{Transport: utils.EgressTransport},
+		depsDevRateLimiter:   *rate.NewLimiter(rate.Every(100*time.Millisecond), 5),
+		packagistRateLimiter: *rate.NewLimiter(rate.Every(100*time.Millisecond), 5),
 	}
 }
 
@@ -37,7 +39,7 @@ func (s *openSourceInsightService) GetProject(ctx context.Context, projectID str
 	// make sure the projectID (which is usually a github repository url) is url encoded
 	projectID = url.PathEscape(projectID)
 
-	if err := s.rateLimiter.Wait(ctx); err != nil {
+	if err := s.depsDevRateLimiter.Wait(ctx); err != nil {
 		return dtos.OpenSourceInsightsProjectResponse{}, err
 	}
 
@@ -124,9 +126,6 @@ func (s *openSourceInsightService) getGoVersion(ctx context.Context, ecosystem,
 func (s *openSourceInsightService) getVersion(ctx context.Context, ecosystem, packageName, version string) (dtos.OpenSourceInsightsVersionResponse, error) {
 	// make sure the package name is url encoded
 	packageName = url.PathEscape(packageName)
-	if err := s.rateLimiter.Wait(ctx); err != nil {
-		return dtos.OpenSourceInsightsVersionResponse{}, err
-	}
 
 	var req *http.Request
 	var res *http.Response
@@ -135,6 +134,9 @@ func (s *openSourceInsightService) getVersion(ctx context.Context, ecosystem, pa
 
 	switch ecosystem {
 	case "composer":
+		if err := s.packagistRateLimiter.Wait(ctx); err != nil {
+			return dtos.OpenSourceInsightsVersionResponse{}, err
+		}
 		packageNameDecoded, err := url.PathUnescape(packageName)
 		if err != nil {
 			return dtos.OpenSourceInsightsVersionResponse{}, fmt.Errorf("invalid packageName for packagist alternative, could not get version information: %s", packageName)

tests/license_risk_integration_test.go

@@ -99,6 +99,65 @@ func TestLicenseRiskArtifactAssociation(t *testing.T) {
 	})
 }
 
+func TestLicenseRiskClosedByRefresh(t *testing.T) {
+	mockOpenSourceInsightService := mocks.NewOpenSourceInsightService(t)
+
+	WithTestAppOptions(t, "../initdb.sql", TestAppOptions{
+		SuppressLogs: true,
+		ExtraOptions: []fx.Option{
+			fx.Decorate(func() shared.OpenSourceInsightService {
+				return mockOpenSourceInsightService
+			}),
+		},
+	}, func(f *TestFixture) {
+		_, _, asset, assetVersion := f.CreateOrgProjectAssetAndVersion()
+
+		// Component starts with an invalid license
+		comp := models.Component{
+			ID:      "pkg:npm/bad-license-package@1.0.0",
+			License: utils.Ptr("PROPRIETARY"),
+		}
+		assert.NoError(t, f.DB.Create(&comp).Error)
+
+		artifact := models.Artifact{
+			ArtifactName:     "test-artifact",
+			AssetVersionName: assetVersion.Name,
+			AssetID:          assetVersion.AssetID,
+		}
+		assert.NoError(t, f.DB.Create(&artifact).Error)
+
+		// Wire the component into the SBOM graph so GetAndSaveLicenseInformation can find it
+		artifactRoot := "artifact:" + artifact.ArtifactName
+		infoSourceID := "sbom:DEFAULT@" + artifact.ArtifactName
+		assert.NoError(t, f.DB.Create(&models.Component{ID: artifactRoot}).Error)
+		assert.NoError(t, f.DB.Create(&models.Component{ID: infoSourceID}).Error)
+		assert.NoError(t, f.DB.Create(&models.ComponentDependency{AssetID: assetVersion.AssetID, AssetVersionName: assetVersion.Name, ComponentID: "ROOT", DependencyID: artifactRoot}).Error)
+		assert.NoError(t, f.DB.Create(&models.ComponentDependency{AssetID: assetVersion.AssetID, AssetVersionName: assetVersion.Name, ComponentID: artifactRoot, DependencyID: infoSourceID}).Error)
+		assert.NoError(t, f.DB.Create(&models.ComponentDependency{AssetID: assetVersion.AssetID, AssetVersionName: assetVersion.Name, ComponentID: infoSourceID, DependencyID: comp.ID}).Error)
+
+		// Open the license risk
+		err := f.App.LicenseRiskService.FindLicenseRisksInComponents(context.Background(), nil, "system", nil, assetVersion, []models.Component{comp}, artifact.ArtifactName)
+		assert.NoError(t, err)
+
+		risks, err := f.App.LicenseRiskRepository.GetByAssetID(context.Background(), nil, asset.ID)
+		assert.NoError(t, err)
+		assert.Len(t, risks, 1)
+		assert.Equal(t, dtos.VulnStateOpen, risks[0].State)
+
+		// Refresh returns a valid license now
+		mockOpenSourceInsightService.On("GetVersion", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			Return(dtos.OpenSourceInsightsVersionResponse{Licenses: []string{"MIT"}}, nil)
+
+		_, err = f.App.ComponentService.GetAndSaveLicenseInformation(context.Background(), nil, assetVersion, nil, true)
+		assert.NoError(t, err)
+
+		risks, err = f.App.LicenseRiskRepository.GetByAssetID(context.Background(), nil, asset.ID)
+		assert.NoError(t, err)
+		assert.Len(t, risks, 1)
+		assert.Equal(t, dtos.VulnStateFixed, risks[0].State, "license risk should be closed after refresh returns a valid license")
+	})
+}
+
 func getSBOMWithWithLicenseRisk() io.Reader {
 	file, err := os.Open("testdata/sbom-with-license-risk.json")
 	if err != nil {