fixes bug, that a scanner will get removed all the time since we are appending another scanner with a colon

Author: timbastin

internal/core/assetversion/asset_version_service.go

@@ -368,7 +368,7 @@ func diffScanResults(currentScanner string, foundVulnerabilities []models.Depend
 
 	// Now we work on the vulnerabilities found in both sets -> has the vulnerability this scanner id already in his scanner_ids
 	for i := range foundByScannerAndExisting {
-		if !strings.Contains(foundByScannerAndExisting[i].ScannerIDs, currentScanner) {
+		if !utils.ContainsInWhitespaceSeparatedStringList(foundByScannerAndExisting[i].ScannerIDs, currentScanner) {
 			detectedByOtherScanner = append(detectedByOtherScanner, foundByScannerAndExisting[i])
 		}
 	}
@@ -377,7 +377,7 @@ func diffScanResults(currentScanner string, foundVulnerabilities []models.Depend
 	for i := range notFoundByScannerAndExisting {
 		if strings.TrimSpace(notFoundByScannerAndExisting[i].ScannerIDs) == currentScanner {
 			fixedVulns = append(fixedVulns, notFoundByScannerAndExisting[i])
-		} else if strings.Contains(notFoundByScannerAndExisting[i].ScannerIDs, currentScanner) {
+		} else if utils.ContainsInWhitespaceSeparatedStringList(notFoundByScannerAndExisting[i].ScannerIDs, currentScanner) {
 			notDetectedByScannerAnymore = append(notDetectedByScannerAnymore, notFoundByScannerAndExisting[i])
 		}
 	}

internal/core/assetversion/asset_version_service_test.go

@@ -245,6 +245,25 @@ func TestDiffScanResults(t *testing.T) {
 		assert.Empty(t, detectedByCurrentScanner)
 		assert.Empty(t, notDetectedByCurrentScannerAnymore)
 	})
+
+	t.Run("BUG: should NOT incorrectly identify scanner removal when scanner ID contains colon and is substring of existing scanner", func(t *testing.T) {
+
+		currentScanner := "container-scanning"
+		foundVulnerabilities := []models.DependencyVuln{
+			{CVEID: utils.Ptr("CVE-1234")},
+		}
+
+		existingDependencyVulns := []models.DependencyVuln{
+			{CVEID: utils.Ptr("CVE-1234"), Vulnerability: models.Vulnerability{ScannerIDs: "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner"}},
+		}
+
+		foundByScannerAndNotExisting, fixedVulns, detectedByCurrentScanner, notDetectedByCurrentScannerAnymore := diffScanResults(currentScanner, foundVulnerabilities, existingDependencyVulns)
+
+		assert.Empty(t, foundByScannerAndNotExisting, "Should be empty - this is a new detection by current scanner")
+		assert.Empty(t, fixedVulns, "Should be empty - no vulnerabilities are fixed")
+		assert.Equal(t, 1, len(detectedByCurrentScanner), "Should detect that current scanner found existing vulnerability for first time")
+		assert.Empty(t, notDetectedByCurrentScannerAnymore, "BUG: Should be empty - current scanner was never detecting this vulnerability before!")
+	})
 }
 
 func TestYamlMetadata(t *testing.T) {

internal/database/repositories/component_repository.go

@@ -336,7 +336,7 @@ func (c *componentRepository) HandleStateDiff(tx core.DB, assetVersionName strin
 
 		//Next step is adding the scanner id to all existing component dependencies we just found
 		for i := range needToBeChanged {
-			if !strings.Contains(needToBeChanged[i].ScannerIDs, scannerID) {
+			if !utils.ContainsInWhitespaceSeparatedStringList(needToBeChanged[i].ScannerIDs, scannerID) {
 				needToBeChanged[i].ScannerIDs = utils.AddToWhitespaceSeparatedStringList(needToBeChanged[i].ScannerIDs, scannerID)
 			}
 		}

internal/utils/common.go

@@ -172,6 +172,11 @@ func RemoveFromWhitespaceSeparatedStringList(s string, item string) string {
 	return strings.Join(res, " ")
 }
 
+func ContainsInWhitespaceSeparatedStringList(s string, item string) bool {
+	els := strings.Fields(s)
+	return slices.Contains(els, item)
+}
+
 func CompareFirstTwoDecimals(a, b float64) bool {
 
 	aRounded := math.Round(a*100) / 100

internal/utils/common_test.go

@@ -32,6 +32,18 @@ func TestAddToWhitespaceSeparatedStringList(t *testing.T) {
 			item:     "item1",
 			expected: "item1 item2",
 		},
+		{
+			name:     "Add scanner ID with colon",
+			input:    "scanner1",
+			item:     "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			expected: "scanner1 github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+		},
+		{
+			name:     "Should not add duplicate scanner ID with colon",
+			input:    "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			expected: "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+		},
 	}
 
 	for _, tt := range tests {
@@ -75,6 +87,18 @@ func TestRemoveFromWhitespaceSeparatedStringList(t *testing.T) {
 			item:     "item1",
 			expected: "",
 		},
+		{
+			name:     "Remove scanner ID with colon from list",
+			input:    "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			expected: "",
+		},
+		{
+			name:     "Should not remove partial match with colon",
+			input:    "container-scanning github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "container-scanning:scanner",
+			expected: "container-scanning github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+		},
 	}
 
 	for _, tt := range tests {
@@ -86,6 +110,68 @@ func TestRemoveFromWhitespaceSeparatedStringList(t *testing.T) {
 		})
 	}
 }
+
+func TestContainsInWhitespaceSeparatedStringList(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		item     string
+		expected bool
+	}{
+		{
+			name:     "Item exists in list",
+			input:    "item1 item2 item3",
+			item:     "item2",
+			expected: true,
+		},
+		{
+			name:     "Item does not exist in list",
+			input:    "item1 item2 item3",
+			item:     "item4",
+			expected: false,
+		},
+		{
+			name:     "Item exists in single-item list",
+			input:    "item1",
+			item:     "item1",
+			expected: true,
+		},
+		{
+			name:     "Item does not exist in empty list",
+			input:    "",
+			item:     "item1",
+			expected: false,
+		},
+		{
+			name:     "Scanner ID with colon exists in list",
+			input:    "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			expected: true,
+		},
+		{
+			name:     "Should not match partial scanner ID with colon",
+			input:    "github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "container-scanning",
+			expected: false,
+		},
+		{
+			name:     "Should not match partial scanner ID with colon (reverse)",
+			input:    "container-scanning github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning:scanner",
+			item:     "container-scanning:scanner",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ContainsInWhitespaceSeparatedStringList(tt.input, tt.item)
+			if result != tt.expected {
+				t.Errorf("expected %t, got %t", tt.expected, result)
+			}
+		})
+	}
+}
+
 func TestShannonEntropy(t *testing.T) {
 	tests := []struct {
 		name     string