Stashing changes for now

Author: patrick.rissmann@l3montree.com

internal/core/assetversion/asset_version_service.go

@@ -72,7 +72,7 @@ func (s *service) HandleFirstPartyVulnResult(asset models.Asset, assetVersion *m
 					AssetVersionName: assetVersion.Name,
 					AssetID:          asset.ID,
 					Message:          &result.Message.Text,
-					ScannerID:        scannerID,
+					ScannerIDs:       scannerID,
 				},
 				RuleID:      result.RuleId,
 				Uri:         result.Locations[0].PhysicalLocation.ArtifactLocation.Uri,
@@ -183,7 +183,7 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 			Vulnerability: models.Vulnerability{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          asset.ID,
-				ScannerID:        scannerID,
+				ScannerIDs:       scannerID,
 			},
 			CVEID:                 utils.Ptr(v.CVEID),
 			ComponentPurl:         utils.Ptr(v.Purl),
@@ -221,11 +221,12 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 
 func (s *service) handleScanResult(userID string, scannerID string, assetVersion *models.AssetVersion, dependencyVulns []models.DependencyVuln, doRiskManagement bool, asset models.Asset) (int, int, []models.DependencyVuln, error) {
 	// get all existing dependencyVulns from the database - this is the old state
-	existingDependencyVulns, err := s.dependencyVulnRepository.ListByScanner(assetVersion.Name, assetVersion.AssetID, scannerID)
+	existingDependencyVulns, err := s.dependencyVulnRepository.ListByAssetAndAssetVersion(assetVersion.Name, assetVersion.AssetID)
 	if err != nil {
 		slog.Error("could not get existing dependencyVulns", "err", err)
 		return 0, 0, []models.DependencyVuln{}, err
 	}
+
 	// remove all fixed dependencyVulns from the existing dependencyVulns
 	existingDependencyVulns = utils.Filter(existingDependencyVulns, func(dependencyVuln models.DependencyVuln) bool {
 		return dependencyVuln.State != models.VulnStateFixed
@@ -235,26 +236,24 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 		return dependencyVuln.CalculateHash()
 	})
 
-	for _, vuln := range dependencyVulns {
-		for _, vuln_existing := range existingDependencyVulns {
-			if vuln.CalculateHash() == vuln_existing.CalculateHash() {
-				if !strings.Contains(vuln_existing.ScannerID, vuln.ScannerID) {
-					vuln_existing.ScannerID = vuln_existing.ScannerID + " " + vuln.ScannerID
-				}
-			}
-		}
-	}
-
-	fixedDependencyVulns := comparison.OnlyInA
-	newDependencyVulns := comparison.OnlyInB
+	foundByScannerAndNotExisting := comparison.OnlyInB //We want to create new vulnerabilities for these
+	foundByScannerAndExisting := comparison.InBoth     //We have to check if it was already found by this scanner or only by other scanners
+	notFoundByScannerAndExisting := comparison.OnlyInA //We have to update all vulnerabilities which were previously found by this scanner and now aren't
 
 	// get a transaction
 	if err := s.dependencyVulnRepository.Transaction(func(tx core.DB) error {
-		if err := s.dependencyVulnService.UserDetectedDependencyVulns(tx, userID, newDependencyVulns, *assetVersion, asset, true); err != nil {
-
-			// this will cancel the transaction
-			return err
+		// We can create the newly found one without checking anything
+		if err := s.dependencyVulnService.UserDetectedDependencyVulns(tx, userID, foundByScannerAndNotExisting, *assetVersion, asset, true); err != nil {
+			return err // this will cancel the transaction
 		}
+		// Now we work on the vulnerabilities found in both sets -> has the vulnerability this scanner id already in his scanner_ids
+		for _, existingVulnerability := range foundByScannerAndExisting {
+			if !strings.Contains(existingVulnerability.ScannerID, scannerID) {
+				existingVulnerability.ScannerID = existingVulnerability.ScannerID + " " + scannerID
+			}
+		}
+		s.dependencyVulnRepository.ApplyAndSave(tx, &existingDependencyVulns)
+
 		return s.dependencyVulnService.UserFixedDependencyVulns(tx, userID, fixedDependencyVulns, *assetVersion, asset, true)
 	}); err != nil {
 		slog.Error("could not save dependencyVulns", "err", err)
@@ -265,7 +264,7 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 	fixedDependencyVulns = utils.Filter(fixedDependencyVulns, func(dependencyVuln models.DependencyVuln) bool {
 		return dependencyVuln.State == models.VulnStateOpen
 	})
-	return len(newDependencyVulns), len(fixedDependencyVulns), append(newDependencyVulns, comparison.InBoth...), nil
+	return len(foundByScannerAndNotExisting), len(fixedDependencyVulns), append(foundByScannerAndNotExisting, comparison.InBoth...), nil
 }
 
 func recursiveBuildBomRefMap(component cdx.Component) map[string]cdx.Component {

internal/core/common_interfaces.go

@@ -108,6 +108,7 @@ type DependencyVulnRepository interface {
 	GetDefaultDependencyVulnsByProjectIdPaged(tx DB, projectID uuid.UUID, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.DependencyVuln], error)
 	GetDependencyVulnsByAssetVersionPagedAndFlat(tx DB, assetVersionName string, assetVersionID uuid.UUID, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.DependencyVuln], error)
 	ListByScanner(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
+	ListByAssetAndAssetVersion(assetVersionName string, assetID uuid.UUID) ([]models.DependencyVuln, error)
 	GetDependencyVulnsByPurl(tx DB, purls []string) ([]models.DependencyVuln, error)
 	ApplyAndSave(tx DB, dependencyVuln *models.DependencyVuln, vulnEvent *models.VulnEvent) error
 }

internal/core/component/component_dto.go

@@ -6,15 +6,15 @@ import (
 )
 
 type componentDTO struct {
-	ID uuid.UUID `gorm:"primarykey;type:uuid;default:gen_random_uuid()" json:"id"`
+	ID uuid.UUID `json:"id"`
 
 	// the provided sbom from cyclondx only contains the transitive dependencies, which do really get used
 	// this means, that the dependency graph between people using the same library might differ, since they use it differently
 	// we use edges, which provide the information, that a component is used by another component in one asset
 	Dependency     models.Component `json:"dependency"`
 	DependencyPurl string           `json:"dependencyPurl"` // will be nil, for direct dependencies
 	AssetID        uuid.UUID        `json:"assetVersionId"`
-	ScannerID      string           `json:"scannerId" gorm:"column:scanner_id"` // the id of the scanner
+	ScannerID      string           `json:"scannerId"` // the id of the scanner
 }
 
 func toDTO(m models.ComponentDependency) componentDTO {

internal/core/daemon/flaw_daemon.go

@@ -74,15 +74,15 @@ func UpdateComponentProperties(db core.DB) error {
 			// group by scanner id
 			groups := make(map[string]map[string][]models.DependencyVuln)
 			for _, f := range dependencyVulns {
-				if _, ok := groups[f.ScannerID]; !ok {
-					groups[f.ScannerID] = make(map[string][]models.DependencyVuln)
+				if _, ok := groups[f.ScannerIDs]; !ok {
+					groups[f.ScannerIDs] = make(map[string][]models.DependencyVuln)
 				}
 
-				if _, ok := groups[f.ScannerID][f.AssetVersionName]; !ok {
-					groups[f.ScannerID][f.AssetVersionName] = make([]models.DependencyVuln, 0)
+				if _, ok := groups[f.ScannerIDs][f.AssetVersionName]; !ok {
+					groups[f.ScannerIDs][f.AssetVersionName] = make([]models.DependencyVuln, 0)
 				}
 
-				groups[f.ScannerID][f.AssetVersionName] = append(groups[f.ScannerID][f.AssetVersionName], f)
+				groups[f.ScannerIDs][f.AssetVersionName] = append(groups[f.ScannerIDs][f.AssetVersionName], f)
 			}
 
 			// group the dependencyVulns by scanner id

internal/core/dependency_vuln/dependency_vuln_controller.go

@@ -136,7 +136,7 @@ func (c dependencyVulnHttpController) ListPaged(ctx core.Context) error {
 		// append the dependencyVuln to the package
 		dependencyVulnsByPackage.DependencyVulns = append(res[*dependencyVuln.ComponentPurl].DependencyVulns, DependencyVulnDTO{
 			ID:                    dependencyVuln.ID,
-			ScannerID:             dependencyVuln.ScannerID,
+			ScannerID:             dependencyVuln.ScannerIDs,
 			Message:               dependencyVuln.Message,
 			AssetVersionName:      dependencyVuln.AssetVersionName,
 			AssetID:               dependencyVuln.AssetID.String(),
@@ -297,7 +297,7 @@ func convertToDetailedDTO(dependencyVuln models.DependencyVuln) detailedDependen
 			Priority:              dependencyVuln.Priority,
 			LastDetected:          dependencyVuln.LastDetected,
 			CreatedAt:             dependencyVuln.CreatedAt,
-			ScannerID:             dependencyVuln.ScannerID,
+			ScannerID:             dependencyVuln.ScannerIDs,
 			TicketID:              dependencyVuln.TicketID,
 			TicketURL:             dependencyVuln.TicketURL,
 			RiskRecalculatedAt:    dependencyVuln.RiskRecalculatedAt,

internal/core/dependency_vuln/dependency_vuln_dto.go

@@ -55,7 +55,7 @@ func DependencyVulnToDto(f models.DependencyVuln) DependencyVulnDTO {
 
 	return DependencyVulnDTO{
 		ID:                    f.ID,
-		ScannerID:             f.ScannerID,
+		ScannerID:             f.ScannerIDs,
 		Message:               f.Message,
 		AssetVersionName:      f.AssetVersionName,
 		AssetID:               f.AssetID.String(),

internal/core/dependency_vuln/first_party_vuln_controller.go

@@ -204,7 +204,7 @@ func convertFirstPartyVulnToDetailedDTO(firstPartyVuln models.FirstPartyVulnerab
 	return detailedFirstPartyVulnDTO{
 		FirstPartyVulnDTO: FirstPartyVulnDTO{
 			ID:          firstPartyVuln.ID,
-			ScannerID:   firstPartyVuln.ScannerID,
+			ScannerID:   firstPartyVuln.ScannerIDs,
 			Message:     firstPartyVuln.Message,
 			AssetID:     firstPartyVuln.AssetID.String(),
 			State:       firstPartyVuln.State,

internal/core/dependency_vuln/first_party_vuln_dto.go

@@ -38,7 +38,7 @@ func FirstPartyVulnToDto(f models.FirstPartyVulnerability) FirstPartyVulnDTO {
 
 	return FirstPartyVulnDTO{
 		ID:          f.ID,
-		ScannerID:   f.ScannerID,
+		ScannerID:   f.ScannerIDs,
 		Message:     f.Message,
 		AssetID:     f.AssetID.String(),
 		State:       f.State,

internal/core/risk/risk_explaination.go

@@ -300,7 +300,7 @@ func Explain(dependencyVuln models.DependencyVuln, asset models.Asset, vector st
 		cveDescription: dependencyVuln.CVE.Description,
 
 		affectedComponentName: utils.SafeDereference(dependencyVuln.ComponentPurl),
-		scanner:               dependencyVuln.ScannerID,
+		scanner:               dependencyVuln.ScannerIDs,
 		fixedVersion:          dependencyVuln.ComponentFixedVersion,
 	}
 }

internal/database/models/first_party_vuln_model.go

@@ -48,7 +48,7 @@ func (m *FirstPartyVulnerability) CalculateHash() string {
 	startColumnStr := strconv.Itoa(m.StartColumn)
 	endColumnStr := strconv.Itoa(m.EndColumn)
 
-	hash := utils.HashString(startLineStr + endLineStr + startColumnStr + endColumnStr + m.RuleID + m.Uri + m.ScannerID + m.AssetID.String() + m.AssetVersionName)
+	hash := utils.HashString(startLineStr + endLineStr + startColumnStr + endColumnStr + m.RuleID + m.Uri + m.ScannerIDs + m.AssetID.String() + m.AssetVersionName)
 	m.ID = hash
 	return hash
 }