first code review

Author: Hubtrick-Git

cmd/devguard/api/api.go

@@ -682,7 +682,7 @@ func BuildRouter(db core.DB) *echo.Echo {
 	licenseRiskRouter.GET("/:licenseRiskID/", licenseRiskController.Read)
 	licenseRiskRouter.POST("/:licenseRiskID/", licenseRiskController.CreateEvent, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectAsset, core.ActionUpdate))
 	licenseRiskRouter.POST("/:licenseRiskID/mitigate", licenseRiskController.Mitigate, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectAsset, core.ActionUpdate))
-
+	licenseRiskRouter.POST("/:licenseRiskID/finalLicenseDecision", licenseRiskController.MakeFinalLicenseDecision, neededScope([]string{"manage"}), projectScopedRBAC(core.ObjectAsset, core.ActionUpdate))
 	routes := server.Routes()
 	sort.Slice(routes, func(i, j int) bool {
 		return routes[i].Path < routes[j].Path

internal/core/component/component_controller.go

@@ -5,16 +5,16 @@ import (
 )
 
 type httpController struct {
-	componentRepository        core.ComponentRepository
-	assetVersionRepository     core.AssetVersionRepository
-	licenseOverwriteRepository core.LicenseRiskRepository
+	componentRepository    core.ComponentRepository
+	assetVersionRepository core.AssetVersionRepository
+	licenseRiskRepository  core.LicenseRiskRepository
 }
 
 func NewHTTPController(componentRepository core.ComponentRepository, assetVersionRepository core.AssetVersionRepository, licenseOverwriteRepository core.LicenseRiskRepository) *httpController {
 	return &httpController{
-		componentRepository:        componentRepository,
-		assetVersionRepository:     assetVersionRepository,
-		licenseOverwriteRepository: licenseOverwriteRepository,
+		componentRepository:    componentRepository,
+		assetVersionRepository: assetVersionRepository,
+		licenseRiskRepository:  licenseOverwriteRepository,
 	}
 }
 
@@ -74,7 +74,7 @@ func (httpController httpController) ListPaged(ctx core.Context) error {
 	search := ctx.QueryParam("search")
 	sort := core.GetSortQuery(ctx)
 
-	overwrittenLicense, err := httpController.licenseOverwriteRepository.GetAllOverwrittenLicensesForAssetVersion(assetVersion.AssetID, assetVersion.Name)
+	overwrittenLicense, err := httpController.licenseRiskRepository.GetAllOverwrittenLicensesForAssetVersion(assetVersion.AssetID, assetVersion.Name)
 	if err != nil {
 		return err
 	}

internal/core/component/component_service.go

@@ -178,27 +178,27 @@ func (s *service) GetAndSaveLicenseInformation(assetVersion models.AssetVersion,
 		})
 	}
 
-	// wait for all updatedComponents to be processed
-	updatedComponents, err := errGroup.WaitAndCollect()
+	// wait for all components to be processed
+	components, err := errGroup.WaitAndCollect()
 	if err != nil {
 		return nil, err
 	}
 
 	// save the components
-	if err := s.componentRepository.SaveBatch(nil, updatedComponents); err != nil {
+	if err := s.componentRepository.SaveBatch(nil, components); err != nil {
 		return nil, err
 	}
 
 	// find potential license risks for the components which had no prior license
-	if len(updatedComponents) > 0 {
-		err = s.licenseRiskService.FindLicenseRisksInComponents(assetVersion, updatedComponents, scannerID)
+	if len(components) > 0 {
+		err = s.licenseRiskService.FindLicenseRisksInComponents(assetVersion, components, scannerID)
 		if err != nil {
 			return nil, err
 		}
 	}
 
 	// now return all components - each one should have the best license information available
-	allComponents := updatedComponents
+	allComponents := components
 	for _, componentDependency := range componentDependencies {
 		allComponents = append(allComponents, componentDependency.Dependency)
 	}

internal/core/integrations/githubint/github_integration.go

@@ -67,6 +67,7 @@ type GithubIntegration struct {
 	assetRepository                 core.AssetRepository
 	assetVersionRepository          core.AssetVersionRepository
 	componentRepository             core.ComponentRepository
+	licenseRiskRepository           core.LicenseRiskRepository
 
 	orgRepository       core.OrganizationRepository
 	projectRepository   core.ProjectRepository
@@ -87,6 +88,7 @@ func NewGithubIntegration(db core.DB) *GithubIntegration {
 	projectRepository := repositories.NewProjectRepository(db)
 	orgRepository := repositories.NewOrgRepository(db)
 	firstPartyVulnRepository := repositories.NewFirstPartyVulnerabilityRepository(db)
+	licenseRiskRepository := repositories.NewLicenseRiskRepository(db)
 
 	frontendURL := os.Getenv("FRONTEND_URL")
 	if frontendURL == "" {
@@ -106,6 +108,7 @@ func NewGithubIntegration(db core.DB) *GithubIntegration {
 		componentRepository:             componentRepository,
 		projectRepository:               projectRepository,
 		orgRepository:                   orgRepository,
+		licenseRiskRepository:           licenseRiskRepository,
 
 		githubClientFactory: func(repoID string) (githubClientFacade, error) {
 			return NewGithubClient(installationIDFromRepositoryID(repoID))
@@ -574,6 +577,12 @@ func (githubIntegration *GithubIntegration) HandleEvent(event any) error {
 				return err
 			}
 			vuln = &v
+		case models.VulnTypeLicenseRisk:
+			v, err := githubIntegration.licenseRiskRepository.Read(vulnID)
+			if err != nil {
+				return err
+			}
+			vuln = &v
 		}
 
 		orgSlug, err := core.GetOrgSlug(event.Ctx)
@@ -604,6 +613,12 @@ func (githubIntegration *GithubIntegration) HandleEvent(event any) error {
 				return err
 			}
 			vuln = &v
+		case models.VulnTypeLicenseRisk:
+			v, err := githubIntegration.licenseRiskRepository.Read(ev.VulnID)
+			if err != nil {
+				return err
+			}
+			vuln = &v
 		}
 
 		if vuln.GetTicketID() == nil {

internal/database/models/vulnevent_model.go

@@ -39,8 +39,6 @@ const (
 
 	EventTypeAddedScanner   VulnEventType = "addedScanner"
 	EventTypeRemovedScanner VulnEventType = "removedScanner"
-
-	EventTypeFinalLicenseDecision VulnEventType = "finalLicenseDecision"
 )
 
 type MechanicalJustificationType string
@@ -150,8 +148,6 @@ func (event VulnEvent) Apply(vuln Vuln) {
 		}
 		vuln.SetRawRiskAssessment(f)
 		vuln.SetRiskRecalculatedAt(time.Now())
-	case EventTypeFinalLicenseDecision:
-		vuln.SetState(VulnStateFixed)
 	}
 
 }
@@ -297,17 +293,6 @@ func NewRemovedScannerEvent(vulnID string, vulnType VulnType, userID string, sca
 	return ev
 }
 
-func NewFinalLicenseDecisionEvent(vulnID string, vulnType VulnType, userID string, scannerID string) VulnEvent {
-	ev := VulnEvent{
-		Type:     EventTypeFinalLicenseDecision,
-		VulnID:   vulnID,
-		VulnType: vulnType,
-		UserID:   userID,
-	}
-	ev.SetArbitraryJSONData(map[string]any{"scannerIds": scannerID})
-	return ev
-}
-
 func (event VulnEvent) IsScanUnreleatedEvent() bool {
 	switch event.Type {
 	case EventTypeAddedScanner, EventTypeRemovedScanner, EventTypeDetectedOnAnotherBranch, EventTypeRawRiskAssessmentUpdated:

internal/database/repositories/component_repository.go

@@ -179,22 +179,22 @@ func (c *componentRepository) GetLicenseDistribution(tx core.DB, assetVersionNam
 	RIGHT JOIN component_dependencies as cd 
 	ON c.purl = cd.dependency_purl 
 	WHERE EXISTS 
-	(SELECT final_license_decision FROM license_risks as lr WHERE lr.component_purl = c.purl)
+	(SELECT final_license_decision FROM license_risks as lr WHERE lr.component_purl = c.purl AND lr.state = ?)
 	AND asset_version_name = ?
 	AND asset_id = ? 
 	GROUP BY c.license`,
-		assetVersionName, assetID)
+		models.VulnStateFixed, assetVersionName, assetID)
 	//Components WITHOUT an overwrite
 	otherLicensesQuery := c.GetDB(tx).Raw(`SELECT c.license , COUNT(c.license) as count 
 	FROM components as c 
 	RIGHT JOIN component_dependencies as cd 
 	ON c.purl = cd.dependency_purl 
 	WHERE NOT EXISTS 
-	(SELECT final_license_decision FROM license_risks as lr WHERE lr.component_purl = c.purl)
+	(SELECT final_license_decision FROM license_risks as lr WHERE lr.component_purl = c.purl AND lr.state = ?)
 	AND asset_version_name = ?
 	AND asset_id = ? 
 	GROUP BY c.license`,
-		assetVersionName, assetID)
+		models.VulnStateFixed, assetVersionName, assetID)
 
 	//We then still need to filter for the right scanner
 	if scannerID != "" {