fixes pipeline failing even if cve is accepted

timbastin · timbastin · commit 8cb0a57b6b93 · 2025-08-01T16:22:52.000+02:00
diff --git a/cmd/devguard-scanner/commands/sca.go b/cmd/devguard-scanner/commands/sca.go
@@ -115,10 +115,15 @@ func generateSBOM(path string) (*os.File, error) {
 
 // Function to dynamically change the format of the table row depending on the input parameters
 func dependencyVulnToTableRow(pURL packageurl.PackageURL, v vuln.DependencyVulnDTO) table.Row {
+	var cvss float32 = 0.0
+	if v.CVE != nil {
+		cvss = v.CVE.CVSS
+	}
+
 	if pURL.Namespace == "" { //Remove the second slash if the second parameter is empty to avoid double slashes
-		return table.Row{fmt.Sprintf("pkg:%s/%s", pURL.Type, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), v.CVE.CVSS, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
+		return table.Row{fmt.Sprintf("pkg:%s/%s", pURL.Type, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), cvss, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
 	} else {
-		return table.Row{fmt.Sprintf("pkg:%s/%s/%s", pURL.Type, pURL.Namespace, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), v.CVE.CVSS, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
+		return table.Row{fmt.Sprintf("pkg:%s/%s/%s", pURL.Type, pURL.Namespace, pURL.Name), utils.SafeDereference(v.CVEID), utils.OrDefault(v.RawRiskAssessment, 0), cvss, strings.TrimPrefix(pURL.Version, "v"), utils.SafeDereference(v.ComponentFixedVersion), v.State}
 	}
 }
 
@@ -171,6 +176,12 @@ func printScaResults(scanResponse scan.ScanResponse, failOnRisk, failOnCVSS, ass
 		return utils.OrDefault(f.RawRiskAssessment, 0)
 	})
 
+	openCVSS := utils.Map(utils.Filter(scanResponse.DependencyVulns, func(f vuln.DependencyVulnDTO) bool {
+		return f.State == "open" && f.CVE != nil
+	}), func(f vuln.DependencyVulnDTO) float32 {
+		return f.CVE.CVSS
+	})
+
 	maxRisk := 0.
 	for _, risk := range openRisks {
 		if risk > maxRisk {
@@ -179,9 +190,9 @@ func printScaResults(scanResponse scan.ScanResponse, failOnRisk, failOnCVSS, ass
 	}
 
 	var maxCVSS float32
-	for _, v := range scanResponse.DependencyVulns {
-		if v.CVE != nil && v.CVE.CVSS > maxCVSS {
-			maxCVSS = v.CVE.CVSS
+	for _, v := range openCVSS {
+		if v > maxCVSS {
+			maxCVSS = v
 		}
 	}
 
diff --git a/cmd/devguard-scanner/commands/sca_test.go b/cmd/devguard-scanner/commands/sca_test.go
@@ -19,7 +19,9 @@ import (
 	"testing"
 
 	"github.com/l3montree-dev/devguard/internal/core/vuln"
+	"github.com/l3montree-dev/devguard/internal/core/vulndb/scan"
 	"github.com/l3montree-dev/devguard/internal/database/models"
+	"github.com/l3montree-dev/devguard/internal/utils"
 	"github.com/package-url/packageurl-go"
 	"github.com/stretchr/testify/assert"
 )
@@ -79,3 +81,288 @@ func TestDependencyVulnToTableRow(t *testing.T) {
 	})
 
 }
+
+func TestPrintScaResults(t *testing.T) {
+	assetName := "test-asset"
+	webUI := "https://app.devguard.org"
+
+	t.Run("should return nil when no vulnerabilities found", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{},
+			AmountOpened:    0,
+			AmountClosed:    0,
+		}
+
+		err := printScaResults(scanResponse, "critical", "critical", assetName, webUI)
+		assert.Nil(t, err)
+	})
+
+	t.Run("should not fail when all vulnerabilities are closed/accepted - even with high risk/CVSS", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{
+				{
+					CVEID:             utils.Ptr("CVE-2023-12345"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+					State:             "closed",       // CLOSED vulnerability should not cause failure
+					RawRiskAssessment: utils.Ptr(9.5), // High risk but closed
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-12345",
+						CVSS: 9.0, // High CVSS but closed
+					},
+				},
+				{
+					CVEID:             utils.Ptr("CVE-2023-67890"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib2@v1.0.0"),
+					State:             "accepted",      // ACCEPTED vulnerability should not cause failure
+					RawRiskAssessment: utils.Ptr(10.0), // High risk but accepted
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-67890",
+						CVSS: 9.8, // High CVSS but accepted
+					},
+				},
+			},
+			AmountOpened: 0,
+			AmountClosed: 2,
+		}
+
+		// Should pass even with low thresholds because vulnerabilities are closed/accepted
+		err := printScaResults(scanResponse, "low", "low", assetName, webUI)
+		assert.Nil(t, err)
+	})
+
+	// Test failOnRisk conditions - consolidated table-driven test
+	t.Run("failOnRisk thresholds", func(t *testing.T) {
+		testCases := []struct {
+			name          string
+			risk          float64
+			threshold     string
+			shouldFail    bool
+			expectedError string
+		}{
+			{"low threshold pass", 0.05, "low", false, ""},
+			{"low threshold fail", 0.2, "low", true, "max risk exceeds threshold 0.20"},
+			{"medium threshold pass", 3.9, "medium", false, ""},
+			{"medium threshold fail", 4.5, "medium", true, "max risk exceeds threshold 4.50"},
+			{"high threshold pass", 6.9, "high", false, ""},
+			{"high threshold fail", 7.2, "high", true, "max risk exceeds threshold 7.20"},
+			{"critical threshold pass", 8.9, "critical", false, ""},
+			{"critical threshold fail", 9.5, "critical", true, "max risk exceeds threshold 9.50"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				scanResponse := scan.ScanResponse{
+					DependencyVulns: []vuln.DependencyVulnDTO{
+						{
+							CVEID:             utils.Ptr("CVE-2023-12345"),
+							ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+							State:             "open",
+							RawRiskAssessment: utils.Ptr(tc.risk),
+							AssetVersionName:  "main",
+							CVE: &models.CVE{
+								CVE:  "CVE-2023-12345",
+								CVSS: 5.0,
+							},
+						},
+					},
+					AmountOpened: 1,
+					AmountClosed: 0,
+				}
+
+				err := printScaResults(scanResponse, tc.threshold, "critical", assetName, webUI)
+				if tc.shouldFail {
+					assert.NotNil(t, err)
+					assert.Contains(t, err.Error(), tc.expectedError)
+				} else {
+					assert.Nil(t, err)
+				}
+			})
+		}
+	})
+
+	// Test failOnCVSS conditions - consolidated table-driven test
+	t.Run("failOnCVSS thresholds", func(t *testing.T) {
+		testCases := []struct {
+			name          string
+			cvss          float32
+			threshold     string
+			shouldFail    bool
+			expectedError string
+		}{
+			{"low threshold pass", 0.05, "low", false, ""},
+			{"low threshold fail", 0.2, "low", true, "max CVSS exceeds threshold 0.20"},
+			{"medium threshold pass", 3.9, "medium", false, ""},
+			{"medium threshold fail", 4.5, "medium", true, "max CVSS exceeds threshold 4.50"},
+			{"high threshold pass", 6.9, "high", false, ""},
+			{"high threshold fail", 7.2, "high", true, "max CVSS exceeds threshold 7.20"},
+			{"critical threshold pass", 8.9, "critical", false, ""},
+			{"critical threshold fail", 9.5, "critical", true, "max CVSS exceeds threshold 9.50"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				scanResponse := scan.ScanResponse{
+					DependencyVulns: []vuln.DependencyVulnDTO{
+						{
+							CVEID:             utils.Ptr("CVE-2023-12345"),
+							ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+							State:             "open",
+							RawRiskAssessment: utils.Ptr(1.0),
+							AssetVersionName:  "main",
+							CVE: &models.CVE{
+								CVE:  "CVE-2023-12345",
+								CVSS: tc.cvss,
+							},
+						},
+					},
+					AmountOpened: 1,
+					AmountClosed: 0,
+				}
+
+				err := printScaResults(scanResponse, "critical", tc.threshold, assetName, webUI)
+				if tc.shouldFail {
+					assert.NotNil(t, err)
+					assert.Contains(t, err.Error(), tc.expectedError)
+				} else {
+					assert.Nil(t, err)
+				}
+			})
+		}
+	})
+
+	// Test edge cases
+	t.Run("should handle vulnerabilities without CVE (no CVSS)", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{
+				{
+					CVEID:             nil, // No CVE ID
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+					State:             "open",
+					RawRiskAssessment: utils.Ptr(5.0),
+					AssetVersionName:  "main",
+					CVE:               nil, // No CVE data - should default CVSS to 0.0
+				},
+			},
+			AmountOpened: 1,
+			AmountClosed: 0,
+		}
+
+		// Should fail on risk but pass on CVSS (defaults to 0.0)
+		err := printScaResults(scanResponse, "medium", "critical", assetName, webUI)
+		assert.NotNil(t, err)
+		assert.Contains(t, err.Error(), "max risk exceeds threshold 5.00")
+	})
+
+	t.Run("should only consider OPEN vulnerabilities - mixed states scenario", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{
+				{
+					CVEID:             utils.Ptr("CVE-2023-12345"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib1@v1.0.0"),
+					State:             "open", // OPEN - should be considered
+					RawRiskAssessment: utils.Ptr(3.0),
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-12345",
+						CVSS: 5.0,
+					},
+				},
+				{
+					CVEID:             utils.Ptr("CVE-2023-67890"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib2@v2.0.0"),
+					State:             "open",         // OPEN - should be considered (highest values)
+					RawRiskAssessment: utils.Ptr(8.5), // Higher risk
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-67890",
+						CVSS: 7.8, // Higher CVSS
+					},
+				},
+				{
+					CVEID:             utils.Ptr("CVE-2023-11111"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib3@v3.0.0"),
+					State:             "closed",        // CLOSED - should be IGNORED even though it has highest values
+					RawRiskAssessment: utils.Ptr(10.0), // Highest risk but closed
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-11111",
+						CVSS: 10.0, // Highest CVSS but closed
+					},
+				},
+				{
+					CVEID:             utils.Ptr("CVE-2023-22222"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib4@v4.0.0"),
+					State:             "accepted",     // ACCEPTED - should be IGNORED even though it has highest values
+					RawRiskAssessment: utils.Ptr(9.8), // Very high risk but accepted
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-22222",
+						CVSS: 9.9, // Very high CVSS but accepted
+					},
+				},
+			},
+			AmountOpened: 2,
+			AmountClosed: 2,
+		}
+
+		// Should fail on high risk threshold (8.5 >= 7) - only considering open vulns
+		err := printScaResults(scanResponse, "high", "critical", assetName, webUI)
+		assert.NotNil(t, err)
+		assert.Contains(t, err.Error(), "max risk exceeds threshold 8.50")
+
+		// Should fail on high CVSS threshold (7.8 >= 7) - only considering open vulns
+		err = printScaResults(scanResponse, "critical", "high", assetName, webUI)
+		assert.NotNil(t, err)
+		assert.Contains(t, err.Error(), "max CVSS exceeds threshold 7.80")
+	})
+
+	t.Run("should handle nil RawRiskAssessment gracefully", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{
+				{
+					CVEID:             utils.Ptr("CVE-2023-12345"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+					State:             "open",
+					RawRiskAssessment: nil, // Should default to 0
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-12345",
+						CVSS: 5.0,
+					},
+				},
+			},
+			AmountOpened: 1,
+			AmountClosed: 0,
+		}
+
+		// Should pass all risk thresholds (defaults to 0)
+		err := printScaResults(scanResponse, "low", "critical", assetName, webUI)
+		assert.Nil(t, err)
+	})
+
+	t.Run("should handle unknown failOn values gracefully", func(t *testing.T) {
+		scanResponse := scan.ScanResponse{
+			DependencyVulns: []vuln.DependencyVulnDTO{
+				{
+					CVEID:             utils.Ptr("CVE-2023-12345"),
+					ComponentPurl:     utils.Ptr("pkg:golang/github.com/example/lib@v1.0.0"),
+					State:             "open",
+					RawRiskAssessment: utils.Ptr(10.0),
+					AssetVersionName:  "main",
+					CVE: &models.CVE{
+						CVE:  "CVE-2023-12345",
+						CVSS: 10.0,
+					},
+				},
+			},
+			AmountOpened: 1,
+			AmountClosed: 0,
+		}
+
+		// Unknown failOn values should not cause failures
+		err := printScaResults(scanResponse, "unknown", "invalid", assetName, webUI)
+		assert.Nil(t, err)
+	})
+}
