Add method to retrieve vulnerabilities from other asset versions

refoo0 · refoo0 · commit c375e3283b77 · 2025-08-08T14:12:05.000+02:00
Signed-off-by: Rafi &lt;refaei.shikho@hotmail.com&gt;
diff --git a/internal/core/assetversion/asset_version_service.go b/internal/core/assetversion/asset_version_service.go
@@ -428,13 +428,13 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 		slog.Error("could not get existing dependencyVulns", "err", err)
 		return []models.DependencyVuln{}, []models.DependencyVuln{}, []models.DependencyVuln{}, err
 	}
-	// get all vulns from the default branch
-	existingVulnsOnDefaultBranch, err := s.dependencyVulnRepository.GetDependencyVulnsByDefaultAssetVersion(nil, assetVersion.AssetID, "")
+	// get all vulns from other branches
+	existingVulnsOnOtherBranch, err := s.dependencyVulnRepository.GetDependencyVulnsByOtherAssetVersions(nil, assetVersion.Name, assetVersion.AssetID, scannerID)
 	if err != nil {
 		slog.Error("could not get existing dependencyVulns on default branch", "err", err)
 		return []models.DependencyVuln{}, []models.DependencyVuln{}, []models.DependencyVuln{}, err
 	}
-	existingVulnsOnDefaultBranch = utils.Filter(existingVulnsOnDefaultBranch, func(dependencyVuln models.DependencyVuln) bool {
+	existingVulnsOnOtherBranch = utils.Filter(existingVulnsOnOtherBranch, func(dependencyVuln models.DependencyVuln) bool {
 		return dependencyVuln.State != models.VulnStateFixed
 	})
 
@@ -445,10 +445,10 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 
 	newDetectedVulns, fixedVulns, firstTimeDetectedByCurrentScanner, notDetectedByCurrentScannerAnymore := diffScanResults(scannerID, dependencyVulns, existingDependencyVulns)
 
-	newDetectedVulnsNotOnDefaultBranch, newDetectedButOnDefaultBranchExisting, existingEvents := diffVulnsBetweenBranches(scannerID, newDetectedVulns, existingVulnsOnDefaultBranch)
+	newDetectedVulnsNotOnDefaultBranch, newDetectedButOnOtherBranchExisting, existingEvents := diffVulnsBetweenBranches(scannerID, newDetectedVulns, existingVulnsOnOtherBranch)
 
 	if err := s.dependencyVulnRepository.Transaction(func(tx core.DB) error {
-		if err := s.dependencyVulnService.UserDetectedExistingVulnOnDifferentBranch(tx, scannerID, newDetectedButOnDefaultBranchExisting, existingEvents, *assetVersion, asset); err != nil {
+		if err := s.dependencyVulnService.UserDetectedExistingVulnOnDifferentBranch(tx, scannerID, newDetectedButOnOtherBranchExisting, existingEvents, *assetVersion, asset); err != nil {
 			slog.Error("error when trying to add events for existing vulnerability on different branch")
 			return err // this will cancel the transaction
 		}
diff --git a/internal/core/common_interfaces.go b/internal/core/common_interfaces.go
@@ -151,6 +151,7 @@ type DependencyVulnRepository interface {
 	ListUnfixedByAssetAndAssetVersionAndScannerID(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 	GetHintsInOrganizationForVuln(tx DB, orgID uuid.UUID, pURL string, cveID string) (common.DependencyVulnHints, error)
 	GetAllByAssetIDAndState(tx DB, assetID uuid.UUID, state models.VulnState, durationSinceStateChange time.Duration) ([]models.DependencyVuln, error)
+	GetDependencyVulnsByOtherAssetVersions(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)
 }
 
 type FirstPartyVulnRepository interface {
diff --git a/internal/database/repositories/dependency_vuln_repository.go b/internal/database/repositories/dependency_vuln_repository.go
@@ -71,6 +71,22 @@ func (repository *dependencyVulnRepository) GetDependencyVulnsByAssetVersion(tx
 	return dependencyVulns, nil
 }
 
+func (repository *dependencyVulnRepository) GetDependencyVulnsByOtherAssetVersions(tx core.DB, assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error) {
+	var dependencyVulns = []models.DependencyVuln{}
+
+	q := repository.Repository.GetDB(tx).Preload("Events").Preload("CVE").Preload("CVE.Exploits").Where("asset_id = ? AND asset_version_name != ?", assetID, assetVersionName)
+
+	if scannerID != "" {
+		// scanner ids is a string array separated by whitespaces
+		q = q.Where("? = ANY(string_to_array(scanner_ids, ' '))", scannerID)
+	}
+
+	if err := q.Find(&dependencyVulns).Error; err != nil {
+		return nil, err
+	}
+	return dependencyVulns, nil
+}
+
 func (repository *dependencyVulnRepository) GetDependencyVulnsByDefaultAssetVersion(tx core.DB, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error) {
 	subQuery := repository.Repository.GetDB(tx).Model(&models.AssetVersion{}).Select("name").Where("asset_id IN (?) AND default_branch = ?", assetID, true)
 

Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,7 @@ type DependencyVulnRepository interface {`
`151`	`151`	`ListUnfixedByAssetAndAssetVersionAndScannerID(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)`
`152`	`152`	`GetHintsInOrganizationForVuln(tx DB, orgID uuid.UUID, pURL string, cveID string) (common.DependencyVulnHints, error)`
`153`	`153`	`GetAllByAssetIDAndState(tx DB, assetID uuid.UUID, state models.VulnState, durationSinceStateChange time.Duration) ([]models.DependencyVuln, error)`
	`154`	`+ GetDependencyVulnsByOtherAssetVersions(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.DependencyVuln, error)`
`154`	`155`	`}`
`155`	`156`
`156`	`157`	`type FirstPartyVulnRepository interface {`