microsoft
diff --git a/‎src/upgrade/assessmentManager.ts‎
Lines changed: 13 additions & 24 deletions b/‎src/upgrade/assessmentManager.ts‎
Lines changed: 13 additions & 24 deletions
diff --git a/‎src/upgrade/cve.ts‎
Lines changed: 158 additions & 123 deletions b/‎src/upgrade/cve.ts‎
Lines changed: 158 additions & 123 deletions
@@ -10,7 +10,7 @@ import { Upgrade } from '../constants';
 import { buildPackageId } from './utility';
 import metadataManager from './metadataManager';
 import { sendInfo } from 'vscode-extension-telemetry-wrapper';
-import { batchGetCVEs } from './cve';
+import { batchGetCVEIssues } from './cve';
 
 function packageNodeToDescription(node: INodeData): PackageDescription | null {
     const version = node.metaData?.["maven.version"];
@@ -122,11 +122,10 @@ function getDependencyIssue(pkg: PackageDescription): UpgradeIssue | null {
     return getUpgradeForDependency(version, supportedVersionDefinition, packageId);
 }
 
-async function getDependencyIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
-    const packages = await getAllDependencies(projectNode);
+async function getDependencyIssues(dependencies: PackageDescription[]): Promise<UpgradeIssue[]> {
 
-    const issues = packages.map(getDependencyIssue).filter((x): x is UpgradeIssue => Boolean(x));
-    const versionRangeByGroupId = collectVersionRange(packages.filter(pkg => getPackageUpgradeMetadata(pkg)));
+    const issues = dependencies.map(getDependencyIssue).filter((x): x is UpgradeIssue => Boolean(x));
+    const versionRangeByGroupId = collectVersionRange(dependencies.filter(pkg => getPackageUpgradeMetadata(pkg)));
     if (Object.keys(versionRangeByGroupId).length > 0) {
         sendInfo("", {
             operationName: "java.dependency.assessmentManager.getDependencyVersionRange",
@@ -138,16 +137,13 @@ async function getDependencyIssues(projectNode: INodeData): Promise<UpgradeIssue
 }
 
 async function getProjectIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
-    const cveIssues = await getCVEIssues(projectNode);
-    if (cveIssues.length > 0) {
-        return cveIssues;
-    }
-    const javaIssues = getJavaIssues(projectNode);
-    if (javaIssues.length > 0) {
-        return javaIssues;
-    }
-    const dependencyIssues = await getDependencyIssues(projectNode);
-    return dependencyIssues;
+    const issues: UpgradeIssue[] = [];
+    const dependencies = await getAllDependencies(projectNode);
+    issues.push(...await getCVEIssues(dependencies));
+    issues.push(...getJavaIssues(projectNode));
+    issues.push(...await getDependencyIssues(dependencies));
+
+    return issues;
 
 }
 
@@ -200,16 +196,9 @@ async function getAllDependencies(projectNode: INodeData): Promise<PackageDescri
         .flat();
 }
 
-async function getCVEIssues(projectNode: INodeData): Promise<UpgradeIssue[]> {
-
-    // 1. Getting all dependencies from the project
-    const dependencies = await getAllDependencies(projectNode);
-    // 2. Convert to GAV (groupId:artifactId:version) format
+async function getCVEIssues(dependencies: PackageDescription[]): Promise<UpgradeIssue[]> {
     const gavCoordinates = dependencies.map(pkg => `${pkg.groupId}:${pkg.artifactId}:${pkg.version}`);
-    // 3. Checking them against a CVE database to find known vulnerabilities
-    const cveResults = await batchGetCVEs(gavCoordinates);
-
-    return cveResults;
+    return batchGetCVEIssues(gavCoordinates);
 }
 
 export default {
 
@@ -1,154 +1,189 @@
 import { UpgradeIssue, UpgradeReason } from "./type";
 import { Octokit } from "@octokit/rest";
-import * as semver from 'semver';
+import * as semver from "semver";
 
 /**
  * Severity levels ordered by criticality (higher number = more critical)
  * The official doc about the severity levels can be found at:
  * https://docs.github.com/en/rest/security-advisories/global-advisories?apiVersion=2022-11-28
  */
-export const severityOrder = {
-    critical: 4,
-    high: 3,
-    medium: 2,
-    low: 1,
-    unknown: 0,
-} as const;
-
-export type Severity = keyof typeof severityOrder;
+export enum Severity {
+  unknown = 0,
+  low = 1,
+  medium = 2,
+  high = 3,
+  critical = 4,
+}
 
 export interface CVE {
-    id: string;
-    ghsa_id: string;
-    severity: Severity;
-    summary: string;
-    description: string;
-    html_url: string;
-    affectedDeps: {
-        name?: string | null;
-        vulVersions?: string | null;
-        patchedVersion?: string | null;
-    }[];
+  id: string;
+  ghsa_id: string;
+  severity: keyof typeof Severity;
+  summary: string;
+  description: string;
+  html_url: string;
+  affectedDeps: {
+    name?: string | null;
+    vulVersions?: string | null;
+    patchedVersion?: string | null;
+  }[];
 }
 
-export type CveUpgradeIssue = UpgradeIssue & { reason: UpgradeReason.CVE; severity: string; link: string };
+export type CveUpgradeIssue = UpgradeIssue & {
+  reason: UpgradeReason.CVE;
+  severity: string;
+  link: string;
+};
 
-export async function batchGetCVEs(
+export async function batchGetCVEIssues(
   coordinates: string[]
 ): Promise<CveUpgradeIssue[]> {
-
   // Split dependencies into smaller batches to avoid URL length limit
   const BATCH_SIZE = 30;
-  const allCVEDeps: CveUpgradeIssue[] = [];
+  const allCVEUpgradeIssues: CveUpgradeIssue[] = [];
 
   // Process dependencies in batches
   for (let i = 0; i < coordinates.length; i += BATCH_SIZE) {
     const batchCoordinates = coordinates.slice(i, i + BATCH_SIZE);
-    const batchCVEDeps = await getCVEs(batchCoordinates);
-    allCVEDeps.push(...batchCVEDeps);
+    const cveUpgradeIssues = await getCveUpgradeIssues(batchCoordinates);
+    allCVEUpgradeIssues.push(...cveUpgradeIssues);
   }
 
-  return allCVEDeps;
+  return allCVEUpgradeIssues;
 }
 
-async function getCVEs(
-    coordinates: string[]
+async function getCveUpgradeIssues(
+  coordinates: string[]
 ): Promise<CveUpgradeIssue[]> {
-    try {
-        const octokit = new Octokit();
-
-        const deps = coordinates
-            .map((d) => d.split(':', 3))
-            .map((p) => ({ name: `${p[0]}:${p[1]}`, version: p[2] }))
-            .filter((d) => d.version);
-        const response = await octokit.securityAdvisories.listGlobalAdvisories({
-            ecosystem: 'maven',
-            affects: deps.map((p) => `${p.name}@${p.version}`),
-            direction: 'asc',
-            sort: 'published',
-            per_page: 100
-        });
-
-        const allCves: CVE[] = response.data
-            .filter((c) => !c.withdrawn_at?.trim() &&
-                (c.severity === 'critical' || c.severity === 'high')) // only consider critical and high severity CVEs
-            .map((cve) => ({
-                id: cve.cve_id || cve.ghsa_id,
-                ghsa_id: cve.ghsa_id,
-                severity: cve.severity,
-                summary: cve.summary,
-                description: cve.description || cve.summary,
-                html_url: cve.html_url,
-                affectedDeps: (cve.vulnerabilities ?? []).map((v) => ({
-                    name: v.package?.name,
-                    vulVersions: v.vulnerable_version_range,
-                    patchedVersion: v.first_patched_version
-                }))
-            }));
-
-        // group the cves by coordinate
-        const depsCves: { dep: string; cves: CVE[]; minVersion?: string | null }[] = [];
-        for (const dep of deps) {
-            const depCves: CVE[] = allCves.filter((cve) => cve.affectedDeps.some((d) => d.name === dep.name));
-            if (depCves.length < 1) {
-                continue;
-            }
-            // find the min patched version for each coordinate
-            let maxPatchedVersion: string | undefined | null;
-            for (const cve of depCves) {
-                const patchedVersion = cve.affectedDeps.find((d) => d.name === dep.name && d.patchedVersion)?.patchedVersion;
-                const coercedPatchedVersion = semver.coerce(patchedVersion);
-                const coercedMaxPatchedVersion = semver.coerce(maxPatchedVersion);
-                if (
-                    !maxPatchedVersion ||
-                    (coercedPatchedVersion &&
-                        coercedMaxPatchedVersion &&
-                        semver.gt(coercedPatchedVersion, coercedMaxPatchedVersion))
-                ) {
-                    maxPatchedVersion = patchedVersion;
-                }
-            }
-
-            depsCves.push({
-                dep: dep.name,
-                cves: depCves,
-                minVersion: maxPatchedVersion
-            });
-        }
-
-        const upgradeIssues =  depsCves.map(depCve => {
-            const currentDep = deps.find(d => d.name === depCve.dep);
-            const mostCriticalCve = findMostCriticalCve(depCve.cves);
-            return {
-                packageId: depCve.dep,
-                packageDisplayName: depCve.dep,
-                currentVersion: currentDep?.version || 'unknown',
-                name: `${mostCriticalCve.id || 'CVE'}`,
-                reason: UpgradeReason.CVE as const,
-                suggestedVersion: {
-                    name: depCve.minVersion || 'unknown',
-                    description: mostCriticalCve.description || mostCriticalCve.summary || 'Security vulnerability detected'
-                },
-                severity: mostCriticalCve.severity,
-                description: mostCriticalCve.description || mostCriticalCve.summary || 'Security vulnerability detected',
-                link: mostCriticalCve.html_url,
-            };
-        });
-        return upgradeIssues;
-    } catch (error) {
-        throw error;
-    }
+  const deps = coordinates
+    .map((d) => d.split(":", 3))
+    .map((p) => ({ name: `${p[0]}:${p[1]}`, version: p[2] }))
+    .filter((d) => d.version);
+
+  const depsCves = await fetchCves(deps);
+  return mapCvesToUpgradeIssues(depsCves, deps);
 }
 
-function findMostCriticalCve(depCves: CVE[]) {
-    let mostCriticalSeverity: Severity = 'unknown';
-    let mostCriticalCve = depCves[0];
+async function fetchCves(deps: { name: string; version: string }[]) {
+  const allCves: CVE[] = await retrieveVulnerabilityData(deps);
 
-    for (const cve of depCves) {
-        if (severityOrder[cve.severity] > severityOrder[mostCriticalSeverity]) {
-            mostCriticalSeverity = cve.severity;
-            mostCriticalCve = cve;
-        }
+  // group the cves by coordinate
+  const depsCves: { dep: string; cves: CVE[]; minVersion?: string | null }[] =
+    [];
+
+  for (const dep of deps) {
+    const depCves: CVE[] = allCves.filter((cve) =>
+      cve.affectedDeps.some((d) => d.name === dep.name)
+    );
+
+    if (depCves.length < 1) {
+      continue;
     }
-    return mostCriticalCve;
+
+    // find the min patched version for each coordinate
+    const maxPatchedVersion = calculateMaxPatchedVersion(depCves, dep);
+
+    depsCves.push({
+      dep: dep.name,
+      cves: depCves,
+      minVersion: maxPatchedVersion,
+    });
+  }
+
+  return depsCves;
+}
+
+function calculateMaxPatchedVersion(
+  depCves: CVE[],
+  dep: { name: string; version: string }
+) {
+  let maxPatchedVersion: string | undefined | null;
+
+  for (const cve of depCves) {
+    const patchedVersion = cve.affectedDeps.find(
+      (d) => d.name === dep.name && d.patchedVersion
+    )?.patchedVersion;
+
+    const coercedPatchedVersion = semver.coerce(patchedVersion);
+    const coercedMaxPatchedVersion = semver.coerce(maxPatchedVersion);
+
+    if (
+      !maxPatchedVersion ||
+      (coercedPatchedVersion &&
+        coercedMaxPatchedVersion &&
+        semver.gt(coercedPatchedVersion, coercedMaxPatchedVersion))
+    ) {
+      maxPatchedVersion = patchedVersion;
+    }
+  }
+
+  return maxPatchedVersion;
+}
+
+async function retrieveVulnerabilityData(
+  deps: { name: string; version: string }[]
+) {
+  const octokit = new Octokit();
+
+  const response = await octokit.securityAdvisories.listGlobalAdvisories({
+    ecosystem: "maven",
+    affects: deps.map((p) => `${p.name}@${p.version}`),
+    direction: "asc",
+    sort: "published",
+    per_page: 100,
+  });
+
+  const allCves: CVE[] = response.data
+    .filter(
+      (c) =>
+        !c.withdrawn_at?.trim() &&
+        (c.severity === "critical" || c.severity === "high")
+    ) // only consider critical and high severity CVEs
+    .map((cve) => ({
+      id: cve.cve_id || cve.ghsa_id,
+      ghsa_id: cve.ghsa_id,
+      severity: cve.severity,
+      summary: cve.summary,
+      description: cve.description || cve.summary,
+      html_url: cve.html_url,
+      affectedDeps: (cve.vulnerabilities ?? []).map((v) => ({
+        name: v.package?.name,
+        vulVersions: v.vulnerable_version_range,
+        patchedVersion: v.first_patched_version,
+      })),
+    }));
+  return allCves;
+}
+
+function mapCvesToUpgradeIssues(
+  depsCves: { dep: string; cves: CVE[]; minVersion?: string | null }[],
+  deps: { name: string; version: string }[]
+) {
+  const upgradeIssues = depsCves.map((depCve) => {
+    const currentDep = deps.find((d) => d.name === depCve.dep);
+    const mostCriticalCve = [...depCve.cves].sort(
+      (a, b) => Severity[b.severity] - Severity[a.severity]
+    )[0];
+    return {
+      packageId: depCve.dep,
+      packageDisplayName: depCve.dep,
+      currentVersion: currentDep?.version || "unknown",
+      name: `${mostCriticalCve.id || "CVE"}`,
+      reason: UpgradeReason.CVE as const,
+      suggestedVersion: {
+        name: depCve.minVersion || "unknown",
+        description:
+          mostCriticalCve.description ||
+          mostCriticalCve.summary ||
+          "Security vulnerability detected",
+      },
+      severity: mostCriticalCve.severity,
+      description:
+        mostCriticalCve.description ||
+        mostCriticalCve.summary ||
+        "Security vulnerability detected",
+      link: mostCriticalCve.html_url,
+    };
+  });
+  return upgradeIssues;
 }