Skip to content

PR Decorator Fix - Same CVEs should be aggregated in the same record #1067

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
orto17 wants to merge 6 commits into
base: v3_er
Choose a base branch
from
Open

PR Decorator Fix - Same CVEs should be aggregated in the same record #1067

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7d3e789
grouping same cves into the same record
orto17 Feb 22, 2026
97cefd4
after pr
orto17 Mar 1, 2026
e901bb9
fix for go sec
orto17 Mar 1, 2026
539ffda
getAbsolutePathUnderWd
orto17 Mar 1, 2026
6dd17ac
getAbsolutePathUnderWd
orto17 Mar 1, 2026
0ebb33d
Merge branch 'v3_er' into fix-pr-decorators
orto17 Mar 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 50 additions & 2 deletions utils/outputwriter/outputcontent.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -421,12 +421,60 @@ func getScaLicenseViolationDetails(violation formats.LicenseViolationRow, writer

// Sca Vulnerabilities

func vulnerabilitySummaryKey(v formats.VulnerabilityOrViolationRow) string {
ids := make([]string, 0, len(v.Cves)+1)
for _, cve := range v.Cves {
ids = append(ids, cve.Id)
}
sort.Strings(ids)
return v.IssueId + "|" + strings.Join(ids, ",")
Comment thread
orto17 marked this conversation as resolved.
Outdated
}

func aggregateVulnerabilitiesByCve(vulnerabilities []formats.VulnerabilityOrViolationRow) []formats.VulnerabilityOrViolationRow {
Comment thread
orto17 marked this conversation as resolved.
Outdated
if len(vulnerabilities) == 0 {
return vulnerabilities
}
byKey := make(map[string]*formats.VulnerabilityOrViolationRow)
for i := range vulnerabilities {
v := &vulnerabilities[i]
key := vulnerabilitySummaryKey(*v)
if existing, ok := byKey[key]; ok {
existing.ImpactPaths = append(existing.ImpactPaths, v.ImpactPaths...)
if len(v.FixedVersions) > 0 {
existing.FixedVersions = append(existing.FixedVersions, v.FixedVersions...)
Comment thread
orto17 marked this conversation as resolved.
Outdated
}
} else {
agg := *v
Comment thread
orto17 marked this conversation as resolved.
agg.ImpactPaths = append([][]formats.ComponentRow(nil), v.ImpactPaths...)
agg.FixedVersions = append([]string(nil), v.FixedVersions...)
byKey[key] = &agg
}
}
result := make([]formats.VulnerabilityOrViolationRow, 0, len(byKey))
for _, v := range byKey {
result = append(result, *v)
}
// Preserve relative order by first occurrence
order := make(map[string]int)
for i, v := range vulnerabilities {
key := vulnerabilitySummaryKey(v)
if _, ok := order[key]; !ok {
order[key] = i
}
}
sort.Slice(result, func(i, j int) bool {

@eranturgeman eranturgeman Mar 11, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The order-preservation pass re-iterates vulnerabilities to build the
order map after the aggregation map is already built. This can be
folded into the first loop (track first-seen index inside the main loop)
to avoid the second O(n) scan — minor but cleaner.

return order[vulnerabilitySummaryKey(result[i])] < order[vulnerabilitySummaryKey(result[j])]
})
return result
}

func GetVulnerabilitiesContent(vulnerabilities []formats.VulnerabilityOrViolationRow, writer OutputWriter) (content []string) {
if len(vulnerabilities) == 0 {
return []string{}
}
content = append(content, getVulnerabilitiesSummaryTable(vulnerabilities, writer))
content = append(content, getScaSecurityIssueDetailsContent(vulnerabilities, false, writer)...)
aggregated := aggregateVulnerabilitiesByCve(vulnerabilities)
content = append(content, getVulnerabilitiesSummaryTable(aggregated, writer))
content = append(content, getScaSecurityIssueDetailsContent(aggregated, false, writer)...)
return ConvertContentToComments(content, writer, getDecoratorWithScaVulnerabilitiesTitle(writer))
}

Expand Down
38 changes: 38 additions & 0 deletions utils/outputwriter/outputcontent_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package outputwriter

import (
"path/filepath"
"strings"
"testing"

"github.com/jfrog/froggit-go/vcsutils"
Expand Down Expand Up @@ -431,6 +432,43 @@ func TestVulnerabilitiesContent(t *testing.T) {
}
}

func TestVulnerabilitiesContent_aggregatesSameCveIntoOneRow(t *testing.T) {
Comment thread
orto17 marked this conversation as resolved.
sameCve := "CVE-2017-1000487"
vulnerabilities := []formats.VulnerabilityOrViolationRow{
{
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "Critical"},
ImpactedDependencyName: "org.codehaus.plexus:plexus-utils",
ImpactedDependencyVersion: "1.5.15",
},
Applicable: "Not Applicable",
ImpactPaths: [][]formats.ComponentRow{
{{Name: "root", Version: "1.0.0"}, {Name: "some-dep", Version: "1.0.0"}, {Name: "org.codehaus.plexus:plexus-utils", Version: "1.5.15"}},
},
Cves: []formats.CveRow{{Id: sameCve}},
},
{
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "Critical"},
ImpactedDependencyName: "org.codehaus.plexus:plexus-utils",
ImpactedDependencyVersion: "1.5.1",
},
Applicable: "Not Applicable",
ImpactPaths: [][]formats.ComponentRow{
{{Name: "root", Version: "1.0.0"}, {Name: "other-dep", Version: "1.0.0"}, {Name: "org.codehaus.plexus:plexus-utils", Version: "1.5.1"}},
},
Cves: []formats.CveRow{{Id: sameCve}},
},
}
content := GetVulnerabilitiesContent(vulnerabilities, &SimplifiedOutput{})
assert.NotEmpty(t, content)
tableSection := content[0]
assert.Contains(t, tableSection, sameCve, "output should mention the CVE")
assert.Contains(t, tableSection, "2 Transitive", "same CVE in two transitive paths should be aggregated and show 2 Transitive")
// CVE should appear only once in the table (one row), not twice
assert.Equal(t, 1, strings.Count(tableSection, sameCve), "CVE should appear once in the summary table (one aggregated row)")
}

func TestSecurityViolationsContent(t *testing.T) {
testCases := []struct {
name string
Expand Down
Loading