fix: deduplicate (advisory,version range)

Strum355 · Strum355 · commit cca77830a2db · 2025-11-10T14:48:36.000Z
diff --git a/modules/fundamental/src/vulnerability/service/mod.rs b/modules/fundamental/src/vulnerability/service/mod.rs
@@ -120,7 +120,7 @@ impl VulnerabilityService {
         // Extract advisory IDs from JSONB array
         #[derive(serde::Deserialize)]
         struct AdvisoryEntry {
-            id: Uuid,
+            advisory_id: Uuid,
         }
         impl sea_orm::TryGetableFromJson for AdvisoryEntry {}
 
@@ -136,7 +136,7 @@ impl VulnerabilityService {
             if let Some(advisories) = purl_with_vulnerabilities
                 .try_get_by::<Option<Vec<AdvisoryEntry>>, _>("advisories")?
             {
-                advisory_ids_set.extend(advisories.into_iter().map(|e| e.id));
+                advisory_ids_set.extend(advisories.into_iter().map(|e| e.advisory_id));
             }
         }
 
@@ -262,9 +262,9 @@ SELECT
   vulnerability.withdrawn,
   vulnerability.cwes,
   jsonb_agg(
-    jsonb_build_object(
+    DISTINCT jsonb_build_object(
         'status', status.slug,
-        'id', purl_status.advisory_id,
+        'advisory_id', purl_status.advisory_id,
         'version_range', jsonb_build_object(
             'version_scheme_id', version_range.version_scheme_id,
             'left', version_range.low_version,
@@ -356,7 +356,7 @@ GROUP BY
         #[derive(Debug, serde::Deserialize)]
         struct RowEntry {
             status: String,
-            id: Uuid,
+            advisory_id: Uuid,
             version_range: VersionRange,
         }
         impl sea_orm::TryGetableFromJson for RowEntry {}
@@ -369,7 +369,7 @@ GROUP BY
         let statuses = advisories.into_iter().flatten().fold(
             BTreeMap::new(),
             |mut acc: BTreeMap<Uuid, Vec<RowEntry>>, entry| {
-                match acc.entry(entry.id) {
+                match acc.entry(entry.advisory_id) {
                     Entry::Occupied(mut occupied_entry) => {
                         occupied_entry.get_mut().push(entry);
                     }
@@ -383,18 +383,18 @@ GROUP BY
 
         let mut purl_statuses = Vec::new();
 
-        for (advisory_id, statuses) in &statuses {
+        for (advisory_id, entries) in &statuses {
             let score = Score::from_iter(
                 cvss3_map
                     .get(&(*advisory_id, vulnerability.id.clone()))
                     .cloned()
                     .unwrap_or_default(),
             );
-            for status in statuses {
+            for entry in entries {
                 let purl_status = PurlStatus::from_head(
                     head.clone(),
-                    status.status.clone(),
-                    Some(status.version_range.clone()),
+                    entry.status.clone(),
+                    Some(entry.version_range.clone()),
                     None,
                     score,
                 )?;
diff --git a/modules/fundamental/tests/advisory/osv/reingest.rs b/modules/fundamental/tests/advisory/osv/reingest.rs
@@ -132,7 +132,7 @@ async fn withdrawn(ctx: &TrustifyContext) -> anyhow::Result<()> {
             status: "affected".to_string(),
             context: None,
             version_range: Some(VersionRange::Full {
-                version_scheme_id: "cran".into(),
+                version_scheme_id: "generic".into(),
                 left: "1.0".into(),
                 left_inclusive: true,
                 right: "1.0".into(),
@@ -153,7 +153,7 @@ async fn withdrawn(ctx: &TrustifyContext) -> anyhow::Result<()> {
             status: "affected".to_string(),
             context: None,
             version_range: Some(VersionRange::Full {
-                version_scheme_id: "cran".into(),
+                version_scheme_id: "generic".into(),
                 left: "1.0".into(),
                 left_inclusive: true,
                 right: "1.0".into(),
diff --git a/modules/fundamental/tests/vuln/mod.rs b/modules/fundamental/tests/vuln/mod.rs
@@ -57,10 +57,33 @@ async fn issue_1840(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
         .filter(|status| status.status == "affected")
         .collect();
 
-    assert_eq!(status_entries.len(), 1);
+    assert_eq!(status_entries.len(), 2);
     let json = serde_json::to_value(status_entries).expect("must serialize");
     assert!(
         json.contains_subset(json!([{
+            "vulnerability": {
+                "normative": true,
+                "identifier": "CVE-2024-28834",
+                "title": "Gnutls: vulnerable to minerva side-channel information leak",
+                "description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.",
+                "reserved": "2024-03-11T14:43:43.973Z",
+                "published": "2024-03-21T13:29:11.532Z",
+                "modified": "2024-11-25T02:45:53.454Z",
+                "withdrawn": null,
+                "discovered": null,
+                "released": null,
+                "cwes": ["CWE-327"]
+            },
+            "average_severity": "medium",
+            "average_score": 5.3,
+            "status": "affected",
+            "context": null,
+            "version_range": {
+                "version_scheme_id": "rpm",
+                "right": "3.7.6-23.el9_3.4",
+                "right_inclusive": false,
+            }
+        }, {
             "vulnerability": {
                 "normative": true,
                 "identifier": "CVE-2024-28834",
