CVE report should include changed requirements.

mitchell-as · mitchell-as · commit 110c0db277e1 · 2024-11-07T10:54:25.000-05:00
Previously it would only show for added requirements. If a requirement changes versions, we should include it in the CVE report.
diff --git a/internal/runbits/cves/cves.go b/internal/runbits/cves/cves.go
@@ -77,7 +77,7 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 		}
 	}
 
-	names := addedRequirements(oldBuildPlan, newBuildPlan)
+	names := changedRequirements(oldBuildPlan, newBuildPlan)
 	pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)
 
 	ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)
@@ -235,21 +235,24 @@ func (c *CveReport) promptForSecurity() (bool, error) {
 	return confirm, nil
 }
 
-func addedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
+func changedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
 	var names []string
 	var oldRequirements buildplan.Requirements
 	if oldBuildPlan != nil {
 		oldRequirements = oldBuildPlan.Requirements()
 	}
 	newRequirements := newBuildPlan.Requirements()
 
-	oldReqs := make(map[string]bool)
+	oldReqs := make(map[string]string)
 	for _, req := range oldRequirements {
-		oldReqs[qualifiedName(req)] = true
+		oldReqs[qualifiedName(req)] = req.Ingredient.Version
 	}
 
 	for _, req := range newRequirements {
-		if oldReqs[qualifiedName(req)] || req.Namespace == buildplan.NamespaceInternal {
+		if req.Namespace == buildplan.NamespaceInternal {
+			continue
+		}
+		if version, exists := oldReqs[qualifiedName(req)]; exists && version == req.Ingredient.Version {
 			continue
 		}
 		names = append(names, req.Name)

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func (c CveReport) Report(newBuildPlan buildplan.BuildPlan, oldBuildPlan *buil`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
`80`		`- names := addedRequirements(oldBuildPlan, newBuildPlan)`
	`80`	`+ names := changedRequirements(oldBuildPlan, newBuildPlan)`
`81`	`81`	`pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)`
`82`	`82`
`83`	`83`	`ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)`
`@@ -235,21 +235,24 @@ func (c *CveReport) promptForSecurity() (bool, error) {`
`235`	`235`	`return confirm, nil`
`236`	`236`	`}`
`237`	`237`
`238`		`-func addedRequirements(oldBuildPlan buildplan.BuildPlan, newBuildPlan buildplan.BuildPlan) []string {`
	`238`	`+func changedRequirements(oldBuildPlan buildplan.BuildPlan, newBuildPlan buildplan.BuildPlan) []string {`
`239`	`239`	`var names []string`
`240`	`240`	`var oldRequirements buildplan.Requirements`
`241`	`241`	`if oldBuildPlan != nil {`
`242`	`242`	`oldRequirements = oldBuildPlan.Requirements()`
`243`	`243`	`}`
`244`	`244`	`newRequirements := newBuildPlan.Requirements()`
`245`	`245`
`246`		`- oldReqs := make(map[string]bool)`
	`246`	`+ oldReqs := make(map[string]string)`
`247`	`247`	`for _, req := range oldRequirements {`
`248`		`- oldReqs[qualifiedName(req)] = true`
	`248`	`+ oldReqs[qualifiedName(req)] = req.Ingredient.Version`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`for _, req := range newRequirements {`
`252`		`- if oldReqs[qualifiedName(req)] \|\| req.Namespace == buildplan.NamespaceInternal {`
	`252`	`+ if req.Namespace == buildplan.NamespaceInternal {`
	`253`	`+ continue`
	`254`	`+ }`
	`255`	`+ if version, exists := oldReqs[qualifiedName(req)]; exists && version == req.Ingredient.Version {`
`253`	`256`	`continue`
`254`	`257`	`}`
`255`	`258`	`names = append(names, req.Name)`