wip

CalamarBicefalo · paulrosca-snyk · commit ed6afd2b481f · 2025-10-01T11:32:13.000+03:00
diff --git a/internal/remediation/model.go b/internal/remediation/model.go
@@ -2,26 +2,31 @@ package remediation
 
 // Input
 
+/**
+* Finding represents a vulnerability for a given package & version.
+*
+* If a finding is introduced through multiple paths, a single finding with several `DependencyPath` entries must be constructed.
+ */
 type Finding struct {
-	Package        Package
-	Severity       Severity
-	Title          string
-	DependencyPath DependencyPath
-
-	// Snyk vuln ID
-	VulnId string
+	Package         Package
+	Vulnerability   Vulnerability
+	DependencyPaths []DependencyPath
 
 	// All versions containing a fix for this problem
 	InitiallyFixedInVersions []string
 	Fix                      Fix
+	PackageManager           PackageManager
 }
+
+type PackageManager string
+
 type Fix interface {
 	Outcome() Outcome
 }
 
 type PinFix struct {
 	outcome   Outcome
-	pinAction PinAction
+	PinAction PinAction
 }
 
 func (pf PinFix) Outcome() Outcome {
@@ -31,7 +36,7 @@ func (pf PinFix) Outcome() Outcome {
 func NewPinFix(outcome Outcome, action PinAction) Fix {
 	return PinFix{
 		outcome:   outcome,
-		pinAction: action,
+		PinAction: action,
 	}
 }
 
@@ -75,7 +80,7 @@ type Upgrade struct {
 	From Package
 	To   Package
 
-	Fixes []*VulnerabilityInPackage
+	Fixes []VulnerabilityInPackage
 }
 
 type VulnerabilityInPackage struct {
@@ -89,6 +94,7 @@ type Package struct {
 	Name    string
 	Version string
 }
+
 type Vulnerability struct {
 	ID       string
 	Name     string
diff --git a/internal/remediation/remediation_new.go b/internal/remediation/remediation_new.go
@@ -1,164 +1,172 @@
 package remediation
 
 import (
-	"errors"
 	"fmt"
-	"slices"
 
-	"github.com/snyk/go-application-framework/pkg/apiclients/testapi"
-
-	"github.com/snyk/cli-extension-os-flows/internal/legacy/definitions"
-	"github.com/snyk/cli-extension-os-flows/internal/semver/shared"
+	"github.com/snyk/cli-extension-os-flows/internal/semver"
 )
 
-func FixesToRemediationSummary(findings []Finding, semver shared.Runtime) Summary {
-	calculatePins(findings, semver)
-	return Summary{}
-}
-
-func getDepedencyPathEvidence(finding testapi.FindingData) (*testapi.DependencyPathEvidence, error) {
-	for _, ev := range finding.Attributes.Evidence {
-		disc, err := ev.Discriminator()
-		if err != nil {
-			return nil, err
-		}
-
-		if disc != string(testapi.DependencyPath) {
-			continue
-		}
-
-		depPath, err := ev.AsDependencyPathEvidence()
-		if err != nil {
-			return nil, err
-		}
-
-		return &depPath, nil
+func FixesToRemediationSummary(findings []Finding) (Summary, error) {
+	pins, err := calculatePins(findings)
+	if err != nil {
+		return Summary{}, err
 	}
-	return nil, fmt.Errorf("no depedency path evidence was found for finding: %s", finding.Id)
+	return Summary{Pins: pins}, err
 }
 
-func getSnykVuln(finding testapi.FindingData) (*testapi.SnykVulnProblem, error) {
-	for _, prob := range finding.Attributes.Problems {
-		disc, err := prob.Discriminator()
-		if err != nil {
-			return nil, err
-		}
+type packageKey string
 
-		if disc != string(testapi.SnykVuln) {
-			continue
-		}
-
-		vuln, err := prob.AsSnykVulnProblem()
-		if err != nil {
-			return nil, err
-		}
-
-		return &vuln, nil
-	}
-	return nil, nil
+func NewPackageKey(p Package) packageKey {
+	return packageKey(fmt.Sprintf("%s@%s", p.Name, p.Version))
 }
 
-func calculatePins(findings []Finding, semver shared.Runtime) (map[string]definitions.PinRemediation, error) {
-	pin := make(map[string]Upgrade)
+func calculatePins(findings []Finding) ([]Upgrade, error) {
+	var output []Upgrade
+	var pinMap = make(map[packageKey]Upgrade)
 	for _, finding := range findings {
-		if len(finding.DependencyPath) < 2 {
-			continue
-		}
+		vulnerablePackage := finding.Package
+		key := NewPackageKey(vulnerablePackage)
 
-		// vuln, err := getSnykVuln(finding)
-		// if err != nil {
-		// 	return nil, err
-		// }
-		//
-		// if vuln == nil {
-		// 	continue
-		// }
-
-		key := fmt.Sprintf("%s@%s", finding.Package.Name, finding.Package.Version)
-
-		var currentUpgradeToVersion string
-		vulnPin, pinExistsForPkg := pin[key]
-		if pinExistsForPkg {
-			currentUpgradeToVersion = vulnPin.To.Version
-		}
-
-		if len(finding.InitiallyFixedInVersions) == 0 {
-			continue
-		}
+		upgrade, upgradeExists := pinMap[key]
 
-		var sortErr error
-		slices.SortStableFunc(finding.InitiallyFixedInVersions, func(a, b string) int {
-			comp, err := semver.Compare(a, b)
-			if err != nil {
-				sortErr = errors.Join(sortErr, err)
-			}
-			return comp
-		})
-		if sortErr != nil {
-			return nil, fmt.Errorf("failed to sort fixedIn values: %w", sortErr)
+		vulnerabilityInPackage := VulnerabilityInPackage{
+			VulnerablePackage: vulnerablePackage,
+			Vulnerability:     finding.Vulnerability,
+			IntroducedThrough: finding.DependencyPaths,
 		}
 
-		var newVersion string
-		for _, fixVersion := range finding.InitiallyFixedInVersions {
-			comp, err := semver.Compare(fixVersion, finding.Package.Version)
+		if upgradeExists {
+			highestVersion, err := getMaxVersion(finding.PackageManager, upgrade.To.Version, finding.Fix.(PinFix).PinAction.Package.Version)
 			if err != nil {
 				return nil, err
 			}
+			upgrade.To.Version = highestVersion
+			upgrade.Fixes = append(upgrade.Fixes, vulnerabilityInPackage)
 
-			if comp > 0 {
-				newVersion = fixVersion
-				break
-			}
-		}
-
-		if newVersion == "" {
-			continue
-		}
-
-		if !pinExistsForPkg {
-			pin[key] = Upgrade{
-				From: finding.Package,
-				To: Package{
-					Name: finding.Package.Name,
-					Version: newVersion,
-				},
-				Fixes: []*VulnerabilityInPackage{
-					{
-						VulnerablePackage: finding.Package,
-						Vulnerability: Vulnerability{
-							ID: finding.VulnId,
-							Name: finding.Title,
-							Severity: finding.Severity,
-						},
-						IntroducedThrough: []DependencyPath{finding.DependencyPath},
-					},
-				},
-			}
+			pinMap[key] = upgrade
 		} else {
-			var fixForVuln *VulnerabilityInPackage
-			for _, vulnInPkg := range vulnPin.Fixes {
-				if vulnInPkg.Vulnerability.ID == finding.VulnId {
-					fixForVuln := vulnInPkg
-					break
-				}
-			}
-			if fixForVuln {
-				fixForVuln.IntroducedThrough = append(fixForVuln.IntroducedThrough, fi)
-			}
-			vulnPin.Vulns = append(vulnPin.Vulns, vuln.Id)
 
-			v, err := semver.Compare(newVersion, currentUpgradeToVersion)
-			if err != nil {
-				return nil, err
-			}
-			if v > 0 {
-				vulnPin.UpgradeTo = fmt.Sprintf("%s@%s", vuln.PackageName, newVersion)
+			pinMap[key] = Upgrade{
+				From:  vulnerablePackage,
+				To:    finding.Fix.(PinFix).PinAction.Package,
+				Fixes: []VulnerabilityInPackage{vulnerabilityInPackage},
 			}
-
-			// vulnPin is a copy of the value from the map,
-			// so we need to store it back after modifying it
-			pin[key] = vulnPin
 		}
 	}
-	return pin, nil
+
+	for _, pin := range pinMap {
+		output = append(output, pin)
+	}
+	return output, nil
+	//pin := make(map[string]Upgrade)
+	//for _, finding := range findings {
+	//	if len(finding.DependencyPath) < 2 {
+	//		continue
+	//	}
+	//
+	//	key := fmt.Sprintf("%s@%s", finding.Package.Name, finding.Package.Version)
+	//
+	//	var currentUpgradeToVersion string
+	//	vulnPin, pinExistsForPkg := pin[key]
+	//	if pinExistsForPkg {
+	//		currentUpgradeToVersion = vulnPin.To.Version
+	//	}
+	//
+	//	if len(finding.InitiallyFixedInVersions) == 0 {
+	//		continue
+	//	}
+	//
+	//	var sortErr error
+	//	slices.SortStableFunc(finding.InitiallyFixedInVersions, func(a, b string) int {
+	//		comp, err := semver.Compare(a, b)
+	//		if err != nil {
+	//			sortErr = errors.Join(sortErr, err)
+	//		}
+	//		return comp
+	//	})
+	//	if sortErr != nil {
+	//		return nil, fmt.Errorf("failed to sort fixedIn values: %w", sortErr)
+	//	}
+	//
+	//	var newVersion string
+	//	for _, fixVersion := range finding.InitiallyFixedInVersions {
+	//		comp, err := semver.Compare(fixVersion, finding.Package.Version)
+	//		if err != nil {
+	//			return nil, err
+	//		}
+	//
+	//		if comp > 0 {
+	//			newVersion = fixVersion
+	//			break
+	//		}
+	//	}
+	//
+	//	if newVersion == "" {
+	//		continue
+	//	}
+	//
+	//	if !pinExistsForPkg {
+	//		pin[key] = Upgrade{
+	//			From: finding.Package,
+	//			To: Package{
+	//				Name:    finding.Package.Name,
+	//				Version: newVersion,
+	//			},
+	//			Fixes: []*VulnerabilityInPackage{
+	//				{
+	//					VulnerablePackage: finding.Package,
+	//					Vulnerability: Vulnerability{
+	//						ID:       finding.VulnId,
+	//						Name:     finding.Title,
+	//						Severity: finding.Severity,
+	//					},
+	//					IntroducedThrough: []DependencyPath{finding.DependencyPath},
+	//				},
+	//			},
+	//		}
+	//	} else {
+	//		var fixForVuln *VulnerabilityInPackage
+	//		for _, vulnInPkg := range vulnPin.Fixes {
+	//			if vulnInPkg.Vulnerability.ID == finding.VulnId {
+	//				fixForVuln := vulnInPkg
+	//				break
+	//			}
+	//		}
+	//		if fixForVuln {
+	//			fixForVuln.IntroducedThrough = append(fixForVuln.IntroducedThrough, fi)
+	//		}
+	//		vulnPin.Vulns = append(vulnPin.Vulns, vuln.Id)
+	//
+	//		v, err := semver.Compare(newVersion, currentUpgradeToVersion)
+	//		if err != nil {
+	//			return nil, err
+	//		}
+	//		if v > 0 {
+	//			vulnPin.UpgradeTo = fmt.Sprintf("%s@%s", vuln.PackageName, newVersion)
+	//		}
+	//
+	//		// vulnPin is a copy of the value from the map,
+	//		// so we need to store it back after modifying it
+	//		pin[key] = vulnPin
+	//	}
+	//}
+	//return pin, nil
+}
+
+func getMaxVersion(packageManager PackageManager, v1 string, v2 string) (string, error) {
+	semverResolver, err := semver.GetSemver(string(packageManager))
+	if err != nil {
+		return "", err
+	}
+	var version string
+	compare, err := semverResolver.Compare(v1, v2)
+	if err != nil {
+		return "", err
+	}
+	if compare >= 0 {
+		version = v1
+	} else {
+		version = v2
+	}
+	return version, nil
 }
diff --git a/internal/remediation/remediation_test.go b/internal/remediation/remediation_test.go
