feat: compute pin advice in --json output

Author: paulrosca-snyk

internal/legacy/definitions/legacy-json.tsp

@@ -200,10 +200,16 @@ model RemediationUpgradeInfo {
   vulns: string[];
 }
 
+model PinRemediation {
+  isTransitive: boolean;
+  vulns: string[];
+  upgradeTo: string;
+}
+
 model Remediation {
   ignore: Record<string>;
   patch: Record<string>;
-  pin: Record<string>;
+  pin: Record<PinRemediation>;
   unresolved: Vulnerability[];
   upgrade: Record<RemediationUpgradeInfo>;
 }

internal/legacy/definitions/oapi.gen.go

@@ -306,6 +306,21 @@ components:
             type: string
         version:
           type: string
+    PinRemediation:
+      type: object
+      required:
+        - isTransitive
+        - vulns
+        - upgradeTo
+      properties:
+        isTransitive:
+          type: boolean
+        vulns:
+          type: array
+          items:
+            type: string
+        upgradeTo:
+          type: string
     Reachability:
       type: string
       enum:
@@ -341,7 +356,7 @@ components:
         pin:
           type: object
           additionalProperties:
-            type: string
+            $ref: '#/components/schemas/PinRemediation'
         unresolved:
           type: array
           items:

internal/legacy/definitions/spec.yaml

@@ -1,16 +1,98 @@
 package transform
 
 import (
+	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/rs/zerolog"
 	"github.com/snyk/go-application-framework/pkg/apiclients/testapi"
 
 	"github.com/snyk/cli-extension-os-flows/internal/legacy/definitions"
+	"github.com/snyk/cli-extension-os-flows/internal/semver/shared"
 	"github.com/snyk/cli-extension-os-flows/internal/util"
 )
 
+func CalculatePin(vulns []definitions.Vulnerability, semver shared.Runtime) (map[string]definitions.PinRemediation, error) {
+	pin := make(map[string]definitions.PinRemediation)
+	for _, vuln := range vulns {
+		if len(vuln.From) < 2 {
+			continue
+		}
+
+		key := fmt.Sprintf("%s@%s", vuln.Name, vuln.Version)
+
+		var currentUpgradeToVersion string
+		vulnPin, pinExistsForVuln := pin[key]
+		if pinExistsForVuln {
+			currentUpgradeToVersion = vulnPin.UpgradeTo[len(vuln.Name)+1:]
+		}
+
+		if vuln.FixedIn == nil || len(*vuln.FixedIn) == 0 {
+			continue
+		}
+
+		var sortErr error
+		slices.SortStableFunc(*vuln.FixedIn, func(a, b string) int {
+			comp, err := semver.Compare(a, b)
+			if err != nil {
+				sortErr = errors.Join(sortErr, err)
+			}
+			return comp
+		})
+		if sortErr != nil {
+			return nil, fmt.Errorf("failed to sort fixedIn values: %w", sortErr)
+		}
+
+		isTransitive := len(vuln.From) > 2
+
+		var newVersion string
+		for _, fixVersion := range *vuln.FixedIn {
+			comp, err := semver.Compare(fixVersion, vuln.Version)
+			if err != nil {
+				return nil, err
+			}
+
+			if comp > 0 {
+				newVersion = fixVersion
+				break
+			}
+		}
+
+		if newVersion == "" {
+			continue
+		}
+
+		if !pinExistsForVuln {
+			pin[key] = definitions.PinRemediation{
+				UpgradeTo:    fmt.Sprintf("%s@%s", vuln.Name, newVersion),
+				Vulns:        []string{vuln.Id},
+				IsTransitive: isTransitive,
+			}
+		} else {
+			vulnPin.Vulns = append(vulnPin.Vulns, vuln.Id)
+
+			v, err := semver.Compare(newVersion, currentUpgradeToVersion)
+			if err != nil {
+				return nil, err
+			}
+			if v > 0 {
+				vulnPin.UpgradeTo = fmt.Sprintf("%s@%s", vuln.Name, newVersion)
+			}
+
+			if !isTransitive {
+				vulnPin.IsTransitive = false
+			}
+
+			// vulnPin is a copy of the value from the map,
+			// so we need to store it back after modifying it
+			pin[key] = vulnPin
+		}
+	}
+	return pin, nil
+}
+
 func getNameFromStringPath(path string) string {
 	lastIndx := strings.LastIndex(path, "@")
 	return path[:lastIndx]

internal/legacy/transform/remediation.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/snyk/cli-extension-os-flows/internal/errors"
 	"github.com/snyk/cli-extension-os-flows/internal/legacy/definitions"
+	"github.com/snyk/cli-extension-os-flows/internal/semver"
 	"github.com/snyk/cli-extension-os-flows/internal/util"
 )
 
@@ -447,6 +448,22 @@ func ConvertSnykSchemaFindingsToLegacy(params *SnykSchemaToLegacyParams) (*defin
 		}
 	}
 
+	if semver, err := semver.GetSemver(params.PackageManager); err == nil {
+		pin, err := CalculatePin(res.Vulnerabilities, semver)
+		if err != nil {
+			return nil, params.ErrFactory.NewLegacyJSONTransformerError(fmt.Errorf("calculating pin remediation: %w", err))
+		}
+		res.Remediation = &definitions.Remediation{Pin: pin}
+	} else {
+		// This will be the case for the sbom test as long
+		// as long as we don't get the package manager back from the server
+		params.
+			Logger.
+			Warn().
+			Str("package manager", params.PackageManager).
+			Msg("skipping remediation computation as no semver runtime could be retrieved for the package manager")
+	}
+
 	return &res, nil
 }