Merged
12 changes: 8 additions & 4 deletions plugins/commands/advisor/src/main/kotlin/AdvisorCommand.kt
Expand Up @@ -140,12 +140,16 @@ class AdvisorCommand : OrtCommand(
println("The advice took $duration.")

with(advisorRun.results.getVulnerabilities()) {
val totalPackageCount = ortResultOutput.getPackages(omitExcluded = true).size
val vulnerabilityCount = values.sumOf { it.size }
val includedPackages = ortResultOutput.getPackages(omitExcluded = true).map { it.metadata.id }
Member


The map returned by getVulnerabilities() contains entries for all
packages, also those that do not have any vulnerabilities.

BTW, this is something that also occurred to me in the context of #6613: The advisor's retrievePackageFindings() API definition does not make clear whether the returned map should contain entries for packages that have empty defects and vulnerabilities as part of the AdvisorResult. Should it? Just to get the AdvisorDetails and AdvisorSummary returned?

Member Author


I'm not sure about this either; in some situations, like package curations, we decided that it has benefits to have explicit empty results to document that something was requested.

Member


Discussed as part of the Kotlin developer meeting.

val totalPackageCount = includedPackages.size
val vulnerablePackageCount = count { (id, vulnerabilities) ->
id in includedPackages && vulnerabilities.isNotEmpty()
}
val vulnerabilityCount = filterKeys { it in includedPackages }.values.sumOf { it.size }

println(
"$size of $totalPackageCount package(s) (not counting excluded ones) are vulnerable, with " +
"$vulnerabilityCount vulnerabilities in total."
"$vulnerablePackageCount of $totalPackageCount package(s) (not counting excluded ones) are " +
"vulnerable, with $vulnerabilityCount vulnerabilities in total."
)
}
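
Review bot: `includedPackages` is produced by `map { it.metadata.id }`, so it is a `List`, and the `id in includedPackages` checks in both the `count` lambda and `filterKeys` become a linear scan for every entry of the vulnerabilities map. Collect the ids into a set instead, for example with `mapTo(mutableSetOf()) { it.metadata.id }`. The map is also filtered twice with the same predicate; filtering it once with `filterKeys { it in includedPackages }` and deriving both `vulnerablePackageCount` and `vulnerabilityCount` from that result would keep the two printed numbers consistent if the inclusion rule changes later.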
