CVE report should include changed requirements.

Previously it would only show for added requirements. If a requirement changes versions, we should include it in the CVE report.
ActiveState · Nov 7, 2024 · 110c0db · 110c0db
1 parent 0100fab
commit 110c0db
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/internal/runbits/cves/cves.go b/internal/runbits/cves/cves.go
@@ -77,7 +77,7 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 		}
 	}
 
-	names := addedRequirements(oldBuildPlan, newBuildPlan)
+	names := changedRequirements(oldBuildPlan, newBuildPlan)
 	pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)
 
 	ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)
@@ -235,21 +235,24 @@ func (c *CveReport) promptForSecurity() (bool, error) {
 	return confirm, nil
 }
 
-func addedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
+func changedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
 	var names []string
 	var oldRequirements buildplan.Requirements
 	if oldBuildPlan != nil {
 		oldRequirements = oldBuildPlan.Requirements()
 	}
 	newRequirements := newBuildPlan.Requirements()
 
-	oldReqs := make(map[string]bool)
+	oldReqs := make(map[string]string)
 	for _, req := range oldRequirements {
-		oldReqs[qualifiedName(req)] = true
+		oldReqs[qualifiedName(req)] = req.Ingredient.Version
 	}
 
 	for _, req := range newRequirements {
-		if oldReqs[qualifiedName(req)] || req.Namespace == buildplan.NamespaceInternal {
+		if req.Namespace == buildplan.NamespaceInternal {
+			continue
+		}
+		if version, exists := oldReqs[qualifiedName(req)]; exists && version == req.Ingredient.Version {
 			continue
 		}
 		names = append(names, req.Name)