Merge pull request #3582 from ActiveState/mitchell/dx-3150

CVE report should include changed requirements.
ActiveState · Nov 7, 2024 · 4e15f20 · 4e15f20
2 parents 0100fab + 110c0db
commit 4e15f20
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/internal/runbits/cves/cves.go b/internal/runbits/cves/cves.go
@@ -77,7 +77,7 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 		}
 	}
 
-	names := addedRequirements(oldBuildPlan, newBuildPlan)
+	names := changedRequirements(oldBuildPlan, newBuildPlan)
 	pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)
 
 	ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)
@@ -235,21 +235,24 @@ func (c *CveReport) promptForSecurity() (bool, error) {
 	return confirm, nil
 }
 
-func addedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
+func changedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
 	var names []string
 	var oldRequirements buildplan.Requirements
 	if oldBuildPlan != nil {
 		oldRequirements = oldBuildPlan.Requirements()
 	}
 	newRequirements := newBuildPlan.Requirements()
 
-	oldReqs := make(map[string]bool)
+	oldReqs := make(map[string]string)
 	for _, req := range oldRequirements {
-		oldReqs[qualifiedName(req)] = true
+		oldReqs[qualifiedName(req)] = req.Ingredient.Version
 	}
 
 	for _, req := range newRequirements {
-		if oldReqs[qualifiedName(req)] || req.Namespace == buildplan.NamespaceInternal {
+		if req.Namespace == buildplan.NamespaceInternal {
+			continue
+		}
+		if version, exists := oldReqs[qualifiedName(req)]; exists && version == req.Ingredient.Version {
 			continue
 		}
 		names = append(names, req.Name)