refactor: precompute package graph; extract chainBuilder dfs

andrzej-janczak · claude · andrzej-janczak · commit 4c82892b266d · 2026-05-28T15:23:59.000+02:00
Address PR review comments on #296: - Precompute pkgByUID and parentsByUID once per result via buildPackageGraph, avoiding O(N*M) reconstruction inside the vulnerability loop. - buildDependencyChains now takes a targetUID + packageGraph; the call site uses vuln.PkgIdentifier.UID (with PURL fallback). - Extract the DFS into a chainBuilder struct with nodeName/tryRecord helpers, dropping the closure's cyclomatic complexity below the threshold. - tryRecord enforces maxDependencyChains for the cycle-fallback branch too, preventing one extra chain past the cap. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
@@ -196,6 +196,9 @@ func (t codacyTrivy) getVulnerabilities(ctx context.Context, report ptypes.Repor
 			lineNumberByPurl[pkg.Identifier.PURL.ToString()] = lineNumber
 		}
 
+		// Precompute the package graph once per result; reused for every vulnerability's chain lookup.
+		graph := buildPackageGraph(result.Packages)
+
 		// Ensure Trivy only produces results with severities matching the specified patterns.
 		// Due to the way we invoke Trivy, this won't happen by simply setting it in the config.
 		if err := tresult.FilterResult(ctx, &result, tresult.IgnoreConfig{}, tresult.FilterOptions{Severities: trivySeverities}); err != nil {
@@ -233,7 +236,11 @@ func (t codacyTrivy) getVulnerabilities(ctx context.Context, report ptypes.Repor
 				return nil, err
 			}
 
-			chains := buildDependencyChains(purl, result.Packages)
+			targetUID := vuln.PkgIdentifier.UID
+			if targetUID == "" {
+				targetUID = graph.uidByPURL[purl]
+			}
+			chains := buildDependencyChains(targetUID, graph)
 			extraFields, err := json.Marshal(map[string]any{
 				"dependenciesChains": chains,
 				"CVE":                vuln.VulnerabilityID,
@@ -515,75 +522,98 @@ func unencodeComponents(bom *cdx.BOM) {
 	}
 }
 
-// buildDependencyChains enumerates root-to-vulnerable chains for a vulnerable PURL via DFS.
-// Each chain is ordered root-most first, vulnerable package last.
-// DependsOn in Trivy lists a package's children (what it depends on). To find parents
-// (what depends on the vulnerable package), we build an inverted map keyed by UID.
-// Limits: max maxDependencyChains chains; per-chain length capped at maxDependencyChainLen (tail kept).
-func buildDependencyChains(targetPURL string, packages []ftypes.Package) [][]string {
-	// Map from UID to package for name resolution.
-	pkgByUID := make(map[string]ftypes.Package, len(packages))
-	// Inverted map: child UID -> parent UIDs (packages that depend on this child).
-	parentsByUID := make(map[string][]string)
-	targetUID := ""
+// packageGraph holds precomputed lookups over a result's packages. Building it once
+// per result avoids O(N*M) reconstruction inside the vulnerability loop.
+type packageGraph struct {
+	// pkgByUID resolves a UID to its package (for display-name lookup).
+	pkgByUID map[string]ftypes.Package
+	// parentsByUID is the inverted dependency map: child UID -> UIDs that depend on it.
+	// DependsOn in Trivy lists a package's children; we invert it to walk upward.
+	parentsByUID map[string][]string
+	// uidByPURL is a fallback for vulnerabilities that carry a PURL but no UID.
+	uidByPURL map[string]string
+}
 
+func buildPackageGraph(packages []ftypes.Package) packageGraph {
+	g := packageGraph{
+		pkgByUID:     make(map[string]ftypes.Package, len(packages)),
+		parentsByUID: make(map[string][]string),
+		uidByPURL:    make(map[string]string, len(packages)),
+	}
 	for _, pkg := range packages {
 		uid := pkg.Identifier.UID
-		pkgByUID[uid] = pkg
-		if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.ToString() == targetPURL {
-			targetUID = uid
+		g.pkgByUID[uid] = pkg
+		if pkg.Identifier.PURL != nil {
+			g.uidByPURL[pkg.Identifier.PURL.ToString()] = uid
 		}
 		for _, depUID := range pkg.DependsOn {
-			parentsByUID[depUID] = append(parentsByUID[depUID], uid)
+			g.parentsByUID[depUID] = append(g.parentsByUID[depUID], uid)
 		}
 	}
+	return g
+}
 
-	if targetUID == "" {
+// buildDependencyChains enumerates root-to-vulnerable chains for the package identified
+// by targetUID via DFS. Each chain is ordered root-most first, vulnerable package last.
+// Limits: max maxDependencyChains chains; per-chain length capped at maxDependencyChainLen (tail kept).
+func buildDependencyChains(targetUID string, graph packageGraph) [][]string {
+	if _, ok := graph.pkgByUID[targetUID]; !ok {
 		return nil
 	}
+	b := chainBuilder{graph: graph}
+	b.dfs(targetUID, nil, map[string]bool{})
+	return b.out
+}
 
-	var out [][]string
+// chainBuilder isolates DFS state and helpers so the traversal stays modular and
+// each method has a low cyclomatic complexity.
+type chainBuilder struct {
+	graph packageGraph
+	out   [][]string
+}
 
-	var dfs func(currentUID string, path []string, visited map[string]bool)
-	dfs = func(currentUID string, path []string, visited map[string]bool) {
-		if len(out) >= maxDependencyChains {
-			return
-		}
-		if visited[currentUID] {
-			return
-		}
-		visited[currentUID] = true
-		defer delete(visited, currentUID)
-
-		pkg, ok := pkgByUID[currentUID]
-		var name string
-		if ok && pkg.Identifier.PURL != nil {
-			name = purlPrettyPrint(*pkg.Identifier.PURL)
-		} else {
-			name = currentUID
-		}
-		path = append([]string{name}, path...)
+func (b *chainBuilder) nodeName(uid string) string {
+	if pkg, ok := b.graph.pkgByUID[uid]; ok && pkg.Identifier.PURL != nil {
+		return purlPrettyPrint(*pkg.Identifier.PURL)
+	}
+	return uid
+}
+
+// tryRecord appends a chain unless the per-vulnerability chain cap is reached.
+// Returns true when a chain was recorded.
+func (b *chainBuilder) tryRecord(chain []string) bool {
+	if len(b.out) >= maxDependencyChains {
+		return false
+	}
+	b.out = append(b.out, trimChainTail(chain, maxDependencyChainLen))
+	return true
+}
+
+func (b *chainBuilder) dfs(currentUID string, path []string, visited map[string]bool) {
+	if visited[currentUID] {
+		return
+	}
+	visited[currentUID] = true
+	defer delete(visited, currentUID)
 
-		parents := parentsByUID[currentUID]
-		if len(parents) == 0 {
-			out = append(out, trimChainTail(path, maxDependencyChainLen))
+	path = append([]string{b.nodeName(currentUID)}, path...)
+
+	parents := b.graph.parentsByUID[currentUID]
+	if len(parents) == 0 {
+		b.tryRecord(path)
+		return
+	}
+	before := len(b.out)
+	for _, parentUID := range parents {
+		if len(b.out) >= maxDependencyChains {
 			return
 		}
-		before := len(out)
-		for _, parentUID := range parents {
-			if len(out) >= maxDependencyChains {
-				return
-			}
-			dfs(parentUID, path, visited)
-		}
-		// All parent branches were blocked by cycle detection — treat current node as root.
-		if len(out) == before {
-			out = append(out, trimChainTail(path, maxDependencyChainLen))
-		}
+		b.dfs(parentUID, path, visited)
+	}
+	// All parent branches were blocked by cycle detection — treat current node as root.
+	if len(b.out) == before {
+		b.tryRecord(path)
 	}
-
-	dfs(targetUID, nil, map[string]bool{})
-	return out
 }
 
 func trimChainTail(chain []string, max int) []string {
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
@@ -925,9 +925,9 @@ func newPURL(pkgType, namespace, name, version string) *packageurl.PackageURL {
 
 func TestBuildDependencyChains(t *testing.T) {
 	type testData struct {
-		packages    []ftypes.Package
-		targetPURL  string
-		expected    [][]string
+		packages  []ftypes.Package
+		targetUID string
+		expected  [][]string
 	}
 
 	vulnPURL := newPURL("npm", "", "vuln-pkg", "1.0.0")
@@ -947,33 +947,33 @@ func TestBuildDependencyChains(t *testing.T) {
 			packages: []ftypes.Package{
 				makePkg(vulnUID, vulnPURL),
 			},
-			targetPURL: vulnUID,
-			expected:   [][]string{{"npm/vuln-pkg@1.0.0"}},
+			targetUID: vulnUID,
+			expected:  [][]string{{"npm/vuln-pkg@1.0.0"}},
 		},
 		"single transitive chain — one parent": {
 			packages: []ftypes.Package{
 				makePkg(vulnUID, vulnPURL),
 				makePkg(parentUID, parentPURL, vulnUID),
 			},
-			targetPURL: vulnUID,
-			expected:   [][]string{{"npm/parent-pkg@2.0.0", "npm/vuln-pkg@1.0.0"}},
+			targetUID: vulnUID,
+			expected:  [][]string{{"npm/parent-pkg@2.0.0", "npm/vuln-pkg@1.0.0"}},
 		},
 		"deep transitive chain — two ancestors": {
 			packages: []ftypes.Package{
 				makePkg(vulnUID, vulnPURL),
 				makePkg(parentUID, parentPURL, vulnUID),
 				makePkg(grandparentUID, grandparentPURL, parentUID),
 			},
-			targetPURL: vulnUID,
-			expected:   [][]string{{"npm/grandparent-pkg@3.0.0", "npm/parent-pkg@2.0.0", "npm/vuln-pkg@1.0.0"}},
+			targetUID: vulnUID,
+			expected:  [][]string{{"npm/grandparent-pkg@3.0.0", "npm/parent-pkg@2.0.0", "npm/vuln-pkg@1.0.0"}},
 		},
 		"multiple paths to root — two chains": {
 			packages: []ftypes.Package{
 				makePkg(vulnUID, vulnPURL),
 				makePkg(sibling1UID, sibling1PURL, vulnUID),
 				makePkg(sibling2UID, sibling2PURL, vulnUID),
 			},
-			targetPURL: vulnUID,
+			targetUID: vulnUID,
 			expected: [][]string{
 				{"npm/sibling-1@1.0.0", "npm/vuln-pkg@1.0.0"},
 				{"npm/sibling-2@1.0.0", "npm/vuln-pkg@1.0.0"},
@@ -983,16 +983,16 @@ func TestBuildDependencyChains(t *testing.T) {
 			packages: []ftypes.Package{
 				makePkg(parentUID, parentPURL, vulnUID),
 			},
-			targetPURL: vulnUID,
-			expected:   nil,
+			targetUID: vulnUID,
+			expected:  nil,
 		},
 		"package without PURL — falls back to UID as name": {
 			packages: []ftypes.Package{
 				makePkg(vulnUID, vulnPURL),
 				makePkg("no-purl-root", nil, vulnUID),
 			},
-			targetPURL: vulnUID,
-			expected:   [][]string{{"no-purl-root", "npm/vuln-pkg@1.0.0"}},
+			targetUID: vulnUID,
+			expected:  [][]string{{"no-purl-root", "npm/vuln-pkg@1.0.0"}},
 		},
 		"max chains limit — stops at 10": {
 			packages: func() []ftypes.Package {
@@ -1003,7 +1003,7 @@ func TestBuildDependencyChains(t *testing.T) {
 				}
 				return pkgs
 			}(),
-			targetPURL: vulnUID,
+			targetUID: vulnUID,
 			expected: func() [][]string {
 				var chains [][]string
 				for i := 0; i < maxDependencyChains; i++ {
@@ -1016,7 +1016,7 @@ func TestBuildDependencyChains(t *testing.T) {
 
 	for testName, testData := range testSet {
 		t.Run(testName, func(t *testing.T) {
-			result := buildDependencyChains(testData.targetPURL, testData.packages)
+			result := buildDependencyChains(testData.targetUID, buildPackageGraph(testData.packages))
 			assert.Equal(t, testData.expected, result)
 		})
 	}
@@ -1037,7 +1037,7 @@ func TestBuildDependencyChains_CycleTerminates(t *testing.T) {
 		makePkg(sibling2UID, sibling2PURL, vulnUID, sibling1UID),
 	}
 
-	result := buildDependencyChains(vulnUID, packages)
+	result := buildDependencyChains(vulnUID, buildPackageGraph(packages))
 
 	// Cycle guard must prevent infinite loop; exactly 2 finite chains produced
 	assert.Len(t, result, 2)
@@ -1062,7 +1062,7 @@ func TestBuildDependencyChains_ChainLengthTrimmed(t *testing.T) {
 		prevUID = uid
 	}
 
-	result := buildDependencyChains(vulnUID, packages)
+	result := buildDependencyChains(vulnUID, buildPackageGraph(packages))
 	if assert.Len(t, result, 1) {
 		chain := result[0]
 		assert.Len(t, chain, maxDependencyChainLen, "chain should be trimmed to maxDependencyChainLen")
