fix: deduplicate vulnerabilities in recommend endpoint [Backport release/0.4.z]

etc/test-data/osv/RUSTSEC-2021-0079-DUPLICATE.json

@@ -0,0 +1,30 @@
+{
+  "id": "DUPLICATE",
+  "modified": "2021-10-19T22:14:35Z",
+  "published": "2021-07-07T12:00:00Z",
+  "aliases": [
+    "CVE-2021-32714"
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "hyper",
+        "purl": "pkg:cargo/hyper"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.0.0-0"
+            },
+            {
+              "fixed": "0.14.10"
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

modules/fundamental/src/purl/endpoints/test.rs

@@ -379,3 +379,108 @@ async fn get_recommendations_no_version(ctx: &TrustifyContext) -> Result<(), any
 
     Ok(())
 }
+
+#[test_context(TrustifyContext)]
+#[test(actix_web::test)]
+async fn get_recommendations_dedup(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    ctx.ingestor
+        .graph()
+        .ingest_qualified_package(
+            &Purl::from_str("pkg:cargo/hyper@0.14.1-redhat-00001")?,
+            &ctx.db,
+        )
+        .await?;
+
+    ctx.ingest_documents([
+        "osv/RUSTSEC-2021-0079.json",
+        "osv/RUSTSEC-2021-0079-DUPLICATE.json",
+    ])
+    .await?;
+
+    let app = caller(ctx).await?;
+    let recommendations: Value = app
+        .call_and_read_body_json(
+            TestRequest::post()
+                .uri("/api/v2/purl/recommend")
+                .set_json(json!({"purls": ["pkg:cargo/hyper@0.14.1"]}))
+                .to_request(),
+        )
+        .await;
+
+    log::info!("{recommendations:#?}");
+
+    let entry =
+        &recommendations["recommendations"].as_object().unwrap()["pkg:cargo/hyper@0.14.1"][0];
+    assert_eq!(entry["vulnerabilities"].as_array().unwrap().len(), 1);
+    assert_eq!(
+        entry["vulnerabilities"].as_array().unwrap()[0]["id"]
+            .as_str()
+            .unwrap(),
+        "CVE-2021-32714"
+    );
+
+    Ok(())
+}
+
+#[test_context(TrustifyContext)]
+#[test(actix_web::test)]
+async fn get_recommendations_other_status(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    use sea_orm::{ActiveModelTrait, ColumnTrait, EntityTrait, QueryFilter, Set};
+    use trustify_entity::{purl_status, status};
+
+    ctx.ingestor
+        .graph()
+        .ingest_qualified_package(
+            &Purl::from_str("pkg:cargo/hyper@0.14.1-redhat-00001")?,
+            &ctx.db,
+        )
+        .await?;
+
+    ctx.ingest_documents(["osv/RUSTSEC-2021-0079.json"]).await?;
+
+    let custom_status_id = Uuid::new_v4();
+    let custom_status = status::ActiveModel {
+        id: Set(custom_status_id),
+        slug: Set("custom_status".to_string()),
+        name: Set("Custom Status".to_string()),
+        description: Set(Some("A custom status for testing".to_string())),
+    };
+    status::Entity::insert(custom_status).exec(&ctx.db).await?;
+
+    let purl_statuses = purl_status::Entity::find()
+        .filter(purl_status::Column::VulnerabilityId.eq("CVE-2021-32714"))
+        .all(&ctx.db)
+        .await?;
+
+    assert!(!purl_statuses.is_empty());
+
+    for ps in purl_statuses {
+        let mut active: purl_status::ActiveModel = ps.into();
+        active.status_id = Set(custom_status_id);
+        active.update(&ctx.db).await?;
+    }
+
+    let app = caller(ctx).await?;
+    let recommendations: Value = app
+        .call_and_read_body_json(
+            TestRequest::post()
+                .uri("/api/v2/purl/recommend")
+                .set_json(json!({"purls": ["pkg:cargo/hyper@0.14.1"]}))
+                .to_request(),
+        )
+        .await;
+
+    log::info!("{recommendations:#?}");
+
+    let entry =
+        &recommendations["recommendations"].as_object().unwrap()["pkg:cargo/hyper@0.14.1"][0];
+    let vulns = entry["vulnerabilities"].as_array().unwrap();
+    let vuln = vulns
+        .iter()
+        .find(|v| v["id"].as_str().unwrap() == "CVE-2021-32714")
+        .unwrap();
+
+    assert_eq!(vuln["status"], "custom_status");
+
+    Ok(())
+}

modules/fundamental/src/purl/model/mod.rs

@@ -156,6 +156,7 @@ pub enum VexStatus {
     NotAffected,
     UnderInvestigation,
     Recommended,
+    #[serde(untagged)]
     Other(String),
 }
 

modules/fundamental/src/purl/service/mod.rs

@@ -11,6 +11,7 @@ use crate::{
         summary::{base_purl::BasePurlSummary, purl::PurlSummary, r#type::TypeSummary},
     },
 };
+use itertools::Itertools;
 use regex::Regex;
 use sea_orm::{
     ColumnTrait, ConnectionTrait, DbBackend, EntityTrait, FromQueryResult, QueryFilter, QueryOrder,
@@ -509,12 +510,12 @@ impl PurlService {
                     vulnerabilities: purl_details
                         .advisories
                         .iter()
-                        .flat_map(|advisory| {
-                            advisory.status.iter().map(|status| VulnerabilityStatus {
-                                id: status.vulnerability.identifier.clone(),
-                                status: Some(status.into()),
-                                justification: None,
-                            })
+                        .flat_map(|advisory| &advisory.status)
+                        .unique_by(|status| &status.vulnerability.identifier)
+                        .map(|status| VulnerabilityStatus {
+                            id: status.vulnerability.identifier.clone(),
+                            status: Some(status.into()),
+                            justification: None,
                         })
                         .collect(),
                 });