endpoint card

sbtaylor15 · sbtaylor15 · commit 6c43e68d3002 · 2026-02-11T14:39:59.000-07:00
diff --git a/graphql/modules/endpoints/resolvers.go b/graphql/modules/endpoints/resolvers.go
@@ -394,7 +394,6 @@ func ResolveEndpointDetails(db database.DBConnection, endpointName string) (map[
 }
 
 // ResolveSyncedEndpoints fetches a list of endpoints that have been synced.
-// REFACTORED: Now uses release2cve materialized edges instead of complex AQL filtering
 func ResolveSyncedEndpoints(db database.DBConnection, limit int, org string) ([]map[string]interface{}, error) {
 	ctx := context.Background()
 
@@ -605,10 +604,19 @@ func ResolveSyncedEndpoints(db database.DBConnection, limit int, org string) ([]
 				continue
 			}
 
-			// NO VALIDATION NEEDED - edges are pre-validated during ingestion
+			// LOGIC MATCH: Deduplicate per RELEASE (just like ResolveEndpointDetails)
 			var validVulns []map[string]interface{}
+			seen := make(map[string]bool)
 
 			for _, v := range res.Vulns {
+				// Local deduplication for this release (CVE + Package)
+				// This handles duplicate edges in the DB for the same release
+				key := v.CveID + ":" + v.Package
+				if seen[key] {
+					continue
+				}
+				seen[key] = true
+
 				validVulns = append(validVulns, map[string]interface{}{
 					"cve_id":          v.CveID,
 					"severity_rating": v.SeverityRating,
@@ -634,30 +642,14 @@ func ResolveSyncedEndpoints(db database.DBConnection, limit int, org string) ([]
 		prevCounts := map[string]int{"critical": 0, "high": 0, "medium": 0, "low": 0}
 
 		for _, svc := range ep.Services {
-			// FIX: Move deduplication maps INSIDE the service loop to deduplicate per service (matches Details view)
-			seen := make(map[string]bool)
-			seenPrev := make(map[string]bool)
+			// LOGIC MATCH: Sum across all services WITHOUT further deduplication
+			// This counts instances (e.g. Vuln X in Service A and Service B counts as 2)
 
 			// 1. Current Vulnerabilities
 			currKey := svc.Name + ":" + svc.Current.Version
 			currVulns := releaseVulnMap[currKey]
 
 			for _, v := range currVulns {
-				cveID := v["cve_id"].(string)
-
-				// Ensure we handle package info for deduplication
-				pkg := ""
-				if p, ok := v["package"].(string); ok {
-					pkg = p
-				}
-				// Use composite key to count Instances (matching Details view)
-				dedupKey := cveID + ":" + pkg
-
-				if seen[dedupKey] {
-					continue
-				}
-				seen[dedupKey] = true
-
 				rating := v["severity_rating"].(string)
 				switch rating {
 				case "CRITICAL":
@@ -677,19 +669,6 @@ func ResolveSyncedEndpoints(db database.DBConnection, limit int, org string) ([]
 				prevVulns := releaseVulnMap[prevKey]
 
 				for _, v := range prevVulns {
-					cveID := v["cve_id"].(string)
-
-					pkg := ""
-					if p, ok := v["package"].(string); ok {
-						pkg = p
-					}
-					dedupKey := cveID + ":" + pkg
-
-					if seenPrev[dedupKey] {
-						continue
-					}
-					seenPrev[dedupKey] = true
-
 					rating := v["severity_rating"].(string)
 					switch rating {
 					case "CRITICAL":
diff --git a/graphql/modules/releases/resolvers.go b/graphql/modules/releases/resolvers.go
@@ -4,7 +4,6 @@ package releases
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"net/url"
 
 	"github.com/arangodb/go-driver/v2/arangodb"
@@ -473,15 +472,17 @@ func convertToModelsAffected(allAffected []map[string]interface{}) []models.Affe
 	return result
 }
 
+// filepath: graphql/modules/releases/resolvers.go
+
 // ResolveOrgAggregatedReleases aggregates release data by organization
-// FIXED: Removed runtime toLowerCase() conversion - org names are now stored lowercase
+// FIXED: Deduplicates vulnerability matches BEFORE calculating severity counts to ensure totals match
 func ResolveOrgAggregatedReleases(db database.DBConnection, severity string, username string) ([]interface{}, error) {
 	ctx := context.Background()
 	severityScore := util.GetSeverityScore(severity)
 
 	// Determine org filter based on authentication status
-	userOrgs := []string{} // Initialize as empty slice, not nil
-	filterByPublic := true // Default to public only
+	userOrgs := []string{}
+	filterByPublic := true
 
 	if username != "" {
 		// User is authenticated - fetch their orgs from database
@@ -495,18 +496,14 @@ func ResolveOrgAggregatedReleases(db database.DBConnection, severity string, use
 				var orgs []string
 				_, readErr := cursor.ReadDocument(ctx, &orgs)
 				if readErr == nil && orgs != nil {
-					// Orgs are already stored lowercase - no conversion needed
 					userOrgs = orgs
 				}
 			}
 		}
-
-		// If user has no orgs specified, they have global access (empty orgs = see all)
+		// If user has no orgs specified, they have global access
 		filterByPublic = false
 	}
 
-	fmt.Printf("User=%s\nOrgs=%v\n", username, userOrgs)
-
 	query := `
 		FOR r IN release
 			FILTER (
@@ -569,15 +566,19 @@ func ResolveOrgAggregatedReleases(db database.DBConnection, severity string, use
 							}
 					)
 					
-					LET uniqueInstances = (
+					// FIX: Deduplicate (CVE+Package) matches FIRST
+					LET uniqueMatches = (
 						FOR match IN cveMatches
-							COLLECT cveId = match.cve_id, package = match.package
-							RETURN 1
+							COLLECT cveId = match.cve_id, package = match.package INTO groups = match
+							// Since cveId is the same, the severity_rating will be the same for all in the group
+							LET severity = groups[0].severity_rating
+							RETURN { cveId, package, severity }
 					)
 					
+					// FIX: Calculate severity counts from the UNIQUE list, not the raw list
 					LET severityCounts = (
-						FOR match IN cveMatches
-							COLLECT severity = match.severity_rating WITH COUNT INTO count
+						FOR match IN uniqueMatches
+							COLLECT severity = match.severity WITH COUNT INTO count
 							RETURN { severity, count }
 					)
 					
@@ -610,8 +611,8 @@ func ResolveOrgAggregatedReleases(db database.DBConnection, severity string, use
 					RETURN {
 						dependency_count: LENGTH(dependencyCount),
 						synced_endpoint_count: syncCount,
-						vulnerability_count: LENGTH(uniqueInstances),
-						vulnerability_count_delta: prevVulnCount != null ? (LENGTH(uniqueInstances) - prevVulnCount) : null,
+						vulnerability_count: LENGTH(uniqueMatches),
+						vulnerability_count_delta: prevVulnCount != null ? (LENGTH(uniqueMatches) - prevVulnCount) : null,
 						max_severity: LENGTH(cveMatches) > 0 ? MAX(cveMatches[*].severity_score) : 0,
 						scorecard_score: latest.openssf_scorecard_score,
 						severity_counts: severityCounts
