chore(component-status): SP-4012 include component status in vulnerabi… #33
📝 Walkthrough
Migrates local component resolution and DTOs to the external
Sequence Diagram

```mermaid
sequenceDiagram
    participant Client
    participant Adapter as Adapter Layer
    participant UseCase as Vulnerability UseCase
    participant CompHelper as Component Helper
    participant VulnDB as Vulnerability Store
    participant OSV as OSV Service
    Client->>Adapter: VulnerabilityRequest (raw components)
    Adapter->>Adapter: FromVulnerabilityRequestToComponentDTO
    Adapter-->>UseCase: []compHelper.ComponentDTO
    UseCase->>CompHelper: GetComponentsVersion(cfg, componentDTOs)
    CompHelper-->>UseCase: []compHelper.Component (statuses & versions)
    UseCase->>UseCase: Classify components (switch on StatusCode)
    alt Success
        UseCase->>VulnDB: Query vulnerabilities (trim 'v' from version)
        VulnDB-->>UseCase: Vulnerability data
    else ComponentNotFound / VersionNotFound
        alt No semver operator
            UseCase->>UseCase: Promote requirement as version -> treat as valid
            UseCase->>VulnDB: Query vulnerabilities
            VulnDB-->>UseCase: Vulnerability data
        else
            UseCase->>UseCase: Emit not-found output (no CPEs)
        end
    else InvalidPurl / InvalidSemver / ComponentWithoutInfo
        UseCase->>UseCase: Emit invalid component output
    end
    UseCase->>OSV: Process OSV requests for valid components
    OSV-->>UseCase: OSV vulnerabilities
    UseCase-->>Client: Combined VulnerabilityOutput
```
Estimated Code Review Effort: 🎯 4 (Complex) | ⏱️ ~50 minutes
Actionable comments posted: 2
🧹 Nitpick comments (1)
pkg/usecase/cpe.go (1)
69-93: Add a default status branch to prevent silent drops. Any unhandled status currently disappears from the response. A default branch keeps output stable as statuses evolve.
♻️ Suggested hardening
case domain.InvalidPurl, domain.ComponentWithoutInfo, domain.InvalidSemver: out = append(out, dtos.CpeComponentOutput{ Requirement: c.Requirement, Version: c.Requirement, Purl: c.Purl, Cpes: []string{}, ComponentStatus: c.Status, }) + default: + out = append(out, dtos.CpeComponentOutput{ + Requirement: c.Requirement, + Version: c.Version, + Purl: c.Purl, + Cpes: []string{}, + ComponentStatus: c.Status, + }) }🤖 Prompt for AI Agents
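Review bot: the suggested `default:` branch reports `Version: c.Version` while the `InvalidPurl`/`ComponentWithoutInfo`/`InvalidSemver` branch directly above it reports `Version: c.Requirement`, so a client would see different field semantics depending on which non-Success status it hit; settle on one (the Success path reports the resolved version, so `c.Version` is the better choice) and log `c.Status.StatusCode` in the default branch so a status added to the helper library later surfaces in the logs rather than only as an empty-CPE entry.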
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/cpe.go` around lines 69 - 93, The switch on c.Status.StatusCode in pkg/usecase/cpe.go currently omits a default branch so unknown statuses are dropped; add a default: case that mirrors the existing error handling (append a dtos.CpeComponentOutput to out using c.Requirement as Version, empty Cpes, Purl c.Purl and ComponentStatus c.Status) so that any unrecognized status will be returned instead of silently ignored; update the switch containing variables out, validComponents, and struct dtos.CpeComponentOutput to include this default branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/usecase/cpe.go`:
- Around line 70-82: The code currently treats empty c.Requirement as having no
semver operator and falls back to setting c.Version = c.Requirement and adding
it to validComponents; update the guard around HasSemverOperator(c.Requirement)
to first check that c.Requirement is non-empty (e.g., len(c.Requirement) > 0)
before applying the fallback. Specifically, in the case block handling
domain.ComponentNotFound and domain.VersionNotFound, only perform the fallback
assignment to c.Version and append to validComponents when c.Requirement is not
empty and HasSemverOperator(c.Requirement) returns false; otherwise treat the
item as unresolved and append the existing dtos.CpeComponentOutput to out
(preserving empty Cpes and original ComponentStatus). This change touches the
logic around HasSemverOperator, c.Requirement, c.Version, validComponents, and
dtos.CpeComponentOutput.
In `@pkg/usecase/vulnerability_use_case.go`:
- Line 52: The interface IVulnerabilityUseCase must be updated to match the
concrete method signature of VulnerabilityUseCase.Execute: change the Execute
method on IVulnerabilityUseCase to accept []compHelper.ComponentDTO (instead of
[]dtos.ComponentDTO) and return (dtos.VulnerabilityOutput, error), or
alternatively change VulnerabilityUseCase.Execute to use []dtos.ComponentDTO so
both signatures match; update the method declaration in the
IVulnerabilityUseCase interface to reference the same parameter type
(compHelper.ComponentDTO) and return types as in VulnerabilityUseCase.Execute to
restore interface compliance.
ℹ️ Review info
Configuration used: defaults
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
- go.sum is excluded by !**/*.sum
📒 Files selected for processing (17)
- CHANGELOG.md
- Makefile
- go.mod
- pkg/adapters/vulnerability_support.go
- pkg/helpers/component_helper.go
- pkg/helpers/component_helper_test.go
- pkg/models/cpe_purl.go
- pkg/models/cpe_purl_test.go
- pkg/service/vulnerability_service.go
- pkg/usecase/OSV_use_case.go
- pkg/usecase/OSV_use_case_test.go
- pkg/usecase/cpe.go
- pkg/usecase/cpe_test.go
- pkg/usecase/local_use_case.go
- pkg/usecase/local_use_case_test.go
- pkg/usecase/vulnerability_use_case.go
- pkg/usecase/vulnerability_use_case_test.go
💤 Files with no reviewable changes (2)
- pkg/helpers/component_helper_test.go
- pkg/helpers/component_helper.go
8db12b4 to 1f64c95
Actionable comments posted: 2
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
pkg/adapters/vulnerability_support.go (1)
108-131: ⚠️ Potential issue | 🟠 Major: Guard request pointers before dereferencing and indexing.
At line 110, `request.Components` is accessed without checking if `request` is nil, which will cause a panic. Additionally, at line 124, the check for `componentDTOs == nil` is insufficient: a nil slice and an empty slice are different in Go. If the slice is empty (len == 0), the nil check passes but indexing at `componentDTOs[0]` will panic. Both functions should also validate their input parameters to prevent unexpected nil values from being processed.
💡 Proposed fix
func FromComponentsRequestToComponentDTO(request *common.ComponentsRequest) ([]compHelper.ComponentDTO, error) { + if request == nil { + return nil, errors.New("components request is required") + } if request.Components == nil { return nil, errors.New("'components' key is missing") } var componentDTOs []compHelper.ComponentDTO if err := convertViaJSON(request.Components, &componentDTOs, "components request"); err != nil { return nil, err } return componentDTOs, nil } func FromComponentRequestToComponentDTO(request *common.ComponentRequest) (compHelper.ComponentDTO, error) { + if request == nil { + return compHelper.ComponentDTO{}, errors.New("component request is required") + } componentDTOs, err := FromComponentsRequestToComponentDTO( &common.ComponentsRequest{Components: []*common.ComponentRequest{request}}) if err != nil { return compHelper.ComponentDTO{}, err } - if componentDTOs == nil { + if len(componentDTOs) == 0 { return compHelper.ComponentDTO{}, errors.New("no valid components supplied to parse") } return componentDTOs[0], nil }🤖 Prompt for AI Agents
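Review bot: the `len(componentDTOs) == 0` check is the change that closes the panic: decoding an empty `components` array through `convertViaJSON` yields an empty but non-nil slice, so the old `componentDTOs == nil` test passes and `componentDTOs[0]` indexes past the end. The new `request == nil` guard in `FromComponentRequestToComponentDTO` is needed as well, because without it a nil `request` is wrapped into `[]*common.ComponentRequest{request}` and reaches `convertViaJSON` as a JSON `null` element instead of failing fast. Add table tests for the nil request, the empty array and the happy path so the guards are not regressed.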
Verify each finding against the current code and only fix it if needed. In `@pkg/adapters/vulnerability_support.go` around lines 108 - 131, Guard against nil request pointers and empty slices: in FromComponentsRequestToComponentDTO check that the incoming request itself is not nil before accessing request.Components and return a clear error if it is nil; also ensure convertViaJSON is only called when request.Components is present. In FromComponentRequestToComponentDTO validate the input request before wrapping it, and after calling FromComponentsRequestToComponentDTO check len(componentDTOs) > 0 (not just nil) before returning componentDTOs[0], returning a descriptive error when the slice is empty. Reference the functions FromComponentsRequestToComponentDTO and FromComponentRequestToComponentDTO and the variable componentDTOs when making these guards.
♻️ Duplicate comments (1)
pkg/usecase/cpe.go (1)
70-82: ⚠️ Potential issue | 🟠 Major: Prevent empty-requirement fallback from clobbering `Version`.
At line 71, `Requirement == ""` can still pass into the fallback path, and line 72 then overwrites `c.Version` with empty. That can trigger an unscoped CPE lookup downstream. Guard fallback with non-empty requirement and preserve `c.Version` in unresolved output.
🐛 Proposed fix
case domain.ComponentNotFound, domain.VersionNotFound: - if !compoHelperUtils.HasSemverOperator(c.Requirement) { + if c.Requirement != "" && !compoHelperUtils.HasSemverOperator(c.Requirement) { c.Version = c.Requirement validComponents = append(validComponents, c) } else { + version := c.Requirement + if version == "" { + version = c.Version + } out = append(out, dtos.CpeComponentOutput{ Requirement: c.Requirement, - Version: c.Requirement, + Version: version, Purl: c.Purl, Cpes: []string{}, ComponentStatus: c.Status, }) }🤖 Prompt for AI Agents
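Review bot: in the `else` branch this diff reports `version := c.Requirement` and falls back to `c.Version` only when the requirement is empty, which inverts the comment's own goal of preserving `c.Version`; by construction the requirement in that branch is either empty or carries a semver operator (the `if` just excluded every other case), so writing it into the `Version` field labels an operator expression such as a range as a version. Report `c.Version` there and leave the requirement in `Requirement`.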
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/cpe.go` around lines 70 - 82, The fallback branch is overwriting c.Version when c.Requirement may be empty; update the branch handling domain.ComponentNotFound and domain.VersionNotFound to first check that c.Requirement is non-empty before assigning c.Version = c.Requirement (use compoHelperUtils.HasSemverOperator(c.Requirement) only after confirming non-empty), and when emitting the unresolved dtos.CpeComponentOutput preserve the existing c.Version (do not set Version to an empty Requirement) while still populating Requirement and other fields; ensure validComponents is only appended when a non-empty requirement is used to set Version.
🧹 Nitpick comments (1)
pkg/models/cpe_purl.go (1)
146-146: Minor stylistic inconsistency with other slice initializations in this file. The change is functionally correct, but the rest of the file uses `[]CpePurl{}` for empty slice initialization (lines 51, 55, 79, 96, 111, 125, 134). Consider keeping the style consistent throughout the file; either approach works, but uniformity aids readability.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/models/cpe_purl.go` at line 146, Replace the slice initialization for variable `output` in pkg/models/cpe_purl.go from make([]CpePurl, 0) to the literal form []CpePurl{} to match the existing stylistic convention used elsewhere in this file (see other initializations such as the ones around the functions that initialize slices at the top of the file); this keeps slice creation consistent and improves readability.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/usecase/cpe.go`:
- Around line 85-92: The current error branch for statuses domain.InvalidPurl,
domain.ComponentWithoutInfo, and domain.InvalidSemver sets Version to
c.Requirement which drops the original version for version-only inputs; update
the construction of dtos.CpeComponentOutput in that case to set Version using
c.Version (or fallback to c.Requirement if c.Version is empty) while leaving
Requirement as-is, i.e. ensure the object uses c.Version for the Version field
and still sets Requirement to c.Requirement so version-only inputs are
preserved.
In `@pkg/usecase/vulnerability_use_case.go`:
- Around line 75-89: The switch on c.Status.StatusCode can silently drop unknown
statuses; add a default case that appends the component c to notValidComponents
(so it’s not lost) and emit a debug/warn log including c.Status.StatusCode and
identifying info (e.g., c.Purl or c.Requirement) to aid troubleshooting; update
the switch that uses compoHelperUtils.HasSemverOperator, validComponents, and
notValidComponents to include this default, and apply the same change to the
analogous switch handling c.Status.StatusCode in the CPE use case.
🚧 Files skipped from review as they are similar to previous changes (4)
- Makefile
- pkg/usecase/OSV_use_case_test.go
- pkg/usecase/local_use_case_test.go
- pkg/usecase/cpe_test.go
pkg/usecase/cpe.go (outdated)

```go
case domain.InvalidPurl, domain.ComponentWithoutInfo, domain.InvalidSemver:
	out = append(out, dtos.CpeComponentOutput{
		Requirement: c.Requirement,
		Version:     c.Requirement,
```
…lity and CPEs responses
1f64c95 to 1cc5f89
Actionable comments posted: 1
♻️ Duplicate comments (2)
pkg/usecase/cpe.go (1)
70-82: ⚠️ Potential issue | 🟠 Major: Guard fallback-to-requirement when requirement is empty.
When `c.Requirement` is empty, `HasSemverOperator("")` returns `false`, causing the code to enter the `if` branch at lines 71-73. This sets `c.Version = c.Requirement` (empty string) and adds to `validComponents`, which may result in an unscoped CPE lookup with an empty version.
🐛 Proposed fix
case domain.ComponentNotFound, domain.VersionNotFound: - if !compoHelperUtils.HasSemverOperator(c.Requirement) { + if c.Requirement != "" && !compoHelperUtils.HasSemverOperator(c.Requirement) { c.Version = c.Requirement validComponents = append(validComponents, c) } else { out = append(out, dtos.CpeComponentOutput{ Requirement: c.Requirement, Version: c.Version, Purl: c.Purl, Cpes: []string{}, ComponentStatus: c.Status, }) }🤖 Prompt for AI Agents
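Review bot: this revision has the right shape: `c.Requirement != ""` is evaluated before `HasSemverOperator`, and the unresolved output keeps `c.Version` instead of copying the requirement. Pin it in `cpe_test.go` with two cases, a `VersionNotFound` component with an empty requirement that must end up in `out` with empty `Cpes`, and one with a bare version as requirement that must be promoted into `validComponents` with `Version` equal to `Requirement`.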
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/cpe.go` around lines 70 - 82, The fallback that assigns c.Version = c.Requirement must be guarded against empty requirements: change the branch that currently checks compoHelperUtils.HasSemverOperator(c.Requirement) to also ensure c.Requirement is non-empty (e.g., require c.Requirement != "" && !compoHelperUtils.HasSemverOperator(...)) so you only set c.Version and append to validComponents when there is a non-empty requirement; if the requirement is empty, treat it like the current else-path and append a dtos.CpeComponentOutput with empty Cpes and preserve ComponentStatus (use the existing symbols compoHelperUtils.HasSemverOperator, c.Requirement, c.Version, validComponents, and dtos.CpeComponentOutput to locate and update the code).
pkg/usecase/vulnerability_use_case.go (1)
75-89: ⚠️ Potential issue | 🟠 Major: Unhandled status codes are still silently dropped.
The switch still has no `default` branch, so unexpected `StatusCode` values won't be appended to either `validComponents` or `notValidComponents`, and can disappear from the final response.
Proposed fix
case domain.Success: validComponents = append(validComponents, c) case domain.InvalidPurl, domain.ComponentWithoutInfo, domain.InvalidSemver: notValidComponents = append(notValidComponents, c) + default: + us.s.Warnf("Unhandled component status '%s' for purl '%s'", c.Status.StatusCode, c.Purl) + notValidComponents = append(notValidComponents, c) }🤖 Prompt for AI Agents
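Review bot: routing unknown statuses to `notValidComponents` is the safe choice, since a status the code does not recognise must not trigger a vulnerability lookup for a component whose version the helper could not confirm; `us.s.Warnf` matches the `us.s.Debugf` logger already used at line 53, so no new dependency is introduced. The same `default:` branch is still absent from the status switch in `pkg/usecase/cpe.go` (lines 69-93) that the first round flagged, and both switches should be changed together so the two use cases stay in step.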
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/vulnerability_use_case.go` around lines 75 - 89, The switch on c.Status.StatusCode in the processing loop (referenced by c.Status.StatusCode, validComponents and notValidComponents) lacks a default branch so unexpected status codes are silently dropped; add a default case that appends the component c to notValidComponents (and optionally log or annotate the unexpected status) so every component is classified and no items are lost from the final response.
🧹 Nitpick comments (2)
pkg/usecase/vulnerability_use_case_test.go (1)
24-24: Consider using a consistent import alias across the codebase. This file uses `componentHelper` as the alias, while other files in this PR use `compHelper` (e.g., `vulnerability_service.go`, `OSV_use_case.go`, `cpe.go`). While functional, consistent aliasing improves readability.
♻️ Suggested fix for consistency
- componentHelper "github.com/scanoss/go-component-helper/componenthelper" + compHelper "github.com/scanoss/go-component-helper/componenthelper"Then update usages from
`componentHelper.ComponentDTO` to `compHelper.ComponentDTO`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/vulnerability_use_case_test.go` at line 24, Update the import alias from componentHelper to compHelper in this test file and change all usages accordingly (e.g., componentHelper.ComponentDTO -> compHelper.ComponentDTO) so the alias matches other files like vulnerability_service.go, OSV_use_case.go and cpe.go; update the import line and all references in pkg/usecase/vulnerability_use_case_test.go and run gofmt/goimports to ensure imports and formatting are correct.
pkg/usecase/vulnerability_use_case.go (1)
53-53: Prefer count-based logs over full slice dumps. These `Debugf("%+v", ...)` logs can get very large and noisy with bigger requests. Consider logging counts (and maybe a small sample) instead of entire component arrays.
Refactor example
- us.s.Debugf("Processing Vulnerabilities request: %v", componentDTOs) + us.s.Debugf("Processing vulnerabilities request. components=%d", len(componentDTOs)) - us.s.Debugf("Processed Components: %+v\n", processedComponents) + us.s.Debugf("Processed components count=%d", len(processedComponents)) - us.s.Debugf("Valid Components: %+v\n", validComponents) - us.s.Debugf("Invalid Components: %+v\n", notValidComponents) + us.s.Debugf("Valid components count=%d", len(validComponents)) + us.s.Debugf("Invalid components count=%d", len(notValidComponents))Also applies to: 73-73, 91-92
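Review bot: the `%v` dump at line 53 writes every purl and requirement of the request to the debug log, so the count-based form also bounds log volume and keeps request contents out of the log; if a sample is kept, slice it with a length guard (`componentDTOs[:min(3, len(componentDTOs))]`, which relies on the `min` built-in added in Go 1.21), since slicing `[:3]` on a request with fewer than three components panics.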
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/usecase/vulnerability_use_case.go` at line 53, Replace verbose slice dumps in the Debugf logs with count-based (and optional small sample) logging: instead of logging componentDTOs directly in the us.s.Debugf call, log the length (len(componentDTOs)) and, if helpful, include a deterministic small sample (e.g., componentDTOs[:min(3, len(...))]) or the first/last item; apply the same change to the other occurrences referenced (the Debugf at lines that log componentDTOs around 73 and the logs at 91-92) so the statements still convey useful info but avoid printing entire slices.
🚧 Files skipped from review as they are similar to previous changes (5)
- pkg/models/cpe_purl.go
- pkg/usecase/cpe_test.go
- Makefile
- pkg/models/cpe_purl_test.go
- go.mod
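The status switch argued over in the three rounds above (promote an operator-free requirement to a version, guard the empty requirement, add a default branch, keep Cpes as an empty slice) written out end to end, as an added Go example that is not the project's code: the StatusCode values, the Status/Component shapes and hasSemverOperator are stand-ins for the domain, compHelper and compoHelperUtils symbols the thread refers to, and the sample components are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// StatusCode values are assumed for this example; the names follow the domain
// constants the review thread switches on (domain.Success, domain.InvalidPurl, ...).
type StatusCode int

const (
	Success StatusCode = iota
	ComponentNotFound
	VersionNotFound
	InvalidPurl
	InvalidSemver
	ComponentWithoutInfo
)

// Status and Component stand in for the compHelper types the helper returns (assumed).
type Status struct {
	StatusCode StatusCode
}

type Component struct {
	Purl        string
	Requirement string
	Version     string
	Status      Status
}

// CpeComponentOutput mirrors dtos.CpeComponentOutput (field names from the thread).
type CpeComponentOutput struct {
	Requirement     string
	Version         string
	Purl            string
	Cpes            []string
	ComponentStatus Status
}

// hasSemverOperator stands in for compoHelperUtils.HasSemverOperator (assumed).
func hasSemverOperator(requirement string) bool {
	return strings.ContainsAny(requirement, "^~<>=*|") || strings.Contains(requirement, " - ")
}

// classify applies the three review points: the Success version is normalised
// (leading "v" trimmed), an empty requirement is never promoted to a version,
// and unknown status codes hit a default branch that logs and keeps the component.
func classify(components []Component, warn func(string)) (valid []Component, out []CpeComponentOutput) {
	for _, c := range components {
		switch c.Status.StatusCode {
		case Success:
			c.Version = strings.TrimPrefix(c.Version, "v")
			valid = append(valid, c)
		case ComponentNotFound, VersionNotFound:
			// A bare version ("1.3.0") can be queried as-is; an operator or empty string cannot.
			if c.Requirement != "" && !hasSemverOperator(c.Requirement) {
				c.Version = c.Requirement
				valid = append(valid, c)
			} else {
				out = append(out, unresolved(c))
			}
		case InvalidPurl, InvalidSemver, ComponentWithoutInfo:
			out = append(out, unresolved(c))
		default:
			warn(fmt.Sprintf("unhandled component status %d for purl %q", c.Status.StatusCode, c.Purl))
			out = append(out, unresolved(c))
		}
	}
	return valid, out
}

// unresolved keeps Requirement and Version exactly as the caller sent them and
// uses an empty, non-nil Cpes slice so it serialises as [] rather than null.
func unresolved(c Component) CpeComponentOutput {
	return CpeComponentOutput{Requirement: c.Requirement, Version: c.Version, Purl: c.Purl,
		Cpes: []string{}, ComponentStatus: c.Status}
}

// sampleComponents is constructed input that exercises every branch of the switch.
func sampleComponents() []Component {
	return []Component{
		{Purl: "pkg:npm/lodash", Requirement: "^4.17.0", Version: "v4.17.21", Status: Status{Success}},
		{Purl: "pkg:npm/left-pad", Requirement: "1.3.0", Status: Status{VersionNotFound}},
		{Purl: "pkg:npm/express", Requirement: ">=2.0.0", Status: Status{VersionNotFound}},
		{Purl: "pkg:npm/ghost", Status: Status{ComponentNotFound}},
		{Purl: "not-a-purl", Requirement: "1.0.0", Status: Status{InvalidPurl}},
		{Purl: "pkg:npm/future", Requirement: "2.0.0", Status: Status{StatusCode(99)}}, // status added later
	}
}

func main() {
	valid, out := classify(sampleComponents(), func(m string) { fmt.Println("WARN:", m) })
	fmt.Printf("%d components go to the CPE lookup, %d are reported unresolved\n", len(valid), len(out))
	for _, o := range out {
		fmt.Printf("  %-18s version=%q status=%d cpes=%v\n", o.Purl, o.Version, o.ComponentStatus.StatusCode, o.Cpes)
	}
}
```

On the interface-mismatch finding from the first round, the cheap guard is a blank assignment next to the type, such as `var _ IVulnerabilityUseCase = (*VulnerabilityUseCase)(nil)`, so a drift between the parameter types of Execute in the interface and in the implementation fails the build instead of surfacing when the service is wired up.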
}

-	cvss := []dtos.CVSS{}
+	var cvss []dtos.CVSS
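Review bot: with `var cvss []dtos.CVSS` the field marshals as `"cvss":null` whenever no score is appended, a wire-format change for every consumer that ranges over the array; keep `cvss := []dtos.CVSS{}` unless the response contract is being versioned. The alternative of adding `omitempty` to the `Cvss` tag omits the field for an empty slice as well as a nil one, so it would also drop the existing `"cvss":[]` shape rather than only the `null` case.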
🧩 Analysis chain
🏁 Script executed:

```sh
# First, find the CVSS DTO definition and its JSON tags
rg -n 'Cvss.*\[\]' --type=go -C2
```

Repository: scanoss/vulnerabilities
Length of output: 398
🏁 Script executed:

```sh
# Check the context around line 308 in OSV_use_case.go
sed -n '300,320p' pkg/usecase/OSV_use_case.go
```

Repository: scanoss/vulnerabilities
Length of output: 603
🏁 Script executed:

```sh
# Search for the CVSS type definition in dtos
fd -e go | xargs grep -l "type CVSS" | head -5
```

Repository: scanoss/vulnerabilities
Length of output: 117
This initialization change alters JSON serialization of the cvss field.
The change from `cvss := []dtos.CVSS{}` to `var cvss []dtos.CVSS` switches the JSON output from an empty array to null when no CVSS data exists. The `Cvss` field in the DTO has no `omitempty` tag, so the nil value will be included as `"cvss": null` instead of `"cvss": []`. This could break downstream consumers expecting an empty array. Consider either:
- Reverting to empty slice initialization for backward compatibility, or
- Adding `omitempty` to the `Cvss` field tag if null is acceptable
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@pkg/usecase/OSV_use_case.go` at line 308, The cvss variable was changed to a
nil slice (var cvss []dtos.CVSS) which causes JSON to emit "cvss": null instead
of an empty array; to fix, initialize cvss as an empty slice (cvss :=
[]dtos.CVSS{}) where it’s declared in OSV_use_case.go (refer to the cvss
variable in the function around that diff) to preserve previous JSON shape, or
alternatively update the DTO's Cvss field tag to include `omitempty` if null
should be omitted—choose the empty-slice initialization for backward
compatibility unless you intentionally want omitempty behavior.
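The nil-versus-empty-slice finding on vulnerability_support.go (second round) and the cvss finding above come down to the same two Go behaviours, shown here in one added example that is not the project's code: the request/DTO types, convertViaJSON and the CVSS field names are assumptions standing in for the common.* request types, compHelper.ComponentDTO and dtos.CVSS, and all inputs are constructed. It reproduces why an empty components array passed the old == nil test, rejects a null element (a hardening the suggested diff does not include), and renders the JSON shapes a nil slice, an empty slice and omitempty produce.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Request and DTO shapes assumed for this example; they stand in for
// common.ComponentsRequest, common.ComponentRequest and compHelper.ComponentDTO.
type ComponentRequest struct{ Purl string `json:"purl"` }
type ComponentsRequest struct{ Components []*ComponentRequest `json:"components"` }
type ComponentDTO struct{ Purl string `json:"purl"` }

// convertViaJSON mirrors the adapter's marshal/unmarshal conversion (assumed).
// Two encoding/json facts matter: "[]" decodes to an empty NON-nil slice, and
// "[null]" decodes to a single zero-value element.
func convertViaJSON(src, dst any) error {
	b, err := json.Marshal(src)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, dst)
}

// FromComponentsRequestToComponentDTO guards the request pointer before touching
// request.Components and rejects null elements rather than turning them into
// empty DTOs (the null-element check goes beyond the suggested diff).
func FromComponentsRequestToComponentDTO(request *ComponentsRequest) ([]ComponentDTO, error) {
	if request == nil {
		return nil, errors.New("components request is required")
	}
	if request.Components == nil {
		return nil, errors.New("'components' key is missing")
	}
	for i, c := range request.Components {
		if c == nil {
			return nil, fmt.Errorf("component %d is null", i)
		}
	}
	var componentDTOs []ComponentDTO
	if err := convertViaJSON(request.Components, &componentDTOs); err != nil {
		return nil, err
	}
	return componentDTOs, nil
}

// FromComponentRequestToComponentDTO wraps a single request. The len() test is what
// closes the panic: an empty "components" array decodes to an empty non-nil slice,
// so "componentDTOs == nil" is false and componentDTOs[0] would index past the end.
func FromComponentRequestToComponentDTO(request *ComponentRequest) (ComponentDTO, error) {
	if request == nil {
		return ComponentDTO{}, errors.New("component request is required")
	}
	componentDTOs, err := FromComponentsRequestToComponentDTO(
		&ComponentsRequest{Components: []*ComponentRequest{request}})
	if err != nil {
		return ComponentDTO{}, err
	}
	if len(componentDTOs) == 0 {
		return ComponentDTO{}, errors.New("no valid components supplied to parse")
	}
	return componentDTOs[0], nil
}

// CVSS (field names assumed) shows the serialisation side of the same distinction.
type CVSS struct {
	Score  float64 `json:"score"`
	Vector string  `json:"vector"`
}

// cvssJSON renders one vulnerability with the plain tag (nil -> "cvss":null,
// empty -> "cvss":[]) or with omitempty, which drops nil AND empty slices.
func cvssJSON(id string, cvss []CVSS, omitEmpty bool) (string, error) {
	var v any = struct {
		ID   string `json:"id"`
		Cvss []CVSS `json:"cvss"`
	}{id, cvss}
	if omitEmpty {
		v = struct {
			ID   string `json:"id"`
			Cvss []CVSS `json:"cvss,omitempty"`
		}{id, cvss}
	}
	b, err := json.Marshal(v)
	return string(b), err
}

func main() {
	// Constructed inputs: the empty array that used to panic, a nil request, and nil/empty CVSS.
	empty, err := FromComponentsRequestToComponentDTO(&ComponentsRequest{Components: []*ComponentRequest{}})
	fmt.Printf("empty array: nil=%t len=%d err=%v\n", empty == nil, len(empty), err)
	_, err = FromComponentRequestToComponentDTO(nil)
	fmt.Println("nil request:", err)
	for _, c := range [][]CVSS{nil, {}, {{Score: 7.5, Vector: "CVSS:3.1/AV:N"}}} {
		plain, _ := cvssJSON("OSV-1", c, false)
		omit, _ := cvssJSON("OSV-1", c, true)
		fmt.Println(plain, "|", omit)
	}
}
```

The empty-array case is the one worth keeping in the adapter's tests: it is the input a client sends as `{"components": []}`, it passes every nil check, and only the length check stands between it and the index panic.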
…lity and CPEs responses