Promote CVE canonical as Cve.Id for GHSA findings to fix FK violations#187
For GITHUB-sourced findings whose vulnId is a GHSA, promote the lexicographically first CVE canonical from the references map to Cve.Id. This ensures v13s upserts a cve row for the canonical, satisfying the cve_alias_canonical_fkey FK constraint.

- Guard promotion with strings.HasPrefix(vulnId, "GHSA-") to avoid overwriting Cve.Id when vulnId is already a CVE
- Trim references to the promoted canonical only; remaining CVE keys would have no cve row and would also violate the FK constraint
- Link updated to NVD URL for the promoted canonical
- Add sort.Strings for deterministic behaviour when a GHSA maps to multiple CVE IDs
- Add/update 13 test cases covering all promotion and edge case paths
Pull request overview
This PR updates ParseFinding’s alias handling for Dependency-Track findings so that GITHUB-sourced GHSA vulnerabilities promote a deterministic “canonical” CVE into Cve.Id, avoiding foreign key violations caused by multiple CVE aliases. Tests are expanded to cover promotion behavior, reference trimming, and link selection.
Changes:

- Promote the lexicographically first alias key to `Cve.Id` for `source == "GITHUB"` findings whose `vulnId` is a `GHSA-*`, and trim references down to only the promoted canonical.
- Update promoted findings' `Cve.Link` to the NVD CVE detail page.
- Expand/adjust unit tests to validate `Cve.Id`, `Cve.Link`, and `References` across multiple alias scenarios.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/dependencytrack/finding.go | Adds canonical CVE promotion + reference trimming for GITHUB GHSA findings; updates link for promoted canonicals. |
| pkg/dependencytracktest/finding_test.go | Updates and expands tests to assert promoted Cve.Id, updated link behavior, and trimmed references. |
When trimming references to the promoted canonical, use references[canonical] rather than vulnId — if the alias entry's ghsaId differs from vulnId the original association was being silently rewritten. Add test case: GITHUB finding where ghsaId differs from vulnId.
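The promotion rule from the PR description, combined with the review suggestion above to keep `references[canonical]` rather than rewriting the alias value to `vulnId`, written out as an added Go example. This is not the project's code: the `Finding` and `Cve` types, the `ResolveCanonical` and `cveKeys` names, the `link` parameter, and the assumption that `References` maps a CVE ID to the GHSA alias it was derived from are all assumptions made for this example; the NVD detail-page URL pattern is NVD's public one, and the sample IDs are constructed placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Cve and Finding are reduced, assumed shapes for this example; they are not
// the project's real types.
type Cve struct {
	Id   string
	Link string
}

type Finding struct {
	Source     string
	VulnId     string
	Cve        Cve
	References map[string]string // assumed: CVE ID -> GHSA alias it was derived from
}

// nvdLink builds the NVD CVE detail page URL for a CVE ID.
func nvdLink(cveId string) string {
	return "https://nvd.nist.gov/vuln/detail/" + cveId
}

// cveKeys collects the CVE-prefixed keys of references, sorted so that the
// choice of canonical is deterministic when a GHSA maps to several CVEs.
// Restricting to "CVE-" keys is an assumption for this example.
func cveKeys(references map[string]string) []string {
	keys := make([]string, 0, len(references))
	for k := range references {
		if strings.HasPrefix(k, "CVE-") {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// ResolveCanonical decides the final Cve.Id (the "primaryId") for a finding.
// Promotion happens only for GITHUB findings whose vulnId is GHSA-prefixed,
// so a vulnId that is already a CVE is never overwritten. When promoted:
//   - Cve.Id becomes the lexicographically first CVE key in references,
//   - Cve.Link points at that CVE's NVD detail page,
//   - References is trimmed to that single key, keeping its original value
//     (references[canonical]) instead of rewriting it to vulnId.
// Any other finding keeps vulnId, its original link and its references untouched.
func ResolveCanonical(source, vulnId, link string, references map[string]string) Finding {
	primaryId, primaryLink, refs := vulnId, link, references

	if source == "GITHUB" && strings.HasPrefix(vulnId, "GHSA-") {
		if keys := cveKeys(references); len(keys) > 0 {
			canonical := keys[0]
			primaryId = canonical
			primaryLink = nvdLink(canonical)
			// Only the promoted canonical gets a cve row upserted, so every other
			// key would violate the alias FK; keep just this one entry (new map,
			// so the caller's input is not mutated).
			refs = map[string]string{canonical: references[canonical]}
		}
	}

	return Finding{
		Source:     source,
		VulnId:     vulnId,
		Cve:        Cve{Id: primaryId, Link: primaryLink},
		References: refs,
	}
}

func main() {
	// Constructed sample: one GHSA that maps to two CVEs (all IDs are placeholders).
	refs := map[string]string{
		"CVE-2024-0002": "GHSA-xxxx-xxxx-xxx2",
		"CVE-2024-0001": "GHSA-xxxx-xxxx-xxx1",
	}
	f := ResolveCanonical("GITHUB", "GHSA-xxxx-xxxx-xxx2", "https://example.invalid/advisory", refs)
	fmt.Println(f.Cve.Id, f.Cve.Link, f.References)
}
```

The trimmed map is built fresh rather than deleting keys from the input, so the caller's references are left intact; the GHSA-prefix guard and the sorted key list reproduce the two safeguards the PR description calls out.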
cveId was initialised from vulnId (which can be GHSA-prefixed) and only promoted to a CVE string on the happy path. primaryId makes clear it is the final Cve.Id value regardless of whether promotion occurred, and avoids shadowing the alias-field local also named cveId.
This pull request improves the handling of vulnerability alias promotion for GITHUB-sourced findings in the `dependencytrack` package. The main change ensures that when a GITHUB finding references multiple CVE aliases, the lexicographically first CVE is promoted to be the primary canonical identifier (`Cve.Id`), and related references are trimmed to avoid foreign key violations. The test suite is expanded and updated to cover these new behaviors comprehensively.

Vulnerability alias handling improvements:

- In `pkg/dependencytrack/finding.go`, added logic to promote the lexicographically first CVE alias to `Cve.Id` for GITHUB findings with a `GHSA-` vulnId, ensuring deterministic and FK-safe canonical selection. References are trimmed to only include the promoted CVE.

Test suite enhancements:

- Updated `pkg/dependencytracktest/finding_test.go` to verify correct promotion of CVE aliases, proper trimming of references, and accurate setting of `Cve.Id` and `Cve.Link` for various combinations of GITHUB and NVD findings with aliases.

Internal code maintenance:

- Added the `sort` package in `pkg/dependencytrack/finding.go` to support deterministic selection of the canonical CVE alias.