Fix vulnerability duplication in session metadata filtering (mcp-oj2)

Problem:
- When filtering by sessionMetadataName, vulnerabilities appearing in multiple
  sessions were added to results multiple times
- Caused inflated totals, broken pagination, and duplicate entries
- Common scenario: vuln found in both "main" and "develop" branches

Root Cause:
- Nested loop used `break` which only exited innermost loop
- Code continued iterating over remaining SessionMetadata objects
- Same vulnerability added multiple times if it matched in multiple sessions

Solution:
- Added labeled break `sessionLoop:` on SessionMetadata loop
- Changed `break` to `break sessionLoop` to exit both inner loops
- Ensures each vulnerability appears at most once in results
- Continues processing other vulnerabilities correctly

Test Coverage:
- Added test case for vulnerability with 2 matching session metadata objects
- Verifies vulnerability appears exactly once (not duplicated)
- All existing tests pass (62 tests total)

Benefits:
- Accurate pagination counts
- No duplicate vulnerabilities in results
- Slight performance improvement (stops after first match per vuln)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: ChrisEdwards

src/main/java/com/contrast/labs/ai/mcp/contrast/AssessService.java

@@ -788,6 +788,7 @@ public PaginatedResponse<VulnLight> searchAppVulnerabilities(
         var filteredVulns = new ArrayList<VulnLight>();
         for (VulnLight vuln : vulnerabilities) {
           if (vuln.sessionMetadata() != null) {
+            sessionLoop:
             for (SessionMetadata sm : vuln.sessionMetadata()) {
               for (MetadataItem metadataItem : sm.getMetadata()) {
                 // Match on display label (required)
@@ -808,7 +809,7 @@ public PaginatedResponse<VulnLight> searchAppVulnerabilities(
                       vuln.vulnID(),
                       sessionMetadataName,
                       sessionMetadataValue);
-                  break;
+                  break sessionLoop;
                 }
               }
             }

src/test/java/com/contrast/labs/ai/mcp/contrast/AnonymousLibraryExtendedBuilder.java

@@ -0,0 +1,223 @@
+package com.contrast.labs.ai.mcp.contrast;
+
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.mock;
+
+import com.contrast.labs.ai.mcp.contrast.sdkextension.data.LibraryExtended;
+import com.contrast.labs.ai.mcp.contrast.sdkextension.data.LibraryVulnerabilityExtended;
+import com.contrastsecurity.models.Application;
+import com.contrastsecurity.models.Server;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * Builder for creating anonymous LibraryExtended mocks with sensible defaults. Only override fields
+ * that matter for your specific test.
+ *
+ * <p>Example usage:
+ *
+ * <pre>
+ * LibraryExtended lib = AnonymousLibraryExtendedBuilder.validLibrary()
+ *     .withFilename("log4j-core-2.14.1.jar")
+ *     .withVersion("2.14.1")
+ *     .withClassCount(100)
+ *     .build();
+ * </pre>
+ */
+public class AnonymousLibraryExtendedBuilder {
+  private final LibraryExtended library;
+  private String filename = "library-" + UUID.randomUUID().toString().substring(0, 8) + ".jar";
+  private String version = "1.0." + UUID.randomUUID().toString().substring(0, 4);
+  private String hash = "hash-" + UUID.randomUUID().toString().substring(0, 16);
+  private String group = "com.example";
+  private String grade = "B";
+  private String manifest = "Manifest-Version: 1.0";
+  private String fileVersion = "1.0.0";
+  private String appId = "app-" + UUID.randomUUID().toString().substring(0, 8);
+  private String appName = "TestApp";
+  private String appContextPath = "/app";
+  private String appLanguage = "Java";
+  private String latestVersion = "1.1.0";
+  private long libraryId = Math.abs(UUID.randomUUID().getLeastSignificantBits());
+  private int classCount = 100;
+  private int classedUsed = 50;
+  private long releaseDate = System.currentTimeMillis();
+  private long latestReleaseDate = System.currentTimeMillis();
+  private int totalVulnerabilities = 0;
+  private int highVulnerabilities = 0;
+  private boolean custom = false;
+  private double libScore = 75.0;
+  private int monthsOutdated = 0;
+  private List<Application> applications = new ArrayList<>();
+  private List<Server> servers = new ArrayList<>();
+  private List<LibraryVulnerabilityExtended> vulnerabilities = new ArrayList<>();
+
+  private AnonymousLibraryExtendedBuilder() {
+    this.library = mock(LibraryExtended.class);
+  }
+
+  /** Create a builder with valid defaults for all required fields. */
+  public static AnonymousLibraryExtendedBuilder validLibrary() {
+    return new AnonymousLibraryExtendedBuilder();
+  }
+
+  public AnonymousLibraryExtendedBuilder withFilename(String filename) {
+    this.filename = filename;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withVersion(String version) {
+    this.version = version;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withHash(String hash) {
+    this.hash = hash;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withGroup(String group) {
+    this.group = group;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withGrade(String grade) {
+    this.grade = grade;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withManifest(String manifest) {
+    this.manifest = manifest;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withFileVersion(String fileVersion) {
+    this.fileVersion = fileVersion;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withAppId(String appId) {
+    this.appId = appId;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withAppName(String appName) {
+    this.appName = appName;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withAppContextPath(String appContextPath) {
+    this.appContextPath = appContextPath;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withAppLanguage(String appLanguage) {
+    this.appLanguage = appLanguage;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withLatestVersion(String latestVersion) {
+    this.latestVersion = latestVersion;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withLibraryId(long libraryId) {
+    this.libraryId = libraryId;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withClassCount(int classCount) {
+    this.classCount = classCount;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withClassedUsed(int classedUsed) {
+    this.classedUsed = classedUsed;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withReleaseDate(long releaseDate) {
+    this.releaseDate = releaseDate;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withLatestReleaseDate(long latestReleaseDate) {
+    this.latestReleaseDate = latestReleaseDate;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withTotalVulnerabilities(int totalVulnerabilities) {
+    this.totalVulnerabilities = totalVulnerabilities;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withHighVulnerabilities(int highVulnerabilities) {
+    this.highVulnerabilities = highVulnerabilities;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withCustom(boolean custom) {
+    this.custom = custom;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withLibScore(double libScore) {
+    this.libScore = libScore;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withMonthsOutdated(int monthsOutdated) {
+    this.monthsOutdated = monthsOutdated;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withApplications(List<Application> applications) {
+    this.applications = applications;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withServers(List<Server> servers) {
+    this.servers = servers;
+    return this;
+  }
+
+  public AnonymousLibraryExtendedBuilder withVulnerabilities(
+      List<LibraryVulnerabilityExtended> vulnerabilities) {
+    this.vulnerabilities = vulnerabilities;
+    return this;
+  }
+
+  /**
+   * Build the LibraryExtended mock with all configured values. Uses lenient stubbing to avoid
+   * UnnecessaryStubbingException for fields not accessed in specific tests.
+   */
+  public LibraryExtended build() {
+    lenient().when(library.getFilename()).thenReturn(filename);
+    lenient().when(library.getVersion()).thenReturn(version);
+    lenient().when(library.getHash()).thenReturn(hash);
+    lenient().when(library.getGroup()).thenReturn(group);
+    lenient().when(library.getGrade()).thenReturn(grade);
+    lenient().when(library.getManifest()).thenReturn(manifest);
+    lenient().when(library.getFileVersion()).thenReturn(fileVersion);
+    lenient().when(library.getAppId()).thenReturn(appId);
+    lenient().when(library.getAppName()).thenReturn(appName);
+    lenient().when(library.getAppContextPath()).thenReturn(appContextPath);
+    lenient().when(library.getAppLanguage()).thenReturn(appLanguage);
+    lenient().when(library.getLatestVersion()).thenReturn(latestVersion);
+    lenient().when(library.getLibraryId()).thenReturn(libraryId);
+    lenient().when(library.getClassCount()).thenReturn(classCount);
+    lenient().when(library.getClassedUsed()).thenReturn(classedUsed);
+    lenient().when(library.getReleaseDate()).thenReturn(releaseDate);
+    lenient().when(library.getLatestReleaseDate()).thenReturn(latestReleaseDate);
+    lenient().when(library.getTotalVulnerabilities()).thenReturn(totalVulnerabilities);
+    lenient().when(library.getHighVulnerabilities()).thenReturn(highVulnerabilities);
+    lenient().when(library.isCustom()).thenReturn(custom);
+    lenient().when(library.getLibScore()).thenReturn(libScore);
+    lenient().when(library.getMonthsOutdated()).thenReturn(monthsOutdated);
+    lenient().when(library.getApplications()).thenReturn(applications);
+    lenient().when(library.getServers()).thenReturn(servers);
+    lenient().when(library.getVulnerabilities()).thenReturn(vulnerabilities);
+    return library;
+  }
+}

src/test/java/com/contrast/labs/ai/mcp/contrast/AnonymousScanBuilder.java

@@ -0,0 +1,109 @@
+package com.contrast.labs.ai.mcp.contrast;
+
+import static org.mockito.Mockito.lenient;
+import static org.mockito.Mockito.mock;
+
+import com.contrastsecurity.sdk.scan.Scan;
+import com.contrastsecurity.sdk.scan.ScanStatus;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
+
+/**
+ * Builder for creating anonymous Scan mocks with sensible defaults. Only override fields that
+ * matter for your specific test.
+ *
+ * <p>Note: Scan is an interface, so this builder mocks the interface methods (not getters).
+ *
+ * <p>Example usage:
+ *
+ * <pre>
+ * Scan scan = AnonymousScanBuilder.validScan()
+ *     .withId("scan-123")
+ *     .withStatus(ScanStatus.COMPLETED)
+ *     .withSarif("{\"version\":\"2.1.0\"}")
+ *     .build();
+ * </pre>
+ */
+public class AnonymousScanBuilder {
+  private final Scan scan;
+  private String id = "scan-" + UUID.randomUUID().toString().substring(0, 8);
+  private String projectId = "project-" + UUID.randomUUID().toString().substring(0, 8);
+  private String organizationId = "org-" + UUID.randomUUID().toString().substring(0, 8);
+  private ScanStatus status = ScanStatus.COMPLETED;
+  private String errorMessage = null;
+  private boolean isFinished = true;
+  private InputStream sarif =
+      new ByteArrayInputStream(
+          "{\"version\":\"2.1.0\",\"runs\":[]}".getBytes(StandardCharsets.UTF_8));
+
+  private AnonymousScanBuilder() {
+    this.scan = mock(Scan.class);
+  }
+
+  /** Create a builder with valid defaults for all required fields. */
+  public static AnonymousScanBuilder validScan() {
+    return new AnonymousScanBuilder();
+  }
+
+  public AnonymousScanBuilder withId(String id) {
+    this.id = id;
+    return this;
+  }
+
+  public AnonymousScanBuilder withProjectId(String projectId) {
+    this.projectId = projectId;
+    return this;
+  }
+
+  public AnonymousScanBuilder withOrganizationId(String organizationId) {
+    this.organizationId = organizationId;
+    return this;
+  }
+
+  public AnonymousScanBuilder withStatus(ScanStatus status) {
+    this.status = status;
+    return this;
+  }
+
+  public AnonymousScanBuilder withErrorMessage(String errorMessage) {
+    this.errorMessage = errorMessage;
+    return this;
+  }
+
+  public AnonymousScanBuilder withIsFinished(boolean isFinished) {
+    this.isFinished = isFinished;
+    return this;
+  }
+
+  public AnonymousScanBuilder withSarif(InputStream sarif) {
+    this.sarif = sarif;
+    return this;
+  }
+
+  /**
+   * Convenience method to set SARIF content from a String.
+   *
+   * @param sarifContent the SARIF JSON as a string
+   */
+  public AnonymousScanBuilder withSarif(String sarifContent) {
+    this.sarif = new ByteArrayInputStream(sarifContent.getBytes(StandardCharsets.UTF_8));
+    return this;
+  }
+
+  /**
+   * Build the Scan mock with all configured values. Uses lenient stubbing to avoid
+   * UnnecessaryStubbingException for fields not accessed in specific tests.
+   */
+  public Scan build() throws java.io.IOException {
+    lenient().when(scan.id()).thenReturn(id);
+    lenient().when(scan.projectId()).thenReturn(projectId);
+    lenient().when(scan.organizationId()).thenReturn(organizationId);
+    lenient().when(scan.status()).thenReturn(status);
+    lenient().when(scan.errorMessage()).thenReturn(errorMessage);
+    lenient().when(scan.isFinished()).thenReturn(isFinished);
+    lenient().when(scan.sarif()).thenReturn(sarif);
+    return scan;
+  }
+}