fix: only use the commit in api queries if the package does not have other info (#349)

G-Rath · web-flow · commit 9893aa8efdcd · 2025-11-27T14:44:02.000+13:00
* fix: only use the commit in api queries if the package does not have other info

* test: update tests
diff --git a/pkg/database/api-check.go b/pkg/database/api-check.go
@@ -17,11 +17,12 @@ import (
 func (db APIDB) buildAPIPayload(pkg internal.PackageDetails) apiQuery {
 	var query apiQuery
 
-	if pkg.Commit == "" {
+	// this mirrors the logic used by the osv-scalibr vulnmatch enricher
+	if pkg.Name != "" && pkg.Ecosystem != "" && pkg.Version != "" {
 		query.Package.Name = pkg.Name
 		query.Package.Ecosystem = pkg.Ecosystem
 		query.Version = pkg.Version
-	} else {
+	} else if pkg.Commit != "" {
 		query.Commit = pkg.Commit
 	}
 
diff --git a/pkg/database/api-check_test.go b/pkg/database/api-check_test.go
@@ -431,7 +431,12 @@ func TestAPIDB_Check_WithCommit(t *testing.T) {
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/querybatch", func(w http.ResponseWriter, r *http.Request) {
-		expectRequestPayload(t, r, []apiQuery{{Commit: "abc123"}})
+		expectRequestPayload(t, r, []apiQuery{
+			{
+				Version: "1.0.0",
+				Package: apiPackage{Name: "my-package", Ecosystem: lockfile.NpmEcosystem},
+			},
+		})
 
 		jsonData := jsonMarshalQueryBatchResponse(t, []objectsWithIDs{{}})
 
@@ -464,6 +469,80 @@ func TestAPIDB_Check_WithCommit(t *testing.T) {
 	}
 }
 
+func TestAPIDB_Check_WithCommitOnly(t *testing.T) {
+	t.Parallel()
+
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/querybatch", func(w http.ResponseWriter, r *http.Request) {
+		expectRequestPayload(t, r, []apiQuery{{Commit: "abc123"}})
+
+		jsonData := jsonMarshalQueryBatchResponse(t, []objectsWithIDs{{}})
+
+		_, _ = w.Write(jsonData)
+	})
+
+	ts := httptest.NewServer(mux)
+	t.Cleanup(ts.Close)
+
+	db, err := database.NewAPIDB(database.Config{URL: ts.URL}, false, 1)
+
+	if err != nil {
+		t.Fatalf("Check() unexpected error \"%v\"", err)
+	}
+
+	vulns, err := db.Check([]internal.PackageDetails{{Commit: "abc123"}})
+
+	if err != nil {
+		t.Fatalf("unexpected error \"%v\"", err)
+	}
+
+	if len(vulns) != 1 {
+		t.Fatalf("expected to get 1 package but got %d", len(vulns))
+	}
+
+	if len(vulns[0]) != 0 {
+		t.Fatalf("expected to get 0 vulnerabilities but got %d", len(vulns[0]))
+	}
+}
+
+func TestAPIDB_Check_WithCommitAndSomeFields(t *testing.T) {
+	t.Parallel()
+
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/querybatch", func(w http.ResponseWriter, r *http.Request) {
+		expectRequestPayload(t, r, []apiQuery{{Commit: "abc123"}})
+
+		jsonData := jsonMarshalQueryBatchResponse(t, []objectsWithIDs{{}})
+
+		_, _ = w.Write(jsonData)
+	})
+
+	ts := httptest.NewServer(mux)
+	t.Cleanup(ts.Close)
+
+	db, err := database.NewAPIDB(database.Config{URL: ts.URL}, false, 1)
+
+	if err != nil {
+		t.Fatalf("Check() unexpected error \"%v\"", err)
+	}
+
+	vulns, err := db.Check([]internal.PackageDetails{{Commit: "abc123", Ecosystem: "npm"}})
+
+	if err != nil {
+		t.Fatalf("unexpected error \"%v\"", err)
+	}
+
+	if len(vulns) != 1 {
+		t.Fatalf("expected to get 1 package but got %d", len(vulns))
+	}
+
+	if len(vulns[0]) != 0 {
+		t.Fatalf("expected to get 0 vulnerabilities but got %d", len(vulns[0]))
+	}
+}
+
 func TestAPIDB_Check_Batches(t *testing.T) {
 	t.Parallel()
 
