fix: provide all relevant patch recommendations

Ilona Shishov · Ilona Shishov · commit 130d70ea8c9b · 2026-01-01T16:51:54.000+02:00
Signed-off-by: Ilona Shishov &lt;ishishov@ishishov-thinkpadp1gen7.raanaii.csb&gt;
diff --git a/src/vuln_analysis/utils/vex/implementations/csaf_generator.py b/src/vuln_analysis/utils/vex/implementations/csaf_generator.py
@@ -92,26 +92,18 @@ def _build_patch_recommendation(ci: CveIntel, sbom_package_names: set[str] | Non
 
     vulns = ci.ghsa.vulnerabilities
 
-    # SBOM
-    if sbom_package_names is not None:
-        return next(
-            (
-                f"{name}:{patch}"
-                for v in vulns
-                for (name, patch) in [(_get_patched_package(v))]
-                if name and patch and name in sbom_package_names
-            ),
-            ""
-        )
-
-    # No SBOM
     name_to_version: dict[str, str] = {}
     for v in vulns:
         name, patch = _get_patched_package(v)
         if not name or not patch:
             continue
-        if name not in name_to_version:
-            name_to_version[name] = patch
+        if name in name_to_version:
+            continue
+        # If SBOM provided, only include packages that are in the SBOM
+        if sbom_package_names is not None and name not in sbom_package_names:
+            continue
+        name_to_version[name] = patch
+
     if not name_to_version:
         return ""
     return ", ".join(f"{name}:{patch}" for name, patch in name_to_version.items())
