fix: provide all relevant patch recommendations

Signed-off-by: Ilona Shishov <ishishov@ishishov-thinkpadp1gen7.raanaii.csb>

Author: Ilona Shishov

src/vuln_analysis/utils/vex/implementations/csaf_generator.py

@@ -84,34 +84,26 @@ def _get_patched_package(v: dict) -> tuple[str | None, str | None]:
 def _build_patch_recommendation(ci: CveIntel, sbom_package_names: set[str] | None) -> str:
     """
     Build a patch recommendation from the GHSA data.
-    - If SBOM provided: return the first matching 'name:first_patched_version' where name is in SBOM, else return "".
+    - If SBOM provided: return all unique 'name:first_patched_version' pairs where name is in SBOM as list, else return "".
     - If no SBOM: return all unique 'name:first_patched_version' pairs as list, else return "".
     """
     if not ci or not ci.ghsa or not ci.ghsa.vulnerabilities:
         return ""
 
     vulns = ci.ghsa.vulnerabilities
 
-    # SBOM
-    if sbom_package_names is not None:
-        return next(
-            (
-                f"{name}:{patch}"
-                for v in vulns
-                for (name, patch) in [(_get_patched_package(v))]
-                if name and patch and name in sbom_package_names
-            ),
-            ""
-        )
-
-    # No SBOM
     name_to_version: dict[str, str] = {}
     for v in vulns:
         name, patch = _get_patched_package(v)
         if not name or not patch:
             continue
-        if name not in name_to_version:
-            name_to_version[name] = patch
+        if name in name_to_version:
+            continue
+        # If SBOM provided, only include packages that are in the SBOM
+        if sbom_package_names is not None and name not in sbom_package_names:
+            continue
+        name_to_version[name] = patch
+
     if not name_to_version:
         return ""
     return ", ".join(f"{name}:{patch}" for name, patch in name_to_version.items())