feat: include all scores in PurlStatus

Author: Strum355

modules/fundamental/src/purl/model/details/purl.rs

@@ -1,7 +1,7 @@
 use crate::{
     Error,
     advisory::model::AdvisoryHead,
-    common::{LicenseInfo, LicenseRefMapping, license_filtering},
+    common::{LicenseInfo, LicenseRefMapping, license_filtering, model::Score},
     purl::model::{
         BasePurlHead, PurlHead, VersionedPurlHead, details::version_range::VersionRange,
     },
@@ -22,7 +22,7 @@ use trustify_common::{
     memo::Memo,
     purl::Purl,
 };
-use trustify_cvss::cvss3::{Cvss3Base, score::Score, severity::Severity};
+use trustify_cvss::cvss3::{Cvss3Base, score::Score as Cvss3Score, severity::Severity};
 use trustify_entity::{
     advisory, base_purl, cpe, cvss3, license, organization, product, product_status,
     product_version, product_version_range, purl_status, qualified_purl, sbom, sbom_package,
@@ -312,7 +312,11 @@ impl PurlAdvisory {
 pub struct PurlStatus {
     pub vulnerability: VulnerabilityHead,
     pub advisory: AdvisoryHead,
+    /// All CVSS scores associated with the vulnerability
+    pub scores: Vec<Score>,
+    #[deprecated(since = "0.5.0", note = "Please use `scores` instead")]
     pub average_severity: Severity,
+    #[deprecated(since = "0.5.0", note = "Please use `scores` instead")]
     pub average_score: f64,
     pub status: String,
     #[schema(required)]
@@ -336,9 +340,14 @@ impl PurlStatus {
         cpe: Option<String>,
         tx: &C,
     ) -> Result<Self, Error> {
-        let cvss3 = vuln.find_related(cvss3::Entity).all(tx).await?;
-        let average_score = Score::from_iter(cvss3.iter().map(Cvss3Base::from));
         let issuer = Memo::Provided(advisory.find_related(organization::Entity).one(tx).await?);
+        let cvss3 = vuln.find_related(cvss3::Entity).all(tx).await?;
+        let average_score = Cvss3Score::from_iter(cvss3.iter().map(Cvss3Base::from));
+        let all_scores = cvss3
+            .iter()
+            .cloned()
+            .filter_map(|cvss3| Score::try_from(cvss3).ok())
+            .collect();
 
         Ok(Self {
             vulnerability: VulnerabilityHead::from_vulnerability_entity(
@@ -348,8 +357,11 @@ impl PurlStatus {
             )
             .await?,
             advisory: AdvisoryHead::from_advisory(advisory, issuer, tx).await?,
+            #[allow(deprecated)]
             average_severity: average_score.severity(),
+            #[allow(deprecated)]
             average_score: average_score.value(),
+            scores: all_scores,
             status,
             context: cpe.map(StatusContext::Cpe),
             version_range,
@@ -362,13 +374,23 @@ impl PurlStatus {
         status: String,
         version_range: Option<VersionRange>,
         cpe: Option<String>,
-        score: Score,
+        scores: &[cvss3::Model],
     ) -> Result<Self, Error> {
+        let average_score = Cvss3Score::from_iter(scores.iter().map(Cvss3Base::from));
+        let all_scores = scores
+            .iter()
+            .cloned()
+            .filter_map(|cvss3| Score::try_from(cvss3).ok())
+            .collect();
+
         Ok(Self {
             vulnerability: vuln_head,
             advisory: advisory_head,
-            average_severity: score.severity(),
-            average_score: score.value(),
+            #[allow(deprecated)]
+            average_severity: average_score.severity(),
+            #[allow(deprecated)]
+            average_score: average_score.value(),
+            scores: all_scores,
             status,
             context: cpe.map(StatusContext::Cpe),
             version_range,

modules/fundamental/src/vulnerability/endpoints/mod.rs

@@ -6,8 +6,8 @@ use crate::{
     endpoints::Deprecation,
     vulnerability::{
         model::{
-            AnalysisRequest, AnalysisResponse, VulnerabilityDetails, VulnerabilitySummary,
-            v2::AnalysisResponseV2,
+            AnalysisRequest, AnalysisResponseV3, VulnerabilityDetails, VulnerabilitySummary,
+            v2::AnalysisResponse,
         },
         service::VulnerabilityService,
     },
@@ -111,7 +111,7 @@ pub async fn get(
   tag = "vulnerability",
   request_body = AnalysisRequest,
   responses(
-      (status = 200, description = "Analyze the provided purls to search for known vulnerabilities", body = AnalysisResponseV2),
+      (status = 200, description = "Analyze the provided purls to search for known vulnerabilities", body = AnalysisResponse),
   ),
 )]
 #[post("/v2/vulnerability/analyze")]
@@ -133,7 +133,7 @@ pub async fn analyze(
     tag = "vulnerability",
     request_body = AnalysisRequest,
     responses(
-        (status = 200, description = "Analyze the provided purls to search for known vulnerabilities", body = AnalysisResponse),
+        (status = 200, description = "Analyze the provided purls to search for known vulnerabilities", body = AnalysisResponseV3),
     ),
 )]
 #[post("/v3/vulnerability/analyze")]
@@ -144,7 +144,7 @@ pub async fn analyze_v3(
     _: Require<ReadAdvisory>,
 ) -> actix_web::Result<impl Responder> {
     let tx = db.begin_read().await?;
-    let details = service.analyze_purls(purls, &tx).await?;
+    let details = service.analyze_purls_v3(purls, &tx).await?;
 
     Ok(HttpResponse::Ok().json(details))
 }

modules/fundamental/src/vulnerability/model/analyze.rs

@@ -1,4 +1,4 @@
-use crate::{purl::model::details::purl::PurlStatus, vulnerability::model::VulnerabilityHead};
+use crate::purl::model::details::purl::PurlStatus;
 use serde::{Deserialize, Serialize};
 use std::{collections::BTreeMap, ops::Deref};
 use utoipa::ToSchema;
@@ -9,25 +9,22 @@ pub struct AnalysisRequest {
 }
 
 #[derive(Serialize, Deserialize, Debug, ToSchema, Default)]
-pub struct AnalysisResult {
-    pub details: Vec<AnalysisDetails>,
+pub struct AnalysisResultV3 {
+    pub details: Vec<AnalysisDetailsV3>,
     pub warnings: Vec<String>,
 }
 
 #[derive(Serialize, Deserialize, Debug, ToSchema)]
-pub struct AnalysisDetails {
-    #[serde(flatten)]
-    pub head: VulnerabilityHead,
-
+pub struct AnalysisDetailsV3 {
     /// List of purl statuses
     pub purl_statuses: Vec<PurlStatus>,
 }
 
 #[derive(Serialize, Deserialize, Debug, ToSchema)]
-pub struct AnalysisResponse(pub BTreeMap<String, AnalysisResult>);
+pub struct AnalysisResponseV3(pub BTreeMap<String, AnalysisResultV3>);
 
-impl Deref for AnalysisResponse {
-    type Target = BTreeMap<String, AnalysisResult>;
+impl Deref for AnalysisResponseV3 {
+    type Target = BTreeMap<String, AnalysisResultV3>;
 
     fn deref(&self) -> &Self::Target {
         &self.0

modules/fundamental/src/vulnerability/model/v2.rs

@@ -6,13 +6,13 @@ use std::{collections::BTreeMap, ops::Deref};
 use utoipa::ToSchema;
 
 #[derive(Serialize, Deserialize, Debug, ToSchema, Default)]
-pub struct AnalysisResultV2 {
-    pub details: Vec<AnalysisDetailsV2>,
+pub struct AnalysisResult {
+    pub details: Vec<AnalysisDetails>,
     pub warnings: Vec<String>,
 }
 
 #[derive(Serialize, Deserialize, Debug, ToSchema)]
-pub struct AnalysisDetailsV2 {
+pub struct AnalysisDetails {
     #[serde(flatten)]
     pub head: VulnerabilityHead,
 
@@ -30,10 +30,10 @@ pub struct AnalysisAdvisory {
 }
 
 #[derive(Serialize, Deserialize, Debug, ToSchema)]
-pub struct AnalysisResponseV2(pub BTreeMap<String, AnalysisResultV2>);
+pub struct AnalysisResponse(pub BTreeMap<String, AnalysisResult>);
 
-impl Deref for AnalysisResponseV2 {
-    type Target = BTreeMap<String, AnalysisResultV2>;
+impl Deref for AnalysisResponse {
+    type Target = BTreeMap<String, AnalysisResult>;
 
     fn deref(&self) -> &Self::Target {
         &self.0