feat(frontend): scope Fix available tag to active ecosystem filter (#3784)

ashmod · web-flow · commit db6cf9184770 · 2025-08-14T12:56:01.000+10:00
Accurately displays the `Fix Available` tag in the [vulnerability list](https://osv.dev/list) page when filtering by a specific ecosystem. Fixes #2491
diff --git a/gcp/website/frontend_emulator.py b/gcp/website/frontend_emulator.py
@@ -80,6 +80,43 @@ def setUp():
               package=osv.Package(ecosystem='Ecosystem3', name='proj3'))
       ],
   ).put()
+
+  osv.Bug(
+      id='MULTI-ECO-FIX-DEMO',
+      db_id='MULTI-ECO-FIX-DEMO',
+      status=1,
+      source='test',
+      public=True,
+      import_last_modified=datetime.datetime(2025, 3, 1, tzinfo=datetime.UTC),
+      timestamp=datetime.datetime(2025, 3, 1, tzinfo=datetime.UTC),
+      summary='Demo vuln with fix only in PyPI ecosystem',
+      affected_packages=[
+          osv.AffectedPackage(
+              package=osv.Package(ecosystem='PyPI', name='demo-lib'),
+              ranges=[
+                  osv.AffectedRange2(
+                      type='SEMVER',
+                      events=[
+                          osv.AffectedEvent(type='introduced', value='0'),
+                          osv.AffectedEvent(type='fixed', value='1.2.0'),
+                      ],
+                  )
+              ],
+          ),
+          osv.AffectedPackage(
+              package=osv.Package(ecosystem='npm', name='demo-lib'),
+              ranges=[
+                  osv.AffectedRange2(
+                      type='SEMVER',
+                      events=[
+                          osv.AffectedEvent(type='introduced', value='0'),
+                      ],
+                  )
+              ],
+          ),
+      ],
+  ).put()
+
   osv.Bug(
       id='CVE-3',
       db_id='CVE-3',
diff --git a/gcp/website/frontend_handlers.py b/gcp/website/frontend_handlers.py
@@ -616,6 +616,14 @@ def osv_query(search_string, page, affected_only, ecosystem):
     # yapf: enable
   result_items = [bug_to_response(bug, detailed=False) for bug in bugs]
 
+  # Filter isFixed flag to apply only for selected ecosystem.
+  if ecosystem:
+    eco_variants = osv.ecosystems.add_matching_ecosystems({ecosystem})
+    eco_variants.add(osv.ecosystems.normalize(ecosystem))
+
+    for item, bug_obj in zip(result_items, bugs):
+      item['isFixed'] = _is_fixed_in_ecosystem(bug_obj, eco_variants)
+
   results = {
       'total': total_future.get_result(),
       'items': result_items,
@@ -624,6 +632,26 @@ def osv_query(search_string, page, affected_only, ecosystem):
   return results
 
 
+def _is_fixed_in_ecosystem(bug: osv.Bug, eco_variants: set[str]) -> bool:
+  """Determine if a bug has a fix within the specified ecosystem variants.
+
+  Args:
+    bug: The Bug entity.
+    eco_variants: Set of ecosystem names (including variants) to match.
+
+  Returns:
+    True if any affected package in the ecosystem has a fixed/limit event.
+  """
+  for affected_pkg in getattr(bug, 'affected_packages', []):
+    pkg = affected_pkg.package
+    if not pkg or pkg.ecosystem not in eco_variants:
+      continue
+    for r in affected_pkg.ranges or []:
+      if any(evt.type in ('fixed', 'limit') for evt in (r.events or [])):
+        return True
+  return False
+
+
 def get_vuln_count_for_ecosystem(ecosystem: str) -> int:
   ecosystem_counts = osv_get_ecosystem_counts_cached()
   if not ecosystem:
