fix: reject empty cweIds/credits on advisory update

Array Fleet · cursoragent · Array Fleet · commit 895cff97339c · 2026-06-10T16:59:48.000Z
Empty slices are omitted from PATCH JSON due to omitempty, so update
calls with only cweIds: [] or credits: [] silently sent {} and appeared
to succeed validation. Reject explicitly with a clear error message.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/pkg/github/security_advisories_test.go b/pkg/github/security_advisories_test.go
@@ -1066,6 +1066,34 @@ func Test_UpdateRepositorySecurityAdvisory(t *testing.T) {
 			expectError:    true,
 			expectedErrMsg: "invalid cweIds: value must not be null",
 		},
+		{
+			name: "reject empty cweIds only",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PatchReposSecurityAdvisoriesByOwnerByRepoByGhsaID: mockResponse(t, http.StatusOK, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":  "octo",
+				"repo":   "hello-world",
+				"ghsaId": "GHSA-xxxx-xxxx-xxxx",
+				"cweIds": []any{},
+			},
+			expectError:    true,
+			expectedErrMsg: "invalid cweIds: at least one CWE ID must be provided when cweIds is specified",
+		},
+		{
+			name: "reject empty credits only",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PatchReposSecurityAdvisoriesByOwnerByRepoByGhsaID: mockResponse(t, http.StatusOK, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":   "octo",
+				"repo":    "hello-world",
+				"ghsaId":  "GHSA-xxxx-xxxx-xxxx",
+				"credits": []any{},
+			},
+			expectError:    true,
+			expectedErrMsg: "invalid credits: at least one credit must be provided when credits is specified",
+		},
 		{
 			name: "successful update with credits and cweIds",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
diff --git a/pkg/github/security_advisories_write.go b/pkg/github/security_advisories_write.go
@@ -621,6 +621,9 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 				hasUpdate = true
 			}
 			if _, ok := args["cweIds"]; ok {
+				if len(cweIDs) == 0 {
+					return utils.NewToolResultError("invalid cweIds: at least one CWE ID must be provided when cweIds is specified"), nil, nil
+				}
 				requestBody.CWEIDs = cweIDs
 				hasUpdate = true
 			}
@@ -633,6 +636,9 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 				hasUpdate = true
 			}
 			if _, ok := args["credits"]; ok {
+				if len(credits) == 0 {
+					return utils.NewToolResultError("invalid credits: at least one credit must be provided when credits is specified"), nil, nil
+				}
 				requestBody.Credits = credits
 				hasUpdate = true
 			}

Original file line number	Diff line number	Diff line change
`@@ -621,6 +621,9 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve`
`621`	`621`	`hasUpdate = true`
`622`	`622`	`}`
`623`	`623`	`if _, ok := args["cweIds"]; ok {`
	`624`	`+ if len(cweIDs) == 0 {`
	`625`	`+ return utils.NewToolResultError("invalid cweIds: at least one CWE ID must be provided when cweIds is specified"), nil, nil`
	`626`	`+ }`
`624`	`627`	`requestBody.CWEIDs = cweIDs`
`625`	`628`	`hasUpdate = true`
`626`	`629`	`}`
`@@ -633,6 +636,9 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve`
`633`	`636`	`hasUpdate = true`
`634`	`637`	`}`
`635`	`638`	`if _, ok := args["credits"]; ok {`
	`639`	`+ if len(credits) == 0 {`
	`640`	`+ return utils.NewToolResultError("invalid credits: at least one credit must be provided when credits is specified"), nil, nil`
	`641`	`+ }`
`636`	`642`	`requestBody.Credits = credits`
`637`	`643`	`hasUpdate = true`
`638`	`644`	`}`