fix: sort CVE records correctly

CVE records follow a specific format where the last segment represents a
numerical sequence. To properly sort CVE records, we must treat this
sequence segment differently than the rest of the record ID.

fixes #1811

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Luiz Carvalho <[email protected]>

Author: lcarva

modules/fundamental/src/vulnerability/service/mod.rs

@@ -28,6 +28,7 @@ use trustify_common::{
     model::{Paginated, PaginatedResults},
     purl::Purl,
 };
+use sea_query::Expr;
 use trustify_entity::{advisory, cvss3, vulnerability};
 use trustify_module_ingestor::common::Deprecation;
 
@@ -47,7 +48,36 @@ impl VulnerabilityService {
         connection: &C,
     ) -> Result<PaginatedResults<VulnerabilitySummary>, Error> {
         let limiter = vulnerability::Entity::find()
-            .filtering_with(search, Columns::from_entity::<vulnerability::Entity>())?
+            .filtering_with(
+                search,
+                Columns::from_entity::<vulnerability::Entity>().translator(|field, order, _value| {
+                    // When sorting by 'id', translate to use a normalized sort key
+                    // This ensures proper numeric sorting within CVE IDs while maintaining
+                    // alphabetical ordering between different prefixes (ABC-, CVE-, GHSA-, etc.)
+                    if field == "id" && (order == "asc" || order == "desc") {
+                        Some(format!("id_sort_key:{}", order))
+                    } else {
+                        None
+                    }
+                })
+                .add_expr(
+                    "id_sort_key",
+                    // Create a normalized sort key that preserves prefixes but sorts numbers numerically
+                    // For CVE IDs: converts "CVE-2024-288" to "CVE-2024-0000000000000000288"
+                    //   - Year is always 4 digits, no padding needed
+                    //   - Pad sequence to 19 digits (max length per CVE schema)
+                    // CVE schema: https://github.com/CVEProject/cve-schema/blob/main/schema/CVE_Record_Format.json
+                    // For other IDs: returns the ID as-is for alphabetical sorting
+                    // This ensures: ABC-123 < CVE-2023-9000 < CVE-2024-10000 < GHSA-xxx
+                    Expr::cust(
+                        "CASE WHEN id ~ '^CVE-[0-9]{4}-[0-9]{4,19}$' THEN \
+                         SUBSTRING(id FROM '^CVE-[0-9]{4}-') || \
+                         LPAD(SUBSTRING(id FROM '-([0-9]+)$'), 19, '0') \
+                         ELSE id END"
+                    ),
+                    sea_orm::ColumnType::Text,
+                ),
+            )?
             .limiting(connection, paginated.offset, paginated.limit);
 
         let total = limiter.total().await?;

modules/fundamental/src/vulnerability/service/test.rs

@@ -540,6 +540,58 @@ async fn vulnerability_queries(ctx: &TrustifyContext) -> Result<(), anyhow::Erro
     Ok(())
 }
 
+#[test_context(TrustifyContext)]
+#[test(tokio::test)]
+async fn vulnerability_numeric_sorting(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    let service = VulnerabilityService::new();
+
+    ctx.graph.ingest_vulnerability("CVE-2024-40000", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("CVE-2024-10288000", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("CVE-2023-1234", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("CVE-2024-9000", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("CVE-2023-5100", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("GHSA-xxxx-yyyy-zzzz", (), &ctx.db).await?;
+    ctx.graph.ingest_vulnerability("ABC-xxxx-yyyy", (), &ctx.db).await?;
+
+    // Test ascending sort
+    let vulns = service
+        .fetch_vulnerabilities(
+            q("").sort("id:asc"),
+            Paginated::default(),
+            Default::default(),
+            &ctx.db,
+        )
+        .await?;
+    assert_eq!(7, vulns.items.len());
+    assert_eq!(vulns.items[0].head.identifier, "ABC-xxxx-yyyy");
+    assert_eq!(vulns.items[1].head.identifier, "CVE-2023-1234");
+    assert_eq!(vulns.items[2].head.identifier, "CVE-2023-5100");
+    assert_eq!(vulns.items[3].head.identifier, "CVE-2024-9000");
+    assert_eq!(vulns.items[4].head.identifier, "CVE-2024-40000");
+    assert_eq!(vulns.items[5].head.identifier, "CVE-2024-10288000");
+    assert_eq!(vulns.items[6].head.identifier, "GHSA-xxxx-yyyy-zzzz");
+
+    // Test descending sort
+    let vulns = service
+        .fetch_vulnerabilities(
+            q("").sort("id:desc"),
+            Paginated::default(),
+            Default::default(),
+            &ctx.db,
+        )
+        .await?;
+    assert_eq!(7, vulns.items.len());
+    assert_eq!(vulns.items[0].head.identifier, "GHSA-xxxx-yyyy-zzzz");
+    assert_eq!(vulns.items[1].head.identifier, "CVE-2024-10288000");
+    assert_eq!(vulns.items[2].head.identifier, "CVE-2024-40000");
+    assert_eq!(vulns.items[3].head.identifier, "CVE-2024-9000");
+    assert_eq!(vulns.items[4].head.identifier, "CVE-2023-5100");
+    assert_eq!(vulns.items[5].head.identifier, "CVE-2023-1234");
+    assert_eq!(vulns.items[6].head.identifier, "ABC-xxxx-yyyy");
+
+    Ok(())
+}
+
 #[test_context(TrustifyContext)]
 #[test(tokio::test)]
 async fn analyze_purls(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {