
@dejanb (Contributor) commented Jul 17, 2025

Currently the logic incorrectly filters CVSS scores based on the vulnerability ID instead of the advisory ID. This change ensures that only CVSS scores related to the specific advisory are included in the advisory summary.

Summary by Sourcery

Fix CVSS filtering logic for advisory summaries to use advisory_id instead of vulnerability_id, update related invocation, and add validation tests

Bug Fixes:

  • Filter CVSS scores by advisory_id in VulnerabilityAdvisoryHead instead of vulnerability_id
  • Correct arguments passed to VulnerabilityAdvisoryHead::from_entities in vulnerability summary

Enhancements:

  • Remove unused vulnerability parameter from VulnerabilityAdvisoryHead::from_entities signature

Tests:

  • Add test verifying only advisory-specific CVSS scores are included in fetched vulnerabilities

@sourcery-ai bot (Contributor) commented Jul 17, 2025

Reviewer's Guide

Refactor the advisory summary builder to drop the vulnerability context and correctly filter CVSS entries by advisory ID, and enhance test coverage to verify advisory-specific scores and severities.

Class diagram for VulnerabilitySummary advisories field update

classDiagram
    class VulnerabilitySummary {
        +advisories: Vec<VulnerabilityAdvisoryHead>
    }
    class VulnerabilityAdvisoryHead {
        +from_entities(vuln_advisories: &[advisory::Model], vuln_cvss3s: &[cvss3::Model], tx: &C)
    }
    VulnerabilitySummary o-- VulnerabilityAdvisoryHead : advisories

File-Level Changes

Change: Refactor advisory head builder and correct CVSS filtering
Details:
  • Remove unused vulnerability parameter from from_entities signature
  • Update invocation in VulnerabilitySummary to match new signature
  • Change filter to use advisory_id when selecting CVSS entries
Files:
  modules/fundamental/src/vulnerability/model/summary.rs
  modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs

Change: Extend service tests for advisory-specific CVSS validation
Details:
  • Assert exactly two advisories are returned for a CVE
  • Verify first advisory's score and severity are populated
  • Verify second advisory's score and severity are None
Files:
  modules/fundamental/src/vulnerability/service/test.rs

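The wrong-key filter that this PR corrects, shown as an added Rust example that is not trustify's own code: the "before" builder selects CVSS rows by vulnerability id, so an advisory with no CVSS data inherits the score recorded under a different advisory for the same CVE; the "after" builder keys on advisory_id and yields None for that advisory, which is the condition the extended service test asserts. The entity shapes (Advisory, Cvss3, AdvisoryHead), the helper names, the max-score selection and the sample identifiers are assumptions made for this illustration.

```rust
// Added example (not trustify's own code): models the advisory-summary filtering bug
// described in the PR. Entity shapes and function names are assumptions.

/// Minimal stand-in for an advisory row (constructed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct Advisory {
    pub id: u32,
    pub identifier: String,
}

/// Minimal stand-in for a CVSS v3 row linking an advisory to a vulnerability (constructed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct Cvss3 {
    pub advisory_id: u32,
    pub vulnerability_id: String,
    pub score: f64,
    pub severity: String,
}

/// Per-advisory summary; score and severity are None when the advisory has no CVSS row.
#[derive(Debug, Clone, PartialEq)]
pub struct AdvisoryHead {
    pub identifier: String,
    pub score: Option<f64>,
    pub severity: Option<String>,
}

/// Shared builder: from the CVSS rows already selected for ONE advisory, take the
/// highest score (max-score selection is an assumption of this example).
fn head_from(advisory: &Advisory, scores: &[&Cvss3]) -> AdvisoryHead {
    let best = scores.iter().copied().max_by(|a, b| {
        a.score
            .partial_cmp(&b.score)
            .unwrap_or(std::cmp::Ordering::Equal)
    });
    AdvisoryHead {
        identifier: advisory.identifier.clone(),
        score: best.map(|c| c.score),
        severity: best.map(|c| c.severity.clone()),
    }
}

/// BEFORE the fix: the filter keys on the vulnerability id, so every CVSS row for the
/// CVE matches for every advisory and a score leaks into advisories that have none.
pub fn heads_filtered_by_vulnerability(
    advisories: &[Advisory],
    cvss3s: &[Cvss3],
    vulnerability_id: &str,
) -> Vec<AdvisoryHead> {
    advisories
        .iter()
        .map(|adv| {
            let scores: Vec<&Cvss3> = cvss3s
                .iter()
                .filter(|c| c.vulnerability_id == vulnerability_id) // wrong key
                .collect();
            head_from(adv, &scores)
        })
        .collect()
}

/// AFTER the fix: the filter keys on advisory_id, so each advisory sees only its own rows.
pub fn heads_filtered_by_advisory(advisories: &[Advisory], cvss3s: &[Cvss3]) -> Vec<AdvisoryHead> {
    advisories
        .iter()
        .map(|adv| {
            let scores: Vec<&Cvss3> = cvss3s
                .iter()
                .filter(|c| c.advisory_id == adv.id) // correct key
                .collect();
            head_from(adv, &scores)
        })
        .collect()
}

/// Constructed fixture mirroring the PR's test scenario: one CVE, two advisories,
/// and only the first advisory carries a CVSS v3 score. Identifiers are placeholders.
pub fn sample_data() -> (Vec<Advisory>, Vec<Cvss3>) {
    let advisories = vec![
        Advisory { id: 1, identifier: "ADV-A".into() },
        Advisory { id: 2, identifier: "ADV-B".into() },
    ];
    let cvss3s = vec![Cvss3 {
        advisory_id: 1,
        vulnerability_id: "CVE-0000-0000".into(), // placeholder CVE id
        score: 7.5,
        severity: "high".into(),
    }];
    (advisories, cvss3s)
}

fn main() {
    let (advisories, cvss3s) = sample_data();
    println!("before fix: {:?}", heads_filtered_by_vulnerability(&advisories, &cvss3s, "CVE-0000-0000"));
    println!("after fix:  {:?}", heads_filtered_by_advisory(&advisories, &cvss3s));
}
```

With the fixture above, the "before" builder reports 7.5/high for both advisories, while the "after" builder reports 7.5/high for the first and None/None for the second, which is exactly the pair of assertions the PR's service test adds.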

@sourcery-ai bot (Contributor) left a comment


Hey @dejanb - I've reviewed your changes and they look great!


@dejanb dejanb requested a review from ctron July 17, 2025 12:47
@codecov bot commented Jul 17, 2025

Codecov Report

Attention: Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 67.94%. Comparing base (e07d93c) to head (68c6e46).
Report is 3 commits behind head on main.

Files with missing lines                              | Patch % | Lines
...les/fundamental/src/vulnerability/model/summary.rs | 50.00%  | 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1883      +/-   ##
==========================================
- Coverage   67.94%   67.94%   -0.01%     
==========================================
  Files         364      364              
  Lines       22973    22967       -6     
  Branches    22973    22967       -6     
==========================================
- Hits        15610    15604       -6     
  Misses       6486     6486              
  Partials      877      877              


@dejanb dejanb enabled auto-merge July 17, 2025 14:36
@helio-frota (Contributor) left a comment


Approving the Rust part -- no idea about the business.

@dejanb dejanb added this pull request to the merge queue Jul 17, 2025
@helio-frota helio-frota removed this pull request from the merge queue due to a manual request Jul 17, 2025
@ctron ctron added the backport release/0.3.z Backport (0.3.z) label Jul 18, 2025
@helio-frota helio-frota added this pull request to the merge queue Jul 18, 2025
Merged via the queue into main with commit 4149075 Jul 18, 2025
8 of 9 checks passed
@helio-frota helio-frota deleted the advisory_cvss branch July 18, 2025 09:10
@trustification-ci-bot

Successfully created backport PR for release/0.3.z:
