From cece886967272b97217fed6a837df25f81780209 Mon Sep 17 00:00:00 2001
From: Dejan Bosanac
Date: Thu, 17 Jul 2025 14:00:17 +0200
Subject: [PATCH] fix: properly filter cvss scores for the advisory

Currently the logic incorrectly filters CVSS scores based on the vulnerability ID instead of the advisory ID. This change ensures that only CVSS scores related to the specific advisory are included in the advisory summary.

(cherry picked from commit 41490755448bfb799bdbb33609938b36ee55e02c)
---
 .../model/details/vulnerability_advisory.rs | 3 +--
 .../src/vulnerability/model/summary.rs | 9 ++-------
 .../fundamental/src/vulnerability/service/test.rs | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs b/modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs
index 019e5918f..046ee07fd 100644
--- a/modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs
+++ b/modules/fundamental/src/vulnerability/model/details/vulnerability_advisory.rs
@@ -85,7 +85,6 @@ impl VulnerabilityAdvisoryHead {
 }
 }
 pub async fn from_entities(
- vulnerability: &vulnerability::Model,
 vuln_advisories: &[advisory::Model],
 vuln_cvss3s: &[cvss3::Model],
 tx: &C,
@@ -98,7 +97,7 @@ impl VulnerabilityAdvisoryHead {
 // filter all vulnerability cvss3 to those that pertain to only this advisory.
 let cvss3 = vuln_cvss3s
 .iter()
- .filter(|e| e.vulnerability_id == vulnerability.id)
+ .filter(|e| e.advisory_id == advisory.id)
 .collect::>();
 let score = if cvss3.is_empty() {
diff --git a/modules/fundamental/src/vulnerability/model/summary.rs b/modules/fundamental/src/vulnerability/model/summary.rs
index 8204cc9ca..a3c6ee8d1 100644
--- a/modules/fundamental/src/vulnerability/model/summary.rs
+++ b/modules/fundamental/src/vulnerability/model/summary.rs
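Review bot: The new predicate in the second hunk keys on `advisory_id` alone, so correctness now depends on the caller having already scoped `vuln_cvss3s` to a single vulnerability — an advisory routinely covers several CVEs, each with its own cvss3 row carrying the same `advisory_id`, and a slice fetched for more than one vulnerability would let another CVE's score be reported under this one. The summary.rs caller in this patch passes a value named `vuln_cvss3s`, which looks per-vulnerability, but nothing in the hunk enforces that and the first hunk removes the only parameter that could. Either keep both keys, `.filter(|e| e.advisory_id == advisory.id && e.vulnerability_id == vulnerability.id)` (which means retaining the removed parameter), or state the precondition on the function, e.g. `/// `vuln_cvss3s` must already be scoped to a single vulnerability; only the advisory is filtered here.` The body of `from_entities` continues past the end of the hunk, so the later use of `cvss3` for `score` is not visible here.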
@@ -70,13 +70,8 @@ impl VulnerabilitySummary {
 .await?,
 average_severity: vuln.base_severity.map(|s| s.into()),
 average_score: vuln.base_score,
- advisories: VulnerabilityAdvisoryHead::from_entities(
- vuln,
- advisories,
- vuln_cvss3s,
- tx,
- )
- .await?,
+ advisories: VulnerabilityAdvisoryHead::from_entities(advisories, vuln_cvss3s, tx)
+ .await?,
 });
 }
diff --git a/modules/fundamental/src/vulnerability/service/test.rs b/modules/fundamental/src/vulnerability/service/test.rs
index 93e3a08af..df8729723 100644
--- a/modules/fundamental/src/vulnerability/service/test.rs
+++ b/modules/fundamental/src/vulnerability/service/test.rs
@@ -457,6 +457,21 @@ async fn vulnerability_queries(ctx: &TrustifyContext) -> Result<(), anyhow::Erro
 assert_eq!(vulns.items[0].average_score, Some(6.9));
 assert_eq!(vulns.items[0].average_severity, Some(Severity::Medium));
+ let vulns = service
+ .fetch_vulnerabilities(
+ q("CVE-2023-39325"),
+ Paginated::default(),
+ Default::default(),
+ &ctx.db,
+ )
+ .await?;
+ assert_eq!(1, vulns.items.len());
+ assert_eq!(2, vulns.items[0].advisories.len());
+ assert_eq!(vulns.items[0].advisories[0].score, Some(7.5));
+ assert_eq!(vulns.items[0].advisories[0].severity, Some(Severity::High));
+ assert_eq!(vulns.items[0].advisories[1].score, None);
+ assert_eq!(vulns.items[0].advisories[1].severity, None);
+
 Ok(())
 }
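Review bot: The new assertions on `advisories[0]` and `advisories[1]` depend on the order in which `fetch_vulnerabilities` returns the two advisories, and nothing in the hunk shows that order being fixed; if the list comes back in database order the test can pass or fail between runs without any code change. Matching by content instead of position keeps the regression check (one advisory scored, the other not) while removing the ordering dependency: `let scored: Vec<_> = vulns.items[0].advisories.iter().map(|a| (a.score, a.severity.clone())).collect();` followed by `assert!(scored.contains(&(Some(7.5), Some(Severity::High))));` and `assert!(scored.contains(&(None, None)));` — whether `Severity` needs `.clone()` or is `Copy` cannot be told from here. The enclosing `vulnerability_queries` starts well before this hunk, so the fixtures that make CVE-2023-39325 carry exactly one scored advisory are not visible.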