Skip to content

feat(trustify): migrate DA backend from Trustify v2 to v3 endpoints#638

Open
ruromero wants to merge 7 commits into
guacsec:mainfrom
ruromero:TC-4522
Open

feat(trustify): migrate DA backend from Trustify v2 to v3 endpoints#638
ruromero wants to merge 7 commits into
guacsec:mainfrom
ruromero:TC-4522

Conversation

@ruromero

@ruromero ruromero commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Migrates the DA backend from Trustify v2 /api/v2/vulnerability/analyze and /api/v2/purl/recommend endpoints to v3 /api/v3/vulnerability/analyze and /api/v3/purl/recommend.

  • Rewrites TrustifyResponseHandler to parse the v3 response format (details[].purl_statuses[], base_score, advisory.issuer)
  • Converts all WireMock test fixtures to v3 format
  • Updates expected report files for v3 score values
  • Bumps trustify-da-api-model to 2.0.10-SNAPSHOT

Test plan

  • All 295 unit tests pass (mvn verify -Pdev)
  • TrustifyResponseHandlerTest — 12 test cases cover: empty responses, single/multiple issues, severity mapping, remediation parsing, withdrawn advisories, CVE deduplication, unknown severity fallback
  • AnalysisTest integration tests pass with v3 fixtures
  • Spotless formatting clean

Jira

TC-4522

Dependencies

Summary by Sourcery

Migrate Trustify integration to the v3 vulnerability and recommendation APIs and adapt response handling to the new schema.

New Features:

  • Support Trustify v3 /api/v3/vulnerability/analyze and /api/v3/purl/recommend endpoints in the DA backend.

Enhancements:

  • Update TrustifyResponseHandler to consume v3 fields such as base_score, purl_statuses and issuer for CVSS, source and remediation data.
  • Refine remediation parsing to use version ranges and structured remediation metadata from Trustify v3 responses.
  • Adjust severity handling to fall back from unknown severity labels to score-based severities and treat 'none' severity as a low score-based severity.
  • Change the default issue source label from manual to unknown for issues without an issuer.

Build:

  • Bump trustify-da-api dependency to 2.0.10-SNAPSHOT to align with the v3 API model.

Tests:

  • Convert Trustify WireMock fixtures and expected reports to the v3 response format and update unit tests to cover withdrawn advisories, missing scores, invalid severities and remediation parsing.

@sourcery-ai

sourcery-ai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Reviewer's Guide

Migrates DA backend Trustify integration from v2 to v3 analyze/recommend endpoints and rewrites response handling logic and tests to consume the new v3 response shape (base_score, purl_statuses, advisory.issuer, remediations, version ranges).

Sequence diagram for Trustify v3 analyze endpoint integration

sequenceDiagram
  participant DAService
  participant TrustifyApi
  participant TrustifyResponseHandler
  participant Issue

  DAService->>TrustifyApi: POST /api/v3/vulnerability/analyze
  TrustifyApi-->>DAService: v3 response (details, purl_statuses, base_score)
  DAService->>TrustifyResponseHandler: toIssues(response)
  TrustifyResponseHandler->>TrustifyResponseHandler: getSource(purl_status)
  TrustifyResponseHandler->>TrustifyResponseHandler: setCvssData(issue, vuln, purlStatus)
  TrustifyResponseHandler->>Issue: cvssScore(base_score.score)
  TrustifyResponseHandler->>Issue: setSeverity(SeverityUtils.fromValue | fromScore)
  TrustifyResponseHandler->>Issue: setRemediation(Remediation)
Loading

File-Level Changes

Change Details Files
Rewrite TrustifyResponseHandler to consume Trustify v3 response model and derive issues, CVSS data, remediation and source from new fields.
  • Replace use of status.affected and labels/importer with purl_statuses[] and advisory.issuer for iterating advisories and deriving source.
  • Introduce new setCvssData that reads vuln.base_score (score, severity) and falls back to score-based severity when needed, including handling of invalid or 'none' severities.
  • Change remediation extraction to use purl_statuses[].version_range and remediations[], populating fixedIn, VersionRange, and RemediationInfo instead of ranges/events.
  • Update default source from 'manual' to 'unknown' and adapt getSource to use issuer.name or fallback.
src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java
Update Trustify integration endpoints to v3 paths and bump Trustify DA API dependency to match the new v3 model.
  • Change TRUSTIFY_RECOMMEND_PATH and TRUSTIFY_ANALYZE_PATH constants from /api/v2/... to /api/v3/...
  • Bump trustify-da-api.version from 2.0.9 to 2.0.10-SNAPSHOT in pom.xml.
src/main/java/io/github/guacsec/trustifyda/integration/Constants.java
pom.xml
Adapt TrustifyResponseHandler tests and fixtures to v3 response format and new behavior for severity, remediation, and source.
  • Rewrite JSON fixtures in TrustifyResponseHandlerTest to use v3 structures: details[].purl_statuses[], base_score, advisory.issuer, version_range, remediations.
  • Adjust expectations for CVSS score and severity handling (including fallback cases and invalid/none severity) and for remediation contents (fixedIn, version ranges, categories).
  • Update tests to expect default source 'unknown' and to cover v3-specific cases like withdrawn advisories and empty purl_statuses arrays.
src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java
src/test/resources/__files/trustify/maven_report.json
src/test/resources/__files/trustify/pypi_report.json
Refresh expected analysis reports to align with v3 scoring/response changes.
  • Update expected batch_report.json and report.json fixtures to match v3-derived scores, severities, and remediation fields.
src/test/resources/__files/reports/batch_report.json
src/test/resources/__files/reports/report.json

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • The new setCvssData logic relies solely on base_score; if Trustify ever omits this field for some entries, consider a fallback to per-advisory/purl_status scoring data to avoid silently producing issues without CVSS information.
  • The remediation construction in setCvssData (version range + remediations) has become quite dense; consider extracting this into helper methods to make the transformation from v3 JSON to Remediation and VersionRange easier to follow and maintain.
  • Changing DEFAULT_SOURCE from "manual" to "unknown" and deriving source from issuer.name instead of the previous importer may affect how issues are grouped by source; if this is intentional, it may be worth centralizing the mapping logic in a dedicated helper to keep future adjustments localized.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The new `setCvssData` logic relies solely on `base_score`; if Trustify ever omits this field for some entries, consider a fallback to per-advisory/purl_status scoring data to avoid silently producing issues without CVSS information.
- The remediation construction in `setCvssData` (version range + remediations) has become quite dense; consider extracting this into helper methods to make the transformation from v3 JSON to `Remediation` and `VersionRange` easier to follow and maintain.
- Changing `DEFAULT_SOURCE` from "manual" to "unknown" and deriving source from `issuer.name` instead of the previous importer may affect how issues are grouped by source; if this is intentional, it may be worth centralizing the mapping logic in a dedicated helper to keep future adjustments localized.

## Individual Comments

### Comment 1
<location path="src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java" line_range="472" />
<code_context>
     Issue issue = issues.get(0);

-    // Should prioritize V4 based on SCORE_TYPE_ORDER
+    // v3 provides pre-computed base_score
     assertEquals(7.2f, issue.getCvssScore());
     assertEquals(Severity.HIGH, issue.getSeverity());
</code_context>
<issue_to_address>
**suggestion (testing):** Consider adding a test where base_score has a score but no severity to verify score-based severity fallback

The updated `setCvssData` falls back to `SeverityUtils.fromScore` when `base_score.severity` is missing or unparsable, but there’s no test for a `base_score` that has only a numeric score and no severity field. Please add a test (e.g., a variant of `testResponseToIssuesWithMultipleScoreTypes`) using such input to verify that severity is correctly derived from the score when Trustify omits `severity`.

Suggested implementation:

```java
    List<Issue> issues = packageItem.issues();
    Issue issue = issues.get(0);

    // v3 provides pre-computed base_score
    assertEquals(7.2f, issue.getCvssScore());
    assertEquals(Severity.HIGH, issue.getSeverity());
  }

  @Test
  void testBaseScoreSeverityFallbackWhenSeverityMissing() throws Exception {
    String response = """
    {
      "vulnerabilities": [{
        "identifier": "CVE-2024-1597",
        "title": "Test CVE",
        "scores": {
          "cvss_v3": {
            "version": "3.1",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "base_score": {
              "score": 7.2
            }
          }
        }
      }],
      "packages": [{
        "purl": "pkg:maven/org.example/foo@1.0.0",
        "issues": [{
          "identifier": "CVE-2024-1597"
        }]
      }],
      "warnings": []
    }
    """;

    // Adapt this setup to however the existing tests obtain a PackageItem
    PackageItem packageItem = trustifyResponseHandler.handleResponse(response);

    List<Issue> issuesWithScoreOnly = packageItem.issues();
    Issue issueWithScoreOnly = issuesWithScoreOnly.get(0);

    // base_score has only a numeric score and no severity; severity should be derived from the score
    assertEquals(7.2f, issueWithScoreOnly.getCvssScore());
    assertEquals(Severity.HIGH, issueWithScoreOnly.getSeverity());
  }
        {
          "identifier": "CVE-2024-1597",

```

The new test assumes there is a `trustifyResponseHandler.handleResponse(String)` (or similar) method that returns a `PackageItem`, consistent with how `packageItem` is created in the existing tests. To integrate this test correctly, you should:

1. Replace `trustifyResponseHandler.handleResponse(response)` with the exact helper or setup logic used in the other tests in this class to obtain `packageItem` from the JSON response.
2. Ensure the JSON structure (particularly the `packages` and `issues` linkage) matches what the existing tests expect. If the existing tests use a slightly different envelope (e.g., different top-level keys or nesting), adjust the JSON in the new test to mirror that structure while keeping `base_score` with only a `score` field and no `severity`.
3. If the class uses a different naming convention for the handler or `PackageItem`, adjust the types and variable names accordingly.
</issue_to_address>

### Comment 2
<location path="src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java" line_range="699" />
<code_context>

     Issue issue = issues.get(0);
-    assertEquals("manual", issue.getSource());
+    assertEquals("unknown", issue.getSource());
   }

</code_context>
<issue_to_address>
**suggestion (testing):** Consider a dedicated test for purl_status entries without an advisory to exercise getSource’s DEFAULT_SOURCE path explicitly

Since `getSource` now derives the source from `advisory.issuer.name` with a fallback to "unknown", this test only covers the `issuer == null` case when an advisory is present. Please also add a test where `purl_status` has no `advisory` at all to cover the `advisory == null` branch and verify it still returns "unknown" without throwing.

Suggested implementation:

```java
import io.github.guacsec.trustifyda.api.PackageRef;
import io.github.guacsec.trustifyda.api.v5.Issue;
import io.github.guacsec.trustifyda.api.v5.RemediationCategory;
import io.github.guacsec.trustifyda.api.v5.Severity;
import io.github.guacsec.trustifyda.integration.Constants;
import io.github.guacsec.trustifyda.integration.providers.trustify.ubi.UBIRecommendation;

  @Test
  void testIssueSourceIsUnknownWhenAdvisoryIsMissing() {
    // Response containing a purl_status entry without an advisory block to
    // exercise the getSource DEFAULT_SOURCE ("unknown") path.
    String responseWithoutAdvisory = """
{
  "purl_status": [
    {
      "purl": "pkg:maven/org.example/foo@1.0.0",
      "status": "vulnerable"
    }
  ]
}
""";

    List<Issue> issues = TrustifyResponseHandler.responseToIssues(responseWithoutAdvisory);

    assertEquals(1, issues.size());

    Issue issue = issues.get(0);
    assertEquals("unknown", issue.getSource());
  }

  private static Stream<String> testResponseToIssuesWithValidData() {
    return Stream.of(

```

Depending on the existing code in `TrustifyResponseHandlerTest` and `TrustifyResponseHandler`, you may need to:

1. Ensure the following imports are present at the top of the file (if they are not already):
   - `import java.util.List;`
   - `import org.junit.jupiter.api.Test;`
2. Adjust the call `TrustifyResponseHandler.responseToIssues(responseWithoutAdvisory);` if your handler uses a different factory/utility method or signature (for example `fromResponse`, `toIssues`, or an instance method).
3. If your Trustify JSON structure requires additional mandatory fields beyond `purl` and `status`, extend the `responseWithoutAdvisory` JSON fixture accordingly while keeping the `advisory` field absent for this test case.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Issue issue = issues.get(0);

// Should prioritize V4 based on SCORE_TYPE_ORDER
// v3 provides pre-computed base_score

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (testing): Consider adding a test where base_score has a score but no severity to verify score-based severity fallback

The updated setCvssData falls back to SeverityUtils.fromScore when base_score.severity is missing or unparsable, but there’s no test for a base_score that has only a numeric score and no severity field. Please add a test (e.g., a variant of testResponseToIssuesWithMultipleScoreTypes) using such input to verify that severity is correctly derived from the score when Trustify omits severity.

Suggested implementation:

    List<Issue> issues = packageItem.issues();
    Issue issue = issues.get(0);

    // v3 provides pre-computed base_score
    assertEquals(7.2f, issue.getCvssScore());
    assertEquals(Severity.HIGH, issue.getSeverity());
  }

  @Test
  void testBaseScoreSeverityFallbackWhenSeverityMissing() throws Exception {
    String response = """
    {
      "vulnerabilities": [{
        "identifier": "CVE-2024-1597",
        "title": "Test CVE",
        "scores": {
          "cvss_v3": {
            "version": "3.1",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "base_score": {
              "score": 7.2
            }
          }
        }
      }],
      "packages": [{
        "purl": "pkg:maven/org.example/foo@1.0.0",
        "issues": [{
          "identifier": "CVE-2024-1597"
        }]
      }],
      "warnings": []
    }
    """;

    // Adapt this setup to however the existing tests obtain a PackageItem
    PackageItem packageItem = trustifyResponseHandler.handleResponse(response);

    List<Issue> issuesWithScoreOnly = packageItem.issues();
    Issue issueWithScoreOnly = issuesWithScoreOnly.get(0);

    // base_score has only a numeric score and no severity; severity should be derived from the score
    assertEquals(7.2f, issueWithScoreOnly.getCvssScore());
    assertEquals(Severity.HIGH, issueWithScoreOnly.getSeverity());
  }
        {
          "identifier": "CVE-2024-1597",

The new test assumes there is a trustifyResponseHandler.handleResponse(String) (or similar) method that returns a PackageItem, consistent with how packageItem is created in the existing tests. To integrate this test correctly, you should:

  1. Replace trustifyResponseHandler.handleResponse(response) with the exact helper or setup logic used in the other tests in this class to obtain packageItem from the JSON response.
  2. Ensure the JSON structure (particularly the packages and issues linkage) matches what the existing tests expect. If the existing tests use a slightly different envelope (e.g., different top-level keys or nesting), adjust the JSON in the new test to mirror that structure while keeping base_score with only a score field and no severity.
  3. If the class uses a different naming convention for the handler or PackageItem, adjust the types and variable names accordingly.


Issue issue = issues.get(0);
assertEquals("manual", issue.getSource());
assertEquals("unknown", issue.getSource());

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (testing): Consider a dedicated test for purl_status entries without an advisory to exercise getSource’s DEFAULT_SOURCE path explicitly

Since getSource now derives the source from advisory.issuer.name with a fallback to "unknown", this test only covers the issuer == null case when an advisory is present. Please also add a test where purl_status has no advisory at all to cover the advisory == null branch and verify it still returns "unknown" without throwing.

Suggested implementation:

import io.github.guacsec.trustifyda.api.PackageRef;
import io.github.guacsec.trustifyda.api.v5.Issue;
import io.github.guacsec.trustifyda.api.v5.RemediationCategory;
import io.github.guacsec.trustifyda.api.v5.Severity;
import io.github.guacsec.trustifyda.integration.Constants;
import io.github.guacsec.trustifyda.integration.providers.trustify.ubi.UBIRecommendation;

  @Test
  void testIssueSourceIsUnknownWhenAdvisoryIsMissing() {
    // Response containing a purl_status entry without an advisory block to
    // exercise the getSource DEFAULT_SOURCE ("unknown") path.
    String responseWithoutAdvisory = """
{
  "purl_status": [
    {
      "purl": "pkg:maven/org.example/foo@1.0.0",
      "status": "vulnerable"
    }
  ]
}
""";

    List<Issue> issues = TrustifyResponseHandler.responseToIssues(responseWithoutAdvisory);

    assertEquals(1, issues.size());

    Issue issue = issues.get(0);
    assertEquals("unknown", issue.getSource());
  }

  private static Stream<String> testResponseToIssuesWithValidData() {
    return Stream.of(

Depending on the existing code in TrustifyResponseHandlerTest and TrustifyResponseHandler, you may need to:

  1. Ensure the following imports are present at the top of the file (if they are not already):
    • import java.util.List;
    • import org.junit.jupiter.api.Test;
  2. Adjust the call TrustifyResponseHandler.responseToIssues(responseWithoutAdvisory); if your handler uses a different factory/utility method or signature (for example fromResponse, toIssues, or an instance method).
  3. If your Trustify JSON structure requires additional mandatory fields beyond purl and status, extend the responseWithoutAdvisory JSON fixture accordingly while keeping the advisory field absent for this test case.

@codecov-commenter

codecov-commenter commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 80.39216% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.67%. Comparing base (f0ee562) to head (0203577).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...on/providers/trustify/TrustifyResponseHandler.java 82.35% 0 Missing and 15 partials ⚠️
...integration/providers/ProviderResponseHandler.java 16.66% 0 Missing and 5 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##               main     #638      +/-   ##
============================================
- Coverage     56.86%   56.67%   -0.20%     
- Complexity      823      836      +13     
============================================
  Files            94       92       -2     
  Lines          4815     4863      +48     
  Branches        624      655      +31     
============================================
+ Hits           2738     2756      +18     
- Misses         1802     1814      +12     
- Partials        275      293      +18     
Flag Coverage Δ
integration-tests 56.67% <80.39%> (-0.20%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...thub/guacsec/trustifyda/integration/Constants.java 100.00% <ø> (ø)
.../providers/trustify/RecommendationAggregation.java 84.53% <100.00%> (+0.66%) ⬆️
...ntegration/registry/RegistryEnrichmentService.java 78.26% <100.00%> (+0.98%) ⬆️
...integration/providers/ProviderResponseHandler.java 68.42% <16.66%> (-0.55%) ⬇️
...on/providers/trustify/TrustifyResponseHandler.java 86.01% <82.35%> (-5.81%) ⬇️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ruromero ruromero force-pushed the TC-4522 branch 4 times, most recently from 57e5ce8 to 0f446ab Compare June 30, 2026 10:59
@ruromero

ruromero commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

Verification Report for TC-4522 (commit a007ebb)

Check Result Details
Review Feedback PASS 5 suggestions from sourcery-ai[bot], no code change requests
Root-Cause Investigation N/A No sub-tasks created — nothing to investigate
Scope Containment WARN 10 out-of-scope files changed, 3 task-specified files not modified (Vulnerability.java, AbstractAnalysisTest.java, AnalysisTest.java)
Diff Size WARN 2,380 lines across 15 files (task specified 8); reasonable for v2→v3 migration
Commit Traceability PASS All 5 commits reference TC-4522
Sensitive Patterns PASS No secrets, credentials, or sensitive patterns detected
CI Status PASS Integration Tests (11m45s) and commitlint (18s) both pass
Acceptance Criteria PASS All 8 acceptance criteria satisfied
Test Quality PASS Repetitive: PASS (9 tests share boilerplate but assert distinct logic), Documentation: PASS (0/26 tests have comments, matching baseline), Eval Quality: N/A
Test Change Classification ADDITIVE +10 new test methods, +44 assertions, 0 removed, 0 disabled
Verification Commands PASS CI passes, implicitly verifying mvn spotless:apply and mvn verify

Overall: WARN

Two warnings to note:

  • Scope Containment: PR touches 10 files not listed in the task specification (pom.xml, ProviderResponseHandler, RecommendationAggregation, RegistryEnrichmentService, main.js, and their tests/fixtures). Three task-specified files (Vulnerability.java, AbstractAnalysisTest.java, AnalysisTest.java) were not modified — likely scope was refined during implementation.
  • Diff Size: 2,380 lines across 15 files exceeds the 8 files specified in the task, but is consistent with the scope of a v2→v3 API migration including fixture updates.

No blocking issues found. All acceptance criteria are met and CI passes.


This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0.

@ruromero ruromero requested a review from a-oren July 1, 2026 06:21

@a-oren a-oren left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, just deleting two files that are no longer in use.

Comment on lines -47 to -48
import io.github.guacsec.trustifyda.model.trustify.AdvisoryScore;
import io.github.guacsec.trustifyda.model.trustify.ScoreType;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AdvisoryScore.java and ScoreType.java are no longer imported or used anywhere in the codebase after this PR, delete both files

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — both files deleted in afb0649.

@ruromero ruromero requested a review from a-oren July 2, 2026 09:52

@a-oren a-oren left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ruromero and others added 7 commits July 6, 2026 09:20
Cover untested code paths in setCvssData, getSource, and toIssues:
fallback to purlStatus scores, full version range fields, remediation
URL, unknown remediation category, missing/blank advisory source,
score-based severity derivation, and CVE deduplication logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…stedContent

RecommendationAggregation and RegistryEnrichmentService were overwriting
the Remediation object when adding trustedContent, destroying any upstream
fixedIn/versionRanges/remediations data from Trustify v3. Now merges onto
the existing Remediation instead. Also updates the remediation counter in
ProviderResponseHandler to count upstream-only remediations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When highInclusive is true, the high version is still affected — it
should not appear in fixedIn. Read highInclusive before deciding
whether to populate the fixed version list.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TC-4522

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants