feat: include all scores in PurlStatus

[Strum355]

UI needs the full list of scores to adopt /api/v3/vulnerability/analyze endpoint, which was included in the v2 version in the AnalysisAdvisory struct

Summary by Sourcery

Expose full CVSS score details for PurlStatus and propagate them through the vulnerability analysis pipeline and API.

New Features:

• Add a scores collection to PurlStatus to return all CVSS score entries alongside the aggregated average score via the API.

Enhancements:

• Compute PurlStatus averages from the underlying CVSS models while also retaining and returning the full list of individual scores per advisory.
• Adjust vulnerability service processing to pass through full CVSS score models rather than only pre-aggregated scores.
• Extend OpenAPI schema and tests to cover the new scores field in PurlStatus responses.

[sourcery-ai]

Reviewer's Guide

Extend PurlStatus to expose the full list of CVSS scores for each vulnerability, adjust the service layer to propagate raw CVSS models instead of only an aggregated score, and update tests and OpenAPI schema to reflect the new scores field.

Sequence diagram for propagation of all CVSS scores into PurlStatus

sequenceDiagram
    participant Client
    participant VulnerabilityService
    participant Cvss3Store
    participant PurlStatus

    Client->>VulnerabilityService: analyze_vulnerability()
    VulnerabilityService->>Cvss3Store: load_cvss3_scores()
    Cvss3Store-->>VulnerabilityService: Vec cvss3::Model

    VulnerabilityService->>VulnerabilityService: build cvss3_map(HashMap<(Uuid, String), Vec cvss3::Model>)

    loop for each advisory and purl status
        VulnerabilityService->>VulnerabilityService: lookup scores = cvss3_map[(advisory_id, vulnerability_id)]
        VulnerabilityService->>PurlStatus: from_head(vuln_head, status, version_range, cpe, &scores)
        activate PurlStatus
        PurlStatus->>PurlStatus: average_score = Cvss3Score::from_iter(scores.iter().map(Cvss3Base::from))
        PurlStatus->>PurlStatus: all_scores = scores.iter().cloned().filter_map(Score::try_from).collect()
        PurlStatus-->>VulnerabilityService: PurlStatus{average_severity, average_score, scores: all_scores, ...}
        deactivate PurlStatus
    end

    VulnerabilityService-->>Client: AnalysisDetails including Vec PurlStatus with scores[]

Loading

Class diagram for updated PurlStatus score handling

classDiagram
    class PurlStatus {
        +VulnerabilityHead vulnerability
        +Severity average_severity
        +f64 average_score
        +Vec~Score~ scores
        +String status
        +Option~StatusContext~ context
        +Option~VersionRange~ version_range
        +from_vulnerability(vuln, version_range, status, cpe, tx) Result~PurlStatus, Error~
        +from_head(vuln_head, status, version_range, cpe, scores) Result~PurlStatus, Error~
    }

    class Score {
        +f64 value
        +Severity severity
        +try_from(cvss3_model) Result~Score, Error~
    }

    class Cvss3Score {
        +f64 value()
        +Severity severity()
        +from_iter(iterator) Cvss3Score
    }

    class Cvss3Base {
        +from(cvss3_model) Cvss3Base
    }

    class Cvss3Model {
    }

    class VulnerabilityService {
        +build_analysis_details(...)
    }

    PurlStatus "1" --> "*" Score : has
    PurlStatus "1" --> "1" Cvss3Score : derives_average
    Cvss3Score "1" --> "*" Cvss3Base : aggregates
    Cvss3Base "1" --> "1" Cvss3Model : wraps
    VulnerabilityService --> PurlStatus : constructs
    VulnerabilityService --> Cvss3Model : uses
    Score "1" --> "1" Cvss3Model : try_from

Loading

File-Level Changes

Change	Details	Files
Expose full list of CVSS scores on PurlStatus and compute both aggregate and per-score data from cvss3 models.	Add a scores: Vec field to PurlStatus and include it in the OpenAPI schema as a required array of Score objects. Change PurlStatus::from_entity to build an average Cvss3Score from cvss3 entities while also collecting all convertible Score values into the new scores field. Refactor PurlStatus::from_head to accept a slice of cvss3::Model, compute the average Cvss3Score from it, and populate the scores field with converted Score values. Update construction of PurlStatus instances in VulnerabilityService to pass through all cvss3::Model items rather than a pre-aggregated score and adjust cvss3_map to store cvss3::Model instead of Cvss3Base.	modules/fundamental/src/purl/model/details/purl.rs modules/fundamental/src/vulnerability/service/mod.rs openapi.yaml
Align tests with the new scores field on PurlStatus.	Extend CSAF reingest tests to assert non-empty scores vectors with multiple Score entries where applicable. Update CSAF delete test to assert a single Score element in scores matching the average_score/average_severity. Update OSV reingest tests to assert an empty scores vector when no CVSS scores are present.	modules/fundamental/tests/advisory/csaf/reingest.rs modules/fundamental/tests/advisory/csaf/delete.rs modules/fundamental/tests/advisory/osv/reingest.rs

Possibly linked issues

• #N/A: PR adds a scores array to PurlStatus and plumbing so all advisory CVSS scores are returned as required.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• In VulnerabilityService, when populating cvss3_map, you can avoid the extra clone by inserting score directly into the HashMap if cvss3_scores isn’t reused later (i.e., replace let score_clone = score.clone(); ... .push(score_clone); with .push(score);).
• The construction of all_scores in PurlStatus::from_vulnerability/from_head clones the CVSS3 models and then try_froms them; consider adding a TryFrom<&cvss3::Model> implementation for Score so you can map over references and avoid cloning.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `VulnerabilityService`, when populating `cvss3_map`, you can avoid the extra clone by inserting `score` directly into the `HashMap` if `cvss3_scores` isn’t reused later (i.e., replace `let score_clone = score.clone(); ... .push(score_clone);` with `.push(score);`).
- The construction of `all_scores` in `PurlStatus::from_vulnerability`/`from_head` clones the CVSS3 models and then `try_from`s them; consider adding a `TryFrom<&cvss3::Model>` implementation for `Score` so you can map over references and avoid cloning.

## Individual Comments

### Comment 1
<location> `modules/fundamental/src/purl/model/details/purl.rs:340-344` </location>
<code_context>
         let cvss3 = vuln.find_related(cvss3::Entity).all(tx).await?;
-        let average_score = Score::from_iter(cvss3.iter().map(Cvss3Base::from));
+        let average_score = Cvss3Score::from_iter(cvss3.iter().map(Cvss3Base::from));
+        let all_scores = cvss3
+            .iter()
+            .cloned()
+            .filter_map(|cvss3| Score::try_from(cvss3).ok())
+            .collect();
+
         Ok(Self {
</code_context>

<issue_to_address>
**issue:** Consider whether silently dropping scores that fail `Score::try_from` is acceptable.

This `filter_map` will drop any CVSS3 values that fail `Score::try_from`, so `scores` may exclude items that contributed to `average_score`. If conversion failures are expected in real data, consider logging them or propagating an error instead of skipping them silently.
</issue_to_address>

### Comment 2
<location> `modules/fundamental/tests/advisory/csaf/reingest.rs:164-175` </location>
<code_context>
             },
             average_severity: Severity::Medium,
             average_score: 5.3f64,
+            scores: vec![
+                Score {
+                    severity: Severity::Medium,
+                    value: 5.3,
</code_context>

<issue_to_address>
**suggestion (testing):** Use distinct scores in the expectation to prove that all individual scores (not just count) are preserved

The new expectations only verify that `scores` contains multiple entries, not that distinct CVSS scores are preserved. Please make the entries differ (e.g., one V3.1 and one V2/V3.0, or with different `value`s) so the test would fail if only a single or averaged score were returned.

```suggestion
            scores: vec![
                Score {
                    severity: Severity::Medium,
                    value: 5.3,
                    r#type: ScoreType::V3_1,
                },
                Score {
                    severity: Severity::Medium,
                    value: 7.5,
                    r#type: ScoreType::V3_0,
                }
            ],
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue: Consider whether silently dropping scores that fail Score::try_from is acceptable.

This filter_map will drop any CVSS3 values that fail Score::try_from, so scores may exclude items that contributed to average_score. If conversion failures are expected in real data, consider logging them or propagating an error instead of skipping them silently.

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.27%. Comparing base (648d488) to head (24547af).

Files with missing lines	Patch %	Lines
modules/fundamental/src/purl/model/details/purl.rs	94.44%	0 Missing and 1 partial ⚠️
...les/fundamental/src/vulnerability/endpoints/mod.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2166      +/-   ##
==========================================
+ Coverage   68.24%   68.27%   +0.02%     
==========================================
  Files         376      376              
  Lines       21208    21221      +13     
  Branches    21208    21221      +13     
==========================================
+ Hits        14473    14488      +15     
+ Misses       5868     5862       -6     
- Partials      867      871       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ctron]

I know we're doing a bad job with this so far. But it would be good to improve in the future and document fields, so that it would also end up in the OpenAPI spec

[Strum355]

Updated the description. Made me notice that it feels a bit odd for the scores/severity to be in the PurlStatus type given that theres a 1:N from vuln->score, but no direct relationship between purl_status->score from what I saw in the seaorm schema

[carlosthe19916]

@Strum355 my apologies for the delayed review.
I tested this PR and it works fine. Just a minor thing to change: The current response of /api/v3/vulnerability/analyze has the following shape:

{
  "purl1": {
    details: [
      ...vulnerability fields here, // this not needed
      purl_statuses: [{
         vulnerability: {...vulnerability fields here},
         advisory: {},
         scores: []
      }]
    ]
  }
}

notice that the field purl.details contains a set of fields that belong to a Vulnerability, while at the same time the vulnerability fields are already present inside the purl_statuses field.

Could we clean up the duplicate vulnerability fields?

[Strum355]

notice that the field purl.details contains a set of fields that belong to a Vulnerability, while at the same time the vulnerability fields are already present inside the purl_statuses field.

Could we clean up the duplicate vulnerability fields?

Thanks for the feedback! I had noticed the duplication as well, but Im not sure on which side we want to remove it from. While I am leaning towards removing it from

trustify/modules/fundamental/src/vulnerability/model/analyze.rs

Lines 18 to 20 in 53e6492

	pub struct AnalysisDetails {
	#[serde(flatten)]
	pub head: VulnerabilityHead,

, this does mean that each entry in purl_status will have the same values for vulnerability

[carlosthe19916]

this does mean that each entry in purl_status will have the same values for vulnerability

@Strum355 this wouldn't be a problem for the client side (UI). I'll let you take the final decision on regards of which side the fields should be removed from :)

[Strum355]

@Strum355 this wouldn't be a problem for the client side (UI). I'll let you take the final decision on regards of which side the fields should be removed from :)

@ctron @dejanb I opted to remove it from the top level AnalysisDetails, lmk if you feel strongly otherwise