From bb89ec7517622f9abf3163c6877ddd5242b3cb18 Mon Sep 17 00:00:00 2001
From: Patrik Segedy <psegedy@redhat.com>
Date: Tue, 21 May 2024 14:45:48 +0200
Subject: [PATCH] fix(csaf): products for package names built from the same
 source

RHINENG-9890
---
 vmaas/cache.go           |  5 +++--
 vmaas/load.go            | 13 +++++++++++++
 vmaas/vulnerabilities.go | 26 +++++++++++++++++---------
 3 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/vmaas/cache.go b/vmaas/cache.go
index c46b7bd..41db348 100644
--- a/vmaas/cache.go
+++ b/vmaas/cache.go
@@ -25,8 +25,9 @@ type Cache struct {
 
 	ArchCompat map[ArchID]map[ArchID]bool
 
-	PackageDetails map[PkgID]PackageDetail
-	Nevra2PkgID    map[Nevra]PkgID
+	PackageDetails    map[PkgID]PackageDetail
+	Nevra2PkgID       map[Nevra]PkgID
+	NameID2SrcNameIDs map[NameID]map[NameID]struct{}
 
 	RepoIDs            []RepoID
 	RepoDetails        map[RepoID]RepoDetail
diff --git a/vmaas/load.go b/vmaas/load.go
index 5082230..8569039 100644
--- a/vmaas/load.go
+++ b/vmaas/load.go
@@ -330,6 +330,7 @@ func loadPkgDetails(c *Cache) {
 	id2pkdDetail := make(map[PkgID]PackageDetail, cnt)
 	nevra2id := make(map[Nevra]PkgID, cnt)
 	srcPkgID2PkgID := make(map[PkgID][]PkgID, cntSrc)
+	nameID2SrcNameIDs := make(map[NameID]map[NameID]struct{})
 	var pkgID PkgID
 	for rows.Next() {
 		var det PackageDetail
@@ -347,6 +348,16 @@ func loadPkgDetails(c *Cache) {
 			continue
 		}
 
+		var srcNameID NameID
+		row := sqlDB.QueryRow("SELECT name_id FROM package_detail WHERE id = ?", *det.SrcPkgID)
+		if err := row.Scan(&srcNameID); err != nil {
+			panic(err)
+		}
+		if _, ok := nameID2SrcNameIDs[det.NameID]; !ok {
+			nameID2SrcNameIDs[det.NameID] = make(map[NameID]struct{})
+		}
+		nameID2SrcNameIDs[det.NameID][srcNameID] = struct{}{}
+
 		_, ok := srcPkgID2PkgID[*det.SrcPkgID]
 		if !ok {
 			srcPkgID2PkgID[*det.SrcPkgID] = []PkgID{}
@@ -354,10 +365,12 @@ func loadPkgDetails(c *Cache) {
 
 		srcPkgID2PkgID[*det.SrcPkgID] = append(srcPkgID2PkgID[*det.SrcPkgID], pkgID)
 	}
+
 	// FIXME: build ModifiedID index (probably not needed for vulnerabilities/updates)
 	c.PackageDetails = id2pkdDetail
 	c.Nevra2PkgID = nevra2id
 	c.SrcPkgID2PkgID = srcPkgID2PkgID
+	c.NameID2SrcNameIDs = nameID2SrcNameIDs
 }
 
 func loadRepoDetails(c *Cache) { //nolint: funlen
diff --git a/vmaas/vulnerabilities.go b/vmaas/vulnerabilities.go
index e918780..f393638 100644
--- a/vmaas/vulnerabilities.go
+++ b/vmaas/vulnerabilities.go
@@ -389,19 +389,27 @@ func repos2cpes(c *Cache, repoIDs []RepoID) []CpeID {
 	return res
 }
 
+func productsWithCVEs(c *Cache, cpe CpeID, nameID NameID, modules []ModuleStream) []CSAFProduct {
+	products := make([]CSAFProduct, 0, len(modules)+1)
+	product := CSAFProduct{CpeID: cpe, PackageNameID: nameID, ModuleStream: ModuleStream{}}
+	if _, ok := c.CSAFCVEs[product]; ok {
+		products = append(products, product)
+	}
+	for _, ms := range modules {
+		product = CSAFProduct{CpeID: cpe, PackageNameID: nameID, ModuleStream: ms}
+		if _, ok := c.CSAFCVEs[product]; ok {
+			products = append(products, product)
+		}
+	}
+	return products
+}
+
 func cpes2products(c *Cache, cpes []CpeID, nameID NameID, modules []ModuleStream, pkg NevraString) ProductsPackage {
 	products := make([]CSAFProduct, 0, len(cpes)*(len(modules)+1))
 	for _, cpe := range cpes {
 		// create unfixed products for every CPE, unfixed product has PackageID=0
-		product := CSAFProduct{CpeID: cpe, PackageNameID: nameID, ModuleStream: ModuleStream{}}
-		if _, ok := c.CSAFCVEs[product]; ok {
-			products = append(products, product)
-		}
-		for _, ms := range modules {
-			product = CSAFProduct{CpeID: cpe, PackageNameID: nameID, ModuleStream: ms}
-			if _, ok := c.CSAFCVEs[product]; ok {
-				products = append(products, product)
-			}
+		for srcNameID := range c.NameID2SrcNameIDs[nameID] {
+			products = append(products, productsWithCVEs(c, cpe, srcNameID, modules)...)
 		}
 	}
 	pp := ProductsPackage{}