RedHatInsights · psegedy · Jul 2, 2024 · Jul 2, 2024 · Jul 2, 2024
diff --git a/vmaas/types.go b/vmaas/types.go
@@ -116,6 +116,7 @@ type AffectedPackage struct {
 	Name string   `json:"package_name"`
 	EVRA string   `json:"evra"`
 	Cpe  CpeLabel `json:"cpe"`
+	ModuleStreamPtrs
 }
 
 type Vulnerabilities struct {

diff --git a/vmaas/vulnerabilities.go b/vmaas/vulnerabilities.go
@@ -142,7 +142,7 @@ func evaluate(c *Cache, opts *options, request *Request) (*VulnerabilitiesCvesDe
 				if _, inUnpatchedCves := cves.UnpatchedCves[cve]; inUnpatchedCves {
 					continue
 				}
-				updateCves(cves.Cves, cve, Package{String: pkg}, []string{update.Erratum}, "")
+				updateCves(cves.Cves, cve, Package{String: pkg}, []string{update.Erratum}, "", nil)
 			}
 		}
 	}
@@ -175,14 +175,19 @@ func evaluate(c *Cache, opts *options, request *Request) (*VulnerabilitiesCvesDe
 func evaluateUnpatchedCves(c *Cache, products []ProductsPackage, cves *VulnerabilitiesCvesDetails) {
 	for _, pp := range products {
 		for _, product := range pp.ProductsUnfixed {
+			module := product.ModuleStream
 			cn := CpeIDNameID{CpeID: product.CpeID, NameID: product.PackageNameID}
 			csafCves := c.CSAFCVEs[cn][product]
 			for _, cveID := range csafCves.Unfixed {
 				cve := c.CveNames[int(cveID)]
 				cpe := c.CpeID2Label[product.CpeID]
 				if _, ok := cves.UnpatchedCves[cve]; !ok {
 					// show only CVE hit for the first package
-					updateCves(cves.UnpatchedCves, cve, pp.Package, nil, cpe)
+					if module.Module != "" {
+						updateCves(cves.UnpatchedCves, cve, pp.Package, nil, cpe, &module)
+					} else {
+						updateCves(cves.UnpatchedCves, cve, pp.Package, nil, cpe, nil)
+					}
 				}
 			}
 		}
@@ -213,7 +218,7 @@ func evaluateManualCves(c *Cache, products []ProductsPackage, cves *Vulnerabilit
 						CSAFProductID: c.CSAFProduct2ID[product],
 					}]
 
-					updateCves(cves.ManualCves, cve, pp.Package, []string{erratum}, cpe)
+					updateCves(cves.ManualCves, cve, pp.Package, []string{erratum}, cpe, nil)
 				}
 			}
 		}
@@ -225,7 +230,8 @@ func (d *ProcessedDefinition) evaluate(
 	dst map[string]VulnerabilityDetail,
 ) {
 	for _, p := range d.Packages {
-		if evaluateCriteria(c, d.CriteriaID, p.NameID, p.Nevra, modules) {
+		resultContext := map[string]interface{}{}
+		if evaluateCriteria(c, d.CriteriaID, p.NameID, p.Nevra, modules, resultContext) {
 			for _, cve := range cvesOval {
 				_, inCves := cves.Cves[cve]
 				_, inUnpatchedCves := cves.UnpatchedCves[cve]
@@ -237,7 +243,12 @@ func (d *ProcessedDefinition) evaluate(
 				for _, erratumID := range c.OvalDefinitionID2ErrataIDs[d.DefinitionID] {
 					errataNames = append(errataNames, c.ErratumID2Name[erratumID])
 				}
-				updateCves(dst, cve, p, errataNames, d.Cpe)
+				if data, has := resultContext["module"]; has {
+					module := data.(ModuleStream)
+					updateCves(dst, cve, p, errataNames, d.Cpe, &module)
+				} else {
+					updateCves(dst, cve, p, errataNames, d.Cpe, nil)
+				}
 			}
 		}
 	}
@@ -548,7 +559,7 @@ func repos2definitions(c *Cache, r *ProcessedRequest) map[DefinitionID]CpeID {
 }
 
 func evaluateCriteria(c *Cache, criteriaID CriteriaID, pkgNameID NameID, nevra utils.Nevra,
-	modules map[string]string,
+	modules map[string]string, resultContext map[string]interface{},
 ) bool {
 	moduleTestDeps := c.OvalCriteriaID2DepModuleTestIDs[criteriaID]
 	testDeps := c.OvalCriteriaID2DepTestIDs[criteriaID]
@@ -576,6 +587,7 @@ func evaluateCriteria(c *Cache, criteriaID CriteriaID, pkgNameID NameID, nevra u
 		}
 		if evaluateModuleTest(c, m, modules) {
 			matches++
+			resultContext["module"] = c.OvalModuleTestDetail[m].ModuleStream
 		} else if mustMatch { // AND
 			break
 		}
@@ -596,7 +608,7 @@ func evaluateCriteria(c *Cache, criteriaID CriteriaID, pkgNameID NameID, nevra u
 		if matches >= requiredMatches {
 			break
 		}
-		if evaluateCriteria(c, cr, pkgNameID, nevra, modules) {
+		if evaluateCriteria(c, cr, pkgNameID, nevra, modules, resultContext) {
 			matches++
 		} else if mustMatch { // AND
 			break
@@ -669,7 +681,9 @@ func evaluateTest(c *Cache, testID TestID, pkgNameID NameID, nevra utils.Nevra)
 	return matched
 }
 
-func updateCves(cves map[string]VulnerabilityDetail, cve string, pkg Package, errata []string, cpe CpeLabel) {
+func updateCves(cves map[string]VulnerabilityDetail, cve string, pkg Package, errata []string, cpe CpeLabel,
+	module *ModuleStream,
+) {
 	if _, has := cves[cve]; !has {
 		cveDetail := VulnerabilityDetail{
 			CVE:      cve,
@@ -685,6 +699,10 @@ func updateCves(cves map[string]VulnerabilityDetail, cve string, pkg Package, er
 				EVRA: pkg.EVRAStringE(true),
 				Cpe:  cpe,
 			}}
+			if module != nil {
+				cveDetail.Affected[0].ModuleStreamPtrs.Module = &module.Module
+				cveDetail.Affected[0].ModuleStreamPtrs.Stream = &module.Stream
+			}
 		}
 		cves[cve] = cveDetail
 		return
@@ -696,11 +714,16 @@ func updateCves(cves map[string]VulnerabilityDetail, cve string, pkg Package, er
 		vulnDetail.Errata[erratum] = true
 	}
 	if len(cpe) > 0 {
-		vulnDetail.Affected = append(vulnDetail.Affected, AffectedPackage{
+		affectedPackage := AffectedPackage{
 			Name: pkg.Name,
 			EVRA: pkg.EVRAStringE(true),
 			Cpe:  cpe,
-		})
+		}
+		if module != nil {
+			affectedPackage.ModuleStreamPtrs.Module = &module.Module
+			affectedPackage.ModuleStreamPtrs.Stream = &module.Stream
+		}
+		vulnDetail.Affected = append(vulnDetail.Affected, affectedPackage)
 	}
 	cves[cve] = vulnDetail
 }