enable further deduplication by filtering out SNYK based IDs where po…

…ssible (#930)

packages/repocop/src/evaluation/repository.test.ts

@@ -21,6 +21,7 @@ import {
 	hasDependencyTracking,
 	hasOldAlerts,
 	snykAlertToRepocopVulnerability,
+	snykVulnIdFilter,
 } from './repository';
 
 function evaluateRepoTestHelper(
@@ -973,3 +974,23 @@ describe('Deduplication of repocop vulnerabilities', () => {
 		expect(actual.length).toStrictEqual(2);
 	});
 });
+
+describe('NO RULE - Snyk vulnerability ID filter', () => {
+	test('Should not remove any IDs if no CVE id is present', () => {
+		const ids = ['SNYK-1234', 'SNYK-1235'];
+		const actual = snykVulnIdFilter(ids);
+		expect(actual).toStrictEqual(ids);
+	});
+
+	test('Should remove vulnerability IDs that start with Snyk, if a CVE id is present', () => {
+		const ids = ['SNYK-1234', 'CVE-1234'];
+		const actual = snykVulnIdFilter(ids);
+		expect(actual).toStrictEqual(['CVE-1234']);
+	});
+
+	test('Should return the original list if only CVEs are present', () => {
+		const ids = ['CVE-1234', 'CVE-1235'];
+		const actual = snykVulnIdFilter(ids);
+		expect(actual).toStrictEqual(ids);
+	});
+});

packages/repocop/src/evaluation/repository.ts

@@ -428,6 +428,15 @@ export function dependabotAlertToRepocopVulnerability(
 	};
 }
 
+export function snykVulnIdFilter(ids: string[]): string[] {
+	const hasCvePrefixedIssue = !!ids.find((cve) => cve.startsWith('CVE-'));
+	if (hasCvePrefixedIssue) {
+		return ids.filter((cve) => cve.startsWith('CVE-'));
+	} else {
+		return ids;
+	}
+}
+
 export function snykAlertToRepocopVulnerability(
 	fullName: string,
 	issue: SnykIssue,
@@ -460,7 +469,7 @@ export function snykAlertToRepocopVulnerability(
 		ecosystem: ecosystem ?? 'unknown ecosystem',
 		alert_issue_date: new Date(issue.attributes.created_at),
 		is_patchable: isPatchable,
-		cves: issue.attributes.problems.map((p) => p.id),
+		cves: snykVulnIdFilter(issue.attributes.problems.map((p) => p.id)),
 	};
 }