fix: CVE notifications during scan + help chat doc loading + Dockerfile (#55)

2026-03-30 13:10:56 +00:00
parent 49d5cd4e0a
commit 23cf37b6c3
11 changed files with 247 additions and 60 deletions
@@ -315,20 +315,67 @@ impl PipelineOrchestrator {
                .await?;
        }

-        // Persist CVE alerts (upsert by cve_id + repo_id)
-        for alert in &cve_alerts {
-            let filter = doc! {
-                "cve_id": &alert.cve_id,
-                "repo_id": &alert.repo_id,
-            };
-            let update = mongodb::bson::to_document(alert)
-                .map(|d| doc! { "$set": d })
-                .unwrap_or_else(|_| doc! {});
-            self.db
-                .cve_alerts()
-                .update_one(filter, update)
-                .upsert(true)
-                .await?;
+        // Persist CVE alerts and create notifications
+        {
+            use compliance_core::models::notification::{parse_severity, CveNotification};
+
+            let repo_name = repo.name.clone();
+            let mut new_notif_count = 0u32;
+
+            for alert in &cve_alerts {
+                // Upsert the alert
+                let filter = doc! {
+                    "cve_id": &alert.cve_id,
+                    "repo_id": &alert.repo_id,
+                };
+                let update = mongodb::bson::to_document(alert)
+                    .map(|d| doc! { "$set": d })
+                    .unwrap_or_else(|_| doc! {});
+                self.db
+                    .cve_alerts()
+                    .update_one(filter, update)
+                    .upsert(true)
+                    .await?;
+
+                // Create notification (dedup by cve_id + repo + package + version)
+                let notif_filter = doc! {
+                    "cve_id": &alert.cve_id,
+                    "repo_id": &alert.repo_id,
+                    "package_name": &alert.affected_package,
+                    "package_version": &alert.affected_version,
+                };
+                let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
+                let mut notification = CveNotification::new(
+                    alert.cve_id.clone(),
+                    repo_id.clone(),
+                    repo_name.clone(),
+                    alert.affected_package.clone(),
+                    alert.affected_version.clone(),
+                    severity,
+                );
+                notification.cvss_score = alert.cvss_score;
+                notification.summary = alert.summary.clone();
+                notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
+
+                let notif_update = doc! {
+                    "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
+                };
+                if let Ok(result) = self
+                    .db
+                    .cve_notifications()
+                    .update_one(notif_filter, notif_update)
+                    .upsert(true)
+                    .await
+                {
+                    if result.upserted_id.is_some() {
+                        new_notif_count += 1;
+                    }
+                }
+            }
+
+            if new_notif_count > 0 {
+                tracing::info!("[{repo_id}] Created {new_notif_count} CVE notification(s)");
+            }
        }

        // Stage 6: Issue Creation