Vulnerabilities are now loaded from the vulnDB

app/controllers/Statistics.scala

@@ -164,17 +164,24 @@ class Statistics @Inject() (
         val relevantReports = selection.result
         val vulns = relevantReports.vulnerableDependencies.flatMap(dep => dep.vulnerabilities.map(vuln => (vuln, dep))).groupBy(_._1.name).mapValues{case vulnsWithDeps =>
           val (vulnSeq, depSeq) = vulnsWithDeps.unzip
-          val Seq(vuln) = vulnSeq.toSet.toSeq // Will fail when there are more different descriptions for one vulnerability…
+          //val Seq(vuln) = vulnSeq.toSet.toSeq // Will fail when there are more different descriptions for one vulnerability… TODO: load from database instead
-          vuln -> depSeq.toSet
+          /*vuln -> */depSeq.toSet
         }// .map(identity) // The .map(identity) materializes lazily mapped Map (because .mapValues is lazy). I am, however, unsure if this is a good idea. Probably not.
-        vulns.get(name).fold(Future.successful(Ok(views.html.statistics.vulnerabilityNotFound(
+        vulns.get(name).fold{
-          name = name,
+          for{
-          projectsWithSelection = selection.projectsWithSelection
+            vulnOption <- odcService.getVulnerabilityDetails(name)
-        )))){ case (vuln, vulnerableDependencies) =>
+          } yield Ok(views.html.statistics.vulnerabilityNotFound( // TODO: the not found page might be replaced by some page explaining that there is no project affected by that vulnerability
+            name = name,
+            projectsWithSelection = selection.projectsWithSelection
+          ))
+        }{ vulnerableDependencies =>
           for {
+            vulnOption <- odcService.getVulnerabilityDetails(name)
             plainLibs <- librariesService.byPlainLibraryIdentifiers(vulnerableDependencies.flatMap(_.plainLibraryIdentifiers)).map(_.keySet)
             ticketOption <- vulnerabilityNotificationService.issueTrackerExport.ticketForVulnerability(name)
-          } yield Ok(views.html.statistics.vulnerability(
+          } yield vulnOption.fold{
+            sys.error("The vulnerability is not in the database, you seem to have outdated the local vulnerability database") // TODO: consider fallback or more friendly error message
+          }{vuln => Ok(views.html.statistics.vulnerability(
             vulnerability = vuln,
             affectedProjects = vulnerableDependencies.flatMap(dep => dep.projects.map(proj => (proj, dep))).groupBy(_._1).mapValues(_.map(_._2)),
             vulnerableDependencies = vulnerableDependencies,
@@ -184,7 +191,7 @@ class Statistics @Inject() (
               ticket <- ticketOption
               issueTrackerService <- issueTrackerServiceOption
             } yield ticket -> issueTrackerService.ticketLink(ticket)
-          ))
+          ))}
         }
 
       }

app/services/OdcService.scala

@@ -8,7 +8,7 @@ import _root_.org.owasp.dependencycheck.dependency.VulnerableSoftware
 import _root_.org.owasp.dependencycheck.utils.{DependencyVersion, DependencyVersionUtil, Settings}
 import com.github.nscala_time.time.Imports._
 import com.google.inject.Inject
-import models.odc.OdcProperty
+import models.odc.{Vulnerabilities, OdcProperty}
 import models.odc.tables._
 import play.api.db.slick.{DatabaseConfigProvider, HasDatabaseConfigProvider}
 import play.db.NamedDatabase
@@ -29,20 +29,27 @@ class OdcService @Inject()(@NamedDatabase("odc") protected val dbConfigProvider:
 
   def getReferences(id: Int): Future[Seq[com.ysoft.odc.Reference]] = db.run(references.filter(_.cveId === id).map(_.base).result)
 
-  def getVulnerabilityDetails(id: Int): Future[Option[com.ysoft.odc.Vulnerability]] = {
+  def getVulnerabilityDetails(id: Int): Future[Option[com.ysoft.odc.Vulnerability]] = getVulnerabilityDetails(_.id === id)
-    for {
+
-      bareVulnOption <- db.run(vulnerabilities.filter(_.id === id).map(_.base).result).map(_.headOption)
+  def getVulnerabilityDetails(name: String): Future[Option[com.ysoft.odc.Vulnerability]] = getVulnerabilityDetails(_.cve === name)
-      vulnerableSoftware <- getVulnerableSoftware(id)
+
-      references <- getReferences(id)
+  def getVulnerabilityDetails(cond: Vulnerabilities => Rep[Boolean]): Future[Option[com.ysoft.odc.Vulnerability]] = {
-    } yield bareVulnOption.map{bareVuln =>
+    db.run(vulnerabilities.filter(cond).result).map(_.headOption) flatMap { bareVulnOption =>
-      com.ysoft.odc.Vulnerability(
+      bareVulnOption.fold[Future[Option[com.ysoft.odc.Vulnerability]]](Future.successful(None)) { case (id, bareVuln) =>
-        name = bareVuln.cve,
+        for {
-        cweOption = bareVuln.cweOption,
+          vulnerableSoftware <- getVulnerableSoftware(id)
-        cvss = bareVuln.cvss,
+          references <- getReferences(id)
-        description = bareVuln.description,
+        } yield Some(
-        vulnerableSoftware = vulnerableSoftware,
+          com.ysoft.odc.Vulnerability(
-        references = references
+            name = bareVuln.cve,
-      )
+            cweOption = bareVuln.cweOption,
+            cvss = bareVuln.cvss,
+            description = bareVuln.description,
+            vulnerableSoftware = vulnerableSoftware,
+            references = references
+          )
+        )
+      }
     }
   }