Merge pull request #114 from luhring/noisy-git-diff

Don't modify file advisories if no new vulnerability matches apply to the package
wolfi-dev · Mar 27, 2023 · 625e8a4 · 625e8a4
2 parents 463a174 + 5ef616d
commit 625e8a4
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/pkg/advisory/advisory.go b/pkg/advisory/advisory.go
@@ -153,6 +153,10 @@ func Discover(options DiscoverOptions) error {
 			return build.Advisories{}, configs.ErrSkip
 		}
 
+		// Keep track of whether we'll need to add advisories for new matches. If not,
+		// we won't touch the file.
+		anyNewMatches := false
+
 		//nolint:gocritic // rangeValCopy rule not worth it here
 		for _, m := range matchesForPackage {
 			if !m.CPE.VersionRange.Includes(cfg.Package.Version) {
@@ -169,6 +173,7 @@ func Discover(options DiscoverOptions) error {
 				continue
 			}
 
+			anyNewMatches = true
 			log.Printf("found new potential vulnerability for package %q: %s", cfg.Package.Name, vulnID)
 
 			ts := time.Now()
@@ -180,6 +185,10 @@ func Discover(options DiscoverOptions) error {
 			cfg.Advisories[vulnID] = append(cfg.Advisories[vulnID], ac)
 		}
 
+		if !anyNewMatches {
+			return build.Advisories{}, configs.ErrSkip
+		}
+
 		return cfg.Advisories, nil
 	})
 	if err != nil {