added vulnerability by severity metric

AvrAlexandra · AvrAlexandra · commit 3c96b835e38c · 2025-05-31T00:21:43.000+03:00
diff --git a/src/commands/history-metrics/metrics-command.ts b/src/commands/history-metrics/metrics-command.ts
@@ -3,7 +3,8 @@ import path from 'path'
 import {Command} from 'commander'
 import {
   GrowthPatternMetric,
-  VersionChangeMetric
+  VersionChangeMetric,
+  VulnerabilityFixBySeverityMetric
 } from './metrics-generator';
 import {
   generateGrowthPatternChartData,
@@ -32,12 +33,12 @@ export interface MetricOptions {
   inputFiles: string[];
 }
 
-type MetricType = 'growth-pattern' | 'version-changes';
+type MetricType = 'growth-pattern' | 'version-changes' | 'vulnerability-fixes-by-severity';
 
 interface MetricConfig {
-  processor: (data: any) => any;
+  processor: (data: any, libraryInfo?: any) => any;
   requiredPrefixes: string[];
-  chartGenerator: (results: any, options: MetricOptions) => { data: any[]; layout: any }[];
+  chartGenerator?: (results: any, options: MetricOptions) => { data: any[]; layout: any }[];
 }
 
 const metricsRegistry: Record<MetricType, MetricConfig> = {
@@ -50,6 +51,10 @@ const metricsRegistry: Record<MetricType, MetricConfig> = {
     processor: VersionChangeMetric,
     requiredPrefixes: ['dependency-history'],
     chartGenerator: generateVersionChangeChartData
+  },
+  'vulnerability-fixes-by-severity': {
+    processor: VulnerabilityFixBySeverityMetric,
+    requiredPrefixes: ['commit-dependency-history', 'library-info']
   }
 };
 
@@ -72,44 +77,59 @@ export async function runMetrics(historyFolder: string, options: MetricOptions):
     return;
   }
 
-  const validInputFiles = options.inputFiles.filter(file =>
-    config.requiredPrefixes.some(prefix => file.startsWith(prefix))
+  const inputBase = path.join(historyFolder, options.inputDir || '');
+  const outputBase = path.join(historyFolder, options.results);
+  fs.mkdirSync(outputBase, { recursive: true });
+
+  let libraryInfo: any = undefined;
+  const libraryInfoFile = options.inputFiles.find(file => file.startsWith('library-info'));
+
+  if (libraryInfoFile) {
+    const libCandidates = [
+      path.join(inputBase, libraryInfoFile),
+      path.join(inputBase, `${libraryInfoFile}.json`)
+    ];
+    const libPath = libCandidates.find(p => fs.existsSync(p));
+    if (libPath) {
+      const libContent = fs.readFileSync(libPath, 'utf-8');
+      libraryInfo = JSON.parse(libContent);
+    } else {
+      console.warn(`⚠️ Specified library-info file not found for: ${libraryInfoFile}`);
+    }
+  }
+
+  const mainDataFile = options.inputFiles.find(file =>
+    config.requiredPrefixes.some(prefix => file.startsWith(prefix) && prefix !== 'library-info')
   );
 
-  if (!validInputFiles.length) {
-    console.warn(`⚠️ No input files match the required prefixes: ${config.requiredPrefixes.join(', ')}`);
+  if (!mainDataFile) {
+    console.warn(`⚠️ No valid main data file found. Expected prefix: ${config.requiredPrefixes.join(', ')}`);
     return;
   }
 
-  const inputBase = path.join(historyFolder, options.inputDir || '');
-  const outputBase = path.join(historyFolder, options.results);
-  fs.mkdirSync(outputBase, { recursive: true });
+  const fileName = mainDataFile.endsWith('.json') ? mainDataFile : `${mainDataFile}.json`;
+  const filePath = path.join(inputBase, fileName);
 
-  for (const relativeName of validInputFiles) {
-    const fileName = relativeName.endsWith('.json') ? relativeName : `${relativeName}.json`;
-    const filePath = path.join(inputBase, fileName);
-
-    if (!fs.existsSync(filePath)) {
-      console.warn(`⚠️ File not found: ${filePath}`);
-      continue;
-    }
+  if (!fs.existsSync(filePath)) {
+    console.warn(`⚠️ File not found: ${filePath}`);
+    return;
+  }
 
-    const fileContents = fs.readFileSync(filePath, 'utf-8');
-    const data = JSON.parse(fileContents);
-    const results = config.processor(data);
+  const fileContents = fs.readFileSync(filePath, 'utf-8');
+  const data = JSON.parse(fileContents);
+  const results = config.processor(data, libraryInfo);
 
-    const outputFile = path.join(outputBase, `${path.parse(fileName).name}-${metricType}-metric.json`);
-    fs.writeFileSync(outputFile, JSON.stringify(results, null, 2));
+  const outputFile = path.join(outputBase, `${metricType}-metric.json`);
+  fs.writeFileSync(outputFile, JSON.stringify(results, null, 2));
 
-    if (options.chart) {
-      const chartConfigs = config.chartGenerator(results, options);
-      if (chartConfigs?.length) {
-        await generateHtmlChart(outputFile, chartConfigs);
-      } else {
-        console.warn(`⚠️ No chart data generated for metric '${metricType}'.`);
-      }
+  if (options.chart && config.chartGenerator) {
+    const chartConfigs = config.chartGenerator(results, options);
+    if (chartConfigs?.length) {
+      await generateHtmlChart(outputFile, chartConfigs);
+    } else {
+      console.warn(`⚠️ No chart data generated for metric '${metricType}'.`);
     }
-
-    console.log(`✅ Metric calculated for ${filePath} and chart generated (if requested).`);
   }
+
+  console.log(`✅ Metric calculated for ${filePath} and chart generated (if requested).`);
 }
diff --git a/src/commands/history-metrics/metrics-generator.ts b/src/commands/history-metrics/metrics-generator.ts
@@ -1,4 +1,5 @@
 import semver from "semver/preload";
+import { LibraryInfo } from "../../extension-points/registrar";
 
 export function GrowthPatternMetric(data: CommitDependencyHistory): any {
   const summary: Record<string, any> = {};
@@ -78,3 +79,52 @@ export function VersionChangeMetric(dependencies: Record<string, { history: any[
 
   return results;
 }
+
+export function VulnerabilityFixBySeverityMetric(
+  commitHistory: CommitDependencyHistory,
+  libraryInfoMap: Record<string, { plugin: string; info: LibraryInfo }>
+): Record<string, Record<string, number>> {
+  const timeline: Record<string, Record<string, number>> = {};
+
+  for (const [, commitEntry] of Object.entries(commitHistory)) {
+    if (!commitEntry || !Array.isArray(commitEntry.history)) continue;
+    const historyArray = commitEntry.history;
+
+    for (const entry of historyArray) {
+      if (
+        entry.action !== 'MODIFIED' ||
+        !entry.fromVersion ||
+        !entry.toVersion ||
+        !entry.date ||
+        !entry.depinderDependencyName
+      ) continue;
+
+      const libKey = Object.keys(libraryInfoMap).find(k => k.endsWith(`:${entry.depinderDependencyName}`));
+      if (!libKey) continue;
+
+      const libInfo = libraryInfoMap[libKey];
+      const libVulnerabilities = libInfo?.info?.vulnerabilities || [];
+
+      const month = entry.date.slice(0, 7);
+
+      for (const vuln of libVulnerabilities) {
+        if (!vuln.vulnerableRange || !vuln.severity) continue;
+        const cleanRange = vuln.vulnerableRange.replace(/,/g, ' ').trim();
+
+        const wasVulnerable =
+          semver.valid(entry.fromVersion) && semver.satisfies(entry.fromVersion, cleanRange);
+        const stillVulnerable =
+          semver.valid(entry.toVersion) && semver.satisfies(entry.toVersion, cleanRange);
+        const isFixed = wasVulnerable && !stillVulnerable;
+
+        if (isFixed) {
+          if (!timeline[month]) timeline[month] = {};
+          if (!timeline[month][vuln.severity]) timeline[month][vuln.severity] = 0;
+          timeline[month][vuln.severity]++;
+        }
+      }
+    }
+  }
+
+  return timeline;
+}
