Fix and optimized patched CVE sort to exclude duplicates

Author: lightswitch05

sonar-project.properties

@@ -6,6 +6,6 @@ sonar.sources=./src
 sonar.tests=./tests/unit
 #sonar.php.tests.reportPath=./tests/_output/test-results.xml
 sonar.php.coverage.reportPaths=./tests/_output/coverage.xml
-sonar.verbose=true
+#sonar.verbose=true
 sonar.scm.revision=${env.GITHUB_SHA}
 sonar.buildString=${env.GITHUB_SHA}

src/PhpRelease.php

@@ -15,8 +15,11 @@ private function __construct(private PhpVersion $version, private ?string $relea
     {
     }
 
-    public static function fromReleaseDescription(PhpVersion $version, ?string $releaseDate, ?string $releaseDescription): PhpRelease
-    {
+    public static function fromReleaseDescription(
+        PhpVersion $version,
+        ?string $releaseDate,
+        ?string $releaseDescription
+    ): PhpRelease {
         $release = new self($version, $releaseDate);
         if (!empty($releaseDescription) && preg_match_all('#CVE-\d+-\d+#i', $releaseDescription, $cveMatches)) {
             foreach ($cveMatches[0] as $match) {
@@ -42,10 +45,17 @@ public static function sort(array $releases): array
 
     private function addPatchedCveIds(CveId $cveId): void
     {
-        if (!in_array($cveId, $this->patchedCveIds, true)) {
-            $this->patchedCveIds[] = $cveId;
-            $this->patchedCveIds = CveId::sort($this->patchedCveIds);
+        for ($i = 0; $i < sizeof($this->patchedCveIds); $i++) {
+            $comparison = $this->patchedCveIds[$i]->compareTo($cveId);
+            if ($comparison === 0) {
+                return;
+            }
+            if ($comparison > 0) {
+                array_splice($this->patchedCveIds, $i, 0, [$cveId]);
+                return;
+            }
         }
+        $this->patchedCveIds[] = $cveId;
     }
 
     public function getVersion(): PhpVersion
@@ -66,7 +76,7 @@ public function getPatchedCveIds(): array
         return $this->patchedCveIds;
     }
 
-    
+
     public function jsonSerialize(): array
     {
         return [

tests/unit/PhpReleaseTest.php

@@ -28,14 +28,16 @@ public function testItParsesASimpleString()
 
     public function testItParsesMultipleCves()
     {
-        $release = PhpRelease::fromReleaseDescription(self::$PHP_VERSION, self::$PHP_RELEASE_DATE, "CVE-2019-1234 CVE-2018-1234");
+        $release = PhpRelease::fromReleaseDescription(self::$PHP_VERSION, self::$PHP_RELEASE_DATE, "CVE-2019-1234 CVE-2017-1234 CVE-2018-1234 CVE-2020-1234 CVE-2020-1234");
         $this->assertNotEmpty($release);
         $this->assertNotEmpty($release->getPatchedCveIds());
         $this->assertEquals(json_encode([
             'releaseDate' => self::$PHP_RELEASE_DATE,
             'patchedCves' => [
+                'CVE-2017-1234',
                 'CVE-2018-1234',
-                'CVE-2019-1234'
+                'CVE-2019-1234',
+                'CVE-2020-1234'
             ]
         ]), json_encode($release));
     }
@@ -57,4 +59,18 @@ public function testItSorts()
         $this->assertEquals((string) $smallest->getVersion(), (string) $sorted[0]->getVersion());
         $this->assertEquals((string) $largest->getVersion(), (string) $sorted[1]->getVersion());
     }
+
+    public function testItRemovesDuplicateCves()
+    {
+        $release = PhpRelease::fromReleaseDescription(self::$PHP_VERSION, self::$PHP_RELEASE_DATE, "CVE-2023-1234 CVE-2018-1234 CVE-2023-1234 CVE-2018-1234");
+        $this->assertNotEmpty($release);
+        $this->assertNotEmpty($release->getPatchedCveIds());
+        $this->assertEquals(json_encode([
+            'releaseDate' => self::$PHP_RELEASE_DATE,
+            'patchedCves' => [
+                'CVE-2018-1234',
+                'CVE-2023-1234',
+            ]
+        ]), json_encode($release));
+    }
 }