Improve VulnerabilityMatcher (#783)

* Improve VulnerabilityMatcher

Author: ArBridgeman

doc/changes/unreleased.md

@@ -1,3 +1,7 @@
 # Unreleased
 
 ## Summary
+
+## Features
+
+* #777: Improved VulnerabilityMatcher to handle packages with multiple vulnerabilities

exasol/toolbox/util/dependencies/track_vulnerabilities.py

@@ -1,3 +1,4 @@
+from collections import defaultdict
 from inspect import cleandoc
 
 from pydantic import (
@@ -10,12 +11,11 @@
 
 class VulnerabilityMatcher:
     def __init__(self, current_vulnerabilities: list[Vulnerability]):
-        # Dict of current vulnerabilities:
-        # * keys: package names
-        # * values: set of each vulnerability's references
-        self._references = {
-            v.package.name: set(v.references) for v in current_vulnerabilities
-        }
+        # Dictionary mapping package names to a unified set of all active
+        # vulnerability references (IDs, CVEs, aliases) for that package.
+        self._references = defaultdict(set)
+        for v in current_vulnerabilities:
+            self._references[v.package.name].update(v.references)
 
     def is_resolved(self, vuln: Vulnerability) -> bool:
         """
@@ -34,8 +34,8 @@ def is_resolved(self, vuln: Vulnerability) -> bool:
         vulnerability.
         """
         refs = set(vuln.references)
-        current = self._references.get(vuln.package.name, set())
-        return not refs.intersection(current)
+        current_refs = self._references.get(vuln.package.name, set())
+        return refs.isdisjoint(current_refs)
 
 
 class DependenciesAudit(BaseModel):

test/unit/util/dependencies/track_vulnerabilities_test.py

@@ -39,7 +39,7 @@ def test_changed_id_not_resolved(
         self, sample_vulnerability, flipped_id_vulnerability
     ):
         """
-        Simulate a vulnerability to be still present, but it's ID having
+        Simulate a vulnerability to be still present, but its ID having
         changed over time.
 
         The test verifies that the vulnerability (using the original ID) is
@@ -56,6 +56,34 @@ def test_resolved(self, sample_vulnerability):
         matcher = VulnerabilityMatcher(current_vulnerabilities=[])
         assert matcher.is_resolved(vuln)
 
+    def test_no_resolution_same_package(self):
+        """
+        Scenario: 'cryptography' has two vulnerabilities.
+        One is resolved (removed from the current list), the other remains.
+        """
+        pkg_data = {"name": "cryptography", "version": "46.0.6"}
+
+        vuln_1 = Vulnerability(
+            package=pkg_data,
+            id="GHSA-m959-cc7f-wv43",
+            aliases=["CVE-2026-34073"],
+            fix_versions=["46.0.6"],
+            description="Dummy description",
+        )
+
+        vuln_2 = Vulnerability(
+            package=pkg_data,
+            id="GHSA-p423-j2cm-9vmq",
+            aliases=["CVE-2026-39892"],
+            fix_versions=["46.0.7"],
+            description="Dummy description",
+        )
+
+        matcher = VulnerabilityMatcher(current_vulnerabilities=[vuln_1, vuln_2])
+
+        assert matcher.is_resolved(vuln_1) is False
+        assert matcher.is_resolved(vuln_2) is False
+
 
 class TestDependenciesAudit:
     def test_no_vulnerabilities_for_previous_and_current(self):