fix: only care about ecosystem suffix if present in both ecosystems when determining equality

[G-Rath]

This changes how we compare ecosystems so that the suffix is only considered when it is present for both ecosystems being compared, since we can't reliably extract that.

Resolves #769

[G-Rath]

the fact that the offline output has vulnerabilities whereas the online one doesn't indicates there's a potential bug in the api's Alpine comparator 🤔

[another-rex]

Yes there is a bug in alpine version enumeration, just fixed this week in: google/osv.dev#2241 but not in production yet.

[G-Rath]

Cool - I'd seen a few of those go around this/last week, so figured it might have been known 😅

[codecov-commenter]

Codecov Report

❌ Patch coverage is 75.00000% with 3 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@46aee59). Learn more about missing BASE report.
⚠️ Report is 1137 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/utility/vulns/vulnerability.go	75.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1007   +/-   ##
=======================================
  Coverage        ?   65.30%           
=======================================
  Files           ?      150           
  Lines           ?    12535           
  Branches        ?        0           
=======================================
  Hits            ?     8186           
  Misses          ?     3884           
  Partials        ?      465           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[another-rex]

LGTM, thanks!. Going to wait till the next OSV.dev release (with the alpine enumeration fix) before merging this, so we'll have the correct snapshots.

[G-Rath]

Turns out we're not accurately sorting the table output at least for local - I'll tackle that somewhere...

[hogo6002]

LGTM

[G-Rath]

I cannot for the life of me replicate that sorting difference locally 😕

[hogo6002]

I cannot for the life of me replicate that sorting difference locally 😕

I tried running update_snaps for this branch locally, and it did change the order, but it's still a little different from the Ubuntu results.

[G-Rath]

Yeah, it seems that every couple of hours the order changes - I'm not sure if its coinciding with something on the osv.dev side like work being landed or if it's just some clock-shift based randomness, but it seems to be "hours" based rather than "seconds" based...

[hogo6002]

Yeah, it seems that every couple of hours the order changes - I'm not sure if its coinciding with something on the osv.dev side like work being landed or if it's just some clock-shift based randomness, but it seems to be "hours" based rather than "seconds" based...

Yeah I see what you mean. I just tested again and the result shows different.

[hogo6002]

I had a look with @michaelkedar on this issue. We noticed that the result changes after the exporter cron job publishes a new all.zip. We think this is because the exporter runs in parallel (google/osv.dev#2167), which may cause the order to be slightly different each time. To solve this, I guess we need to either sort the all.zip on the OSV.dev side or order all vulnerabilities alphabetically on the OSV-Scanner side. What do you think @another-rex

[G-Rath]

oohh good find - fwiw locally I've been playing around with sorting the table rows within packages by their url though that got blocked by it being an interface{}; I've not gotten back to it yet so might be an easy fix

[another-rex]

Hmm... is this behaviour new? All.zip is built concurrently, but that has always been the case if I understand correctly.

[hogo6002]

Hmm... is this behaviour new? All.zip is built concurrently, but that has always been the case if I understand correctly.

I don't think this is a new behaviour. Even though all.zip is built concurrently, the files are usually modified in alphabetical order, just a few are out of place. That's probably why most of our tests are passing. But this PR has a bunch of vulnerabilities with adjacency IDs (like 9840, 9841, 9842, and 9843), which is probably why it's failing. But I am not 100% sure if this is the issue as the modified order doesn't really align with the scanner output order.

[another-rex]

I think this just needs a flag change in the test to match the new download-offline-db flag and should be good to merge.