fix: handle multiple ranges + add link

Author: danielroe

app/components/Package/VulnerabilityTree.vue

@@ -158,13 +158,14 @@ function getDepthStyle(depth: string | undefined) {
                   {{ vuln.id }}
                 </a>
                 <span class="truncate w-0 flex-1">{{ vuln.summary }}</span>
-                <span
+                <NuxtLink
                   v-if="vuln.fixedIn"
-                  class="shrink-0 font-mono text-emerald-600 dark:text-emerald-400"
+                  :to="packageRoute(pkg.name, vuln.fixedIn)"
+                  class="shrink-0 font-mono text-emerald-600 dark:text-emerald-400 hover:underline"
                   :title="$t('package.vulnerabilities.fixed_in_title', { version: vuln.fixedIn })"
                 >
                   → {{ vuln.fixedIn }}
-                </span>
+                </NuxtLink>
               </li>
               <li
                 v-if="pkg.vulnerabilities.length > 2 && !showAllVulnerabilities"

server/utils/dependency-analysis.ts

@@ -149,30 +149,41 @@ function getVulnerabilityUrl(vuln: OsvVulnerability): string {
 }
 
 /**
- * Check if a version falls within an OSV range (between introduced and fixed).
- * OSV ranges use events: introduced starts vulnerability, fixed ends it.
+ * Parse OSV range events into introduced/fixed pairs.
+ * OSV events form a timeline: [introduced, fixed, introduced, fixed, ...]
+ * A single range can have multiple introduced/fixed pairs representing
+ * periods where the vulnerability was active, was fixed, and was reintroduced.
+ * @see https://ossf.github.io/osv-schema/#affectedrangesevents-fields
  */
-function isVersionInRange(version: string, range: OsvRange): boolean {
-  const introduced = range.events.find(e => e.introduced)?.introduced
-  const fixed = range.events.find(e => e.fixed)?.fixed
-
-  if (!introduced) return false
-
-  // Handle "0" as "0.0.0" for semver comparison
-  const introVersion = introduced === '0' ? '0.0.0' : introduced
+function parseRangeIntervals(range: OsvRange): Array<{ introduced: string; fixed?: string }> {
+  const intervals: Array<{ introduced: string; fixed?: string }> = []
+  let currentIntroduced: string | undefined
+
+  for (const event of range.events) {
+    if (event.introduced !== undefined) {
+      // Start a new interval (close previous open one if any)
+      if (currentIntroduced !== undefined) {
+        intervals.push({ introduced: currentIntroduced })
+      }
+      currentIntroduced = event.introduced
+    } else if (event.fixed !== undefined && currentIntroduced !== undefined) {
+      intervals.push({ introduced: currentIntroduced, fixed: event.fixed })
+      currentIntroduced = undefined
+    }
+  }
 
-  try {
-    // Version must be >= introduced AND < fixed (if fixed exists)
-    return semver.gte(version, introVersion) && (!fixed || semver.lt(version, fixed))
-  } catch {
-    // If semver parsing fails, skip this range
-    return false
+  // Handle trailing introduced with no fixed (still vulnerable)
+  if (currentIntroduced !== undefined) {
+    intervals.push({ introduced: currentIntroduced })
   }
+
+  return intervals
 }
 
 /**
  * Extract the fixed version for a specific package version from vulnerability data.
- * Finds the range that contains the current version and returns its fixed version.
+ * Finds the interval that contains the current version and returns its fixed version
+ * Finds the interval that contains the current version and returns its fixed version.
  * @see https://ossf.github.io/osv-schema/#affectedrangesevents-fields
  */
 function getFixedVersion(
@@ -187,18 +198,26 @@ function getFixedVersion(
     a => a.package.ecosystem === 'npm' && a.package.name === packageName,
   )
 
-  // Check each entry's ranges to find one that contains the current version
+  // Check each entry's ranges to find the interval that contains the current version
   for (const entry of packageAffectedEntries) {
     if (!entry.ranges) continue
 
     for (const range of entry.ranges) {
       // Only handle SEMVER ranges (most common for npm)
       if (range.type !== 'SEMVER') continue
 
-      if (isVersionInRange(currentVersion, range)) {
-        // Found the matching range - return its fixed version
-        const fixedEvent = range.events.find(e => e.fixed)
-        if (fixedEvent?.fixed) return fixedEvent.fixed
+      const intervals = parseRangeIntervals(range)
+      for (const interval of intervals) {
+        const introVersion = interval.introduced === '0' ? '0.0.0' : interval.introduced
+        try {
+          const afterIntro = semver.gte(currentVersion, introVersion)
+          const beforeFixed = !interval.fixed || semver.lt(currentVersion, interval.fixed)
+          if (afterIntro && beforeFixed && interval.fixed) {
+            return interval.fixed
+          }
+        } catch {
+          continue
+        }
       }
     }
   }

test/unit/server/utils/dependency-analysis.spec.ts

@@ -721,6 +721,68 @@ describe('dependency-analysis', () => {
       expect(result.vulnerablePackages[0]?.vulnerabilities[0]?.fixedIn).toBe('16.0.11')
     })
 
+    it('handles multiple introduced/fixed pairs in a single range', async () => {
+      const mockResolved = new Map([
+        [
+          'example@1.5.0',
+          {
+            name: 'example',
+            version: '1.5.0',
+            size: 1000,
+            optional: false,
+            depth: 'root' as const,
+            path: ['example@1.5.0'],
+          },
+        ],
+      ])
+      vi.mocked(resolveDependencyTree).mockResolvedValue(mockResolved)
+
+      // Single range with multiple introduced/fixed pairs (reintroduced vulnerability)
+      // Range: 0-0.2.1, 1.0.0-1.2.3, 1.4.0-1.6.0
+      // Version 1.5.0 should match the third interval (1.4.0-1.6.0)
+      mockOsvApi(
+        [{ vulns: [{ id: 'GHSA-multi-range', modified: '2024-01-01' }] }],
+        new Map([
+          [
+            'example@1.5.0',
+            {
+              vulns: [
+                {
+                  id: 'GHSA-multi-range',
+                  summary: 'Multi-range vulnerability',
+                  database_specific: { severity: 'HIGH' },
+                  affected: [
+                    {
+                      package: { ecosystem: 'npm', name: 'example' },
+                      ranges: [
+                        {
+                          type: 'SEMVER',
+                          events: [
+                            { introduced: '0' },
+                            { fixed: '0.2.1' },
+                            { introduced: '1.0.0' },
+                            { fixed: '1.2.3' },
+                            { introduced: '1.4.0' },
+                            { fixed: '1.6.0' },
+                          ],
+                        },
+                      ],
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+        ]),
+      )
+
+      const result = await analyzeDependencyTree('example', '1.5.0')
+
+      expect(result.vulnerablePackages).toHaveLength(1)
+      // Should match the third interval and return its fixed version
+      expect(result.vulnerablePackages[0]?.vulnerabilities[0]?.fixedIn).toBe('1.6.0')
+    })
+
     it('returns undefined fixedIn when no matching range has a fixed version', async () => {
       const mockResolved = new Map([
         [