Question: Inconsistent CPE handling across FilterUnfixed / PatchStatus / FormatFixedStatus #2455
### Question

When using `--ignore-unfixed`, CPE-based vulnerabilities appear to be handled differently across three related functions in `models/vulninfos.go`. Is this intentional?

### Observed behavior

| Function | CPE entry handling | Line |
|---|---|---|
| `FilterUnfixed()` | `return true` — includes CPE entries (treats as "not confirmed fixed") | L72-76 |
| `PatchStatus()` | `return ""` — returns empty string (unknown status) | L732-735 |
| `FormatFixedStatus()` | `continue` — skips CPE entries entirely | L193-195 |

The comment at L73 explains the rationale well:

```go
// Report cves detected by CPE because Vuls can't know 'fixed' or 'unfixed'
```

### Potential inconsistency

When `--ignore-unfixed` is enabled:

- `FilterUnfixed` includes CPE entries in the results (safe-side behavior — makes sense)
- But `FormatFixedStatus` skips CPE entries when building the summary → summary total count < actual CVE count displayed
- `PatchStatus` returns `""` for CPE entries → patch status column shows blank in TUI/Slack/table output

This means a user could see, for example, "3/5 fixed" in the summary but 7 CVEs listed in the detail (the extra 2 being CPE-detected with no fix status).

### Test coverage note

- `TestVulnInfo_PatchStatus` covers the CPE case (expects `""`)
- `TestVulnInfos_FilterUnfixed` does not include any CPE test cases
- `FormatFixedStatus` has no dedicated test

### Question

Is the current behavior intentional? If not, I'm happy to submit a PR to align the three functions — either:

- (A) Include CPE entries in `FormatFixedStatus` with an "unknown" status, or
- (B) Add a comment documenting the intentional divergence + add CPE test cases to `FilterUnfixed`

Thank you for maintaining this excellent tool!
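To make the divergence concrete, the following is an added, stand-alone Go model of the three behaviours the issue attributes to `models/vulninfos.go`. It is not Vuls' code: the `VulnInfo` struct, the `DetectionMethod` field, the `FixedCounts` helper, the `FormatFixedStatusWithUnknown` variant (option A) and the constructed sample set with placeholder `CVE-EXAMPLE-*` IDs are all assumptions made for illustration. It reproduces the "3/5 fixed but 7 listed" shape from the report and shows what option A would print instead.

```go
package main

import "fmt"

// Hypothetical model of the behaviour described in the issue; not Vuls' code.
// DetectionMethod records how a CVE was attributed to the host.
type DetectionMethod int

const (
	ByPackage DetectionMethod = iota // version comparison against package data
	ByCPE                            // CPE match: fix information is unavailable
)

// VulnInfo is a minimal stand-in for one detected CVE (assumed shape).
type VulnInfo struct {
	CveID        string
	Detected     DetectionMethod
	FixedVersion string // for ByPackage: "" means no fix is available yet
}

// VulnInfos is keyed by CVE ID, like the map the issue's functions iterate.
type VulnInfos map[string]VulnInfo

// FilterUnfixed models --ignore-unfixed: drop CVEs known to be unfixed, but keep
// CPE-detected ones because their fix status cannot be known (safe side).
func (v VulnInfos) FilterUnfixed() VulnInfos {
	out := VulnInfos{}
	for id, vi := range v {
		if vi.Detected == ByCPE || vi.FixedVersion != "" {
			out[id] = vi
		}
	}
	return out
}

// PatchStatus returns "fixed", "unfixed", or "" when unknown (CPE entries).
func (vi VulnInfo) PatchStatus() string {
	switch {
	case vi.Detected == ByCPE:
		return ""
	case vi.FixedVersion != "":
		return "fixed"
	default:
		return "unfixed"
	}
}

// FixedCounts mirrors the current FormatFixedStatus loop: CPE entries are skipped,
// so they appear in neither numerator nor denominator; skipped is returned so the
// caller can see how many listed CVEs the summary silently omits.
func (v VulnInfos) FixedCounts() (fixed, total, skipped int) {
	for _, vi := range v {
		if vi.Detected == ByCPE {
			skipped++
			continue
		}
		total++
		if vi.PatchStatus() == "fixed" {
			fixed++
		}
	}
	return fixed, total, skipped
}

// FormatFixedStatus renders the summary as the issue describes it today.
func (v VulnInfos) FormatFixedStatus() string {
	fixed, total, _ := v.FixedCounts()
	return fmt.Sprintf("%d/%d fixed", fixed, total)
}

// FormatFixedStatusWithUnknown is option (A): CPE entries are counted in the
// denominator and surfaced as "unknown", so the summary covers every listed CVE.
func (v VulnInfos) FormatFixedStatusWithUnknown() string {
	fixed, total, unknown := v.FixedCounts()
	return fmt.Sprintf("%d/%d fixed, %d unknown", fixed, total+unknown, unknown)
}

// sampleVulnInfos is a constructed data set: five package-detected CVEs (three
// with a fix, two without) and two CPE-detected CVEs. IDs are placeholders.
func sampleVulnInfos() VulnInfos {
	return VulnInfos{
		"CVE-EXAMPLE-1": {CveID: "CVE-EXAMPLE-1", Detected: ByPackage, FixedVersion: "1.0.1"},
		"CVE-EXAMPLE-2": {CveID: "CVE-EXAMPLE-2", Detected: ByPackage, FixedVersion: "2.3.0"},
		"CVE-EXAMPLE-3": {CveID: "CVE-EXAMPLE-3", Detected: ByPackage, FixedVersion: "0.9.8"},
		"CVE-EXAMPLE-4": {CveID: "CVE-EXAMPLE-4", Detected: ByPackage},
		"CVE-EXAMPLE-5": {CveID: "CVE-EXAMPLE-5", Detected: ByPackage},
		"CVE-EXAMPLE-6": {CveID: "CVE-EXAMPLE-6", Detected: ByCPE},
		"CVE-EXAMPLE-7": {CveID: "CVE-EXAMPLE-7", Detected: ByCPE},
	}
}

func main() {
	all := sampleVulnInfos()
	fmt.Printf("unfiltered: %d listed, summary %q\n", len(all), all.FormatFixedStatus())
	filtered := all.FilterUnfixed()
	fmt.Printf("--ignore-unfixed: %d listed, summary %q, option A %q\n",
		len(filtered), filtered.FormatFixedStatus(), filtered.FormatFixedStatusWithUnknown())
	for id, vi := range filtered {
		fmt.Printf("  %s status=%q\n", id, vi.PatchStatus()) // CPE rows print ""
	}
}
```

Running it with `go run` shows the unfiltered set summarised as "3/5 fixed" while 7 CVEs are listed, and after filtering "3/3 fixed" against 5 listed rows, two of which carry a blank status; only the per-CVE line order varies between runs because of Go's randomised map iteration.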