vulnerability_package.rb

# frozen_string_literal: true

require "vers"

module Git
  module Pkgs
    module Models
      class VulnerabilityPackage < Sequel::Model
        many_to_one :vulnerability, key: :vulnerability_id

        dataset_module do
          def for_package(ecosystem, name)
            where(ecosystem: ecosystem, package_name: name)
          end
        end

        def affects_version?(version)
          return false if affected_versions.nil? || affected_versions.empty?
          return false if version.nil? || version.empty?

          # Convert OSV ecosystem to purl type for Vers
          bib_ecosystem = Ecosystems.from_osv(ecosystem) || ecosystem.downcase
          purl_type = Ecosystems.to_purl(bib_ecosystem) || bib_ecosystem

          # Handle || separator (OR conditions between different ranges)
          # Each part separated by || is an independent range (OR)
          # Within each part, space-separated constraints are AND conditions
          affected_versions.split(" || ").any? do |range_part|
            range_matches?(version, range_part, purl_type)
          end
        rescue ArgumentError, Vers::Error
          # If we can't parse the version or range, be conservative and assume affected
          true
        end

        def range_matches?(version, range_part, purl_type)
          # Extract individual constraints (e.g., ">=7.1.0 <7.1.3.1" -> [">=7.1.0", "<7.1.3.1"])
          constraints = range_part.scan(/[<>=!~^]+[^\s]+/)
          return false if constraints.empty?

          # All constraints must be satisfied (AND logic)
          constraints.all? do |constraint|
            Vers.satisfies?(version, constraint, purl_type)
          end
        end

        def fixed_versions_list
          return [] if fixed_versions.nil? || fixed_versions.empty?

          fixed_versions.split(",").map(&:strip)
        end

        def purl
          Models::Package.generate_purl(ecosystem, package_name)
        end
      end
    end
  end
end