Improve Quick fix

[5byuri]

No description provided.

[Copilot]

Pull request overview

This PR adds a prototype “quick fix” workflow under cmd/devguard-cli/test/ to fetch package metadata from registries (npm/crates) and attempt to validate whether updating a dependency chain results in a vulnerable package version being at/above a fixed version.

Changes:

• Add npm registry response type definitions for JSON unmarshalling.
• Add registry helper functions (npm/crates) and a quickfix CLI that walks a dependency chain.
• Add semver parsing/recommendation logic to select newer versions within the same major band.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 13 comments.

File	Description
cmd/devguard-cli/test/types.go	Introduces structs for npm registry JSON responses.
cmd/devguard-cli/test/quickfix.go	Implements the dependency-chain “quick fix” logic and a main() driver.
cmd/devguard-cli/test/package_manager_functions.go	Adds registry request helpers for npm/crates and a version existence check.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (21)

cmd/devguard-cli/test/quickfix.go:273

• The purls array is being mutated during iteration by assigning new versions to purls[i].Version. This modifies the input parameter, which could be unexpected behavior for callers. Consider either: (1) documenting this side effect clearly in a function comment, (2) creating a copy of the purls array at the beginning if the original should be preserved, or (3) returning the modified purls array as part of the function result to make the mutation explicit.

func checkVulnerabilityFixChain[T any](resolver Resolver[T], purls []packageurl.PackageURL, fixedVersion string) (string, error) {

	if len(purls) < 2 {
		return "", fmt.Errorf("purl array must contain at least 2 elements")
	}

	// Version format validation is delegated to each resolver
	// (semver for NPM, Debian version for Debian packages)

	for i := 0; i < len(purls)-1; i++ {
		pkgName := purls[i].Name
		currentVersion := purls[i].Version

		// fetch all version
		allVersionsMeta, err := resolver.FetchPackageMetadata(purls[i])
		if err != nil {
			return "", fmt.Errorf("failed to fetch all versions for %s: %w", pkgName, err)
		}

		var latestVersion string
		if i == 0 {
			versions, err := resolver.GetRecommendedVersions(allVersionsMeta, currentVersion)
			if err != nil {
				return "", fmt.Errorf("failed to get recommended versions for %s: %w", pkgName, err)
			}

			if len(versions) == 0 {
				return "", fmt.Errorf("no newer version available for %s@%s in the same major band", pkgName, currentVersion)
			}

			latestVersion = versions[0]
			if latestVersion == currentVersion {
				return "", fmt.Errorf("no new version available for %s (current: %s)", pkgName, currentVersion)
			}
		} else {
			// we are not resolving any ^ or ~, therefore we are only allowed to use the EXACT version specified in the previous package's dependencies
			latestVersion = currentVersion
		}
		purls[i].Version = latestVersion
		fmt.Printf("Found newer version for %s: %s to %s\n", pkgName, currentVersion, latestVersion)

		// Second: check latest version
		latestMeta, err := resolver.FetchPackageMetadata(purls[i])
		if err != nil {
			return "", fmt.Errorf("failed to fetch latest metadata for %s@%s: %w", pkgName, latestVersion, err)
		}

		nextPkgName := purls[i+1].Name

		// next version spec might not be an exact version, but could also be a range like ^15.0.0, ~15.4.0, >15.0.0, >=15.4.0, etc.
		nextVersionConstraint := resolver.FindDependencyVersionInMeta(latestMeta, nextPkgName)
		if nextVersionConstraint == "" {
			return "", fmt.Errorf("package %s not found in %s@%s dependencies", nextPkgName, pkgName, latestVersion)
		}

		fmt.Printf(" %s@%s requires %s: %s\n", pkgName, latestVersion, nextPkgName, nextVersionConstraint)

		// create a new purl - like we updated the purl in the next iteration
		// image A --> B
		// we updated A to A', now we check the new version of B
		// Important: copy qualifiers (arch, distro) from original PURL to preserve suite/arch info
		nextPURL := packageurl.PackageURL{
			Type:       purls[i+1].Type,
			Name:       purls[i+1].Name,
			Qualifiers: purls[i+1].Qualifiers,
			// we do not define version right here
			// since versionConstraint might be a range or a constraint, we want to fetch ALL versions of that package and then resolve the versionConstraint to a specific version using the resolver's ResolveBestVersion function
		}

		nextAllVersionsMeta, err := resolver.FetchPackageMetadata(nextPURL)
		if err != nil {
			return "", fmt.Errorf("failed to fetch all versions for %s: %w", nextPkgName, err)
		}

		nextBestVersion, err := resolver.ResolveBestVersion(nextAllVersionsMeta, nextVersionConstraint, purls[i+1].Version)
		if err != nil {
			return "", fmt.Errorf("failed to resolve version for %s with spec %s: %w", nextPkgName, nextVersionConstraint, err)
		}

		purls[i+1].Version = nextBestVersion
		fmt.Printf(" Resolved %s to version: %s\n", nextPkgName, nextBestVersion)
	}

cmd/devguard-cli/test/npm_resolver.go:227

• The HTTP request constructs URLs using string concatenation with package names that could contain special characters. While packageurl.PackageURL validates the format, there's no explicit URL encoding of the package name before concatenation. For scoped packages or packages with special characters, this could lead to malformed URLs. Use url.PathEscape() or construct the URL using url.URL with proper escaping to ensure robustness.

		req, err = httpClient.Get("https://registry.npmjs.org/" + pkg.Name + "/" + normalizedVersion)
	} else {
		req, err = httpClient.Get("https://registry.npmjs.org/" + pkg.Name)

cmd/devguard-cli/test/debian_resolver.go:249

• The GetRecommendedVersions function returns versions that are >= currentVersion but doesn't sort them. The function comment says it returns "newer versions" which implies they might be sorted, but there's no sorting applied. The caller in checkVulnerabilityFixChain expects the first element (versions[0]) to be the latest/best version, but this might not be the case if the versions aren't sorted. Either add sorting (descending) before returning, or document that the caller is responsible for sorting.

func (d *DebianResolver) GetRecommendedVersions(allVersionsMeta DebianResponse, currentVersion string) ([]string, error) {
	if len(allVersionsMeta.Versions) == 0 {
		return nil, fmt.Errorf("no versions available")
	}

	currentVer, err := version.Parse(currentVersion)
	if err != nil {
		return nil, fmt.Errorf("invalid current version '%s': %w", currentVersion, err)
	}

	var recommended []string
	for _, ver := range allVersionsMeta.Versions {
		parsedVer, err := version.Parse(ver)
		if err != nil {
			continue // skip invalid versions
		}

		// Include versions >= currentVersion
		if version.Compare(parsedVer, currentVer) >= 0 {
			recommended = append(recommended, ver)
		}
	}

	return recommended, nil

cmd/devguard-cli/test/quickfix.go:317

• The main() function example comment mentions "nextra-theme-docs@3.4.0" which is an NPM package, but the example code uses Debian packages (passwd, adduser, apt). This creates confusion about what the expected output should be. Update the comment to reflect a Debian package example, or change the example code to use NPM packages to match the comment.

	// Example output: nextra-theme-docs@3.4.0 (or similar if a fix is found)

cmd/devguard-cli/test/crates_resolver.go:24

• The function name 'GetCratesRegistry' does not follow Go naming conventions. In Go, exported functions that retrieve data typically start with 'get' in lowercase as a verb. However, this naming is also inconsistent with similar functions like 'getNPMRegistry' (lowercase 'get'). For consistency with the npm_resolver.go implementation, this should be renamed to 'getCratesRegistry'.

func GetCratesRegistry(pkg packageurl.PackageURL) (*http.Response, error) {

cmd/devguard-cli/test/npm_resolver.go:234

• Potential nil pointer dereference: The error handling checks 'if req != nil' before closing the response body when an error occurs. However, if httpClient.Get() returns an error, req will typically be nil, making this check unnecessary and potentially misleading. The standard pattern is to only close the body when the request succeeds (no error and valid response). The close on line 232 when req != nil but there's an error is correct defensive programming, but the same pattern should apply consistently.

	if err != nil {
		if req != nil {
			req.Body.Close()
		}
		return nil, err

cmd/devguard-cli/test/crates_resolver.go:31

• The HTTP request constructs URLs using string concatenation with package names and versions that could contain special characters. There's no explicit URL encoding of the parameters before concatenation. Use url.PathEscape() or construct the URL using url.URL with proper escaping to ensure the URL is well-formed for all valid package identifiers.

		req, err = httpClient.Get("https://crates.io/api/v1/crates/" + pkg.Name + "/" + pkg.Version)
	} else {
		req, err = httpClient.Get("https://crates.io/api/v1/crates/" + pkg.Name)

cmd/devguard-cli/test/debian_resolver.go:129

• The HTTP request constructs URLs using string concatenation without explicit URL encoding of the suite and arch parameters. While these values come from a controlled map (distroToSuite) and PURL qualifiers, it's safer to use url.PathEscape() or construct the URL properly to prevent potential issues if invalid values somehow make it through.

	url := "https://deb.debian.org/debian/dists/" + suite + "/main/binary-" + arch + "/Packages.xz"

cmd/devguard-cli/test/npm_resolver.go:69

• Inefficient version parsing: The code parses versions into string slices (line 57), then reconstructs them back into strings (line 68), only to parse them again with semver.IsValid (line 69). This creates unnecessary allocations and string operations. Consider working with the original version strings directly from npmResponse.Versions map, which would eliminate the intermediate slice creation and string join operations.

	for _, obj := range npmResponse.Versions {
		// skip release candidates
		if strings.Contains(obj.Version, "-") {
			continue
		}
		versionParts := strings.Split(obj.Version, ".")
		versions = append(versions, versionParts)
	}

	var currentMajor, currentMinor, currentPatch int
	if _, err := fmt.Sscanf(currentVersion, "%d.%d.%d", &currentMajor, &currentMinor, &currentPatch); err != nil {
		return nil, fmt.Errorf("invalid current version format: %s", currentVersion)
	}

	var recommended []string
	for _, version := range versions {
		versionStr := strings.Join(version, ".")
		if !semver.IsValid("v" + versionStr) {

cmd/devguard-cli/test/package_manager_functions.go:1

• Inconsistent copyright header format: This file uses "Copyright 2026 lars hermges @ l3montree GmbH" which differs from the standard format "Copyright (C) 2026 l3montree GmbH" used in other files like types.go, quickfix.go, and debian_resolver.go in the same PR. The copyright header should follow a consistent format across all files.

// Copyright 2026 lars hermges @ l3montree GmbH

cmd/devguard-cli/test/quickfix.go:115

• The >= and > operators restrict matches to the same major version, which deviates from standard semver semantics. While this appears intentional for the vulnerability fix algorithm (matching the behavior in GetRecommendedVersions), it creates confusion because these operators don't behave as users would expect. Consider: (1) renaming the operators to be more explicit about the restriction (e.g., ">=same-major"), (2) adding prominent documentation explaining this non-standard behavior, or (3) refactoring to separate the major-version-aware logic from the general version comparison logic.

	case ">=":
		// Greater than or equal: same major version, >= base
		return versionParts[0] == baseParts[0] && semver.Compare("v"+version, "v"+baseVersion) >= 0

	case ">":
		// Greater than: same major version, > base
		return versionParts[0] == baseParts[0] && semver.Compare("v"+version, "v"+baseVersion) > 0

cmd/devguard-cli/test/debian_resolver.go:315

• The ResolveBestVersion function doesn't sort the candidates before returning candidates[0]. After filtering versions that match the constraint, the function should sort candidates in descending order (highest version first) to ensure candidates[0] is actually the "best" (newest) version. Add sorting similar to the NPM resolver implementation at line 206-208.

func (d *DebianResolver) ResolveBestVersion(allVersionsMeta DebianResponse, versionConstraint VersionConstraint, currentVersion string) (string, error) {
	constraint := string(versionConstraint)

	// If no constraint, return newest version
	if constraint == "" {
		if len(allVersionsMeta.Versions) > 0 {
			return allVersionsMeta.Versions[0], nil
		}
		return "", fmt.Errorf("no versions available")
	}

	// Parse constraint: ">> 1.2.3", ">= 1.2.3", "<< 2.0", "= 1.2.3", etc.
	operator, constraintVer, err := parseDebianConstraint(constraint)
	if err != nil {
		return "", fmt.Errorf("failed to parse constraint '%s': %w", constraint, err)
	}

	targetVer, err := version.Parse(constraintVer)
	if err != nil {
		return "", fmt.Errorf("invalid constraint version '%s': %w", constraintVer, err)
	}

	// filter
	var candidates []string
	for _, ver := range allVersionsMeta.Versions {
		parsedVer, err := version.Parse(ver)
		if err != nil {
			continue
		}

		cmp := version.Compare(parsedVer, targetVer)
		match := false

		switch operator {
		case ">>":
			match = cmp > 0
		case ">=":
			match = cmp >= 0
		case "<<":
			match = cmp < 0
		case "<=":
			match = cmp <= 0
		case "=":
			match = cmp == 0
		}

		if match {
			candidates = append(candidates, ver)
		}
	}

	if len(candidates) == 0 {
		return "", fmt.Errorf("no version matches constraint '%s'", constraint)
	}

	return candidates[0], nil

cmd/devguard-cli/test/quickfix.go:291

• Missing test coverage for the core algorithm: The checkVulnerabilityFixChain function, which is the main entry point and implements the vulnerability fix chain algorithm, has no unit tests. Additionally, the Resolver interface implementations (NPMResolver, DebianResolver) have no tests for their methods like FetchPackageMetadata, GetRecommendedVersions, FindDependencyVersionInMeta, ResolveBestVersion, and CheckIfVulnerabilityIsFixed. Add comprehensive tests for these critical components to ensure correctness and prevent regressions.

func checkVulnerabilityFixChain[T any](resolver Resolver[T], purls []packageurl.PackageURL, fixedVersion string) (string, error) {

	if len(purls) < 2 {
		return "", fmt.Errorf("purl array must contain at least 2 elements")
	}

	// Version format validation is delegated to each resolver
	// (semver for NPM, Debian version for Debian packages)

	for i := 0; i < len(purls)-1; i++ {
		pkgName := purls[i].Name
		currentVersion := purls[i].Version

		// fetch all version
		allVersionsMeta, err := resolver.FetchPackageMetadata(purls[i])
		if err != nil {
			return "", fmt.Errorf("failed to fetch all versions for %s: %w", pkgName, err)
		}

		var latestVersion string
		if i == 0 {
			versions, err := resolver.GetRecommendedVersions(allVersionsMeta, currentVersion)
			if err != nil {
				return "", fmt.Errorf("failed to get recommended versions for %s: %w", pkgName, err)
			}

			if len(versions) == 0 {
				return "", fmt.Errorf("no newer version available for %s@%s in the same major band", pkgName, currentVersion)
			}

			latestVersion = versions[0]
			if latestVersion == currentVersion {
				return "", fmt.Errorf("no new version available for %s (current: %s)", pkgName, currentVersion)
			}
		} else {
			// we are not resolving any ^ or ~, therefore we are only allowed to use the EXACT version specified in the previous package's dependencies
			latestVersion = currentVersion
		}
		purls[i].Version = latestVersion
		fmt.Printf("Found newer version for %s: %s to %s\n", pkgName, currentVersion, latestVersion)

		// Second: check latest version
		latestMeta, err := resolver.FetchPackageMetadata(purls[i])
		if err != nil {
			return "", fmt.Errorf("failed to fetch latest metadata for %s@%s: %w", pkgName, latestVersion, err)
		}

		nextPkgName := purls[i+1].Name

		// next version spec might not be an exact version, but could also be a range like ^15.0.0, ~15.4.0, >15.0.0, >=15.4.0, etc.
		nextVersionConstraint := resolver.FindDependencyVersionInMeta(latestMeta, nextPkgName)
		if nextVersionConstraint == "" {
			return "", fmt.Errorf("package %s not found in %s@%s dependencies", nextPkgName, pkgName, latestVersion)
		}

		fmt.Printf(" %s@%s requires %s: %s\n", pkgName, latestVersion, nextPkgName, nextVersionConstraint)

		// create a new purl - like we updated the purl in the next iteration
		// image A --> B
		// we updated A to A', now we check the new version of B
		// Important: copy qualifiers (arch, distro) from original PURL to preserve suite/arch info
		nextPURL := packageurl.PackageURL{
			Type:       purls[i+1].Type,
			Name:       purls[i+1].Name,
			Qualifiers: purls[i+1].Qualifiers,
			// we do not define version right here
			// since versionConstraint might be a range or a constraint, we want to fetch ALL versions of that package and then resolve the versionConstraint to a specific version using the resolver's ResolveBestVersion function
		}

		nextAllVersionsMeta, err := resolver.FetchPackageMetadata(nextPURL)
		if err != nil {
			return "", fmt.Errorf("failed to fetch all versions for %s: %w", nextPkgName, err)
		}

		nextBestVersion, err := resolver.ResolveBestVersion(nextAllVersionsMeta, nextVersionConstraint, purls[i+1].Version)
		if err != nil {
			return "", fmt.Errorf("failed to resolve version for %s with spec %s: %w", nextPkgName, nextVersionConstraint, err)
		}

		purls[i+1].Version = nextBestVersion
		fmt.Printf(" Resolved %s to version: %s\n", nextPkgName, nextBestVersion)
	}

	vulnPkgName := purls[len(purls)-1].Name
	vulnVersion := purls[len(purls)-1].Version

	// Version format validation is delegated to resolver's CheckIfVulnerabilityIsFixed
	// (each resolver validates according to its version scheme)

	// Check if vulnerability is fixed using resolver-specific comparison
	isFixed := resolver.CheckIfVulnerabilityIsFixed(vulnVersion, fixedVersion)

	if isFixed {
		fixingVersion := purls[0].Name + "@" + purls[0].Version
		return fixingVersion, nil
	}

	fmt.Printf("Fix not verified: %s@%s is < %s\n", vulnPkgName, vulnVersion, fixedVersion)
	return "", nil
}

cmd/devguard-cli/test/quickfix.go:319

• A main() function exists in a test directory file. This suggests that this file (quickfix.go) is intended to be runnable as a standalone program for testing purposes. However, this makes the package structure ambiguous - it's unclear whether this is production code or test code. Consider either: (1) moving this to a separate cmd/example or cmd/tool directory if it's meant to be a runnable tool, or (2) converting it to an example test (Example functions) if it's documentation, or (3) removing the main() function entirely if this is meant to be library code. The hardcoded test data in main() suggests this is temporary development/debugging code that should not be committed.

func main() {

	// ["debian@12.8","pkg:deb/debian/apt@2.6.1A~5.2.0.202311171811?arch=amd64&distro=debian-12.8","pkg:deb/debian/adduser@3.134.0?arch=all&distro=debian-12.8","pkg:deb/debian/passwd@1:4.13+dfsg1-1+deb12u1?arch=amd64&distro=debian-12.8&epoch=1"]
	purl3, _ := packageurl.FromString("pkg:deb/debian/apt@2.6.1A~5.2.0.202311171811?arch=amd64&distro=debian-12.8")
	purl2, _ := packageurl.FromString("pkg:deb/debian/adduser@3.134.0?arch=all&distro=debian-12.8")
	purl1, _ := packageurl.FromString("pkg:deb/debian/passwd@1:4.13+dfsg1-1+deb12u1?arch=amd64&distro=debian-12.8&epoch=1")

	purls := []packageurl.PackageURL{
		purl1,
		purl2,
		purl3,
	}

	// in component_fixed_version in database
	fixedVersion := "1:4.0.14-9"

	resolver := &DebianResolver{}

	fixingVersion, err := checkVulnerabilityFixChain(resolver, purls, fixedVersion)
	if err != nil {
		fmt.Println("Error:", err)
		return
	}
	fmt.Println(fixingVersion)
	// Example output: nextra-theme-docs@3.4.0 (or similar if a fix is found)

}

cmd/devguard-cli/test/npm_resolver.go:222

• Comment does not match the code behavior: The comment states "remove quotes if present" but strings.Trim removes leading/trailing forward slashes ("/"), not quotes. Either the comment is incorrect or the wrong function is being used. If the intent is to remove quotes, use strings.Trim(pkg.Version, ""'"). If the intent is to remove slashes, update the comment to "remove leading/trailing slashes if present".

	normalizedVersion := strings.Trim(pkg.Version, "/") // remove quotes if present

cmd/devguard-cli/test/debian_resolver.go:123

• The fetchAllVersions function doesn't sort the returned versions list. Since GetRecommendedVersions expects to work with all available versions and relies on proper ordering, and the ResolveBestVersion function expects candidates[0] to be the best match, the versions should be sorted in descending order. Add sorting after collecting versions from the versionSet to ensure consistent behavior.

func (d *DebianResolver) fetchAllVersions(pkgName string) (DebianResponse, error) {
	url := "https://snapshot.debian.org/mr/binary/" + pkgName + "/"

	resp, err := httpClient.Get(url)
	if err != nil {
		return DebianResponse{}, fmt.Errorf("failed to fetch versions for %s: %w", pkgName, err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != 200 {
		return DebianResponse{}, fmt.Errorf("snapshot API returned %d for %s", resp.StatusCode, pkgName)
	}

	var result snapshotMRResult
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return DebianResponse{}, fmt.Errorf("failed to parse snapshot response: %w", err)
	}

	versionSet := make(map[string]bool)
	for ver := range result.Versions {
		versionSet[ver] = true
	}

	versions := make([]string, 0, len(versionSet))
	for ver := range versionSet {
		versions = append(versions, ver)
	}

	return DebianResponse{
		PackageName: pkgName,
		Versions:    versions,
	}, nil

cmd/devguard-cli/test/quickfix.go:250

• Typo in variable name: The comment says "image A --> B" but should say "imagine A --> B" (missing the 'n'). This appears to be meant as "imagine" based on a similar comment at line 185.

		// image A --> B

cmd/devguard-cli/test/quickfix.go:298

• Errors are ignored in main(): The packageurl.FromString() calls ignore errors by using the blank identifier (_). If any of these PURL strings are malformed, the program will continue with zero-valued structs, leading to incorrect behavior or panics later. Either handle the errors properly or add comments explaining why it's safe to ignore them in this specific test/example context.

	purl3, _ := packageurl.FromString("pkg:deb/debian/apt@2.6.1A~5.2.0.202311171811?arch=amd64&distro=debian-12.8")
	purl2, _ := packageurl.FromString("pkg:deb/debian/adduser@3.134.0?arch=all&distro=debian-12.8")
	purl1, _ := packageurl.FromString("pkg:deb/debian/passwd@1:4.13+dfsg1-1+deb12u1?arch=amd64&distro=debian-12.8&epoch=1")

cmd/devguard-cli/test/package_manager_functions.go:25

• Global shared HTTP client: The httpClient variable is shared across all resolver implementations. While this is generally acceptable for a simple timeout configuration, consider making this configurable or allowing resolvers to customize their own HTTP clients. Different registries may require different timeout values, retry policies, or custom transport settings (e.g., for corporate proxies). Consider passing the HTTP client as a parameter to resolver constructors or making it configurable through a Config struct.

var httpClient = &http.Client{
	Timeout: 30 * time.Second,
}

cmd/devguard-cli/test/crates_resolver.go:47

• The crates_resolver.go file only implements a registry fetch function but doesn't implement the full Resolver interface like NPMResolver and DebianResolver do. This creates an incomplete implementation that cannot be used with the checkVulnerabilityFixChain function. Either implement the full Resolver interface for Crates/Cargo packages, or add a comment explaining that this is work-in-progress and should not be used yet.

package main

import (
	"fmt"
	"net/http"

	"github.com/package-url/packageurl-go"
)

func GetCratesRegistry(pkg packageurl.PackageURL) (*http.Response, error) {
	var req *http.Response
	var err error

	if pkg.Version != "" {
		req, err = httpClient.Get("https://crates.io/api/v1/crates/" + pkg.Name + "/" + pkg.Version)
	} else {
		req, err = httpClient.Get("https://crates.io/api/v1/crates/" + pkg.Name)
	}

	if err != nil {
		if req != nil {
			req.Body.Close()
		}
		return nil, err
	}

	if req.StatusCode != 200 {
		req.Body.Close()
		return nil, fmt.Errorf("failed to fetch data for %s: %s", pkg.Name, req.Status)
	}
	return req, nil

}

cmd/devguard-cli/test/debian_resolver.go:357

• The debianPrefix function is defined but never used in this file. This appears to be dead code. Either remove this function if it's not needed, or add a comment explaining why it's defined here for future use.

func debianPrefix(pkgName string) string {
	runes := []rune(pkgName)

	// special rule for lib* packages
	if strings.HasPrefix(pkgName, "lib") && len(runes) > 3 {
		return "lib" + string(runes[3])
	}

	// default: first rune
	return string(runes[0])
}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (6)

cmd/devguard-cli/test/debian_resolver.go:122

• FetchPackageMetadata downloads and decompresses the full Packages.xz on every call. In checkVulnerabilityFixChain this will be invoked multiple times per chain, which is likely to be very slow and puts unnecessary load on Debian mirrors. Consider caching the decompressed index per (suite, arch) for the process lifetime, or passing a shared index into the resolver.

	url := "https://deb.debian.org/debian/dists/" + suite + "/main/binary-" + arch + "/Packages.xz"

	resp, err := httpClient.Get(url)
	if err != nil {
		return DebianResponse{}, fmt.Errorf("failed to fetch Packages.xz: %w", err)
	}
	defer resp.Body.Close()

cmd/devguard-cli/test/quickfix.go:257

• Core quick-fix behavior in checkVulnerabilityFixChain / CheckVulnerabilityFixChainAuto (version selection, dependency constraint resolution, and fix verification) isn’t covered by tests yet. Given the amount of branching and resolver-specific behavior, adding unit tests with a stub Resolver (no network) would make regressions much less likely.

func CheckVulnerabilityFixChainAuto(purls []packageurl.PackageURL, fixedVersion string) (string, error) {
	if len(purls) == 0 {
		return "", fmt.Errorf("no PURLs provided")
	}

cmd/devguard-cli/test/npm_resolver.go:256

• normalizedVersion := strings.Trim(pkg.Version, "/") doesn’t “remove quotes”; it only strips leading/trailing slashes. If the intent is to sanitize/normalize the version for a URL path segment, consider using strings.TrimSpace plus proper URL escaping (and keep the comment consistent with the implementation).

	normalizedVersion := strings.Trim(pkg.Version, "/") // remove quotes if present

	if pkg.Version != "" {
		req, err = httpClient.Get("https://registry.npmjs.org/" + pkg.Name + "/" + normalizedVersion)

cmd/devguard-cli/test/package_manager_functions.go:3

• The copyright header format in this file differs from the rest of cmd/devguard-cli (most files use // Copyright (C) … l3montree GmbH). Aligning it keeps license scanning and automated header checks consistent.

// Copyright 2026 lars hermges @ l3montree GmbH

// This program is free software: you can redistribute it and/or modify

cmd/devguard-cli/test/npm_resolver.go:164

• ResolveBestVersion implements the core constraint-matching logic (including ||, caret semantics for 0.x, and exact handling), but there are no unit tests covering its end-to-end output. Adding table-driven tests for representative constraints would help validate behavior and prevent subtle regressions.

// resolveBestVersion finds the best matching version given a version spec and all available versions
// versionConstraint examples: "15.4.7", "^15.0.0", "~15.4.0", ">15.0.0", ">=15.4.0"
// Also supports incomplete semver like "^14.0", "^14", "~15", etc.
// Returns the highest matching version, or error if no match or spec is invalid
func (resolver *NPMResolver) ResolveBestVersion(allVersionsMeta *NPMResponse, versionConstraint VersionConstraint, currentVersion string) (string, error) {
	versionConstraintStr := strings.TrimSpace(string(versionConstraint))

	var rangeType string
	var baseVersion string
	var baseVersions []string
	// Determine range type and extract base version
	if strings.Contains(versionConstraintStr, "||") {
		rangeType = "||"
		baseVersions = splitOrExpression(versionConstraintStr)
	} else {
		rangeType, baseVersion = resolver.ParseVersionConstraint(versionConstraintStr)
		// Normalize incomplete semver versions (e.g., "14.0" -> "14.0.0", "14" -> "14.0.0")
		baseVersion = normalizeVersion(baseVersion)
	}

cmd/devguard-cli/test/npm_resolver.go:96

• GetUpgradeCandidates rejects currentVersion unless it matches %d.%d.%d exactly. Elsewhere the code explicitly supports pre-release/build metadata and incomplete semver (via parseVersion/normalizeVersion). Consider normalizing/cleaning currentVersion before validation so versions like 1.2.3-rc.0, 1.2, or 1 don’t fail early.

	var currentMajor, currentMinor, currentPatch int
	if _, err := fmt.Sscanf(currentVersion, "%d.%d.%d", &currentMajor, &currentMinor, &currentPatch); err != nil {
		return nil, fmt.Errorf("invalid current version format: %s", currentVersion)
	}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (7)

cmd/devguard-cli/test/quickfix_test.go:350

• Typo in test failure message: "shouldnt" -> "shouldn't".

			t.Errorf("using just Name %q shouldnt find scoped dep", purl.Name)
		}

cmd/devguard-cli/test/debian_resolver.go:296

• ResolveBestVersion() assumes allVersionsMeta.Versions[0] is the newest version when constraint is empty, but FetchPackageMetadata/parseParagraphs currently return Versions in the iteration order of Packages.xz (not guaranteed sorted). This can return a non-latest version. Consider sorting Versions descending once when building DebianResponse (and/or updating DebianResponse.Versions comment to match behavior).

	// If no constraint, return newest version
	if constraint == "" {
		if len(allVersionsMeta.Versions) > 0 {
			return allVersionsMeta.Versions[0], nil
		}

cmd/devguard-cli/test/npm_resolver.go:177

• In the "exact" case, ResolveBestVersion() returns baseVersion without checking that it actually exists in allVersionsMeta (e.g., a dependency could specify an exact version that is not published). This can lead to a later 404 when fetching metadata. Consider verifying the version exists in allVersionsMeta.Versions (or returning a clear error) before returning it.

	// For exact version, simply return the requested version; equality with currentVersion is allowed
	if rangeType == "exact" {
		if baseVersion == currentVersion {
			return "", fmt.Errorf("exact version %s is same as current version, no upgrade possible", baseVersion)
		}
		return baseVersion, nil
	}

cmd/devguard-cli/test/quickfix.go:169

• The PR adds substantial new decision logic in checkVulnerabilityFixChain()/CheckVulnerabilityFixChainAuto (version selection, dependency constraint resolution, and the final fixed-version check), but the current tests only cover helpers and NPM constraint parsing. Consider adding unit tests for the chain-resolution behavior using a small fake Resolver implementation (so tests don’t depend on network registries) to cover: (1) selecting an upgraded root version, (2) resolving next dependency versions from constraints (including empty/no-constraint), and (3) fixed-version comparison outcomes.

func checkVulnerabilityFixChain[T any](resolver Resolver[T], purls []packageurl.PackageURL, fixedVersion string) (string, error) {

	if len(purls) < 2 {
		return "", fmt.Errorf("purl array must contain at least 2 elements")
	}

cmd/devguard-cli/test/debian_resolver.go:123

• fetchVersionMetadata downloads and decompresses the full Packages.xz for each call. Since checkVulnerabilityFixChain calls FetchPackageMetadata multiple times per package in the chain, this can result in repeatedly downloading large index files and significantly slow down runs (and put load on deb.debian.org). Consider adding caching keyed by (suite, arch) for the parsed Packages.xz contents, or fetching once per suite/arch and reusing it across resolutions.

	// Fetch from Packages.xz for the specified suite
	url := "https://deb.debian.org/debian/dists/" + suite + "/main/binary-" + arch + "/Packages.xz"

	resp, err := httpClient.Get(url)
	if err != nil {
		return DebianResponse{}, fmt.Errorf("failed to fetch Packages.xz: %w", err)
	}
	defer resp.Body.Close()

cmd/devguard-cli/test/debian_resolver.go:175

• This error message hard-codes the string "suite" instead of including the actual suite that was queried. This makes debugging much harder when the lookup fails. Consider passing the suite into parseParagraphs() (or formatting the error in fetchVersionMetadata) so the error includes the real suite name.

		if targetDependencies == nil {
			return DebianResponse{}, fmt.Errorf("package %s@%s not found in %s", pkgName, pkgVersion, "suite")
		}

cmd/devguard-cli/test/npm_resolver.go:255

• The comment says "remove quotes if present" but the code trims "/" characters. Either update the comment to match the behavior (trimming slashes) or change the trimming to what is actually intended.

	normalizedVersion := strings.Trim(pkg.Version, "/") // remove quotes if present

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

debianVersionsMatch() currently strips everything after the first '+'. This will cause distinct Debian versions like "2.36-9+deb12u9" and "2.36-9+deb12u10" to normalize to the same value and be treated as equal, which can select the wrong package stanza (and therefore wrong dependencies). Consider only stripping known rebuild/source suffixes (e.g. "+bN", "+dfsg", "+ds") and keep security-update suffixes like "+debXXuY", or switch to parsing with pault.ag/go/debian/version and compare equality while handling the epoch mismatch separately.

Suggested change

	// Normalize both versions by removing epoch and any +X suffixes for comparison
	normalizeVer := func(v string) string {
	// Remove epoch prefix
	if idx := strings.Index(v, ":"); idx != -1 {
	v = v[idx+1:]
	}
	// Remove any +X suffix (binary rebuild +b1, +b2, source mods +dfsg, etc.)
	if idx := strings.Index(v, "+"); idx != -1 {
	v = v[:idx]
	// Regex to strip known rebuild/source suffixes but keep security-update suffixes like "+deb12u9".
	// Matches:
	// +bN (binary rebuilds)
	// +dfsg, +dfsgN
	// +ds, +dsN
	rebuildSuffixRe := regexp.MustCompile(`^(.*?)(\+b[0-9]+|\+dfsg[0-9]*|\+ds[0-9]*)$`)
	// Normalize both versions by removing epoch and known rebuild/source suffixes for comparison.
	normalizeVer := func(v string) string {
	// Remove epoch prefix.
	if idx := strings.Index(v, ":"); idx != -1 {
	v = v[idx+1:]
	}
	// Strip known rebuild/source suffixes at the end, but keep security-update suffixes like "+deb12u9".
	if matches := rebuildSuffixRe.FindStringSubmatch(v); matches != nil {
	v = matches[1]

[Copilot]

checkVulnerabilityFixChain treats an empty VersionConstraint as "dependency not found" (nextVersionConstraint == ""), but Debian dependencies often omit a version constraint and parseDependencies stores those as an empty string. This will incorrectly error for valid dependencies without constraints. Consider changing the Resolver interface to return (VersionConstraint, bool) (or a dedicated constraint type with an 'Exists' flag), and treat an empty-but-present constraint as "no constraint" rather than "missing dependency".

Suggested change

	return "", fmt.Errorf("package %s not found in %s@%s dependencies", nextPkgName, pkgName, latestVersion)
	}
	fmt.Printf(" %s@%s requires %s: %s\n", pkgName, latestVersion, nextPkgName, nextVersionConstraint)
	// No explicit version constraint: dependency exists but is unconstrained.
	fmt.Printf(" %s@%s has unconstrained dependency %s\n", pkgName, latestVersion, nextPkgName)
	} else {
	fmt.Printf(" %s@%s requires %s: %s\n", pkgName, latestVersion, nextPkgName, nextVersionConstraint)
	}