Fix when getting Vaadin analysis to also check the affected dependency group, name and version

[tamasmak]

AppSec Kit handles and shows the found vulnerabilities per dependency. It can happen that two dependencies are affected by the same vulnerability:

In cases like this if the security team wants to provide separate analysis for the two vulnerabilities then the current logic to get the analysis is not correct. Currently, we get an analysis based only on the vulnerability id and after we check if the affected dependency's parent's group, name and version match the ones provided in the analysis assessment.

We need to extend the logic with checking the group, name and version when we get the analysis to be able to choose the right analysis for the given vulnerability and dependency combination.

Dependencies and their parent:

Same in the generated SBOM:

[heruan]

What if we have an analysis of CVE-2023-6378 for logback-classic, but the application is affected by the same vulnerability and only depends on logback-core? Would the analysis be shown after this change?

[tamasmak]

What if we have an analysis of CVE-2023-6378 for logback-classic, but the application is affected by the same vulnerability and only depends on logback-core? Would the analysis be shown after this change?

No, because I realized that the current vulnerability analysis’ structure is using Map<String, CLASS> almost everywhere, so I think the current vulnerability analysis structure is not suitable to handle cases like this. The structure should be improved like this:
In VulnerabilityAnalysis we should store the VulnerabilityDetails in List
private Map<String, List<VulnerabilityDetails>> vulnerabilities = new HashMap<>();
instead of
private Map<String, VulnerabilityDetails> vulnerabilities = new HashMap<>();
then we could have a structure like this

{
  "vulnerabilities": {
    "CVE-2023-6378": [
      {
        "dependency": {
          "name": "ch.qos.logback:logback-classic",
          "affectedVersions": ["[,1.4.12)"]
        },
        "assessments": {
          "com.vaadin:vaadin-spring-boot-starter": {
            "affectedVersions": {
              "[24.3.0,]": {
                "status": "TRUE_POSITIVE",
                "comment": "Analysis in case of logback-classic"
              }
            }
          }
        }
      },
      {
        "dependency": {
          "name": "ch.qos.logback:logback-core",
          "affectedVersions": ["[,1.4.12)"]
        },
        "assessments": {
          "com.vaadin:vaadin-spring-boot-starter": {
            "affectedVersions": {
              "[24.3.0,]": {
                "status": "TRUE_POSITIVE",
                "comment": "Analysis in case of logback-core"
              }
            }
          }
        }
      }
    ]
  }
}

and provide analysis for both cases.
Note that this is a coincidence that the two affected dependencies have the same parent, it can also happen that two dependencies are affected by the same vulnerability but have a different parent.
But the main goal of this PR, to also check the group, name and version is still needed, just we need to change how we store the analysis.

[heruan]

We can change the analysis structure if we keep it compatible with older kit versions, e.g. by introducing a new property instead of changing the existing one. If we do this, do we still need this PR?

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}