Don't fail when no vulnerabilities were detected

DerGuteMoritz · DerGuteMoritz · commit 9930b804bd44 · 2025-03-26T16:15:32.000+01:00
This allows setting fail-threshold to -1 which will result in a failure in case only vulnerabilities
with a score of 0 were detected. This is a pertty common occurrence these days as the NVD struggles
to keep up with assigning scores to newly reported CVEs in a timely manner.
diff --git a/src/nvd/report.clj b/src/nvd/report.clj
@@ -123,9 +123,11 @@
 
 (defn fail-build? [project]
   (let [^Engine engine (:engine project)
-        highest-score (long (apply max 0 (scores engine)))
+        all-scores (scores engine)
+        highest-score (long (apply max 0 all-scores))
         fail-threshold (long (get-in project [:nvd :fail-threshold] 0))]
     (->
      project
      (assoc-in [:nvd :highest-score] highest-score)
-     (assoc :failed? (> highest-score fail-threshold)))))
+     (assoc :failed? (and (seq all-scores)
+                          (> highest-score fail-threshold))))))
