From 72064de27d889a25f2b4a1a6f939912764a819f1 Mon Sep 17 00:00:00 2001
From: James Telfer <792299+jamestelfer@users.noreply.github.com>
Date: Fri, 15 Mar 2024 21:45:59 +1100
Subject: [PATCH] fix: ensure valued dates are not overwritten on merge
Failed summaries will lack timestamps; only overwrite a timestamp if it's valued.
---
 src/finding/summary.go | 8 ++++++--
 src/finding/summary_test.go | 11 +++++++++++
 src/finding/testdata/TestMergeSummary.golden | 16 ++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/finding/summary.go b/src/finding/summary.go
index a8966500..6857cdaf 100644
--- a/src/finding/summary.go
+++ b/src/finding/summary.go
@@ -224,8 +224,12 @@ func mergeSingle(merged, other Summary) Summary {
 merged.Platforms = append(merged.Platforms, other.Platforms...)
 merged.FailedPlatforms = append(merged.FailedPlatforms, other.FailedPlatforms...)
- merged.ImageScanCompletedAt = other.ImageScanCompletedAt
- merged.VulnerabilitySourceUpdatedAt = other.VulnerabilitySourceUpdatedAt
+ if other.ImageScanCompletedAt != nil {
+ merged.ImageScanCompletedAt = other.ImageScanCompletedAt
+ }
+ if other.VulnerabilitySourceUpdatedAt != nil {
+ merged.VulnerabilitySourceUpdatedAt = other.VulnerabilitySourceUpdatedAt
+ }
 return merged
 }
diff --git a/src/finding/summary_test.go b/src/finding/summary_test.go
index fa066a74..28aaa2d4 100644
--- a/src/finding/summary_test.go
+++ b/src/finding/summary_test.go
@@ -2,6 +2,7 @@ package finding_test
 import (
 "testing"
+ "time"
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/ecr"
@@ -149,6 +150,8 @@ func TestMergeSummary(t *testing.T) {
 Platforms: p("other1"),
 },
 },
+ ImageScanCompletedAt: tm(2010, 1, 1),
+ VulnerabilitySourceUpdatedAt: tm(2010, 1, 2),
 },
 {
 Platforms: p("other2"),
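Review bot: When two merged summaries both carry a timestamp, the new guards in the `@@ -224,8 +224,12 @@` hunk of src/finding/summary.go still let the later one in the slice win, so the merged `ImageScanCompletedAt` and `VulnerabilitySourceUpdatedAt` depend on input order rather than on the values. For a multi-platform scan summary this can overstate how fresh the vulnerability data is when one platform was scanned against an older source. If the oldest value is the intended one, and assuming both fields are `*time.Time` as the test helper suggests, the second guard could read `if t := other.VulnerabilitySourceUpdatedAt; t != nil && (merged.VulnerabilitySourceUpdatedAt == nil || t.Before(*merged.VulnerabilitySourceUpdatedAt)) {`. Which rule is wanted is not visible here, so at minimum a comment such as `// last non-nil timestamp wins; failed summaries carry none` above the guards would record the choice. mergeSingle's body starts outside the hunk.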
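Review bot: The fixture change in the `@@ -149,6 +150,8 @@` hunk of src/finding/summary_test.go sets timestamps on a single summary, so the test pins "a nil timestamp does not overwrite a valued one" but not what happens when two summaries carry different non-nil timestamps. Adding a second valued entry, for example `ImageScanCompletedAt: tm(2011, 1, 1),` on the `other2` summary, would make the golden file record which value wins. The slice literal starts and ends outside the hunk, so other entries may already set these fields; that is worth confirming.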
@@ -168,6 +171,9 @@ func TestMergeSummary(t *testing.T) {
 // base.Merge(others...)
 base := finding.MergeSummaries(others)
+ assert.NotNil(t, base.ImageScanCompletedAt)
+ assert.NotNil(t, base.VulnerabilitySourceUpdatedAt)
+ autogold.ExpectFile(t, base)
 }
@@ -215,3 +221,8 @@ func fscore3(name string, severity types.FindingSeverity, score string, vector s
 func i(id string) findingconfig.Ignore {
 return findingconfig.Ignore{ID: id}
 }
+
+func tm(yyyy int, mm time.Month, dd int) *time.Time {
+ t := time.Date(yyyy, mm, dd, 0, 0, 0, 0, time.UTC)
+ return &t
+}
diff --git a/src/finding/testdata/TestMergeSummary.golden b/src/finding/testdata/TestMergeSummary.golden
index 75d4a28a..fc3f56dc 100644
--- a/src/finding/testdata/TestMergeSummary.golden
+++ b/src/finding/testdata/TestMergeSummary.golden
@@ -31,6 +31,22 @@ finding.Summary{
 },
 },
 Ignored: []finding.Detail{},
+ ImageScanCompletedAt: valast.Ptr(time.Date(2010,
+ 1,
+ 1,
+ 0,
+ 0,
+ 0,
+ 0,
+ time.UTC)),
+ VulnerabilitySourceUpdatedAt: valast.Ptr(time.Date(2010,
+ 1,
+ 2,
+ 0,
+ 0,
+ 0,
+ 0,
+ time.UTC)),
 Platforms: []v1.Platform{
 {OS: "base"},
 {OS: "other1"},