From 830cbda67f3349fee522f6f91bf03d41893bbb65 Mon Sep 17 00:00:00 2001 From: Nicolas Crocfer Date: Mon, 1 Jun 2026 15:33:37 +0200 Subject: [PATCH] fix: exclude unscored CVEs when CVSS 3.1 threshold is set Signed-off-by: Nicolas Crocfer --- .../dags/includes/tasks/notifications.py | 9 +++-- scheduler/tests/tasks/test_notifications.py | 33 +++++++++++++++++++ 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/scheduler/dags/includes/tasks/notifications.py b/scheduler/dags/includes/tasks/notifications.py index 9a68662f..f41d84e9 100644 --- a/scheduler/dags/includes/tasks/notifications.py +++ b/scheduler/dags/includes/tasks/notifications.py @@ -183,7 +183,7 @@ def make_notifications_chunks(**context): def filter_changes(notification, changes, changes_details): - notification_score = notification["notification_conf"]["metrics"]["cvss31"] + notification_score = float(notification["notification_conf"]["metrics"]["cvss31"]) notification_types = notification["notification_conf"]["types"] logger.debug( "Notification score: %s, types: %s", notification_score, notification_types @@ -199,8 +199,11 @@ def filter_changes(notification, changes, changes_details): ) # Exclude change if CVSS31 score is lower than notification one - if change_score and float(change_score["score"]) < float(notification_score): - continue + if notification_score > 0: + if not change_score or change_score.get("score") is None: + continue + if float(change_score["score"]) < notification_score: + continue # Exclude change if types don't match notifications ones if not notification_types or not any( diff --git a/scheduler/tests/tasks/test_notifications.py b/scheduler/tests/tasks/test_notifications.py index 75806031..df341db1 100644 --- a/scheduler/tests/tasks/test_notifications.py +++ b/scheduler/tests/tasks/test_notifications.py 
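Review bot: `float(notification["notification_conf"]["metrics"]["cvss31"])` now runs unconditionally on entry, so a notification whose `cvss31` is null or a non-numeric string makes `filter_changes` raise `TypeError`/`ValueError` before any change is examined, whereas the removed line only converted it when a change actually carried a score. If the config can leave the threshold unset (cannot tell from the hunk), normalise it first, e.g. `raw_score = notification["notification_conf"]["metrics"].get("cvss31")` then `notification_score = float(raw_score) if raw_score is not None else 0.0`, so an absent threshold reads as "no threshold" instead of crashing the whole notification task. filter_changes continues below this hunk.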
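Review bot: The comment `# Exclude change if CVSS31 score is lower than notification one` above the new block is now stale: the block also drops changes that carry no CVSS 3.1 score at all, which is the deliberate fail-closed choice this commit makes and the point a maintainer is most likely to question later, since a freshly published CVE usually has no score yet and a threshold > 0 will silence it until it is scored. Replace the comment with `# When a threshold is set, drop changes below it AND changes with no CVSS 3.1 score: an unscored CVE cannot satisfy a score threshold (fail closed; it is not notified until scored).` The `notification_score > 0` guard means a threshold of exactly 0 disables filtering entirely, which is worth stating in the same comment. filter_changes starts and ends outside this hunk.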
@@ -166,3 +166,36 @@ def test_filter_changes(open_file): notifications["notification_conf"]["metrics"]["cvss31"] = 6 notifications["notification_conf"]["types"] = ["title"] assert filter_changes(notifications, changes, changes_details) == [] + + +def test_filter_changes_without_cvss31_score(open_file): + """ + A change without a cvss31 score is not returned by default. + """ + notifications = open_file("redis/0001/notifications.json")[ + "d9edc06b-1d7b-43c7-8cf5-bfa6687cd9fd" + ][0] + changes_details = open_file("redis/0001/changes_details.json") + + change_id = "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + changes = [change_id] + changes_details = { + **changes_details, + change_id: { + "change_types": ["created"], + "change_path": "2024/CVE-2024-00001.json", + "cve_vendors": ["vendor"], + "cve_id": "CVE-2024-00001", + "cve_metrics": { + "cvssV3_1": {"data": {}, "provider": None}, + }, + }, + } + + notifications["notification_conf"]["types"] = ["created"] + + notifications["notification_conf"]["metrics"]["cvss31"] = 9 + assert filter_changes(notifications, changes, changes_details) == [] + + notifications["notification_conf"]["metrics"]["cvss31"] = 0 + assert filter_changes(notifications, changes, changes_details) == [change_id]
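Review bot: The docstring `A change without a cvss31 score is not returned by default.` does not match what the test asserts: the change is dropped when `cvss31` is 9 and returned when it is 0, so the outcome depends on the threshold, not on a default. Suggest `"""An unscored change is dropped when a cvss31 threshold is set and kept when the threshold is 0."""`. The test also writes `types` and `cvss31` into the `notifications` dict loaded through `open_file`; if that fixture caches parsed JSON across tests (cannot tell from here), those writes leak into the sibling tests, and a `copy.deepcopy` of the loaded object would make the test self-contained. The surrounding test module continues outside this hunk.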