AIML-390: Add criticalVulnerabilities field to list_application_libraries response

manual-tests/list-application-libraries-manual-test.md

@@ -15,6 +15,7 @@ The `list_application_libraries` tool retrieves all third-party libraries used b
 - `classCount` - Total classes in the library
 - `classesUsed` - Classes actually loaded by the application
 - `totalVulnerabilities` - Total CVE count
+- `criticalVulnerabilities` - CRITICAL severity CVE count only
 - `highVulnerabilities` - HIGH severity CVE count only (does not include CRITICAL)
 - `vulnerabilities` - List of CVE details
 - `grade` - Security grade (A, B, C, D, F)
@@ -48,11 +49,11 @@ The `list_application_libraries` tool retrieves all third-party libraries used b
 
 ### Sample Vulnerable Libraries (from spring-petclinic-live-example)
 
-| Filename | CVE Count | High CVEs | Key CVEs |
-|----------|-----------|-----------|----------|
-| tomcat-embed-core-10.1.12.jar | 16 | 9 | CVE-2024-50379, CVE-2025-24813, CVE-2024-56337 |
-| spring-security-core-6.1.3.jar | 3 | 2 | CVE-2024-22257, CVE-2024-22234 |
-| spring-security-crypto-6.1.3.jar | 1 | 1 | CVE-2025-22228 |
+| Filename | CVE Count | Critical CVEs | High CVEs | Key CVEs |
+|----------|-----------|---------------|-----------|----------|
+| tomcat-embed-core-10.1.12.jar | 16 | 7 | 9 | CVE-2024-50379, CVE-2025-24813, CVE-2024-56337 |
+| spring-security-core-6.1.3.jar | 3 | 1 | 2 | CVE-2024-22257, CVE-2024-22234 |
+| spring-security-crypto-6.1.3.jar | 1 | 0 | 1 | CVE-2025-22228 |
 
 ---
 
@@ -137,8 +138,9 @@ use contrast mcp to list libraries for application 7949c260-6ae9-477f-970a-60d8f
   - CVE-2025-24813 (CRITICAL)
   - CVE-2024-56337 (CRITICAL)
   - Multiple HIGH severity CVEs
+- `criticalVulnerabilities` counts CRITICAL severity CVEs only
 - `highVulnerabilities` counts only HIGH severity CVEs (not CRITICAL)
-- To get total high-impact CVEs, add CRITICAL count from vulnerability details to `highVulnerabilities`
+- `totalVulnerabilities` = `criticalVulnerabilities` + `highVulnerabilities` + other severities
 
 ---
 
@@ -646,6 +648,7 @@ use contrast mcp to list libraries for application 1d5cdd44-19b9-44df-88b1-ad02c
       "classesUsed": 384,
       "grade": "F",
       "totalVulnerabilities": 6,
+      "criticalVulnerabilities": 1,
       "highVulnerabilities": 5,
       "vulnerabilities": [
         {

src/main/java/com/contrast/labs/ai/mcp/contrast/sdkextension/data/LibraryExtended.java

@@ -82,6 +82,9 @@ public class LibraryExtended {
   @SerializedName("total_vulnerabilities")
   private int totalVulnerabilities;
 
+  @SerializedName("critical_vulnerabilities")
+  private int criticalVulnerabilities;
+
   @SerializedName("high_vulnerabilities")
   private int highVulnerabilities;
 

src/main/java/com/contrast/labs/ai/mcp/contrast/tool/library/ListApplicationLibrariesTool.java

@@ -62,6 +62,9 @@ Use search_applications(name=...) to find the application ID from a name.
           - hash: Unique library hash for identification
           - classCount: Total classes in the library
           - classesUsed: Number of classes actually loaded by the application
+          - totalVulnerabilities: Total CVE count
+          - criticalVulnerabilities: CRITICAL severity CVE count
+          - highVulnerabilities: HIGH severity CVE count (not CRITICAL)
           - vulnerabilities: Known CVEs affecting this library version
           - grade: Library security grade (A-F)
 

src/test/java/com/contrast/labs/ai/mcp/contrast/AnonymousLibraryExtendedBuilder.java

@@ -45,6 +45,7 @@ public class AnonymousLibraryExtendedBuilder {
   private long releaseDate = System.currentTimeMillis();
   private long latestReleaseDate = System.currentTimeMillis();
   private int totalVulnerabilities = 0;
+  private int criticalVulnerabilities = 0;
   private int highVulnerabilities = 0;
   private boolean custom = false;
   private double libScore = 75.0;
@@ -152,6 +153,11 @@ public AnonymousLibraryExtendedBuilder withTotalVulnerabilities(int totalVulnera
     return this;
   }
 
+  public AnonymousLibraryExtendedBuilder withCriticalVulnerabilities(int criticalVulnerabilities) {
+    this.criticalVulnerabilities = criticalVulnerabilities;
+    return this;
+  }
+
   public AnonymousLibraryExtendedBuilder withHighVulnerabilities(int highVulnerabilities) {
     this.highVulnerabilities = highVulnerabilities;
     return this;
@@ -211,6 +217,7 @@ public LibraryExtended build() {
     lenient().when(library.getReleaseDate()).thenReturn(releaseDate);
     lenient().when(library.getLatestReleaseDate()).thenReturn(latestReleaseDate);
     lenient().when(library.getTotalVulnerabilities()).thenReturn(totalVulnerabilities);
+    lenient().when(library.getCriticalVulnerabilities()).thenReturn(criticalVulnerabilities);
     lenient().when(library.getHighVulnerabilities()).thenReturn(highVulnerabilities);
     lenient().when(library.isCustom()).thenReturn(custom);
     lenient().when(library.getLibScore()).thenReturn(libScore);

src/test/java/com/contrast/labs/ai/mcp/contrast/AnonymousLibraryExtendedBuilderTest.java

@@ -0,0 +1,23 @@
+package com.contrast.labs.ai.mcp.contrast;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+class AnonymousLibraryExtendedBuilderTest {
+
+  @Test
+  void builder_should_support_criticalVulnerabilities() {
+    var library =
+        AnonymousLibraryExtendedBuilder.validLibrary().withCriticalVulnerabilities(3).build();
+
+    assertThat(library.getCriticalVulnerabilities()).isEqualTo(3);
+  }
+
+  @Test
+  void builder_should_default_criticalVulnerabilities_to_zero() {
+    var library = AnonymousLibraryExtendedBuilder.validLibrary().build();
+
+    assertThat(library.getCriticalVulnerabilities()).isEqualTo(0);
+  }
+}

src/test/java/com/contrast/labs/ai/mcp/contrast/sdkextension/data/LibraryExtendedTest.java

@@ -73,4 +73,12 @@ void getTotalVulnerabilities_should_ignore_api_value_when_array_has_different_co
 
     assertThat(library.getTotalVulnerabilities()).isEqualTo(4);
   }
+
+  @Test
+  void criticalVulnerabilities_should_be_settable_and_gettable() {
+    var library = new LibraryExtended();
+    library.setCriticalVulnerabilities(5);
+
+    assertThat(library.getCriticalVulnerabilities()).isEqualTo(5);
+  }
 }

test-plans/test-plan-list_application_libraries.md

@@ -55,7 +55,8 @@ LibraryExtended {
     int classCount,               // Total classes in library
     int classesUsed,              // Classes actually loaded by app
     int totalVulnerabilities,     // Total CVE count
-    int highVulnerabilities,      // CRITICAL + HIGH CVE count
+    int criticalVulnerabilities,  // CRITICAL severity CVE count only
+    int highVulnerabilities,      // HIGH severity CVE count only (not CRITICAL)
     List<LibraryVulnerabilityExtended> vulns,  // CVE details
     String grade,                 // Security grade (A, B, C, D, F)
     double libScore,              // Numeric library score
@@ -228,11 +229,12 @@ LibraryExtended {
 
 **Test Steps:**
 1. Find library with vulnerabilities
-2. Count HIGH/CRITICAL in `vulns` list
-3. Compare to `highVulnerabilities` field
+2. Count CRITICAL and HIGH separately in `vulns` list
+3. Compare to `criticalVulnerabilities` and `highVulnerabilities` fields
 
 **Expected Results:**
-- `highVulnerabilities` = count of CRITICAL + HIGH
+- `criticalVulnerabilities` = count of CRITICAL severity only
+- `highVulnerabilities` = count of HIGH severity only (not CRITICAL)
 - Severity codes: CRITICAL, HIGH, MEDIUM, LOW
 - Counts are accurate
 
@@ -245,10 +247,10 @@ LibraryExtended {
 **Test Steps:**
 1. Find libraries where:
    - `classesUsed > 0` AND
-   - `highVulnerabilities > 0`
+   - (`criticalVulnerabilities > 0` OR `highVulnerabilities > 0`)
 
 **Expected Results:**
-- These are highest risk (used + critical CVEs)
+- These are highest risk (used + CRITICAL/HIGH CVEs)
 - Should be prioritized for upgrade
 - Can calculate risk score from these fields
 
@@ -722,6 +724,7 @@ The `list_application_libraries` tool passes testing if:
       "classCount": 1250,
       "classesUsed": 345,
       "totalVulnerabilities": 2,
+      "criticalVulnerabilities": 0,
       "highVulnerabilities": 1,
       "vulns": [
         {"severityCode": "HIGH"},
@@ -744,6 +747,7 @@ The `list_application_libraries` tool passes testing if:
       "classCount": 450,
       "classesUsed": 0,
       "totalVulnerabilities": 0,
+      "criticalVulnerabilities": 0,
       "highVulnerabilities": 0,
       "vulns": [],
       "grade": "A",