chore: fix transitive dependencies being marked as directly upgradable

[CatalinSnyk]

Description

In certain cases the Remediation Summary would count transitive dependency upgrades as directly upgradable. This would results in incorrect upgrade advice (e.g. Upgrade from x@1.2.3 to x@1.2.3 - since the actual upgrade would be inside for a nested dependency).

The changes should allign the remediation summary building with the legacy implementation that can be found here. In terms of tests, I added a few more cases to the remedation testing logic to get the coverage to 85%, but I also slightly updated the testresults_cli.json to the newer TestAPI structure in order to add it as a test case for the human readable output.

Checklist

• Tests added and all succeed (make test)
• Regenerated mocks, etc. (make generate)
• Linted (make lint)
• Test your changes work for the CLI

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[CatalinSnyk]

This is the main fix to ensure transitive dependency upgrades are not reported as directly upgradable.

[CatalinSnyk]

Added this to match the logic in the legacy implementation. I didn't add another fixture file in this PR, but I left an action items for adding a Python project one in CLI-1349, and settled for just a unit test case for now.

[PeterSchafer]

Suggestion: It seems that none of the test cases covers the case that something isn't filtered. Let's add this, maybe to one of the existing cases.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Partial Remediations Possibly Lost 🟡 [minor] In processUpgradeAdvice, when an upgrade is skipped because it is transitive-only (line 187), the matchedPaths counter is not incremented. If an issue has multiple paths where some are direct upgrades and some are transitive-only, the logic on lines 205-206 might incorrectly categorize the overall remediation status as partially resolved or unresolved based on the outcome field, even if the primary direct upgrades were successful. if fromPkg.Name == toPkg.Name && fromPkg.Version == toPkg.Version { continue } matchedPaths++

📚 Repository Context Analyzed This review considered 11 relevant code sections from 7 files (average relevance: 0.89) pkg/utils/sarif/sarif.go (lines 248-499) internal/presenters/components.go (2 segments, lines 1-293) internal/presenters/presenter_ufm.go (lines 1-143) internal/local_findings/source/openapi/rest/rest/test.spec.yaml (lines 1528-1728) internal/ufm_helpers/remediation.go (2 segments, lines 1-275) internal/presenters/funcs.go (3 segments, lines 249-470) internal/presenters/styles.go (lines 1-43)