NuGet · loic-sharma · Sep 8, 2021 · Sep 1, 2021 · Sep 2, 2021 · Sep 6, 2021
@@ -206,7 +206,7 @@ private DisplayPackageViewModel SetupCommon(
                 && packageKeyToVulnerabilities.TryGetValue(package.Key, out var vulnerabilities)
                 && vulnerabilities != null && vulnerabilities.Any())
             {
-                viewModel.Vulnerabilities = vulnerabilities;
+                viewModel.Vulnerabilities = vulnerabilities.OrderByDescending(vul => vul.Severity).ToList().AsReadOnly();
                 maxVulnerabilitySeverity = viewModel.Vulnerabilities.Max(v => v.Severity); // cache for messaging
                 viewModel.MaxVulnerabilitySeverity = maxVulnerabilitySeverity.Value;
             }

@@ -924,6 +924,36 @@ public void DeprecationFieldsAreSetAsExpected(
             Assert.Null(versionModel.CustomMessage);
         }
 
+        [Fact]
+        public void VulnerabilitiesDisplayedInOrder()
+        {
+            var package = CreateTestPackage("1.0.0");
+
+            var packageKeyToVulnerabilities = new Dictionary<int, IReadOnlyList<PackageVulnerability>>
+            {
+                { package.Key, new List<PackageVulnerability>
+                    {
+                        new PackageVulnerability { Key = 1, Severity = PackageVulnerabilitySeverity.High },
+                        new PackageVulnerability { Key = 2, Severity = PackageVulnerabilitySeverity.Low },
+                        new PackageVulnerability { Key = 3, Severity = PackageVulnerabilitySeverity.Critical },
+                    }
+                }
+            };
+
+            // Act
+            var model = CreateDisplayPackageViewModel(
+                package,
+                currentUser: null,
+                packageKeyToVulnerabilities: packageKeyToVulnerabilities,
+                readmeHtml: null);
+
+            // Assert
+            var versionModel = model.PackageVersions.Single();
+            Assert.Null(versionModel.CustomMessage);
+            Assert.NotNull(model.Vulnerabilities);
+            Assert.Equal(model.Vulnerabilities, packageKeyToVulnerabilities[package.Key].OrderByDescending(p => p.Severity).ToList().AsReadOnly());
-            Assert.Equal(model.Vulnerabilities, packageKeyToVulnerabilities[package.Key].OrderByDescending(p => p.Severity).ToList().AsReadOnly());
+            Assert.Equal(PackageVulnerabilitySeverity.Critical, model.Vulnerabilities[0].Severity);
+            Assert.Equal(PackageVulnerabilitySeverity.High, model.Vulnerabilities[1].Severity);
+            Assert.Equal(PackageVulnerabilitySeverity.Low, model.Vulnerabilities[2].Severity);
-            Assert.Equal(model.Vulnerabilities, packageKeyToVulnerabilities[package.Key].OrderByDescending(p => p.Severity).ToList().AsReadOnly());
+            Assert.Equal(PackageVulnerabilitySeverity.Critical, model.Vulnerabilities[0].Severity);
+            Assert.Equal(PackageVulnerabilitySeverity.High, model.Vulnerabilities[1].Severity);
+            Assert.Equal(PackageVulnerabilitySeverity.Low, model.Vulnerabilities[2].Severity);
+        }
+
         [Theory]
         [InlineData(true)]
         [InlineData(false)]