-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3b2986a
commit b409492
Showing
6 changed files
with
260 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -39,6 +39,74 @@ func TestEnrichSBOM_CycloneDXWithVulnerabilities(t *testing.T) { | |
assert.Equal(t, "SNYK-PYTHON-NUMPY-73513", vuln.ID) | ||
} | ||
|
||
func TestEnrichSBOM_CycloneDXExternalRefs(t *testing.T) { | ||
teardown := setupTestEnv(t) | ||
defer teardown() | ||
|
||
bom := &cdx.BOM{ | ||
Components: &[]cdx.Component{ | ||
{ | ||
BOMRef: "pkg:pypi/[email protected]", | ||
Name: "numpy", | ||
Version: "1.16.0", | ||
PackageURL: "pkg:pypi/[email protected]", | ||
}, | ||
}, | ||
} | ||
doc := &sbom.SBOMDocument{BOM: bom} | ||
logger := zerolog.Nop() | ||
|
||
EnrichSBOM(doc, logger) | ||
|
||
assert.NotNil(t, bom.Components) | ||
refs := (*bom.Components)[0].ExternalReferences | ||
assert.Len(t, *refs, 2) | ||
|
||
ref1 := (*refs)[0] | ||
assert.Equal(t, "https://snyk.io/advisor/python/numpy", ref1.URL) | ||
assert.Equal(t, "Snyk Advisor", ref1.Comment) | ||
assert.Equal(t, cdx.ExternalReferenceType("Other"), ref1.Type) | ||
|
||
ref2 := (*refs)[1] | ||
assert.Equal(t, "https://security.snyk.io/package/pip/numpy", ref2.URL) | ||
assert.Equal(t, "Snyk Vulnerability DB", ref2.Comment) | ||
assert.Equal(t, cdx.ExternalReferenceType("Other"), ref2.Type) | ||
} | ||
|
||
func TestEnrichSBOM_CycloneDXExternalRefs_WithNamespace(t *testing.T) { | ||
teardown := setupTestEnv(t) | ||
defer teardown() | ||
|
||
bom := &cdx.BOM{ | ||
Components: &[]cdx.Component{ | ||
{ | ||
BOMRef: "@emotion/[email protected]", | ||
Name: "react", | ||
Version: "11.11.3", | ||
PackageURL: "pkg:npm/%40emotion/[email protected]", | ||
}, | ||
}, | ||
} | ||
doc := &sbom.SBOMDocument{BOM: bom} | ||
logger := zerolog.Nop() | ||
|
||
EnrichSBOM(doc, logger) | ||
|
||
assert.NotNil(t, bom.Components) | ||
refs := (*bom.Components)[0].ExternalReferences | ||
assert.Len(t, *refs, 2) | ||
|
||
ref1 := (*refs)[0] | ||
assert.Equal(t, "https://snyk.io/advisor/npm-package/@emotion/react", ref1.URL) | ||
assert.Equal(t, "Snyk Advisor", ref1.Comment) | ||
assert.Equal(t, cdx.ExternalReferenceType("Other"), ref1.Type) | ||
|
||
ref2 := (*refs)[1] | ||
assert.Equal(t, "https://security.snyk.io/package/npm/@emotion%2Freact", ref2.URL) | ||
assert.Equal(t, "Snyk Vulnerability DB", ref2.Comment) | ||
assert.Equal(t, cdx.ExternalReferenceType("Other"), ref2.Type) | ||
} | ||
|
||
func TestEnrichSBOM_CycloneDXWithVulnerabilities_NestedComponents(t *testing.T) { | ||
teardown := setupTestEnv(t) | ||
defer teardown() | ||
|
@@ -117,13 +185,56 @@ func TestEnrichSBOM_SPDXWithVulnerabilities(t *testing.T) { | |
|
||
EnrichSBOM(doc, logger) | ||
|
||
vulnRef := bom.Packages[0].PackageExternalReferences[1] | ||
vulnRef := bom.Packages[0].PackageExternalReferences[3] | ||
assert.Equal(t, "SECURITY", vulnRef.Category) | ||
assert.Equal(t, "advisory", vulnRef.RefType) | ||
assert.Equal(t, "https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-73513", vulnRef.Locator) | ||
assert.Equal(t, "Arbitrary Code Execution", vulnRef.ExternalRefComment) | ||
} | ||
|
||
func TestEnrichSBOM_SPDXExternalRefs(t *testing.T) { | ||
teardown := setupTestEnv(t) | ||
defer teardown() | ||
|
||
bom := &spdx_2_3.Document{ | ||
Packages: []*spdx_2_3.Package{ | ||
{ | ||
PackageSPDXIdentifier: "pkg:pypi/[email protected]", | ||
PackageName: "numpy", | ||
PackageVersion: "1.16.0", | ||
PackageExternalReferences: []*spdx_2_3.PackageExternalReference{ | ||
{ | ||
Category: spdx.CategoryPackageManager, | ||
RefType: "purl", | ||
Locator: "pkg:pypi/[email protected]", | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
doc := &sbom.SBOMDocument{BOM: bom} | ||
logger := zerolog.Nop() | ||
|
||
EnrichSBOM(doc, logger) | ||
|
||
assert.NotNil(t, bom.Packages) | ||
refs := (*bom.Packages[0]).PackageExternalReferences | ||
assert.Len(t, refs, 4) | ||
|
||
ref1 := refs[1] | ||
assert.Equal(t, "https://snyk.io/advisor/python/numpy", ref1.Locator) | ||
assert.Equal(t, "Snyk Advisor", ref1.ExternalRefComment) | ||
assert.Equal(t, "advisory", ref1.RefType) | ||
assert.Equal(t, "Other", ref1.Category) | ||
|
||
ref2 := refs[2] | ||
assert.Equal(t, "https://security.snyk.io/package/pip/numpy", ref2.Locator) | ||
assert.Equal(t, "Snyk Vulnerability DB", ref2.ExternalRefComment) | ||
assert.Equal(t, "url", ref2.RefType) | ||
assert.Equal(t, "Other", ref2.Category) | ||
} | ||
|
||
func setupTestEnv(t *testing.T) func() { | ||
t.Helper() | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters