test(vulnerable-code): Test lookup for a Go package
This showcases the current problem with purl encoding in cases where
ORT and the purl specification disagree on whether a package ecosystem
has the concept of namespaces. Also see the larger discussion at [1].

[1]: package-url/purl-spec#176

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth committed Oct 25, 2024
1 parent cee8a78 commit c535f61
Showing 1 changed file with 30 additions and 0 deletions.
Expand Up @@ -83,4 +83,34 @@ class VulnerableCodeFunTest : WordSpec({
}
}
}

"Vulnerable Go packages" should {
"return findings for QUIC" {
val vc = VulnerableCodeFactory().create(PluginConfig())

// TODO: To work-around issue #9298, this hard-codes the `Identifier` to have a namespace although ORT
// produces Go `Identifier`s without namespaces. This way `toPurl()` produces purl conforming to the
// specification which does treat Go packages as if they had namespaces.
val id = Identifier("Go:github.com/quic-go:quic-go:0.40.0")
val pkg = Package.EMPTY.copy(id, purl = id.toPurl())

val findings = vc.retrievePackageFindings(setOf(pkg))

findings.values.flatMap { it.summary.issues } should beEmpty()
with(findings.values.flatMap { it.vulnerabilities }.associateBy { it.id }) {
keys shouldContainAll setOf(
"CVE-2023-49295"
)

getValue("CVE-2023-49295").references.find {
it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-49295"
} shouldNotBeNull {
scoringSystem shouldBe "cvssv3"
severity shouldBe "MEDIUM"
score shouldBe 6.5f
vector shouldBe "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
}
}
}
})
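Review bot: The hard-coded namespace in `Identifier("Go:github.com/quic-go:quic-go:0.40.0")` means this test only exercises the work-around, not the identifier shape the TODO says ORT actually produces for Go (no namespace), so the real lookup path — where, per the commit description, a purl encoding mismatch can make a vulnerable Go package come back with no findings, i.e. a silent false negative for the scanner — stays untested and a regression there would not be caught. Consider making that explicit in the comment, e.g. `// NOTE: Until #9298 is fixed, the namespace-less Identifier ORT really emits for Go is expected to yield no findings here (a false negative); this test covers the work-around only.`, and, if Kotest's facilities allow it in this project, adding a second case with the namespace-less identifier that is disabled or asserts the currently-wrong outcome so the fix flips it. Separately, the score, severity and vector assertions pin values served by a live VulnerableCode/NVD backend, which can drift as CVSS data is re-scored; if this is meant as a functional test that is presumably accepted, but a comment saying so would help the next person who sees it fail. The enclosing `WordSpec` block starts outside the hunk.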
