package vex_test

import (
	"os"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/log"
	"github.com/devseccon/trivy/pkg/types"
	"github.com/devseccon/trivy/pkg/vex"
)

// TestMain initialises the package logger once before any test in this
// package runs and propagates the test result as the process exit code.
func TestMain(m *testing.M) {
	log.InitLogger(false, true)
	os.Exit(m.Run())
}

// detected builds a DetectedVulnerability carrying only the four fields the
// cases below populate; every other field stays at its zero value.
func detected(id, pkgName, version, ref string) types.DetectedVulnerability {
	return types.DetectedVulnerability{
		VulnerabilityID:  id,
		PkgName:          pkgName,
		InstalledVersion: version,
		PkgRef:           ref,
	}
}

// TestVEX_Filter checks that vulnerabilities addressed by a VEX document are
// removed from the detected set while unrelated findings pass through
// unchanged. The "wrong URN" case covers the trust boundary a scanner must
// keep: a CycloneDX VEX whose target SBOM serial number does not match the
// report being scanned must not suppress any finding.
func TestVEX_Filter(t *testing.T) {
	const (
		springBootRef = "pkg:maven/org.springframework.boot/spring-boot@2.6.0?type=pom"
		jacksonRef    = "jackson-databind-2.8.0"
	)

	springBoot := func(id string) types.DetectedVulnerability {
		return detected(id, "spring-boot", "2.6.0", springBootRef)
	}
	jackson := func(id string) types.DetectedVulnerability {
		return detected(id, "jackson-databind", "2.8.0", jacksonRef)
	}
	// cdxReport returns a report that claims to come from the SBOM with the
	// given serial number, which is what a CycloneDX VEX is matched against.
	cdxReport := func(serial string) types.Report {
		return types.Report{
			CycloneDX: &ftypes.CycloneDX{
				SerialNumber: serial,
				Version:      1,
			},
		}
	}

	cases := []struct {
		name     string
		filePath string        // VEX document under testdata/
		report   types.Report  // zero value when the VEX is not tied to an SBOM
		vulns    []types.DetectedVulnerability
		want     []types.DetectedVulnerability
	}{
		{
			name:     "OpenVEX",
			filePath: "testdata/openvex.json",
			vulns:    []types.DetectedVulnerability{springBoot("CVE-2021-44228")},
			// A non-nil empty slice: assert.Equal distinguishes it from nil,
			// so the filter is expected to return an empty list here, not nil.
			want: []types.DetectedVulnerability{},
		},
		{
			name:     "OpenVEX, multiple statements",
			filePath: "testdata/openvex-multiple.json",
			vulns: []types.DetectedVulnerability{
				springBoot("CVE-2021-44228"),
				springBoot("CVE-2021-0001"),
			},
			// Only the finding the document addresses is dropped; the other
			// one for the same package is kept.
			want: []types.DetectedVulnerability{springBoot("CVE-2021-0001")},
		},
		{
			name:     "CycloneDX SBOM with CycloneDX VEX",
			filePath: "testdata/cyclonedx.json",
			report:   cdxReport("urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"),
			vulns: []types.DetectedVulnerability{
				jackson("CVE-2018-7489"),
				jackson("CVE-2018-7490"),
			},
			want: []types.DetectedVulnerability{jackson("CVE-2018-7490")},
		},
		{
			name:     "CycloneDX VEX wrong URN",
			filePath: "testdata/cyclonedx.json",
			report:   cdxReport("urn:uuid:wrong"),
			vulns:    []types.DetectedVulnerability{jackson("CVE-2018-7489")},
			// The VEX targets a different SBOM, so nothing may be suppressed.
			want: []types.DetectedVulnerability{jackson("CVE-2018-7489")},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			v, err := vex.New(tc.filePath, tc.report)
			require.NoError(t, err)
			assert.Equal(t, tc.want, v.Filter(tc.vulns))
		})
	}
}