Add extra unit test for the OSV-Scanner support

Signed-off-by: tdruez <[email protected]>

Author: tdruez

scanpipe/tests/data/sca-integrations/osv-scanner-vulns-sbom.cdx.json

@@ -0,0 +1,66 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "pkg:composer/league/[email protected]",
+      "type": "library",
+      "name": "league/flysystem",
+      "version": "1.0.8",
+      "licenses": [],
+      "purl": "pkg:composer/league/[email protected]"
+    },
+    {
+      "bom-ref": "pkg:npm/[email protected]",
+      "type": "library",
+      "name": "has-flag",
+      "version": "4.0.0",
+      "licenses": [],
+      "purl": "pkg:npm/[email protected]"
+    },
+    {
+      "bom-ref": "pkg:npm/[email protected]",
+      "type": "library",
+      "name": "wrappy",
+      "version": "1.0.2",
+      "licenses": [],
+      "purl": "pkg:npm/[email protected]"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "GHSA-9f46-5r25-5wfm",
+      "references": [
+        {
+          "id": "CVE-2021-32708",
+          "source": {}
+        }
+      ],
+      "ratings": [
+        {
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem",
+      "detail": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n",
+      "advisories": [
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708"
+        }
+      ],
+      "published": "2021-06-29T03:13:28Z",
+      "updated": "2024-02-16T08:21:35Z",
+      "credits": {
+        "organizations": []
+      },
+      "affects": [
+        {
+          "ref": "pkg:composer/league/[email protected]"
+        }
+      ]
+    }
+  ]
+}

scanpipe/tests/test_sca_integrations.py

@@ -164,3 +164,24 @@ def test_scanpipe_scan_integrations_load_sbom_osv_scanner(self):
         self.assertEqual(16, project1.discoveredpackages.count())
         self.assertEqual(0, project1.discoveredpackages.vulnerable().count())
         self.assertEqual(15, project1.discovereddependencies.count())
+
+    def test_scanpipe_scan_integrations_load_sbom_osv_scanner_cdx_vulnerabilities(self):
+        # Input file taken from: https://google.github.io/osv-scanner/output/#cyclonedx
+        input_location = (
+            self.data / "sca-integrations" / "osv-scanner-vulns-sbom.cdx.json"
+        )
+
+        pipeline_name = "load_sbom"
+        project1 = make_project()
+        project1.copy_input_from(input_location)
+
+        run = project1.add_pipeline(pipeline_name)
+        pipeline = run.make_pipeline_instance()
+
+        exitcode, out = pipeline.execute()
+        self.assertEqual(0, exitcode, msg=out)
+
+        self.assertEqual(1, project1.codebaseresources.count())
+        self.assertEqual(3, project1.discoveredpackages.count())
+        self.assertEqual(1, project1.discoveredpackages.vulnerable().count())
+        self.assertEqual(0, project1.discovereddependencies.count())