-
-
Notifications
You must be signed in to change notification settings - Fork 779
Expand file tree
/
Copy pathModelConverterTest.java
More file actions
96 lines (80 loc) · 4.13 KB
/
Copy pathModelConverterTest.java
File metadata and controls
96 lines (80 loc) · 4.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
/*
* This file is part of Dependency-Track.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
* Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package org.dependencytrack.parser.cyclonedx;
import org.dependencytrack.PersistenceCapableTest;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.Finding;
import org.dependencytrack.model.Project;
import org.dependencytrack.model.Severity;
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.parser.cyclonedx.util.ModelConverter;
import org.dependencytrack.tasks.scanners.AnalyzerIdentity;
import org.junit.jupiter.api.Test;
import java.util.List;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatNoException;
class ModelConverterTest extends PersistenceCapableTest {
@Test
void generateVulnerabilitiesSkipsFindingWhoseComponentWasDeleted() {
final Project project = qm.createProject("acme-app", null, "1.0.0", null, null, null, true, false);
Vulnerability vulnerability = new Vulnerability();
vulnerability.setVulnId("INT-001");
vulnerability.setSource(Vulnerability.Source.INTERNAL);
vulnerability.setSeverity(Severity.HIGH);
vulnerability = qm.createVulnerability(vulnerability, false);
Component component = new Component();
component.setProject(project);
component.setName("acme-lib");
component.setVersion("1.0.0");
component = qm.createComponent(component, false);
qm.addVulnerability(vulnerability, component, AnalyzerIdentity.INTERNAL_ANALYZER);
// Resolve the findings up front, mirroring what the exporter does before conversion.
final List<Finding> findings = qm.getFindings(project, true);
assertThat(findings).hasSize(1);
// Simulate the component being deleted in the window between the findings query
// and the export (e.g. a concurrent re-analysis or manual deletion).
qm.recursivelyDelete(component, false);
// Before the fix this threw a NullPointerException and aborted the whole export.
assertThatNoException().isThrownBy(() ->
ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings));
final List<org.cyclonedx.model.vulnerability.Vulnerability> result =
ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings);
assertThat(result).isEmpty();
}
@Test
void generateVulnerabilitiesConvertsFindingWithResolvableComponent() {
final Project project = qm.createProject("acme-app", null, "1.0.0", null, null, null, true, false);
Vulnerability vulnerability = new Vulnerability();
vulnerability.setVulnId("INT-001");
vulnerability.setSource(Vulnerability.Source.INTERNAL);
vulnerability.setSeverity(Severity.HIGH);
vulnerability = qm.createVulnerability(vulnerability, false);
Component component = new Component();
component.setProject(project);
component.setName("acme-lib");
component.setVersion("1.0.0");
component = qm.createComponent(component, false);
qm.addVulnerability(vulnerability, component, AnalyzerIdentity.INTERNAL_ANALYZER);
final List<Finding> findings = qm.getFindings(project, true);
final List<org.cyclonedx.model.vulnerability.Vulnerability> result =
ModelConverter.generateVulnerabilities(qm, CycloneDXExporter.Variant.VEX, findings);
assertThat(result).hasSize(1);
assertThat(result.get(0).getId()).isEqualTo("INT-001");
}
}