test(vulnerable-code): Add a test for a Commons-Compress CVE

Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Feb 12, 2024 · 03c14c3 · 03c14c3
1 parent 38187ca
commit 03c14c3
Showing 1 changed file with 46 additions and 22 deletions.
diff --git a/plugins/advisors/vulnerable-code/src/funTest/kotlin/VulnerableCodeFunTest.kt b/plugins/advisors/vulnerable-code/src/funTest/kotlin/VulnerableCodeFunTest.kt
@@ -19,7 +19,7 @@
 
 package org.ossreviewtoolkit.plugins.advisors.vulnerablecode
 
-import io.kotest.core.spec.style.StringSpec
+import io.kotest.core.spec.style.WordSpec
 import io.kotest.matchers.collections.beEmpty
 import io.kotest.matchers.collections.shouldContainAll
 import io.kotest.matchers.should
@@ -30,27 +30,51 @@ import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.utils.toPurl
 import org.ossreviewtoolkit.utils.test.shouldNotBeNull
 
-class VulnerableCodeFunTest : StringSpec({
-    "Findings should be returned for a vulnerable package" {
-        val vc = VulnerableCode("VulnerableCode", VulnerableCodeConfiguration())
-        val id = Identifier("Maven:com.google.guava:guava:19.0")
-        val pkg = Package.EMPTY.copy(id, purl = id.toPurl())
-
-        val findings = vc.retrievePackageFindings(setOf(pkg))
-
-        findings.values.flatMap { it.summary.issues } should beEmpty()
-        with(findings.values.flatMap { it.vulnerabilities }.associateBy { it.id }) {
-            keys shouldContainAll setOf(
-                "CVE-2018-10237",
-                "CVE-2020-8908",
-                "CVE-2023-2976"
-            )
-
-            getValue("CVE-2023-2976").references.find {
-                it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
-            } shouldNotBeNull {
-                severity shouldBe "7.1"
-                severityRating shouldBe "HIGH"
+class VulnerableCodeFunTest : WordSpec({
+    "Vulnerable Maven packages" should {
+        "return findings for Guava" {
+            val vc = VulnerableCode("VulnerableCode", VulnerableCodeConfiguration())
+            val id = Identifier("Maven:com.google.guava:guava:19.0")
+            val pkg = Package.EMPTY.copy(id, purl = id.toPurl())
+
+            val findings = vc.retrievePackageFindings(setOf(pkg))
+
+            findings.values.flatMap { it.summary.issues } should beEmpty()
+            with(findings.values.flatMap { it.vulnerabilities }.associateBy { it.id }) {
+                keys shouldContainAll setOf(
+                    "CVE-2018-10237",
+                    "CVE-2020-8908",
+                    "CVE-2023-2976"
+                )
+
+                getValue("CVE-2023-2976").references.find {
+                    it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
+                } shouldNotBeNull {
+                    severity shouldBe "7.1"
+                    severityRating shouldBe "HIGH"
+                }
+            }
+        }
+
+        "return findings for Commons-Compress" {
+            val vc = VulnerableCode("VulnerableCode", VulnerableCodeConfiguration())
+            val id = Identifier("Maven:org.apache.commons:commons-compress:1.23.0")
+            val pkg = Package.EMPTY.copy(id, purl = id.toPurl())
+
+            val findings = vc.retrievePackageFindings(setOf(pkg))
+
+            findings.values.flatMap { it.summary.issues } should beEmpty()
+            with(findings.values.flatMap { it.vulnerabilities }.associateBy { it.id }) {
+                keys shouldContainAll setOf(
+                    "CVE-2023-42503"
+                )
+
+                getValue("CVE-2023-42503").references.find {
+                    it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-42503"
+                } shouldNotBeNull {
+                    severity shouldBe "5.5"
+                    severityRating shouldBe "MEDIUM"
+                }
             }
         }
     }