Add specs for #to_security_report method

36984eb5 · Oscar Tovar · 3040248b · 36984eb5 · 36984eb5
--- a/ee/lib/gitlab/vulnerability_scanning/sbom_scanner.rb
+++ b/ee/lib/gitlab/vulnerability_scanning/sbom_scanner.rb
@@ -9,7 +9,7 @@ class SbomScanner
      SECURITY_REPORT_TYPE = "dependency_scanning"
      SCANNER_EXTERNAL_ID = "gitlab-sbom-vulnerability-scanner"
-      SCANNER_NAME = "Gitlab SBoM Vulnerabilty Scanner"
+      SCANNER_NAME = "GitLab SBoM Vulnerability Scanner"
      SCANNER_VENDOR = "GitLab"
      SCANNER_VERSION = "0.1.0"

--- a/ee/spec/lib/gitlab/vulnerability_scanning/sbom_scanner_spec.rb
+++ b/ee/spec/lib/gitlab/vulnerability_scanning/sbom_scanner_spec.rb
@@ -8,28 +8,53 @@
  let_it_be(:ci_build) { build(:ci_build, pipeline: pipeline) }
  let_it_be(:component) { build(:ci_reports_sbom_component) }
  let_it_be(:sbom) { build(:ci_reports_sbom_report, components: [component]) }
-  let_it_be(:advisories) { build_list(:pm_advisory, 2) }
+  let_it_be(:advisories) { [] }
+  let(:findings) do
+    advisories.map do |advisory|
+      identifiers = advisory.identifiers.map do |ident|
+        build(:ci_reports_security_identifier,
+          external_id: ident['value'],
+          external_type: ident['type'],
+          name: ident['name'],
+          url: ident['url'])
+      end
+      build(:ci_reports_security_finding, scanner: scanner, identifiers: identifiers)
+    end
+  end
+  let(:scanner) do
+    build(:ci_reports_security_scanner, external_id: 'gitlab-sbom-vulnerability-scanner',
+      name: 'GitLab SBoM Vulnerability Scanner', vendor: 'GitLab', version: '0.1.0')
+  end
-  subject(:scanner) { described_class.new(ci_build, sbom) }
+  subject(:sbom_scanner) { described_class.new(ci_build, sbom) }
  describe "#to_security_report" do
    before do
      allow(subject).to receive(:fetch_advisories).and_return([[component, advisories]])
    end
-    context "when advisories are found for the component" do
+    context "when advisories are not found for the component" do
-      it "creates a security report with dependencies and findings" do
+      it "creates a security report with dependencies and no findings" do
-        expect(scanner.to_security_report).to be_a_kind_of(::Gitlab::Ci::Reports::Security::Report)
+        expect(sbom_scanner.to_security_report).to be_a_kind_of(::Gitlab::Ci::Reports::Security::Report)
-        expect(scanner.to_security_report.findings.length).to be 2
+        expect(sbom_scanner.to_security_report.errored?).to be(false)
+        expect(sbom_scanner.to_security_report.findings.length).to be 0
      end
    end
-    context "when advisories are not found for the component" do
+    context "when advisories are found for the component" do
-      let_it_be(:advisories) { [] }
+      let_it_be(:advisories) { build_list(:pm_advisory, 1) }
-      it "creates a security report with dependencies and no findings" do
+      it "creates a security report with dependencies and findings" do
-        expect(scanner.to_security_report).to be_a_kind_of(::Gitlab::Ci::Reports::Security::Report)
+        expect(sbom_scanner.to_security_report).to be_a_kind_of(::Gitlab::Ci::Reports::Security::Report)
-        expect(scanner.to_security_report.findings.length).to be 0
+        expect(sbom_scanner.to_security_report.errored?).to be(false)
+        expect(sbom_scanner.to_security_report.scanners.count).to eq(1)
+        expect(sbom_scanner.to_security_report.scanners.each_value.first).to eq(scanner)
+        expect(sbom_scanner.to_security_report.findings.count).to eq(1)
+        expect(sbom_scanner.to_security_report.findings.first.name).to include(findings.first.identifiers.first.name)
+        expect(sbom_scanner.to_security_report.findings.first.identifiers).to match_array(findings.first.identifiers)
      end
    end
  end