Skip to content

Fix TestCreateVulnerabilitiesMap tests #1038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eyalk007 wants to merge 1 commit into
base: v3_er
Choose a base branch
from
Open

Fix TestCreateVulnerabilitiesMap tests #1038

eyalk007 wants to merge 1 commit into from

Conversation

@eyalk007
Copy link
Collaborator

@eyalk007 eyalk007 commented Jan 19, 2026

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies
  • Fix all test cases that were corrupted due to V3 changes
  • Update vulnerability tests to use real SBOM structure from testdata files
  • Add SBOM testdata files with proper JFrog catalog format:
    • sbom_with_vulnerabilities.json: Main vulnerability test with axios CVEs
    • sbom_multiple_vulns_same_pkg.json: Tests max version selection logic
    • sbom_no_fix_version.json: Tests that vulns without fixes are excluded
  • Update violations test to use SecurityCommandResults.Violations field
  • Add support for loading SBOM from testdata files in test runner

Test cases now properly validate:

  • Vulnerabilities processed from SBOM format
  • Violations processed from Violations field
  • Max fix version selection when multiple CVEs affect same package
  • Vulnerabilities without fix versions are not added to map

@eyalk007
Fix and enhance TestCreateVulnerabilitiesMap tests
f86b1b8 
- Fix all test cases that were corrupted due to V3 changes
- Update vulnerability tests to use real SBOM structure from testdata files
- Add SBOM testdata files with proper JFrog catalog format:
  - sbom_with_vulnerabilities.json: Main vulnerability test with axios CVEs
  - sbom_multiple_vulns_same_pkg.json: Tests max version selection logic
  - sbom_no_fix_version.json: Tests that vulns without fixes are excluded
- Update violations test to use SecurityCommandResults.Violations field
- Add support for loading SBOM from testdata files in test runner

Test cases now properly validate:
- Vulnerabilities processed from SBOM format
- Violations processed from Violations field
- Max fix version selection when multiple CVEs affect same package
- Vulnerabilities without fix versions are not added to map
@eyalk007 eyalk007 self-assigned this Jan 19, 2026
@eyalk007 eyalk007 added the ignore for release Automatically generated release notes label Jan 19, 2026
@eyalk007 eyalk007 changed the title Fix and enhance TestCreateVulnerabilitiesMap tests Fix TestCreateVulnerabilitiesMap tests Jan 19, 2026
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Jan 19, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jan 19, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 19, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issues
Scan Category Status Security Issues
Software Composition Analysis ℹ️ Not Scanned -
Contextual Analysis ✅ Done -
Static Application Security Testing (SAST) ✅ Done
1 Issues Found 1 Medium
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Jan 19, 2026 

file

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1768822706-2146104482/scanrepository/scanrepository_test.go (line 929)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Untrusted stored value is included in web page content
Full description

Vulnerability Details
Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    message := db.QueryRow("SELECT message FROM messages WHERE id = 1")
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1768822706-2146104482/scanrepository/scanrepository_test.go line 927)

↘️ file (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1768822706-2146104482/scanrepository/scanrepository_test.go line 927)

↘️ file (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1768822706-2146104482/scanrepository/scanrepository_test.go line 929)

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go

testCases := []struct {
name string
sbomFile string // Optional: path to SBOM JSON file to load
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rename to sbomFilePath and you can delete the comment (if you want to leave it -place it above)

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go
JasResults: &results.JasScansResults{},
}},
},
// axios@1.2.0 has 4 CVEs with fix versions: 1.6.0, 1.7.8, 1.12.0, 1.8.2
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete comment

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go
SuggestedFixedVersion: "1.9.1",
IsDirectDependency: true,
Cves: []string{"CVE-2023-1234", "CVE-2023-4321"},
Cves: []string{"CVE-2023-1234"},
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you remove the second CVE due to the bug you found that we only take a single CVE even when several exist?

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go
JasResults: &results.JasScansResults{},
}},
},
// shared-pkg@1.0.0 has 3 CVEs with fix versions: 1.5.0, 1.8.0, 1.6.0
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete comment

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go

for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
// Load SBOM from file if specified
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete comment

eranturgeman
eranturgeman reviewed Jan 20, 2026
View reviewed changes
scanrepository/scanrepository_test.go
var sbom cyclonedx.BOM
err = json.Unmarshal(sbomData, &sbom)
require.NoError(t, err, "Failed to unmarshal SBOM")
// Set the SBOM in the first target's ScaResults
Copy link
Contributor

@eranturgeman eranturgeman Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete comment

eranturgeman
eranturgeman approved these changes Jan 20, 2026
View reviewed changes
Copy link
Contributor

@eranturgeman eranturgeman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks great! please see my comments and please place all sbom files in an inner dir inside testdata/scanrepository just for better ordering

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eranturgeman eranturgeman eranturgeman approved these changes

Assignees

@eyalk007 eyalk007

Labels

ignore for release Automatically generated release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eyalk007 @eranturgeman