mirror of
https://github.com/anchore/syft.git
synced 2026-05-20 04:05:24 +02:00
b7a6d5e946
Syft can get CPEs from several source, including generating them based on package data, finding them in the NVD CPE dictionary, or finding them declared in a manifest or existing SBOM. Record where Syft got CPEs so that consumers of SBOMs can reason about how trustworthy they are. Signed-off-by: Will Murphy <will.murphy@anchore.com>
44 lines
1.1 KiB
Go
44 lines
1.1 KiB
Go
package cpe
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func Test_Merge(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
input [][]CPE
|
|
expected []CPE
|
|
}{
|
|
{
|
|
name: "merge, removing duplicates and ordered",
|
|
input: [][]CPE{
|
|
{
|
|
Must("cpe:2.3:a:*:package:1:*:*:*:*:*:*:*", NVDDictionaryLookupSource),
|
|
Must("cpe:2.3:a:*:package:1:*:*:*:*:*:*:*", DeclaredSource),
|
|
Must("cpe:2.3:a:some:package:*:*:*:*:*:*:*:*", GeneratedSource),
|
|
},
|
|
{
|
|
Must("cpe:2.3:a:some:package:1:*:*:*:*:*:*:*", DeclaredSource),
|
|
Must("cpe:2.3:a:some:package:*:*:*:*:*:*:*:*", GeneratedSource),
|
|
},
|
|
},
|
|
expected: []CPE{
|
|
Must("cpe:2.3:a:*:package:1:*:*:*:*:*:*:*", NVDDictionaryLookupSource),
|
|
Must("cpe:2.3:a:some:package:1:*:*:*:*:*:*:*", DeclaredSource),
|
|
Must("cpe:2.3:a:*:package:1:*:*:*:*:*:*:*", DeclaredSource),
|
|
Must("cpe:2.3:a:some:package:*:*:*:*:*:*:*:*", GeneratedSource),
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
out := Merge(test.input[0], test.input[1])
|
|
assert.Equal(t, test.expected, out)
|
|
})
|
|
}
|
|
}
|