From 9fad303e640c0e4525868e2c484bfdfb88759e78 Mon Sep 17 00:00:00 2001
From: Frank Viernau
Date: Tue, 28 Jan 2025 09:35:26 +0100
Subject: [PATCH] test(black-duck): Test vulnerability parsing from a CVSS 2
Signed-off-by: Frank Viernau
---
...rieve-package-findings-expected-result.yml | 27 +++++++++++++++++++
.../src/funTest/kotlin/BlackDuckFunTest.kt | 5 ++--
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml b/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml
index 9f71ca14edecf..53578b5996bb1 100644
--- a/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml
+++ b/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml
@@ -27,3 +27,30 @@ Crate::sys-info:0.7.0:
 severity: "CRITICAL"
 score: 9.8
 vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+Pod::AFNetworking:0.10.0:
+ advisor:
+ name: "BlackDuck"
+ capabilities:
+ - "VULNERABILITIES"
+ summary:
+ start_time: "1970-01-01T00:00:00Z"
+ end_time: "1970-01-01T00:00:00Z"
+ vulnerabilities:
+ - id: "CVE-2015-3996"
+ description: "The default AFSecurityPolicy.validatesDomainName configuration for\
+ \ AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in\
+ \ the ownCloud iOS Library, disables verification of a server hostname against\
+ \ the domain name in the subject's Common Name (CN) of the X.509 certificate,\
+ \ which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary\
+ \ valid certificate."
+ references:
+ - url: "https://BLACK_DUCK_SERVER_HOST/api/vulnerabilities/CVE-2015-3996"
+ scoring_system: "CVSS2"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+ - url: "https://BLACK_DUCK_SERVER_HOST/api/cwes/CWE-254"
+ scoring_system: "CVSS2"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
diff --git a/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt b/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt
index b9f2f59a775b3..12ec7b37f5c0c 100644
--- a/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt
+++ b/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt
@@ -111,8 +111,9 @@ class BlackDuckFunTest : WordSpec({
 .readValue>()
 val packages = setOf(
 // Package using CVSS 3.1 vector:
- "Crate::sys-info:0.7.0"
- // Todo: Add a package using CVSS 2 vector:
+ "Crate::sys-info:0.7.0",
+ // Package using CVSS 2 vector only:
+ "Pod::AFNetworking:0.10.0"
 ).mapTo(mutableSetOf()) { identifierToPackage(it) }