Merge pull request #2893 from nscuro/issue-2859

Add regression test for #2859
DependencyTrack · Jul 17, 2023 · ce788aa · ce788aa
2 parents f3fbbac + ccb1056
commit ce788aa
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 0 deletions.
diff --git a/src/test/java/org/dependencytrack/tasks/BomUploadProcessingTaskTest.java b/src/test/java/org/dependencytrack/tasks/BomUploadProcessingTaskTest.java
@@ -25,6 +25,7 @@
 import alpine.notification.Subscriber;
 import alpine.notification.Subscription;
 import net.jcip.annotations.NotThreadSafe;
+import org.apache.commons.io.IOUtils;
 import org.dependencytrack.PersistenceCapableTest;
 import org.dependencytrack.event.BomUploadEvent;
 import org.dependencytrack.event.NewVulnerableDependencyAnalysisEvent;
@@ -56,6 +57,7 @@
 import java.util.concurrent.ConcurrentLinkedQueue;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.dependencytrack.assertion.Assertions.assertConditionWithTimeout;
 
 @NotThreadSafe
@@ -209,4 +211,14 @@ public void informWithInvalidCycloneDxBomTest() throws Exception {
         assertThat(project.getLastBomImport()).isNull();
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/2859
+    public void informIssue2859Test() throws Exception {
+        final Project project = qm.createProject("Acme Example", null, "1.0", null, null, null, true, false);
+
+        final byte[] bomBytes = IOUtils.resourceToByteArray("/unit/bom-issue2859.xml");
+
+        assertThatNoException()
+                .isThrownBy(() -> new BomUploadProcessingTask().inform(new BomUploadEvent(project.getUuid(), bomBytes)));
+    }
+
 }
diff --git a/src/test/resources/unit/bom-issue2859.xml b/src/test/resources/unit/bom-issue2859.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
+    <metadata>
+        <component type="application" bom-ref="acme">
+            <publisher>DependencyTrack</publisher>
+            <name>Acme example</name>
+            <externalReferences>
+                <reference type="build-system">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="distribution">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="issue-tracker">
+                    <url>https://acme.example</url>
+                </reference>
+                <reference type="vcs">
+                    <url>https://acme.example</url>
+                </reference>
+            </externalReferences>
+        </component>
+    </metadata>
+    <components>
+        <component type="application" bom-ref="comp">
+            <author>Sometimes this field is long because it is composed of a list of authors......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................</author>
+            <publisher>Example Incorporated</publisher>
+            <group>com.example</group>
+            <name>xmlutil</name>
+            <version>1.0.0</version>
+            <description>A makebelieve XML utility library</description>
+            <hashes>
+                <hash alg="MD5">2b67669c925048d1a5c7f124d9ba1d2a</hash>
+                <hash alg="SHA-1">72ca79908c814022905e86f8bbecd9b829352139</hash>
+                <hash alg="SHA-256">1389877662864d2bb0488b4b1e417ce5647a1687084341178a203b243dfe90e7</hash>
+            </hashes>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                    <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+                </license>
+            </licenses>
+            <copyright>Copyright Example Inc. All rights reserved.</copyright>
+            <cpe>cpe:/a:example:xmlutil:1.0.0</cpe>
+            <purl>pkg:maven/com.example/xmlutil@1.0.0?packaging=jar</purl>
+            <modified>false</modified>
+        </component>
+    </components>
+    <vulnerabilities>
+        <vulnerability bom-ref="comp-vuln">
+            <id>BOMVULN-01</id>
+            <ratings>
+                <rating>
+                    <score>10.0</score>
+                    <severity>critical</severity>
+                    <method>CVSSv3</method>
+                </rating>
+            </ratings>
+            <affects>
+                <target>
+                    <ref>comp</ref>
+                </target>
+            </affects>
+        </vulnerability>
+    </vulnerabilities>
+</bom>