From 9cc9d47a1e21869a890c1148ff3ad681a1c83c97 Mon Sep 17 00:00:00 2001
From: Paul Rosca <152853861+paulrosca-snyk@users.noreply.github.com>
Date: Tue, 17 Dec 2024 14:56:23 +0200
Subject: [PATCH] fix: wrong vuln rating source (#81)

---
 lib/snyk/enrich_cyclonedx.go | 17 ++++++++++++++---
 lib/snyk/enrich_test.go      |  5 +++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/snyk/enrich_cyclonedx.go b/lib/snyk/enrich_cyclonedx.go
index e46af56..5e7c861 100644
--- a/lib/snyk/enrich_cyclonedx.go
+++ b/lib/snyk/enrich_cyclonedx.go
@@ -204,10 +204,21 @@ func enrichCycloneDX(cfg *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM
 			if issue.Attributes.Severities != nil {
 				for _, sev := range *issue.Attributes.Severities {
-					source := cdx.Source{
-						Name: "Snyk",
-						URL:  snykVulnerabilityDBWebURL,
+					var source cdx.Source
+					if sev.Source != nil {
+						source = cdx.Source{
+							Name: *sev.Source,
+						}
+					} else {
+						source = cdx.Source{
+							Name: "Snyk",
+						}
 					}
+
+					if source.Name == "Snyk" {
+						source.URL = snykVulnerabilityDBWebURL
+					}
+
 					if sev.Score != nil {
 						score := float64(*sev.Score)
 						rating := cdx.VulnerabilityRating{
diff --git a/lib/snyk/enrich_test.go b/lib/snyk/enrich_test.go
index 29f29b0..6f164e9 100644
--- a/lib/snyk/enrich_test.go
+++ b/lib/snyk/enrich_test.go
@@ -47,6 +47,11 @@ func TestEnrichSBOM_CycloneDXWithVulnerabilities(t *testing.T) {
 	vuln := (*bom.Vulnerabilities)[0]
 	assert.Equal(t, "pkg:pypi/numpy@1.16.0", vuln.BOMRef)
 	assert.Equal(t, "SNYK-PYTHON-NUMPY-73513", vuln.ID)
+
+	assert.NotNil(t, vuln.Ratings)
+	assert.Len(t, *vuln.Ratings, 4)
+	assert.Equal(t, (*vuln.Ratings)[0].Source, &cdx.Source{Name: "Snyk", URL: "https://security.snyk.io"})
+	assert.Equal(t, (*vuln.Ratings)[1].Source, &cdx.Source{Name: "NVD"})
 }
 func TestEnrichSBOM_CycloneDXExternalRefs(t *testing.T) {
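Review bot: The new `if sev.Source != nil` guard accepts an empty string, so a severity whose source field is present but blank produces a rating whose source name is "" instead of the "Snyk" fallback, and the `source.Name == "Snyk"` branch that attaches snykVulnerabilityDBWebURL is skipped for it as well; tighten the guard to `if sev.Source != nil && *sev.Source != "" {`. The name is copied verbatim from the API response into the SBOM, and the "Snyk" comparison is case-sensitive, so the URL is only attached when the API spells the source exactly that way — presumably it always does, but that is worth confirming against the response schema. enrichCycloneDX starts and ends outside this hunk.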
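Review bot: The two new assert.Equal calls on the rating sources pass the actual value first and the expected literal second, the reverse of the two existing calls just above them and of testify's (expected, actual) order, so a failure message will label the values backwards; write them as `assert.Equal(t, &cdx.Source{Name: "Snyk", URL: "https://security.snyk.io"}, (*vuln.Ratings)[0].Source)` and `assert.Equal(t, &cdx.Source{Name: "NVD"}, (*vuln.Ratings)[1].Source)`. The `assert.Len(t, *vuln.Ratings, 4)` check and the index-based lookups depend on the fixture's severity list and its order, which are not visible here. TestEnrichSBOM_CycloneDXWithVulnerabilities starts outside the hunk.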