From cc38f1978093eaa7c87c26ebef92eca36e637806 Mon Sep 17 00:00:00 2001
From: twu
Date: Wed, 8 May 2024 15:21:28 +0200
Subject: [PATCH] Fix tests.
---
 src/skjold/sources/gemnasium.py | 9 ++++++---
 tests/fixtures/formats/ignore/all | 5 +++++
 tests/test_cli.py | 4 ++--
 tests/test_gemnasium.py | 3 +++
 tests/test_pyup.py | 4 ++--
 5 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/skjold/sources/gemnasium.py b/src/skjold/sources/gemnasium.py
index 5ff5bae..2d0b1d6 100644
--- a/src/skjold/sources/gemnasium.py
+++ b/src/skjold/sources/gemnasium.py
@@ -38,7 +38,6 @@ def source(self) -> str: @property def severity(self) -> str: - for field in ["cvss_v3", "cvss_v2"]: vector = self._json.get(field, None) if vector:
@@ -72,7 +71,7 @@ def vulnerable_version_range(self) -> List[specifiers.SpecifierSet]:
 affected_range = self._json["affected_range"]
 # Gemnasium sometimes uses spaces instead of commas for ranges
- affected_range = affected_range.strip().replace(' ', ',')
+ affected_range = affected_range.strip().replace(" ", ",")
 # Gemnasium seems to invalidate/withdraw advisories by marking them this way.
 # See pypi/pyspark/CVE-2020-27218.yml#L11 in gemnasium-db.
@@ -85,6 +84,11 @@ def vulnerable_version_range(self) -> List[specifiers.SpecifierSet]:
 vulnerable_versions = []
 for spec in affected_range.split("||"):
+ # Workaround to ensure that we strip any trailing dots from ranges/specs e.g. >=1.2.,<=2.0.
+ spec = spec.replace(".,", ",")
+ if "," in spec and spec.endswith("."):
+ spec = spec[:-1]
+
 vulnerable_versions.append(specifiers.SpecifierSet(spec, prereleases=True))
 return vulnerable_versions
@@ -102,7 +106,6 @@ def is_affected(self, version: str) -> bool: class Gemnasium(SecurityAdvisorySource): - _url = "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/archive/master/gemnasium-db-master.tar.gz" _name = "gemnasium"
diff --git a/tests/fixtures/formats/ignore/all b/tests/fixtures/formats/ignore/all
index 4696380..8e03af2 100644
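Review bot: In vulnerable_version_range the trailing-dot strip only fires when the spec also contains a comma, so a single-specifier range such as `>=1.2.` (no comma) still reaches `specifiers.SpecifierSet` unchanged and would raise `specifiers.InvalidSpecifier`, while the multi-specifier form it sits next to is repaired. No valid PEP 440 specifier ends in a dot, so the comma guard can go: `if spec.endswith("."): spec = spec[:-1]`. Since affected_range comes from the downloaded gemnasium-db archive, the comment should also say what a still-malformed range does to the audit — whether the caller skips that advisory or the whole run aborts is not visible in this hunk. The rest of vulnerable_version_range lies outside the hunk.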
--- a/tests/fixtures/formats/ignore/all
+++ b/tests/fixtures/formats/ignore/all
@@ -23,4 +23,9 @@ ignore:
 - expires: 2100-01-01T00:00:00+0000
 package: urllib3
 reason: No remediation available.
+ PYSEC-2023-212:
+ - expires: 2100-01-01T00:00:00+0000
+ package: urllib3
+ reason: No remediation available.
+ version: "1.0"
diff --git a/tests/test_cli.py b/tests/test_cli.py
index d558f37..12ef623 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -78,7 +78,7 @@ def test_vulnerable_package_with_ignore_list_via_env(
 result = runner.invoke(cli, args=["audit", "-"], input=input_, obj=config)
- assert "Ignored 6 finding(s)!" in result.stderr
+ assert "Ignored 7 finding(s)!" in result.stderr
 assert "No vulnerable packages found!" in result.stderr
 assert result.exit_code == 0
@@ -105,7 +105,7 @@ def test_vulnerable_package_with_ignore_list_via_cli(
 cli, args=["audit", "-i", ignore_path, "-"], input=input_, obj=config
 )
- assert "Ignored 6 finding(s)!" in result.stderr
+ assert "Ignored 7 finding(s)!" in result.stderr
 assert "No vulnerable packages found!" in result.stderr
 assert result.exit_code == 0
diff --git a/tests/test_gemnasium.py b/tests/test_gemnasium.py
index 9442cc1..62192ed 100644
--- a/tests/test_gemnasium.py
+++ b/tests/test_gemnasium.py
@@ -160,4 +160,7 @@ def test_ensure_gemnasium_update(cache_dir: str) -> None:
 assert found and len(findings) > 0
 found, findings = source.is_vulnerable_package(Dependency("Django", "2.3.0"))
+ assert found is True and len(findings) > 0
+
+ found, findings = source.is_vulnerable_package(Dependency("Django", "3.2.25"))
 assert found is False and len(findings) == 0
diff --git a/tests/test_pyup.py b/tests/test_pyup.py
index e1d620a..b5a6f98 100644
--- a/tests/test_pyup.py
+++ b/tests/test_pyup.py
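Review bot: The assertions added in test_ensure_gemnasium_update pin results for fixed Django versions against whatever the source returns, and the `cache_dir` fixture together with the "update" name suggest that is a freshly fetched advisory database rather than a checked-in snapshot; if so, the new `Dependency("Django", "3.2.25")` negative case will flip once a later advisory covers it, which is exactly what this commit is correcting for werkzeug 2.2.3 in tests/test_pyup.py and for the `Ignored 7 finding(s)!` counts in tests/test_cli.py. A short docstring on the test would make that explicit, e.g. `"""Run the source against a fetched advisory database; expected results track upstream data and may need updating."""`, or the expectations could be driven from a pinned fixture so the suite is reproducible offline. The body of test_ensure_gemnasium_update starts before this hunk.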
@@ -110,7 +110,8 @@ def test_ensure_is_affected_single(
 ("pyup", Dependency("werkzeug", "0.12"), True),
 ("pyup", Dependency("werkzeug", "1.0.0"), True),
 ("pyup", Dependency("werkzeug", "1.0.1"), True),
- ("pyup", Dependency("werkzeug", "2.2.3"), False),
+ ("pyup", Dependency("werkzeug", "2.2.3"), True),
+ ("pyup", Dependency("werkzeug", "3.0.1"), False),
 ("pyup", Dependency("does-not-exist", "0"), False),
 ],
 )
@@ -120,7 +121,6 @@ def test_ensure_source_is_affected_single( is_vulnerable: bool, cache_dir: str, ) -> None: - from skjold.tasks import _sources assert source_name in _sources