From 27bb15ef41fff5454467c44bc62bad01a0fb8136 Mon Sep 17 00:00:00 2001
From: tdruez
Date: Tue, 3 Sep 2024 18:00:15 +0400
Subject: [PATCH] Add unit test for the include_vex feature #108
Signed-off-by: tdruez
---
 CHANGELOG.rst | 3 +++
 component_catalog/models.py | 7 ++-----
 dje/tests/test_outputs.py | 21 +++++++++++++++++++++
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 1e1e24da..8df12def 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -110,6 +110,9 @@ Release notes - Add a "Improve Packages from PurlDB" action in the Product details view. https://github.com/aboutcode-org/dejacode/issues/45
+- Add the ability to download the CycloneDX VEX-only and SBOM+VEX combined outputs.
+ https://github.com/aboutcode-org/dejacode/issues/108
+
### Version 5.1.0 - Upgrade Python version to 3.12 and Django to 5.0.x
diff --git a/component_catalog/models.py b/component_catalog/models.py
index 0c891207..e999abdf 100644
--- a/component_catalog/models.py
+++ b/component_catalog/models.py
@@ -2369,9 +2369,7 @@ def get_spdx_packages(self):
@property
def cyclonedx_bom_ref(self):
- if package_url := self.get_package_url():
- return str(package_url)
- return str(self.uuid)
+ return self.package_url or str(self.uuid)
def as_cyclonedx(self, license_expression_spdx=None):
"""Return this Package as an CycloneDX Component entry."""
@@ -2395,12 +2393,11 @@ def as_cyclonedx(self, license_expression_spdx=None):
if (hash_value := getattr(self, field_name))
]
- package_url = self.get_package_url()
return cyclonedx_component.Component(
name=self.name,
version=self.version,
bom_ref=self.cyclonedx_bom_ref,
- purl=package_url,
+ purl=self.get_package_url(),
licenses=licenses,
copyright=self.copyright,
description=self.description,
diff --git a/dje/tests/test_outputs.py b/dje/tests/test_outputs.py
index 29694881..03406e1a 100644
--- a/dje/tests/test_outputs.py
+++ b/dje/tests/test_outputs.py
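Review bot: `cyclonedx_bom_ref` in the hunk at `@@ -2369` now derives the bom-ref from `self.package_url`, while `as_cyclonedx` in the hunk at `@@ -2395` still passes `purl=self.get_package_url()`; before this change both came from `get_package_url()`, so if the stored `package_url` and `get_package_url()` can ever disagree (one set, the other empty or None) the component's `bom-ref` and `purl` will diverge and VEX `affects` references keyed on the bom-ref will no longer line up with the purl consumers match on. Worth confirming they are the same source of truth, or deriving both from one value. CycloneDX also requires `bom-ref` to be unique within a BOM: if two Package rows of one product can carry an identical `package_url`, this property now yields duplicate bom-refs, so a collision check in the BOM builder (falling back to the UUID) would keep the output valid. The property lost its only inline explanation; a docstring such as `"""Return the package_url, or the UUID as a string when none is set, for use as the CycloneDX bom-ref."""` would help. Neither the commit subject nor the CHANGELOG entry mentions this behavior change in models.py.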
@@ -10,12 +10,15 @@ from cyclonedx.model import bom as cyclonedx_bom
+from component_catalog.tests import make_package
+from component_catalog.tests import make_vulnerability
from dejacode import __version__ as dejacode_version
from dje import outputs
from dje.models import Dataspace
from dje.tests import create_superuser
from dje.tests import create_user
from product_portfolio.models import Product
+from product_portfolio.tests import make_product_package
class OutputsTestCase(TestCase):
@@ -73,6 +76,24 @@ def test_outputs_get_cyclonedx_bom(self):
bom = outputs.get_cyclonedx_bom(instance=self.product1, user=self.super_user)
self.assertIsInstance(bom, cyclonedx_bom.Bom)
+ def test_outputs_get_cyclonedx_bom_include_vex(self):
+ package_in_product = make_package(self.dataspace, package_url="pkg:type/name")
+ make_product_package(self.product1, package_in_product)
+ package_not_in_product = make_package(self.dataspace)
+ vulnerability1 = make_vulnerability(
+ self.dataspace, affecting=[package_in_product, package_not_in_product]
+ )
+ make_vulnerability(self.dataspace, affecting=[package_not_in_product])
+
+ bom = outputs.get_cyclonedx_bom(
+ instance=self.product1,
+ user=self.super_user,
+ include_vex=True,
+ )
+ self.assertIsInstance(bom, cyclonedx_bom.Bom)
+ self.assertEqual(1, len(bom.vulnerabilities))
+ self.assertEqual(vulnerability1.vulnerability_id, bom.vulnerabilities[0].id)
+
def test_outputs_get_cyclonedx_bom_json(self):
bom = outputs.get_cyclonedx_bom(instance=self.product1, user=self.super_user)
bom_json = outputs.get_cyclonedx_bom_json(bom)
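Review bot: `test_outputs_get_cyclonedx_bom_include_vex` in the hunk at `@@ -73,6` asserts the vulnerability count and id but not the link that makes a VEX entry usable, the `affects` reference back to the product's component; since the in-product package is created with `package_url="pkg:type/name"`, a line such as `self.assertEqual("pkg:type/name", bom.vulnerabilities[0].affects[0].ref)` would pin that the entry points at that component rather than at the package outside the product (this assumes the builder fills `affects` with bom-ref targets, which the hunk does not show). A second `get_cyclonedx_bom` call without `include_vex` followed by `self.assertFalse(bom.vulnerabilities)` would guard the default, since the neighbouring `test_outputs_get_cyclonedx_bom` only checks the return type. The second vulnerability, affecting only `package_not_in_product`, is the important negative case and is already covered by the count assertion.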