test(osv): Narrow down two assertions

Assert the returned vulnerabilities which is the focus of the tests.

Signed-off-by: Frank Viernau <[email protected]>

Author: fviernau

plugins/advisors/osv/src/funTest/kotlin/OsvFunTest.kt

@@ -26,13 +26,10 @@ import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
 import io.kotest.matchers.shouldBe
 import io.kotest.matchers.shouldNot
 
-import java.time.Instant
-
-import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.VcsInfo
-import org.ossreviewtoolkit.plugins.advisors.api.normalizeVulnerabilityData
+import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.utils.test.identifierToPackage
 import org.ossreviewtoolkit.utils.test.readResourceValue
 
@@ -80,13 +77,15 @@ class OsvFunTest : WordSpec({
                 identifierToPackage(it)
             }
 
-            val packageFindings = osv.retrievePackageFindings(packages).mapKeys { it.key.id }
+            val packageFindings = osv.retrievePackageFindings(packages).entries.associate {
+                it.key.id to it.value.vulnerabilities
+            }
 
-            val expectedResult = readResourceValue<Map<Identifier, AdvisorResult>>(
+            val expectedResult = readResourceValue<Map<Identifier, List<Vulnerability>>>(
                 "/retrieve-package-findings-expected-result.yml"
             )
 
-            packageFindings.patchTimes() shouldBe expectedResult.patchTimes()
+            packageFindings shouldBe expectedResult
         }
 
         "return the vulnerabilities for the commit of Hadoop 3.3.1" {
@@ -95,25 +94,17 @@ class OsvFunTest : WordSpec({
                 vcsProcessed = VcsInfo.EMPTY.copy(revision = "a3b9c37a397ad4188041dd80621bdeefc46885f2")
             )
 
-            val packageFindings = osv.retrievePackageFindings(setOf(pkg)).mapKeys { it.key.id }
+            val packageFindings = osv.retrievePackageFindings(setOf(pkg)).entries.associate {
+                it.key.id to it.value.vulnerabilities
+            }
 
-            val expectedResult = readResourceValue<Map<Identifier, AdvisorResult>>(
+            val expectedResult = readResourceValue<Map<Identifier, List<Vulnerability>>>(
                 "/hadoop-commit-has-expected-result.yml"
             )
 
-            packageFindings.patchTimes() shouldBe expectedResult.patchTimes()
+            packageFindings shouldBe expectedResult
         }
     }
 })
 
 private fun createOsv(): Osv = OsvFactory.create()
-
-private fun Map<Identifier, AdvisorResult>.patchTimes(): Map<Identifier, AdvisorResult> =
-    mapValues { (_, advisorResult) ->
-        advisorResult.normalizeVulnerabilityData().copy(
-            summary = advisorResult.summary.copy(
-                startTime = Instant.EPOCH,
-                endTime = Instant.EPOCH
-            )
-        )
-    }

plugins/advisors/osv/src/funTest/resources/hadoop-commit-has-expected-result.yml

@@ -1,30 +1,24 @@
 ---
 ':::':
-  advisor:
-    name: "OSV"
-  summary:
-    start_time: "2026-04-11T13:48:17.178933551Z"
-    end_time: "2026-04-11T13:48:18.413494698Z"
-  vulnerabilities:
-  - id: "CVE-2022-26612"
-    description: "In Apache Hadoop, The unTar function uses unTarUsingJava function\
-      \ on Windows and the built-in tar utility on Unix and other OSes. As a result,\
-      \ a TAR entry may create a symlink under the expected extraction directory which\
-      \ points to an external directory. A subsequent TAR entry may extract an arbitrary\
-      \ file into the external directory using the symlink name. This however would\
-      \ be caught by the same targetDirPath check on Unix because of the getCanonicalPath\
-      \ call. However on Windows, getCanonicalPath doesn't resolve symbolic links,\
-      \ which bypasses the check. unpackEntries during TAR extraction follows symbolic\
-      \ links which allows writing outside expected base directory on Windows. This\
-      \ was addressed in Apache Hadoop 3.2.3"
-    references:
-    - url: "https://security.netapp.com/advisory/ntap-20220519-0004/"
-      scoring_system: "CVSS_V3"
-      severity: null
-      score: null
-      vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-    - url: "https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz"
-      scoring_system: "CVSS_V3"
-      severity: null
-      score: null
-      vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+- id: "CVE-2022-26612"
+  description: "In Apache Hadoop, The unTar function uses unTarUsingJava function\
+    \ on Windows and the built-in tar utility on Unix and other OSes. As a result,\
+    \ a TAR entry may create a symlink under the expected extraction directory which\
+    \ points to an external directory. A subsequent TAR entry may extract an arbitrary\
+    \ file into the external directory using the symlink name. This however would\
+    \ be caught by the same targetDirPath check on Unix because of the getCanonicalPath\
+    \ call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which\
+    \ bypasses the check. unpackEntries during TAR extraction follows symbolic links\
+    \ which allows writing outside expected base directory on Windows. This was addressed\
+    \ in Apache Hadoop 3.2.3"
+  references:
+  - url: "https://security.netapp.com/advisory/ntap-20220519-0004/"
+    scoring_system: "CVSS_V3"
+    severity: null
+    score: null
+    vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+  - url: "https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz"
+    scoring_system: "CVSS_V3"
+    severity: null
+    score: null
+    vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"