fix: wrong vuln rating source (#81)

Author: paulrosca-snyk

lib/snyk/enrich_cyclonedx.go

@@ -204,10 +204,21 @@ func enrichCycloneDX(cfg *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM
 
 				if issue.Attributes.Severities != nil {
 					for _, sev := range *issue.Attributes.Severities {
-						source := cdx.Source{
-							Name: "Snyk",
-							URL:  snykVulnerabilityDBWebURL,
+						var source cdx.Source
+						if sev.Source != nil {
+							source = cdx.Source{
+								Name: *sev.Source,
+							}
+						} else {
+							source = cdx.Source{
+								Name: "Snyk",
+							}
 						}
+
+						if source.Name == "Snyk" {
+							source.URL = snykVulnerabilityDBWebURL
+						}
+
 						if sev.Score != nil {
 							score := float64(*sev.Score)
 							rating := cdx.VulnerabilityRating{

lib/snyk/enrich_test.go

@@ -47,6 +47,11 @@ func TestEnrichSBOM_CycloneDXWithVulnerabilities(t *testing.T) {
 	vuln := (*bom.Vulnerabilities)[0]
 	assert.Equal(t, "pkg:pypi/[email protected]", vuln.BOMRef)
 	assert.Equal(t, "SNYK-PYTHON-NUMPY-73513", vuln.ID)
+
+	assert.NotNil(t, vuln.Ratings)
+	assert.Len(t, *vuln.Ratings, 4)
+	assert.Equal(t, (*vuln.Ratings)[0].Source, &cdx.Source{Name: "Snyk", URL: "https://security.snyk.io"})
+	assert.Equal(t, (*vuln.Ratings)[1].Source, &cdx.Source{Name: "NVD"})
 }
 
 func TestEnrichSBOM_CycloneDXExternalRefs(t *testing.T) {