Update shared examples of integration test project to allow fixtures without vulnerabilities

Proposal

While working on Output CycloneDX reports, I needed to create some fixture projects with dependencies. However, when attempting to use the "report with scanned files" shared example from the integration test project, I ran into issues, because it fails unless the given dependency also has a vulnerability.

The purpose of this issue is to update the "report with scanned files" shared example so that it functions properly with fixture files that only have a dependency without a related vulnerability.

Further details

Current implementation:

RSpec.shared_examples "report with scanned files" do |scanned_files|
  it "matches scanned files" do
    skip missing_report_message if report.nil?

    want = scanned_files.sort
    expect(report["vulnerabilities"].map { |v| v.dig("location", "file") }.uniq.sort).to eql want
    if report.dig("scan", "type") == "dependency_scanning"
      expect(report["dependency_files"].map { |df| df["path"] }.uniq.sort).to eql want
    end
  end
end

/cc @gonzoyumo @NicoleSchwartz @fcatteau

Edited by Adam Cohen
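
One way the check described above could be relaxed, as an added example that is not the project's own code: it assumes that for dependency_scanning reports the dependency_files list is the authoritative record of scanned files, and that vulnerability locations only need to fall within it. The helper name and the sample reports are constructed for illustration.

```ruby
# Hypothetical helper (not from the integration test project): returns a list
# of mismatch messages, empty when the report agrees with the expected files.
def scanned_file_mismatches(report, scanned_files)
  want = scanned_files.sort
  problems = []
  vuln_files = Array(report["vulnerabilities"])
               .map { |v| v.dig("location", "file") }.compact.uniq.sort

  if report.dig("scan", "type") == "dependency_scanning"
    # Assumption: dependency_files lists every scanned file, even when
    # none of the dependencies found in it has a vulnerability.
    dep_files = Array(report["dependency_files"]).map { |df| df["path"] }.uniq.sort
    problems << "dependency_files #{dep_files} != #{want}" unless dep_files == want

    # Vulnerabilities may cover only some scanned files, never extra ones.
    stray = vuln_files - want
    problems << "vulnerabilities in unscanned files: #{stray}" unless stray.empty?
  else
    # Other scan types keep the original exact-match behaviour.
    problems << "vulnerability files #{vuln_files} != #{want}" unless vuln_files == want
  end
  problems
end

# Constructed sample reports, trimmed to the keys the check reads.
DEPS_ONLY_REPORT = {
  "scan" => { "type" => "dependency_scanning" },
  "vulnerabilities" => [],
  "dependency_files" => [{ "path" => "Gemfile.lock", "dependencies" => [] }]
}.freeze

VULN_REPORT = DEPS_ONLY_REPORT.merge(
  "vulnerabilities" => [{ "location" => { "file" => "Gemfile.lock" } }]
).freeze

STRAY_REPORT = DEPS_ONLY_REPORT.merge(
  "vulnerabilities" => [{ "location" => { "file" => "yarn.lock" } }]
).freeze

SAST_REPORT = {
  "scan" => { "type" => "sast" },
  "vulnerabilities" => [{ "location" => { "file" => "app.rb" } }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts scanned_file_mismatches(DEPS_ONLY_REPORT, ["Gemfile.lock"]).inspect
  puts scanned_file_mismatches(STRAY_REPORT, ["Gemfile.lock"]).inspect
end
```

Inside the shared example, the same logic would be expressed as `expect(scanned_file_mismatches(report, scanned_files)).to be_empty`.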