If caller out of scope risk shall not be created for code backdooring…

… rule

pkg/security/risks/builtin/code_backdooring_rule.go

@@ -60,7 +60,7 @@ func (r *CodeBackdooringRule) GenerateRisks(parsedModel *types.Model) ([]*types.
 
 			for _, callerLink := range parsedModel.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id] {
 				caller := parsedModel.TechnicalAssets[callerLink.SourceId]
-				if (!callerLink.VPN && caller.Internet) || caller.OutOfScope {
+				if !callerLink.VPN && caller.Internet && !caller.OutOfScope {
 					risks = append(risks, r.createRisk(parsedModel, technicalAsset))
 					break
 				}

pkg/security/risks/builtin/code_backdooring_rule_test.go

@@ -224,3 +224,44 @@ func TestCodeBackdooringRuleGenerateRisksTechAssetNotInternetButComingThroughVPN
 	assert.Nil(t, err)
 	assert.Empty(t, risks)
 }
+
+func TestCodeBackdooringRuleGenerateRisksTechAssetNotInternetButComingThroughVPNInternetButCallerOutOfScopeRisksNotCreated(t *testing.T) {
+	rule := NewCodeBackdooringRule()
+
+	risks, err := rule.GenerateRisks(&types.Model{
+		TechnicalAssets: map[string]*types.TechnicalAsset{
+			"git-lab-ci-cd": {
+				Id:    "git-lab-ci-cd",
+				Title: "GitLab CI/CD",
+				Technologies: types.TechnologyList{
+					{
+						Name: "build-pipeline",
+						Attributes: map[string]bool{
+							types.IsDevelopmentRelevant: true,
+						},
+					},
+				},
+			},
+			"vpn": {
+				Title:    "VPN",
+				Internet: true,
+			},
+			"out-of-scope": {
+				Title:      "Out of Scope",
+				OutOfScope: true,
+			},
+		},
+		IncomingTechnicalCommunicationLinksMappedByTargetId: map[string][]*types.CommunicationLink{
+			"git-lab-ci-cd": {
+				{
+					SourceId: "out-of-scope",
+					TargetId: "git-lab-ci-cd",
+					VPN:      false,
+				},
+			},
+		},
+	})
+
+	assert.Nil(t, err)
+	assert.Empty(t, risks)
+}