From 863ba184a9e8f3a3c6d9a36e7c30cb5584e69142 Mon Sep 17 00:00:00 2001
From: Yevhen Zavhorodnii
Date: Wed, 29 May 2024 11:38:46 +0100
Subject: [PATCH] If caller out of scope risk shall not be created for code backdooring rule
---
 .../risks/builtin/code_backdooring_rule.go | 2 +-
 .../builtin/code_backdooring_rule_test.go | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/pkg/security/risks/builtin/code_backdooring_rule.go b/pkg/security/risks/builtin/code_backdooring_rule.go
index 5675971d..438924b3 100644
--- a/pkg/security/risks/builtin/code_backdooring_rule.go
+++ b/pkg/security/risks/builtin/code_backdooring_rule.go
@@ -60,7 +60,7 @@ func (r *CodeBackdooringRule) GenerateRisks(parsedModel *types.Model) ([]*types.
 for _, callerLink := range parsedModel.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id] {
 caller := parsedModel.TechnicalAssets[callerLink.SourceId]
- if (!callerLink.VPN && caller.Internet) || caller.OutOfScope {
+ if !callerLink.VPN && caller.Internet && !caller.OutOfScope {
 risks = append(risks, r.createRisk(parsedModel, technicalAsset))
 break
 }
diff --git a/pkg/security/risks/builtin/code_backdooring_rule_test.go b/pkg/security/risks/builtin/code_backdooring_rule_test.go
index c36007e2..3a19e142 100644
--- a/pkg/security/risks/builtin/code_backdooring_rule_test.go
+++ b/pkg/security/risks/builtin/code_backdooring_rule_test.go
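Review bot: The new condition still dereferences `caller` unconditionally, and `caller` comes from the map lookup on the line above (`parsedModel.TechnicalAssets[callerLink.SourceId]`), so a link whose SourceId has no matching asset yields a nil pointer and `caller.Internet` panics; a guard such as `if caller == nil { continue }` before the `if` would make the rule robust to an inconsistent model, unless validation upstream already guarantees the lookup (not visible here). The rewrite also inverts the rule's treatment of unknown callers: an OutOfScope caller previously always produced the risk and now never does, even when it is internet-facing without VPN, so a one-line comment recording that intent, e.g. `// out-of-scope callers are deliberately excluded as a source for this rule`, would keep a later reader from "fixing" it back. GenerateRisks starts and ends outside the hunk.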
@@ -224,3 +224,44 @@ func TestCodeBackdooringRuleGenerateRisksTechAssetNotInternetButComingThroughVPN
 assert.Nil(t, err)
 assert.Empty(t, risks)
 }
+
+func TestCodeBackdooringRuleGenerateRisksTechAssetNotInternetButComingThroughVPNInternetButCallerOutOfScopeRisksNotCreated(t *testing.T) {
+ rule := NewCodeBackdooringRule()
+
+ risks, err := rule.GenerateRisks(&types.Model{
+ TechnicalAssets: map[string]*types.TechnicalAsset{
+ "git-lab-ci-cd": {
+ Id: "git-lab-ci-cd",
+ Title: "GitLab CI/CD",
+ Technologies: types.TechnologyList{
+ {
+ Name: "build-pipeline",
+ Attributes: map[string]bool{
+ types.IsDevelopmentRelevant: true,
+ },
+ },
+ },
+ },
+ "vpn": {
+ Title: "VPN",
+ Internet: true,
+ },
+ "out-of-scope": {
+ Title: "Out of Scope",
+ OutOfScope: true,
+ },
+ },
+ IncomingTechnicalCommunicationLinksMappedByTargetId: map[string][]*types.CommunicationLink{
+ "git-lab-ci-cd": {
+ {
+ SourceId: "out-of-scope",
+ TargetId: "git-lab-ci-cd",
+ VPN: false,
+ },
+ },
+ },
+ })
+
+ assert.Nil(t, err)
+ assert.Empty(t, risks)
+}
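Review bot: The fixture does not isolate the OutOfScope exclusion: the `out-of-scope` caller leaves `Internet` unset, so the new rule condition `!callerLink.VPN && caller.Internet && !caller.OutOfScope` is already false on the `Internet` term, and the test would keep passing if the `!caller.OutOfScope` term were dropped again. Adding `Internet: true,` to the `out-of-scope` asset makes the empty-risks assertion depend on the out-of-scope flag alone. The `vpn` asset is never referenced by any link, so it can be removed from the fixture, and since the only link is `VPN: false` the "ComingThroughVPN" part of the test name does not describe what is exercised; a name such as `TestCodeBackdooringRuleGenerateRisksCallerOutOfScopeRisksNotCreated` would.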