
Add integration tests for UV and Pnpm #732

Open
attiasas wants to merge 2 commits into jfrog:dev from attiasas:add_static_sca_pm_tests

Conversation

@attiasas (Collaborator)

test(audit): add new SCA CycloneDX integration tests for UV and pnpm

Summary

Adds static audit (“new SCA”) integration coverage for pnpm (pnpm-lock.yaml) and uv (uv.lock / pyproject.toml) by extending audit_test.go with CycloneDX SBOM validations and committing minimal fixture projects under tests/testdata/projects/package-managers/.

Changes

  • audit_test.go: TestAuditNewScaCycloneDxPnpm and TestAuditNewScaCycloneDxUV using format.CycloneDx, WithSbom: true, and validations.VerifyCycloneDxResults with exact counts for vulnerabilities, BOM components, licenses, and applicability.
  • pnpm fixture: tests/testdata/projects/package-managers/npm/pnpm-lock/ (package.json, pnpm-lock.yaml v9) with xml and json dependencies for deterministic SCA output.
  • uv fixture: tests/testdata/projects/package-managers/python/uv/uv/ (pyproject.toml, uv.lock, small app/ package) using pinned vulnerable-ish dependencies (requests, pyyaml, pillow) plus sample first-party patterns in app/main.py for SAST/secrets-style signal in the UV test expectations.
  • tests/testdata/projects/package-managers/npm/npm-project/.jfrog/jfrog-cli.conf.v6: local JFrog CLI v6 config fixture (test server URLs and credentials).

Testing

  • Run the new tests (or the audit integration suite they belong to), for example:
    • go test -run 'TestAuditNewScaCycloneDx(Pnpm|UV)' ./...
  • Requires the same environment as existing new SCA / static scan integration tests (Artifactory/Xray per securityIntegrationTestUtils.InitAuditNewScaTests and utils.StaticScanMinVersion).

Notes

  • Fixture app/main.py contains synthetic secrets and insecure patterns solely for scanner validation; not production credentials.
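The exact-count CycloneDX check the PR describes, as an added example in Go that is not part of this pull request or the project's own code: it parses a constructed SBOM document and counts components, vulnerability entries and distinct licenses, the quantities a test expectation such as VerifyCycloneDxResults would compare against. The cdxBom and SbomCounts types, CountSbom, and the sample document (placeholder versions and EXAMPLE-* ids, not real findings) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slice of the CycloneDX JSON schema needed to count results.
type cdxBom struct {
	Components []struct {
		Licenses []struct {
			License struct{ ID, Name string } `json:"license"` // SPDX id or free-text name
		} `json:"licenses"`
	} `json:"components"`
	Vulnerabilities []struct{ ID string } `json:"vulnerabilities"`
}

// SbomCounts holds the exact counts an integration test asserts on.
type SbomCounts struct{ Components, Vulnerabilities, Licenses int }

// CountSbom counts components, vulnerability entries and distinct licenses
// in a CycloneDX JSON SBOM; a license shared by several components counts once.
func CountSbom(raw []byte) (SbomCounts, error) {
	var bom cdxBom
	if err := json.Unmarshal(raw, &bom); err != nil {
		return SbomCounts{}, fmt.Errorf("parse sbom: %w", err)
	}
	seen := map[string]bool{}
	for _, c := range bom.Components {
		for _, l := range c.Licenses {
			if key := l.License.ID + l.License.Name; key != "" {
				seen[key] = true
			}
		}
	}
	return SbomCounts{len(bom.Components), len(bom.Vulnerabilities), len(seen)}, nil
}

// Constructed sample shaped like the SBOM of a small pnpm project; versions
// and the EXAMPLE-* vulnerability ids are placeholders, not real findings.
const sampleBom = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"name":"xml","version":"0.0.0","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"json","version":"0.0.0","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"example-lib","version":"0.0.0","licenses":[{"license":{"name":"ISC"}}]}],
 "vulnerabilities":[{"id":"EXAMPLE-0001"},{"id":"EXAMPLE-0002"}]}`

func main() {
	got, err := CountSbom([]byte(sampleBom))
	fmt.Println(got, err, got == SbomCounts{3, 2, 2}) // {3 2 2} <nil> true
}
```

Any drift in the fixture's resolved dependency set, such as a transitive package gaining a license entry, shows up as a count mismatch, which is why the PR pins fixture dependencies.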

@attiasas attiasas requested a review from a team April 15, 2026 09:02
@attiasas attiasas added ignore for release Automatically generated release notes safe to test Approve running integration tests on a pull request labels Apr 15, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Apr 15, 2026
@github-actions (bot)

👍 Frogbot scanned this pull request and did not find any new security issues.


@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 19, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Apr 19, 2026