[Enhancement] internal/builder/security_builder.go has no tests: InjectSecurityData and buildFileVulnerability are untested #26

@wiebe-vandendriessche

Description

Problem or motivation

internal/builder/security_builder.go implements InjectSecurityData and buildFileVulnerability, which convert raw HF security scan tree entries into CycloneDX Vulnerability objects and inject them into the BOM. There is no corresponding test file. This code contains non-trivial logic: the unsafeCount/cautionCount early-exit guard (which already has a confirmed bug with "suspicious" status), per-scanner rating aggregation, pickle import detail formatting, and advisory URL handling. None of this is exercised by any test.

Proposed solution

Add internal/builder/security_builder_test.go covering:

  • InjectSecurityData with an empty entries slice — verify no-op
  • InjectSecurityData with all-safe entries — verify no vulnerabilities added
  • InjectSecurityData with one "unsafe" entry — verify one vulnerability with SeverityCritical rating
  • InjectSecurityData with one "suspicious" entry — verify vulnerability is added (regression test for the early-exit bug)
  • buildFileVulnerability with a PickleImportScan entry — verify import details appear in description
  • isActionable and statusToSeverity as unit tests for all documented status values

Alternatives considered

None.

Additional context

Affected file: internal/builder/security_builder.go. The fetcher.SecurityFileEntry and fetcher.SecurityFileStatus structs needed for test fixtures are already used in internal/metadata/fieldspecs_test.go.
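Added example, not code from the project: a stand-alone model of the unsafeCount/cautionCount early-exit guard described above, side by side with the guard-free conversion, so the "suspicious" regression the issue asks for can be seen failing and passing. Entry, severityOf and the high/medium ratings for suspicious/caution are assumed stand-ins for the project's fetcher types and statusToSeverity; only unsafe -> critical comes from the issue.

```go
package main

import "fmt"

// Assumed stand-in for fetcher.SecurityFileEntry; not the project's real type.
type Entry struct {
	Path   string
	Status string // "safe", "unsafe", "caution" or "suspicious"
}

// Rating per status. Only unsafe -> critical is stated in the issue; the rest is assumed.
var severityOf = map[string]string{"unsafe": "critical", "suspicious": "high", "caution": "medium"}

func statusToSeverity(status string) string {
	if s, ok := severityOf[status]; ok {
		return s
	}
	return "none"
}

// isActionable: every non-safe status must become a BOM vulnerability.
func isActionable(status string) bool { return statusToSeverity(status) != "none" }

// injectFixed has no counting guard: one description per actionable entry, safe entries skipped.
func injectFixed(entries []Entry) []string {
	var out []string
	for _, e := range entries {
		if isActionable(e.Status) {
			out = append(out, e.Path+": "+e.Status+" (severity "+statusToSeverity(e.Status)+")")
		}
	}
	return out
}

// injectBuggy reproduces the failure mode the issue describes: the unsafeCount/cautionCount
// guard exits early, so a scan whose only findings are "suspicious" yields no vulnerabilities.
func injectBuggy(entries []Entry) []string {
	counts := map[string]int{}
	for _, e := range entries {
		counts[e.Status]++
	}
	if counts["unsafe"] == 0 && counts["caution"] == 0 {
		return nil // silent under-reporting: the suspicious file never reaches the BOM
	}
	return injectFixed(entries)
}

func main() {
	e := []Entry{{Path: "model.pkl", Status: "suspicious"}} // constructed sample
	fmt.Println("buggy:", injectBuggy(e), "fixed:", injectFixed(e))
}
```

The test cases from the proposal map directly onto these two functions: empty and all-safe input add nothing, one unsafe entry yields a critical rating, and one suspicious entry is dropped by the guarded version but kept by the guard-free one.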

Labels: enhancement, tests