From 0bb63875c419f12e50f6b2135b54cfe3b91ac791 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Fri, 13 Sep 2024 12:00:56 +0400 Subject: [PATCH] test: add appropriate parsed BOMs Signed-off-by: knqyf263 --- integration/sbom_test.go | 4 +- .../fluentd-multiple-lockfiles-cyclonedx.json | 6 +- ...multiple-lockfiles-reused.cdx.json.golden} | 64 +++---- .../fluentd-multiple-lockfiles.json.golden | 2 +- pkg/sbom/cyclonedx/marshal_test.go | 160 +++++++++++------- pkg/sbom/io/encode_test.go | 82 +++++---- pkg/vex/vex_test.go | 34 ++-- 7 files changed, 197 insertions(+), 155 deletions(-) rename integration/testdata/{fluentd-multiple-lockfiles-short.cdx.json.golden => fluentd-multiple-lockfiles-reused.cdx.json.golden} (91%) diff --git a/integration/sbom_test.go b/integration/sbom_test.go index e887f1520e68..1d39ca0d254b 100644 --- a/integration/sbom_test.go +++ b/integration/sbom_test.go @@ -59,14 +59,14 @@ func TestSBOM(t *testing.T) { golden: "testdata/fluentd-multiple-lockfiles.json.golden", }, { - name: "scan SBOM into SBOM", + name: "scan CycloneDX into CycloneDX", args: args{ input: "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json", format: "cyclonedx", artifactType: "cyclonedx", }, fakeUUID: "3ff14136-e09f-4df9-80ea-%012d", - golden: "testdata/fluentd-multiple-lockfiles-short.cdx.json.golden", + golden: "testdata/fluentd-multiple-lockfiles-reused.cdx.json.golden", }, { name: "minikube KBOM", diff --git a/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json b/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json index f5db904207d1..82d711cd909c 100644 --- a/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json +++ b/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json 
@@ -120,7 +120,7 @@ ] }, { - "bom-ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec", + "bom-ref": "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b", "type": "library", "name": "activesupport", "version": "6.0.2.1", @@ -163,8 +163,8 @@ { "ref": "95de56ee-980c-413d-8f68-6c674dc3e9d1", "dependsOn": [ - "353f2470-9c8b-4647-9d0d-96d893838dc8", - "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec" + "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b", + "353f2470-9c8b-4647-9d0d-96d893838dc8" ] } ] diff --git a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles-reused.cdx.json.golden similarity index 91% rename from integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden rename to integration/testdata/fluentd-multiple-lockfiles-reused.cdx.json.golden index 496ca8ae3110..c45912c976d3 100644 --- a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden +++ b/integration/testdata/fluentd-multiple-lockfiles-reused.cdx.json.golden @@ -2,7 +2,7 @@ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", - "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000010", + "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000006", "version": 1, "metadata": { "timestamp": "2021-08-25T12:20:30+00:00", @@ -80,14 +80,6 @@ "version": "5.0-4", "purl": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2", "properties": [ - { - "name": "aquasecurity:trivy:PkgID", - "value": "bash@5.0-4" - }, - { - "name": "aquasecurity:trivy:PkgType", - "value": "debian" - }, { "name": "aquasecurity:trivy:SrcName", "value": "bash" 
@@ -95,6 +87,14 @@ { "name": "aquasecurity:trivy:SrcVersion", "value": "5.0-4" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c" + }, + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f" } ] }, @@ -105,14 +105,6 @@ "version": "2.0.5-1", "purl": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2", "properties": [ - { - "name": "aquasecurity:trivy:PkgID", - "value": "libidn2-0@2.0.5-1" - }, - { - "name": "aquasecurity:trivy:PkgType", - "value": "debian" - }, { "name": "aquasecurity:trivy:SrcName", "value": "libidn2" @@ -120,11 +112,19 @@ { "name": "aquasecurity:trivy:SrcVersion", "value": "2.0.5-1" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c" + }, + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f" } ] }, { - "bom-ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec", + "bom-ref": "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b", "type": "library", "name": "activesupport", "version": "6.0.2.1", @@ -142,11 +142,15 @@ "value": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec" }, { - "name": "aquasecurity:trivy:PkgID", - "value": "activesupport@6.0.2.1" + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602" + }, + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9" }, { - "name": "aquasecurity:trivy:PkgType", + "name": "aquasecurity:trivy:Type", "value": "gemspec" } ] 
@@ -163,21 +167,9 @@ { "ref": "95de56ee-980c-413d-8f68-6c674dc3e9d1", "dependsOn": [ - "353f2470-9c8b-4647-9d0d-96d893838dc8", - "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec" + "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b", + "353f2470-9c8b-4647-9d0d-96d893838dc8" ] - }, - { - "ref": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2", - "dependsOn": [] - }, - { - "ref": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2", - "dependsOn": [] - }, - { - "ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec", - "dependsOn": [] } ], "vulnerabilities": [ @@ -512,7 +504,7 @@ "updated": "2020-10-17T12:15:00+00:00", "affects": [ { - "ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec", + "ref": "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b", "versions": [ { "version": "6.0.2.1", diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden index fec0e1a39a0d..82241f14b60e 100644 --- a/integration/testdata/fluentd-multiple-lockfiles.json.golden +++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden @@ -168,7 +168,7 @@ "PkgIdentifier": { "PURL": "pkg:gem/activesupport@6.0.2.1", "UID": "66a6de64809697cd", - "BOMRef": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec" + "BOMRef": "179eaea5-d48e-4dd3-a53d-c87c3f6e9e5b" }, "InstalledVersion": "6.0.2.1", "FixedVersion": "6.0.3.1, 5.2.4.3", diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go index 8b88c4ec762a..396f1aa05fcf 100644 --- a/pkg/sbom/cyclonedx/marshal_test.go +++ b/pkg/sbom/cyclonedx/marshal_test.go 
@@ -65,21 +65,6 @@ var ( ) func TestMarshaler_MarshalReport(t *testing.T) { - testSBOM := core.NewBOM(core.Options{GenerateBOMRef: true}) - testSBOM.AddComponent(&core.Component{ - Root: true, - Type: core.TypeApplication, - Name: "jackson-databind-2.13.4.1.jar", - PkgIdentifier: ftypes.PkgIdentifier{ - BOMRef: "aff65b54-6009-4c32-968d-748949ef46e8", - }, - Properties: []core.Property{ - { - Name: "SchemaVersion", - Value: "2", - }, - }, - }) tests := []struct { name string 
@@ -1475,61 +1460,18 @@ func TestMarshaler_MarshalReport(t *testing.T) { }, }, Vulnerabilities: []types.DetectedVulnerability{ - { - VulnerabilityID: "CVE-2022-42003", - PkgName: "com.fasterxml.jackson.core:jackson-databind", - PkgPath: "jackson-databind-2.13.4.1.jar", - PkgIdentifier: ftypes.PkgIdentifier{ - BOMRef: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.1", - UID: "9A5066570222D04C", - PURL: &packageurl.PackageURL{ - Type: packageurl.TypeMaven, - Namespace: "com.fasterxml.jackson.core", - Name: "jackson-databind", - Version: "2.13.4.1", - }, - }, - InstalledVersion: "2.13.4.1", - FixedVersion: "2.12.7.1, 2.13.4.2", - Status: dtypes.StatusFixed, - SeveritySource: "ghsa", - PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-42003", - DataSource: &dtypes.DataSource{ - ID: vulnerability.GHSA, - Name: "GitHub Security Advisory Maven", - URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", - }, - Vulnerability: dtypes.Vulnerability{ - Title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", - Description: "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", - Severity: dtypes.SeverityHigh.String(), - VendorSeverity: dtypes.VendorSeverity{ - vulnerability.GHSA: dtypes.SeverityHigh, - }, - CVSS: dtypes.VendorCVSS{ - vulnerability.GHSA: dtypes.CVSS{ - V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - V3Score: 7.5, - }, - }, - References: []string{ - "https://access.redhat.com/security/cve/CVE-2022-42003", - }, - PublishedDate: lo.ToPtr(time.Date(2022, 10, 02, 05, 15, 0, 0, time.UTC)), - LastModifiedDate: lo.ToPtr(time.Date(2022, 12, 20, 10, 15, 0, 0, time.UTC)), - }, - }, + vuln1, }, }, }, - BOM: testSBOM, + BOM: testSBOM(), }, want: &cdx.BOM{ XMLNS: 
"http://cyclonedx.org/schema/bom/1.6", BOMFormat: "CycloneDX", SpecVersion: cdx.SpecVersion1_6, JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json", - SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000002", + SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", 
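Review bot: The expected `SerialNumber` moves from `…000000000002` to `…000000000001` with nothing in the case explaining why, which leaves the expectation looking coupled to how many fake UUIDs happen to be consumed before the marshaler runs. Since `testSBOM()` now supplies both components with explicit `BOMRef` values, the serial number is presumably the first fake UUID drawn (inferred from the explicit refs; confirm against `core.NewBOM`), and a comment on the `SerialNumber` line, `// first fake UUID: testSBOM() sets every BOM-ref explicitly, so none is consumed before the serial number`, would stop the next golden refresh from silently absorbing an ordering regression. `TestMarshaler_MarshalReport` starts and ends outside this hunk.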
@@ -2110,3 +2052,99 @@ func TestMarshaler_MarshalReport(t *testing.T) { }) } } + +var ( + vuln1 = types.DetectedVulnerability{ + VulnerabilityID: "CVE-2022-42003", + PkgName: "com.fasterxml.jackson.core:jackson-databind", + PkgPath: "jackson-databind-2.13.4.1.jar", + PkgIdentifier: ftypes.PkgIdentifier{ + BOMRef: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.1", + UID: "9A5066570222D04C", + PURL: &packageurl.PackageURL{ + Type: packageurl.TypeMaven, + Namespace: "com.fasterxml.jackson.core", + Name: "jackson-databind", + Version: "2.13.4.1", + }, + }, + InstalledVersion: "2.13.4.1", + FixedVersion: "2.12.7.1, 2.13.4.2", + Status: dtypes.StatusFixed, + SeveritySource: "ghsa", + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-42003", + DataSource: &dtypes.DataSource{ + ID: vulnerability.GHSA, + Name: "GitHub Security Advisory Maven", + URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", + }, + Vulnerability: dtypes.Vulnerability{ + Title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", + Description: "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", + Severity: dtypes.SeverityHigh.String(), + VendorSeverity: dtypes.VendorSeverity{ + vulnerability.GHSA: dtypes.SeverityHigh, + }, + CVSS: dtypes.VendorCVSS{ + vulnerability.GHSA: dtypes.CVSS{ + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + V3Score: 7.5, + }, + }, + References: []string{ + "https://access.redhat.com/security/cve/CVE-2022-42003", + }, + PublishedDate: lo.ToPtr(time.Date(2022, 10, 02, 05, 15, 0, 0, time.UTC)), + LastModifiedDate: lo.ToPtr(time.Date(2022, 12, 20, 10, 15, 0, 0, time.UTC)), + }, + } +) + +func testSBOM() *core.BOM { + bom := core.NewBOM(core.Options{GenerateBOMRef: true}) + appComponent := 
&core.Component{ + Root: true, + Type: core.TypeApplication, + Name: "jackson-databind-2.13.4.1.jar", + PkgIdentifier: ftypes.PkgIdentifier{ + BOMRef: "aff65b54-6009-4c32-968d-748949ef46e8", + }, + Properties: []core.Property{ + { + Name: "SchemaVersion", + Value: "2", + }, + }, + } + libComponent := &core.Component{ + Type: core.TypeLibrary, + Name: "jackson-databind", + Group: "com.fasterxml.jackson.core", + Version: "2.13.4.1", + PkgIdentifier: ftypes.PkgIdentifier{ + BOMRef: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.1", + UID: "9A5066570222D04C", + PURL: &packageurl.PackageURL{ + Type: packageurl.TypeMaven, + Namespace: "com.fasterxml.jackson.core", + Name: "jackson-databind", + Version: "2.13.4.1", + }, + }, + Properties: []core.Property{ + { + Name: "FilePath", + Value: "jackson-databind-2.13.4.1.jar", + }, + { + Name: "PkgType", + Value: "jar", + }, + }, + } + bom.AddComponent(appComponent) + bom.AddComponent(libComponent) + bom.AddRelationship(appComponent, libComponent, core.RelationshipContains) + bom.AddRelationship(libComponent, nil, core.RelationshipDependsOn) + return bom +} diff --git a/pkg/sbom/io/encode_test.go b/pkg/sbom/io/encode_test.go index 52fbed415933..223fb0027e11 100644 --- a/pkg/sbom/io/encode_test.go +++ b/pkg/sbom/io/encode_test.go @@ -5,6 +5,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/package-url/packageurl-go" + "github.com/samber/lo" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
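Review bot: `vuln1` is a package-level value whose `PURL`, `DataSource`, `PublishedDate` and `LastModifiedDate` fields are pointers, so every case that embeds it shares those pointees and any write through them, by a case or by the marshaler, would leak into later cases; `testSBOM()` already takes the constructor route for the BOM, and `func testVuln() types.DetectedVulnerability` would give the vulnerability the same isolation. Both new declarations lack a doc comment; `// testSBOM builds a BOM whose root application component contains one jackson-databind library, with every BOM-ref set explicitly.` would orient a reader who meets `testSBOM()` in the table. The property keys `"SchemaVersion"`, `"FilePath"` and `"PkgType"` are bare string literals; if the `core` package exposes named constants for these keys, prefer them so a renamed key fails to compile instead of quietly diverging from the marshaled output.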
@@ -703,22 +704,22 @@ func TestEncoder_Encode(t *testing.T) { BOM: newTestBOM(t), }, wantComponents: map[uuid.UUID]*core.Component{ - uuid.MustParse("2ff14136-e09f-4df9-80ea-000000000001"): appComponent, - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): libComponent, + uuid.MustParse(id1): &appComponent, + uuid.MustParse(id2): &libComponent, }, wantRels: map[uuid.UUID][]core.Relationship{ - uuid.MustParse("2ff14136-e09f-4df9-80ea-000000000001"): { + uuid.MustParse(id1): { { - Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"), + Dependency: uuid.MustParse(id2), Type: core.RelationshipContains, }, }, - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): nil, + uuid.MustParse(id2): nil, }, wantVulns: make(map[uuid.UUID][]core.Vulnerability), }, { - name: "SBOM file without root component", + name: "fill vulnerabilities in SBOM being scanned", report: types.Report{ SchemaVersion: 2, ArtifactName: "report.cdx.json", @@ -728,21 +729,12 @@ func TestEncoder_Encode(t *testing.T) { Target: "Java", Type: ftypes.Jar, Class: types.ClassLangPkg, - Packages: []ftypes.Package{ + Vulnerabilities: []types.DetectedVulnerability{ { - ID: "org.apache.logging.log4j:log4j-core:2.23.1", - Name: "org.apache.logging.log4j:log4j-core", - Version: "2.23.1", - Identifier: ftypes.PkgIdentifier{ - UID: "6C0AE96901617503", - PURL: &packageurl.PackageURL{ - Type: packageurl.TypeMaven, - Namespace: "org.apache.logging.log4j", - Name: "log4j-core", - Version: "2.23.1", - }, - }, - FilePath: "log4j-core-2.23.1.jar", + VulnerabilityID: "CVE-2021-44228", + PkgName: libComponent.Name, + InstalledVersion: libComponent.Version, + PkgIdentifier: libComponent.PkgIdentifier, }, }, }, 
@@ -750,19 +742,18 @@ func TestEncoder_Encode(t *testing.T) { BOM: newTestBOM2(t), }, wantComponents: map[uuid.UUID]*core.Component{ - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent, - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent, + uuid.MustParse(id1): &libComponent, }, - wantRels: map[uuid.UUID][]core.Relationship{ - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): { + wantRels: map[uuid.UUID][]core.Relationship{}, + wantVulns: map[uuid.UUID][]core.Vulnerability{ + uuid.MustParse(id1): { { - Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"), - Type: core.RelationshipContains, + ID: "CVE-2021-44228", + PkgName: libComponent.Name, + InstalledVersion: libComponent.Version, }, }, - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): nil, }, - wantVulns: make(map[uuid.UUID][]core.Vulnerability), }, { name: "json file created from SBOM file (BOM is empty)", @@ -796,8 +787,8 @@ func TestEncoder_Encode(t *testing.T) { }, }, wantComponents: map[uuid.UUID]*core.Component{ - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): fsComponent, - uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): libComponent, + uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): &fsComponent, + uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): &libComponent, }, wantRels: map[uuid.UUID][]core.Relationship{ uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): { @@ -847,7 +838,9 @@ func TestEncoder_Encode(t *testing.T) { require.Len(t, got.Components(), len(tt.wantComponents)) for id, want := range tt.wantComponents { - assert.EqualExportedValues(t, *want, *got.Components()[id], id) + gotComponent, ok := got.Components()[id] + require.True(t, ok, id) + assert.EqualExportedValues(t, *want, *gotComponent, id) } assert.Equal(t, tt.wantRels, got.Relationships()) 
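Review bot: `wantRels: map[uuid.UUID][]core.Relationship{}` spells an empty map differently from the `make(map[uuid.UUID][]core.Vulnerability)` used in the neighbouring cases; pick one form. The distinction is not purely cosmetic here: `assert.Equal` on `Relationships()` in the loop below goes through `reflect.DeepEqual`, which treats a nil map and an empty map as different, so this expectation relies on `Relationships()` returning an initialized map even when no relationship was added. A comment on that line, `// Relationships() is never nil, so an empty (not nil) map is expected`, would record the assumption. `TestEncoder_Encode` starts and ends outside this hunk.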
@@ -856,13 +849,18 @@ func TestEncoder_Encode(t *testing.T) { } } +const ( + id1 = "2ff14136-e09f-4df9-80ea-000000000001" + id2 = "2ff14136-e09f-4df9-80ea-000000000002" +) + var ( - appComponent = &core.Component{ + appComponent = core.Component{ Root: true, Type: core.TypeApplication, Name: "log4j-core-2.23.1.jar", } - fsComponent = &core.Component{ + fsComponent = core.Component{ Root: true, Type: core.TypeFilesystem, Name: "report.cdx.json", @@ -876,7 +874,7 @@ var ( }, }, } - libComponent = &core.Component{ + libComponent = core.Component{ Type: core.TypeLibrary, Name: "log4j-core", Group: "org.apache.logging.log4j", @@ -915,15 +913,27 @@ var ( func newTestBOM(t *testing.T) *core.BOM { uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d") + + // Copy components + app := lo.ToPtr(appComponent) + lib := lo.ToPtr(libComponent) + bom := core.NewBOM(core.Options{}) - bom.AddComponent(appComponent) + bom.AddComponent(app) + bom.AddComponent(lib) + bom.AddRelationship(app, lib, core.RelationshipContains) + bom.AddRelationship(lib, nil, core.RelationshipDependsOn) return bom } // BOM without root component func newTestBOM2(t *testing.T) *core.BOM { uuid.SetFakeUUID(t, "2ff14136-e09f-4df9-80ea-%012d") + + // Copy components + lib := lo.ToPtr(libComponent) + bom := core.NewBOM(core.Options{}) - bom.AddComponent(libComponent) + bom.AddComponent(lib) return bom } diff --git a/pkg/vex/vex_test.go b/pkg/vex/vex_test.go index 4a9686972a5e..c989c608fccd 100644 --- a/pkg/vex/vex_test.go +++ b/pkg/vex/vex_test.go @@ -331,10 +331,7 @@ func TestFilter(t *testing.T) { args: args{ report: &types.Report{ ArtifactType: artifact.TypeCycloneDX, - BOM: &core.BOM{ - SerialNumber: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", - Version: 1, - }, + BOM: cdxBOM("urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"), Results: []types.Result{ springResult(types.Result{ Vulnerabilities: []types.DetectedVulnerability{vuln1}, 
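Review bot: `lo.ToPtr(appComponent)` and `lo.ToPtr(libComponent)` copy only the top-level struct, so the `Properties` slice and the `PkgIdentifier.PURL` pointer of each copy still alias the package-level fixtures, while the `// Copy components` comment reads as if the copies were independent. If `AddComponent` and the encoder only assign scalar fields such as `PkgIdentifier.BOMRef` this is harmless, but anything that appends to `Properties` or writes through `PURL` would alter the fixtures, and with them `wantComponents`, between cases. Either deep-copy (clone `Properties` with `slices.Clone` and allocate a fresh `*packageurl.PackageURL`) or make the comment precise: `// Shallow copies: Properties and PkgIdentifier.PURL are still shared with the package-level fixtures`. The same applies to `newTestBOM2` later in this hunk.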
@@ -352,10 +349,6 @@ func TestFilter(t *testing.T) { }, want: &types.Report{ ArtifactType: artifact.TypeCycloneDX, - BOM: &core.BOM{ - SerialNumber: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", - Version: 1, - }, Results: []types.Result{ springResult(types.Result{ Vulnerabilities: []types.DetectedVulnerability{}, @@ -369,10 +362,7 @@ func TestFilter(t *testing.T) { args: args{ report: &types.Report{ ArtifactType: artifact.TypeCycloneDX, - BOM: &core.BOM{ - SerialNumber: "urn:uuid:wrong", - Version: 1, - }, + BOM: cdxBOM("urn:uuid:wrong"), Results: []types.Result{ springResult(types.Result{ Vulnerabilities: []types.DetectedVulnerability{vuln1}, @@ -390,10 +380,6 @@ func TestFilter(t *testing.T) { }, want: &types.Report{ ArtifactType: artifact.TypeCycloneDX, - BOM: &core.BOM{ - SerialNumber: "urn:uuid:wrong", - Version: 1, - }, Results: []types.Result{ springResult(types.Result{ Vulnerabilities: []types.DetectedVulnerability{vuln1}, @@ -573,6 +559,7 @@ repositories: return } require.NoError(t, err) + tt.args.report.BOM = nil // Ignore BOM for comparison assert.Equal(t, tt.want, tt.args.report) }) } @@ -692,6 +679,21 @@ func goMultiPathResult(result types.Result) types.Result { return result } +func cdxBOM(serialNumber string) *core.BOM { + bom := core.NewBOM(core.Options{GenerateBOMRef: true}) + bom.SerialNumber = serialNumber + bom.Version = 1 + c := &core.Component{ + Type: core.TypeLibrary, + Root: true, + Name: springPackage.Name, + Version: springPackage.Version, + PkgIdentifier: springPackage.Identifier, + } + bom.AddComponent(c) + return bom +} + func modifiedFinding(vuln types.DetectedVulnerability, statement, source string) types.ModifiedFinding { return types.ModifiedFinding{ Type: types.FindingTypeVulnerability,
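Review bot: `tt.args.report.BOM = nil // Ignore BOM for comparison` discards the BOM before `assert.Equal`, so the CycloneDX cases no longer verify that `Filter` leaves the report's BOM untouched, and a regression that cleared or replaced it would pass. If the BOM is dropped only because `cdxBOM` generates BOM-refs that the expected report cannot reproduce, say so in the comment, `// BOM holds generated BOM-refs that want cannot reproduce; identity is checked separately`, and keep a targeted check: capture `bom := tt.args.report.BOM` before the `Filter` call (above this hunk) and add `require.Same(t, bom, tt.args.report.BOM)` before nilling it. `TestFilter` starts before this hunk.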