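// github.com/anchore/syft@v1.38.2/syft/pkg/cataloger/githubactions/parse_workflow_test.go

package githubactions

import (
	"testing"

	"github.com/anchore/syft/syft/artifact"
	"github.com/anchore/syft/syft/file"
	"github.com/anchore/syft/syft/pkg"
	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
)

// primaryEvidenceLocations builds the location set every package parsed from
// fixture is expected to carry: the fixture path annotated as primary evidence.
// Shared by the parser tests below so the annotation is spelled out once.
func primaryEvidenceLocations(fixture string) file.LocationSet {
	return file.NewLocationSet(
		file.NewLocation(fixture).WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
	)
}

// Test_parseWorkflowForActionUsage checks that every `uses:` action reference in
// a multi-job workflow is cataloged exactly once, with the owner/repo and
// optional sub-path split out of the `@ref` suffix into Name/Version/PURL.
// Local actions (a `./` path) get no version and no PURL.
func Test_parseWorkflowForActionUsage(t *testing.T) {
	fixture := "test-fixtures/workflow-multi-job.yaml"
	locations := primaryEvidenceLocations(fixture)

	expected := []pkg.Package{
		{
			Name:      "./.github/actions/bootstrap",
			Version:   "",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "", // don't have enough context without parsing the git origin, which still may not be accurate
			Metadata:  pkg.GitHubActionsUseStatement{Value: "./.github/actions/bootstrap"},
		},
		{
			Name:      "actions/cache",
			Version:   "v3",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "pkg:github/actions/cache@v3",
			Metadata:  pkg.GitHubActionsUseStatement{Value: "actions/cache@v3"},
		},
		{
			// sub-path actions keep the repo in the PURL and carry the path as the subpath fragment
			Name:      "actions/cache/restore",
			Version:   "v3",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "pkg:github/actions/cache@v3#restore",
			Metadata:  pkg.GitHubActionsUseStatement{Value: "actions/cache/restore@v3"},
		},
		{
			Name:      "actions/cache/save",
			Version:   "v3",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "pkg:github/actions/cache@v3#save",
			Metadata:  pkg.GitHubActionsUseStatement{Value: "actions/cache/save@v3"},
		},
		{
			Name:      "actions/checkout",
			Version:   "v4",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "pkg:github/actions/checkout@v4",
			Metadata:  pkg.GitHubActionsUseStatement{Value: "actions/checkout@v4"},
		},
	}

	// the action parser emits packages only; no relationships are expected
	var expectedRelationships []artifact.Relationship

	pkgtest.TestFileParser(t, fixture, parseWorkflowForActionUsage, expected, expectedRelationships)
}

// Test_parseWorkflowForWorkflowUsage checks that reusable-workflow calls
// (`jobs.<id>.uses`) are cataloged as workflow packages: the repository becomes
// the PURL name, the `@ref` (tag or full commit SHA) the version, and the
// workflow file path the PURL subpath. Local workflows get no version or PURL.
func Test_parseWorkflowForWorkflowUsage(t *testing.T) {
	fixture := "test-fixtures/call-shared-workflow.yaml"
	locations := primaryEvidenceLocations(fixture)

	expected := []pkg.Package{
		{
			// a SHA-pinned reference is carried through verbatim as the version
			Name:      "octo-org/this-repo/.github/workflows/workflow-1.yml",
			Version:   "172239021f7ba04fe7327647b213799853a9eb89",
			Type:      pkg.GithubActionWorkflowPkg,
			Locations: locations,
			PURL:      "pkg:github/octo-org/this-repo@172239021f7ba04fe7327647b213799853a9eb89#.github/workflows/workflow-1.yml",
			Metadata: pkg.GitHubActionsUseStatement{
				Value: "octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89",
			},
		},
		{
			Name:      "./.github/workflows/workflow-2.yml",
			Version:   "",
			Type:      pkg.GithubActionWorkflowPkg,
			Locations: locations,
			PURL:      "", // don't have enough context without parsing the git origin, which still may not be accurate
			Metadata:  pkg.GitHubActionsUseStatement{Value: "./.github/workflows/workflow-2.yml"},
		},
		{
			Name:      "octo-org/another-repo/.github/workflows/workflow.yml",
			Version:   "v1",
			Type:      pkg.GithubActionWorkflowPkg,
			Locations: locations,
			PURL:      "pkg:github/octo-org/another-repo@v1#.github/workflows/workflow.yml",
			Metadata:  pkg.GitHubActionsUseStatement{Value: "octo-org/another-repo/.github/workflows/workflow.yml@v1"},
		},
	}

	var expectedRelationships []artifact.Relationship
	pkgtest.TestFileParser(t, fixture, parseWorkflowForWorkflowUsage, expected, expectedRelationships)
}

// Test_parseWorkflowForVersionComments checks that when a `uses:` reference is
// pinned to a commit SHA and followed by a trailing `# vX.Y.Z` comment, the
// comment is recorded in Metadata.Comment and used as the package Version and
// PURL version, while the SHA stays intact in Metadata.Value.
//
// The comment is taken from the workflow as written and is not verified against
// the pinned SHA, so a Version/PURL derived this way reflects the author's
// annotation rather than a resolved tag; consumers that need the exact pinned
// revision should read it from Metadata.Value.
func Test_parseWorkflowForVersionComments(t *testing.T) {
	fixture := "test-fixtures/workflow-with-version-comments.yaml"
	locations := primaryEvidenceLocations(fixture)

	expected := []pkg.Package{
		{
			Name:      "./.github/actions/bootstrap",
			Version:   "",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "", // don't have enough context without parsing the git origin, which still may not be accurate
			Metadata: pkg.GitHubActionsUseStatement{
				Value: "./.github/actions/bootstrap",
			},
		},
		{
			Name:      "actions/checkout",
			Version:   "v4.2.2",
			Type:      pkg.GithubActionPkg,
			Locations: locations,
			PURL:      "pkg:github/actions/checkout@v4.2.2",
			Metadata: pkg.GitHubActionsUseStatement{
				Value:   "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683",
				Comment: "v4.2.2",
			},
		},
	}

	var expectedRelationships []artifact.Relationship
	pkgtest.TestFileParser(t, fixture, parseWorkflowForActionUsage, expected, expectedRelationships)
}

// Test_corruptActionWorkflow checks that the action parser reports an error,
// rather than panicking or returning partial results, on a malformed workflow.
func Test_corruptActionWorkflow(t *testing.T) {
	pkgtest.NewCatalogTester().
		FromFile(t, "test-fixtures/corrupt/workflow-multi-job.yaml").
		WithError().
		TestParser(t, parseWorkflowForActionUsage)
}

// Test_corruptWorkflowWorkflow checks the same malformed fixture against the
// reusable-workflow parser; both parsers read the same document, so one
// corrupt file exercises both error paths.
func Test_corruptWorkflowWorkflow(t *testing.T) {
	pkgtest.NewCatalogTester().
		FromFile(t, "test-fixtures/corrupt/workflow-multi-job.yaml").
		WithError().
		TestParser(t, parseWorkflowForWorkflowUsage)
}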