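// Source: github.com/anchore/syft@v1.38.2/test/cli/spdx_tooling_validation_test.go

package cli

import (
	"fmt"
	"os"
	"os/exec"
	"path"
	"path/filepath"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"

	"github.com/anchore/stereoscope/pkg/imagetest"
)

// TestSpdxValidationTooling generates SPDX SBOMs with syft for a set of
// container images and validates each document with the SPDX Java tooling,
// run through the "validate" make target of the image-java-spdx-tools fixture.
//
// Each (output format, image) pair is its own subtest. A subtest fails when
// syft exits non-zero or when the validation command returns an error.
func TestSpdxValidationTooling(t *testing.T) {
	// note: the external tooling requires that the daemon explicitly has the image loaded, not just that
	// we can get the image from a cache tar.
	imgTag := imagetest.LoadFixtureImageIntoDocker(t, "image-java-spdx-tools")

	// Every scan target carries a sha256 digest next to its tag, so the content
	// being scanned stays fixed even if the tag is later re-pushed upstream.
	images := []string{
		"alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d",
		"photon:3.0@sha256:888675e193418d924feea262cf639c46532b63c2027a39fd3ac75383b3c1130e",
		"debian:stable@sha256:729c2433e196207749a86f1d86e0106822041bb280b4200cf7a4db97608f6d3a",
	}

	// NOTE(review): sha1 is presumably selected because SPDX 2.x file entries
	// carry a SHA1 checksum; it satisfies the format and should not be read as
	// a collision-resistant integrity control — confirm.
	env := map[string]string{
		"SYFT_FILE_METADATA_CATALOGER_ENABLED": "true",
		"SYFT_FILE_CONTENTS_CATALOGER_ENABLED": "true",
		"SYFT_FILE_METADATA_DIGESTS":           "sha1",
	}

	// Names are unique per row so a failing subtest identifies the exact output
	// format; the 2.2 rows previously reused the names of the default rows and
	// were only told apart by the "#01" suffix the testing package appends.
	tests := []struct {
		name   string
		format string // value handed to syft's -o flag
		images []string
		env    map[string]string
	}{
		{
			name:   "spdx validation tooling tag value",
			format: "spdx",
			images: images,
			env:    env,
		},
		{
			name:   "spdx validation tooling json",
			format: "spdx-json",
			images: images,
			env:    env,
		},
		{
			name:   "spdx validation tooling tag value 2.2",
			format: "spdx@2.2",
			images: images,
			env:    env,
		},
		{
			name:   "spdx validation tooling json 2.2",
			format: "spdx-json@2.2",
			images: images,
			env:    env,
		},
	}

	for _, test := range tests {
		for _, image := range test.images {
			t.Run(test.name+"_"+image, func(t *testing.T) {
				// Choose the file extension from the requested output format
				// rather than from the human-readable test name.
				suffix := ".spdx"
				if strings.HasPrefix(test.format, "spdx-json") {
					suffix = ".json"
				}

				dir := t.TempDir()
				sbomPath := filepath.Join(dir, "sbom"+suffix)

				// A fresh slice per subtest: no backing array is shared between
				// table rows or between images of the same row.
				args := []string{"scan", "-o", test.format, image, "--file", sbomPath}

				cmd, _, stderr := runSyft(t, test.env, args...)
				if cmd.ProcessState.ExitCode() != 0 {
					t.Fatalf("failed to run syft: %s", stderr)
				}

				cwd, err := os.Getwd()
				require.NoError(t, err)

				// validate against spdx java tooling
				//
				// exec.Command hands these arguments to make without a shell, and
				// the values come from the test itself (temp dir, SBOM file name)
				// or from the fixture loader (image tag).
				// NOTE(review): the Makefile recipe is not visible here and may
				// expand DIR/BASE/IMAGE in a shell — confirm it quotes them.
				fileArg := fmt.Sprintf("DIR=%s", dir)
				mountArg := fmt.Sprintf("BASE=%s", path.Base(sbomPath))
				imageArg := fmt.Sprintf("IMAGE=%s", imgTag)

				validateCmd := exec.Command("make", "validate", fileArg, mountArg, imageArg)
				validateCmd.Dir = filepath.Join(cwd, "test-fixtures", "image-java-spdx-tools")

				stdout, stderr, err := runCommand(validateCmd, map[string]string{})
				if err != nil {
					t.Fatalf("invalid SPDX document:%v\nSTDOUT:\n%s\nSTDERR:\n%s", err, stdout, stderr)
				}
			})
		}
	}
}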