github.com/anchore/syft@v1.4.2-0.20240516191711-1bec1fc5d397/syft/pkg/cataloger/binary/README.md (about) 1 # Adding tests for the Binary classifier cataloger 2 3 > [!TIP] 4 > **TL;DR** to add a test for a new classifier: 5 > 1. head to the correct directory: `cd test-fixtures` 6 > 2. add a new entry to `config.yaml` to track where to get the binary from (verify the entry with `make list`) 7 > 3. run `make download` to get the binary 8 > 4. run `make add-snippet` and follow the prompts (use `/` to search) 9 > 5. add a new test case to `Test_Cataloger_PositiveCases` in `../cataloger_test.go` 10 11 12 To test the binary cataloger we run it against a set of files ("test fixtures"). There are two kinds of test fixtures: 13 14 - **Full binaries**: files downloaded and cached at test runtime 15 - **Snippets**: ~100 byte files checked into the repo 16 17 The upside with snippets is that they live with the test, don't necessarily require network access or hosting concerns, and are easy to add. The downside is that they are not the entire real binary so modifications may require recreating the snippet entirely. 18 19 The upside with full binaries is that they are the "Real McCoy" and allows the business logic to change without needing to update the fixture. The downside is that they require network access and take up a lot of space. For instance, downloading all binaries for testing today requires downloading ~15GB of container images and ends up being ~500MB of disk space. 20 21 You can find the test fixtures at the following locations: 22 ``` 23 syft/pkg/cataloger/binary/test-fixtures/ 24 └── classifiers/ 25 ├── bin/ # full binaries 26 ├── ... 27 └── snippets/ # snippets 28 ``` 29 30 And use tooling to list and manage the fixtures: 31 32 - `make list` - list all fixtures 33 - `make download` - download binaries that are not covered by a snippet 34 - `make download-all` - download all binaries 35 - `go run ./manager add-snippet` - add a new snippet based off of a configured binary 36 - `capture-snippet.sh` - add a new snippet based off of a binary on your local machine (not recommended, but allowed) 37 38 There is a `config.yaml` that tracks all binaries that the tests can use. This makes it possible to download it at any time from a hosted source. Today the only method allowed is to download a container image and extract files out. 39 40 Here is an example entry in `config.yaml` for a binary reference from a container image: 41 42 ```yaml 43 from-images: 44 45 # note the group-name is assumed from the single binary name extracted: "redis-server" 46 - version: 7.2.3 47 images: 48 # note we're pulling the same binary from multiple images (representing different architectures) 49 - ref: redis:7.2.3@sha256:d4c84914b872521e215f77d8845914c2268a96b0e35bacd5691e1f5e1f88b500 50 platform: linux/amd64 51 - ref: redis:7.2.3@sha256:a0a0c38b31011b813cddf78d997f8ccba13019c27efd386984b0cfc1e4b618ff 52 platform: linux/arm64 53 # the paths to extract from the binary... 54 paths: 55 - /usr/local/bin/redis-server 56 57 # since there are multiple binaries in the image, we need to specify the group-name 58 - name: ruby-bullseye-shared-libs 59 version: 2.7.7 60 images: 61 - ref: ruby:2.7.7-bullseye@sha256:055191740a063f33fef1f09423e5ed8f91143aae62a3772a90910118464c5120 62 platform: linux/amd64 63 paths: 64 - /usr/local/bin/ruby 65 - /usr/local/lib/libruby.so.2.7.7 66 - /usr/local/lib/libruby.so.2.7 67 ``` 68 69 70 > [!NOTE] 71 > You will need a system with `go`, `bash`, `strings`, and `xxd` installed to capture test snippets. 72 73 74 ## Testing 75 76 The test cases have been setup to allow testing against full binaries or a mix of both (default). 77 To force running only against full binaries run with: 78 79 ```bash 80 go test -must-use-full-binaries ./syft/pkg/cataloger/binary/test-fixtures/... 81 ``` 82 83 ## Adding a new test fixture 84 85 ### Adding a snippet (recommended) 86 87 Even if you are adding a snippet, it is best practice to: 88 89 - create that snippet from a full binary (not craft a snippet by hand) 90 - track where the binary is from and how to download it in `config.yaml` 91 92 1. Follow the steps above to [add a full binary](#adding-a-full-binary) 93 94 2. Run `go run ./manager add-snippet` and follow the prompts to create a new snippet 95 - you should see your binary in the list of binaries to choose from. If not, check step 2 96 - if the search results in no matching snippets, you can specify your own search with `--search-for <grep-pattern>` 97 - you should see a new snippet file created in `snippets/` 98 99 3. Write a test that references your new snippet by `<name>/<version>/<architecture>` 100 - `<name>` is the name of the binary (e.g. `curl`) or the name in `config.yaml` if specified 101 - note that your test does not know about if it's running against a snippet or a full binary 102 103 104 ### Adding a full binary 105 106 1. Add a new entry to `config.yaml` with the following fields 107 - if you are adding a single binary, the `name` field does not need to be specified 108 - the `name` field is useful for distinguishing a quality about the binary (e.g. `java` vs `java-jre-ibm`) 109 110 2. Run `make download` and ensure your new binary is downloaded 111 112 113 ### Adding a custom snippet 114 115 If you need to add a snippet that is not based off of a full binary, you can use the `capture-snippet.sh` script. 116 117 ```bash 118 ./capture-snippet.sh <binary-path> <version> [--search-for <pattern>] [--length <length>] [--prefix-length <prefix_length>] [--group <name>] 119 ``` 120 121 122 This is **not** recommended because it is not reproducible and does not allow for the test to be run against a full binary.