github.com/anchore/syft@v1.4.2-0.20240516191711-1bec1fc5d397/test/cli/spdx_tooling_validation_test.go (about)

     1  package cli
     2  
     3  import (
     4  	"fmt"
     5  	"os"
     6  	"os/exec"
     7  	"path"
     8  	"path/filepath"
     9  	"strings"
    10  	"testing"
    11  
    12  	"github.com/stretchr/testify/require"
    13  
    14  	"github.com/anchore/stereoscope/pkg/imagetest"
    15  )
    16  
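// TestSpdxValidationTooling scans a small set of digest-pinned images with syft,
// writes the SBOM in each SPDX flavour (tag-value and JSON) and then validates
// the written document with the external SPDX Java tooling, driven through
// `make validate` in the image-java-spdx-tools fixture.
func TestSpdxValidationTooling(t *testing.T) {
	// note: the external tooling requires that the daemon explicitly has the image loaded, not just that
	// we can get the image from a cache tar.
	imgTag := imagetest.LoadFixtureImageIntoDocker(t, "image-java-spdx-tools")

	// Every image is pinned by digest, so the scanned content (and therefore
	// the generated SBOM) cannot drift if the upstream tag is re-pointed.
	images := []string{
		"alpine:3.17.3@sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d",
		"photon:3.0@sha256:888675e193418d924feea262cf639c46532b63c2027a39fd3ac75383b3c1130e",
		"debian:stable@sha256:729c2433e196207749a86f1d86e0106822041bb280b4200cf7a4db97608f6d3a",
	}

	// Enable the file catalogers so the SBOM exercises the file-level SPDX
	// sections (and sha1 digests) that the validator checks as well.
	env := map[string]string{
		"SYFT_FILE_METADATA_CATALOGER_ENABLED": "true",
		"SYFT_FILE_CONTENTS_CATALOGER_ENABLED": "true",
		"SYFT_FILE_METADATA_DIGESTS":           "sha1",
	}

	tests := []struct {
		name     string
		syftArgs []string
		images   []string
		setup    func(t *testing.T)
		env      map[string]string
	}{
		{
			name:     "spdx validation tooling tag value",
			syftArgs: []string{"scan", "-o", "spdx"},
			images:   images,
			env:      env,
		},
		{
			name:     "spdx validation tooling json",
			syftArgs: []string{"scan", "-o", "spdx-json"},
			images:   images,
			env:      env,
		},
	}

	for _, test := range tests {
		for _, image := range test.images {
			t.Run(test.name+"_"+image, func(t *testing.T) {
				dir := t.TempDir()
				// The extension follows the requested output format rather than
				// the subtest name, so renaming a case cannot silently change
				// which validator path the fixture takes.
				sbomPath := filepath.Join(dir, "sbom"+sbomExtension(test.syftArgs))

				// Copy the table's argument slice instead of appending to it: a
				// shared backing array could otherwise be overwritten by a
				// sibling subtest.
				args := make([]string, 0, len(test.syftArgs)+3)
				args = append(args, test.syftArgs...)
				args = append(args, image, "--file", sbomPath)

				cmd, _, stderr := runSyft(t, test.env, args...)
				// ProcessState is only populated once the process has exited;
				// guard it so a command that never started reports a clean
				// failure instead of a nil dereference.
				if cmd.ProcessState == nil {
					t.Fatalf("syft did not produce an exit status: %s", stderr)
				}
				if cmd.ProcessState.ExitCode() != 0 {
					t.Fatalf("failed to run syft: %s", stderr)
				}

				cwd, err := os.Getwd()
				require.NoError(t, err)

				// validate against spdx java tooling. DIR/BASE/IMAGE are the
				// variables the fixture's Makefile expects (presumably DIR is
				// mounted into the tooling container and BASE is the file
				// validated inside it — see the fixture Makefile).
				fileArg := fmt.Sprintf("DIR=%s", dir)
				// path.Base is slash-only; the fixture needs docker and make, so
				// in practice this runs on slash-separated hosts.
				mountArg := fmt.Sprintf("BASE=%s", path.Base(sbomPath))
				imageArg := fmt.Sprintf("IMAGE=%s", imgTag)

				validateCmd := exec.Command("make", "validate", fileArg, mountArg, imageArg)
				validateCmd.Dir = filepath.Join(cwd, "test-fixtures", "image-java-spdx-tools")

				stdout, stderr, err := runCommand(validateCmd, map[string]string{})
				if err != nil {
					t.Fatalf("invalid SPDX document:%v\nSTDOUT:\n%s\nSTDERR:\n%s", err, stdout, stderr)
				}
			})
		}
	}
}

// sbomExtension returns the on-disk extension for the SBOM produced by the
// given syft arguments: ".json" when the value following "-o" ends in "json",
// ".spdx" otherwise (including when no "-o" is present).
func sbomExtension(syftArgs []string) string {
	for i, a := range syftArgs {
		if a == "-o" && i+1 < len(syftArgs) && strings.HasSuffix(syftArgs[i+1], "json") {
			return ".json"
		}
	}
	return ".spdx"
}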