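//go:build integration

package integration

import (
	"path/filepath"
	"testing"

	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	ftypes "github.com/khulnasoft/trivy/pkg/fanal/types"
	"github.com/khulnasoft/trivy/pkg/types"
)

// TestSBOM runs "trivy sbom" against the fixtures under testdata/fixtures/sbom
// (CycloneDX JSON, SPDX tag-value, SPDX JSON, and a CycloneDX SBOM delivered
// as an in-toto attestation) and compares the JSON report with a golden file.
// The centos-7 fixtures all share testdata/centos-7.json.golden, so each of
// them carries an override that rewrites the artifact name, artifact type,
// target and package references to the values expected for that input.
// The scan uses the local test DB prepared by initDB together with
// "--skip-db-update". When the update flag is set the report is written over
// the golden file instead of being compared with it.
func TestSBOM(t *testing.T) {
	type args struct {
		input  string
		format string
		// artifactType is not passed to the command; it only records the
		// SBOM format the fixture is expected to be in.
		artifactType string
	}
	tests := []struct {
		name     string
		args     args
		golden   string
		override types.Report
	}{
		{
			name: "centos7 cyclonedx",
			args: args{
				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
				format:       "json",
				artifactType: "cyclonedx",
			},
			golden:   "testdata/centos-7.json.golden",
			override: centos7Override("testdata/fixtures/sbom/centos-7-cyclonedx.json", "cyclonedx"),
		},
		{
			name: "fluentd-multiple-lockfiles cyclonedx",
			args: args{
				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
				format:       "json",
				artifactType: "cyclonedx",
			},
			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
		},
		{
			name: "minikube KBOM",
			args: args{
				input:        "testdata/fixtures/sbom/minikube-kbom.json",
				format:       "json",
				artifactType: "cyclonedx",
			},
			golden: "testdata/minikube-kbom.json.golden",
		},
		{
			name: "centos7 in in-toto attestation",
			args: args{
				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
				format:       "json",
				artifactType: "cyclonedx",
			},
			golden:   "testdata/centos-7.json.golden",
			override: centos7Override("testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl", "cyclonedx"),
		},
		{
			name: "centos7 spdx tag-value",
			args: args{
				input:        "testdata/fixtures/sbom/centos-7-spdx.txt",
				format:       "json",
				artifactType: "spdx",
			},
			golden:   "testdata/centos-7.json.golden",
			override: centos7Override("testdata/fixtures/sbom/centos-7-spdx.txt", "spdx"),
		},
		{
			name: "centos7 spdx json",
			args: args{
				input:        "testdata/fixtures/sbom/centos-7-spdx.json",
				format:       "json",
				artifactType: "spdx",
			},
			golden:   "testdata/centos-7.json.golden",
			override: centos7Override("testdata/fixtures/sbom/centos-7-spdx.json", "spdx"),
		},
	}

	// Set up testing DB
	cacheDir := initDB(t)

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Write the report to a temp file, or straight over the golden
			// file when regenerating.
			outputFile := filepath.Join(t.TempDir(), "output.json")
			if *update {
				outputFile = tt.golden
			}

			osArgs := []string{
				"--cache-dir", cacheDir,
				"sbom",
				"-q",
				"--skip-db-update",
				"--format", tt.args.format,
				"--output", outputFile,
				tt.args.input,
			}

			// Run "trivy sbom". Stop here on failure: reading a report that
			// was never written would only mask the real error.
			require.NoError(t, execute(osArgs))

			// Compare want and got
			switch tt.args.format {
			case "json":
				compareSBOMReports(t, tt.golden, outputFile, tt.override)
			default:
				require.Fail(t, "invalid format", "format: %s", tt.args.format)
			}
		})
	}
}

// centos7Override builds the override applied to testdata/centos-7.json.golden
// when that golden file is reused for a centos-7 SBOM fixture. The artifact
// name and the result target are derived from input, the artifact type is
// artifactType, and the three expected vulnerabilities carry the PkgRef
// values shared by every centos-7 fixture.
func centos7Override(input, artifactType string) types.Report {
	return types.Report{
		ArtifactName: input,
		ArtifactType: ftypes.ArtifactType(artifactType),
		Results: types.Results{
			{
				Target: input + " (centos 7.6.1810)",
				Vulnerabilities: []types.DetectedVulnerability{
					{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
					{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
					{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
				},
			},
		},
	}
}

// compareSBOMReports reads the golden report wantFile and the report produced
// by the scan, gotFile, and asserts that they are equal.
//
// The golden report is normalised before the comparison: the image metadata
// (ImageID, ImageConfig, DiffIDs and every vulnerability's Layer.DiffID) is
// zeroed so it plays no part in the comparison, and any non-empty
// ArtifactName/ArtifactType in overrideWant, the Target of each override
// result and the PkgRef of each override vulnerability replace the golden
// values. overrideWant.Results is positional: result i and vulnerability j of
// the override map onto the same indices of the golden report, and the test
// fails if the golden report has no entry at that index.
//
// TODO(teppei): merge into compareReports
func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
	want := readReport(t, wantFile)

	if overrideWant.ArtifactName != "" {
		want.ArtifactName = overrideWant.ArtifactName
	}
	if overrideWant.ArtifactType != "" {
		want.ArtifactType = overrideWant.ArtifactType
	}

	// Image-specific metadata is not part of the expectation.
	want.Metadata.ImageID = ""
	want.Metadata.ImageConfig = v1.ConfigFile{}
	want.Metadata.DiffIDs = nil
	for i := range want.Results {
		for j := range want.Results[i].Vulnerabilities {
			want.Results[i].Vulnerabilities[j].Layer.DiffID = ""
		}
	}

	for i, result := range overrideWant.Results {
		// Fail with a readable message instead of an index-out-of-range
		// panic when the override and the golden file disagree in shape.
		require.Less(t, i, len(want.Results), "override result %d has no counterpart in %s", i, wantFile)
		want.Results[i].Target = result.Target
		for j, vuln := range result.Vulnerabilities {
			require.Less(t, j, len(want.Results[i].Vulnerabilities), "override vulnerability %d of result %d has no counterpart in %s", j, i, wantFile)
			want.Results[i].Vulnerabilities[j].PkgRef = vuln.PkgRef
		}
	}

	got := readReport(t, gotFile)
	assert.Equal(t, want, got)
}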