diff --git a/tools/openchain_telco_sbom_validator/setup.py b/tools/openchain_telco_sbom_validator/setup.py index fe1e9bf..b933077 100644 --- a/tools/openchain_telco_sbom_validator/setup.py +++ b/tools/openchain_telco_sbom_validator/setup.py @@ -5,3 +5,4 @@ from setuptools import setup setup() + diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py index 6aac85a..73b2670 100755 --- a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py +++ b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py @@ -6,7 +6,6 @@ # SPDX-License-Identifier: Apache-2.0 import logging -import sys import re import json from spdx_tools.spdx.model.document import Document @@ -16,7 +15,6 @@ from spdx_tools.spdx.parser.error import SPDXParsingError from spdx_tools.spdx.model.package import ExternalPackageRefCategory from spdx_tools.spdx import document_utils -from prettytable import PrettyTable from packageurl.contrib import purl2url import ntia_conformance_checker as ntia import validators 
@@ -96,23 +94,29 @@ def __init__(self): return None def validate(self, filePath, strict_purl_check=False, strict_url_check=False, functionRegistry:FunctionRegistry = FunctionRegistry()): - """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accessed.""" + """ Validates, Returns a status and a list of problems. + filePath: Path to the SPDX file to validate. + strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded. + strict_url_check: Checks if the given URLs in PackageHomepages can be accessed.""" + + self.__test() + problems = Problems() try: doc = parse_anything.parse_file(filePath) except json.decoder.JSONDecodeError as e: logger.error("JSON syntax error at line " + str(e.lineno) + " column " + str(e.colno)) logger.error(e.msg) - sys.exit(1) + problems.append("File error", "", "", f"JSON syntax error at line {e.lineno} column {e.colno})") + return False, problems except SPDXParsingError as e: logger.error("ERROR! The file is not an SPDX file") for message in e.messages: logger.error(message) - logger.error("Exiting") - sys.exit(1) - logger.debug("Start validating.") + problems.append("File error", "", "", "The file is not an SPDX file") + return False, problems - problems = Problems() + logger.debug("Start validating.") errors = validate_full_spdx_document(doc) if errors: 
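Review bot: The problem text built for the JSON error carries a stray closing parenthesis — `f"JSON syntax error at line {e.lineno} column {e.colno})"` — which will appear verbatim in the report; change it to `f"JSON syntax error at line {e.lineno} column {e.colno}"`. The newly added `self.__test()` at the top of validate calls a method that, in the last hunk of this file, is only `pass`, so it should be removed or given a purpose before merge. Returning `False, problems` instead of `sys.exit(1)` is the right direction for library use; the docstring could state it: `Returns (False, problems) when the file cannot be parsed.` validate continues past the end of this hunk.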
@@ -136,26 +140,29 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu if not sbomNTIA.ntia_minimum_elements_compliant: logger.debug("NTIA validation failed") components = sbomNTIA.get_components_without_names() - self.ntiaErrorLog(components, problems, doc,"Package without a name") - self.components = sbomNTIA.get_components_without_versions(return_tuples=True) - self.ntiaErrorLogNew(components, problems, doc,"Package without a version") + #logger.debug(f"components: {components}, problems: {str(problems)}, doc: {doc}") + self.__ntiaErrorLog(components, problems, doc, "Package without a name") + + #self.ntiaErrorLog(components, problems, doc, "Package without a name") + #self.ntiaErrorLogNew(components, problems, doc, "Package without a version") + components = sbomNTIA.get_components_without_versions(return_tuples=True) + self.__ntiaErrorLogNew(components, problems, doc, "Package without a version") components = sbomNTIA.get_components_without_suppliers(return_tuples=True) - self.ntiaErrorLogNew(components, problems, doc,"Package without a package supplier or package originator") + self.__ntiaErrorLogNew(components, problems, doc, "Package without a package supplier or package originator") components = sbomNTIA.get_components_without_identifiers() - self.ntiaErrorLog(components, problems, doc,"Package without an identifyer") + self.__ntiaErrorLog(components, problems, doc, "Package without an identifyer") else: logger.debug("NTIA validation succesful") if doc.creation_info.creator_comment: logger.debug(f"CreatorComment: {doc.creation_info.creator_comment}") - cisaSBOMTypes = ["Design", "Source", "Build", "Analyzed", "Deployed", "Runtime"] + cisaSBOMTypes = ["design", "source", "build", "analyzed", "deployed", "runtime"] typeFound = False for cisaSBOMType in cisaSBOMTypes: logger.debug(f"Checking {cisaSBOMType} against {doc.creation_info.creator_comment} ({doc.creation_info.creator_comment.find(cisaSBOMType)})") - creator_comment = 
doc.creation_info.creator_comment.lower(); - if -1 != doc.creation_info.creator_comment.find(cisaSBOMType): + if -1 != doc.creation_info.creator_comment.lower().find(cisaSBOMType): logger.debug("Found") typeFound = True @@ -185,9 +192,13 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu for package in doc.packages: logger.debug(f"Package: {package}") if not package.version: - problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Version field is missing") + pass + ### This is already detected during the NTIA check. + #problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Version field is missing") if not package.supplier: - problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Supplier field is missing") + pass + ### This is already detected during the NTIA check. + #problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Supplier field is missing") if not package.checksums: problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Checksum field is missing") if package.external_references: @@ -244,7 +255,7 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu else: return True, None - def ntiaErrorLog(self, components, problems, doc, problemText): + def __ntiaErrorLog(self, components, problems, doc, problemText): logger.debug(f"# of components: {len(components)}") for component in components: logger.debug(f"Erroneous component: {component}") 
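Review bot: The debug line just before the comparison still calls `doc.creation_info.creator_comment.find(cisaSBOMType)` on the original-case string while the new condition on the next line uses `.lower().find(...)`, so the log can print -1 for a type that is then matched; lower the comment once before the loop (`creator_comment = doc.creation_info.creator_comment.lower()`) and use it in both places. The commented-out calls left next to the new `__ntiaErrorLog` calls (`#logger.debug(f"components: ...`, `#self.ntiaErrorLog(...)`, `#self.ntiaErrorLogNew(...)`) should be deleted rather than kept as dead code. Substring search also accepts any comment that merely contains one of the words (e.g. "rebuild" contains "build"); since `re` is already imported, a word-boundary match such as `re.search(rf"\b{cisaSBOMType}\b", creator_comment)` would be stricter. The enclosing validate method starts and ends outside this hunk.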
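Review bot: Replacing the two `problems.append(...)` calls with `pass` plus a commented-out copy leaves `if not package.version: pass` and `if not package.supplier: pass` blocks that do nothing; delete the `if` statements and keep a one-line comment such as `# Missing version/supplier is reported by the NTIA check above.` Judging by its message text "Package without a package supplier or package originator", the NTIA check accepts an originator in place of a supplier, so a package with PackageOriginator but no PackageSupplier appears to be no longer reported at all — the `libldap-2.4-2 | Supplier field is missing` assertions dropped from test-test.sh in this commit seem to confirm that. If the guide requires PackageSupplier specifically, the supplier check should stay. validate continues outside this hunk.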
@@ -255,7 +266,7 @@ def ntiaErrorLog(self, components, problems, doc, problemText): else: problems.append("NTIA validation error", "Cannot be provided", component, problemText) - def ntiaErrorLogNew(self, components, problems, doc, problemText): + def __ntiaErrorLogNew(self, components, problems, doc, problemText): logger.debug(f"# of components: {len(components)}") for component in components: logger.debug(f"Erroneous component: {component}") @@ -269,6 +280,5 @@ def ntiaErrorLogNew(self, components, problems, doc, problemText): else: problems.append("NTIA validation error", "Cannot be provided", component, problemText) - -if __name__ == "__main__": - main() + def __test(self): + pass diff --git a/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx b/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx index 7bcf225..29bab51 100644 --- a/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx +++ b/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx @@ -7,7 +7,7 @@ LicenseListVersion: 3.21 Creator: Organization: Anchore, Inc Creator: Tool: syft-0.85.0 Created: 2023-07-19T08:04:05Z -CreatorComment: CISA SBOM Type: analyzed +CreatorComment: CISA SBOM Type: Analyzed ##### Package: libldap-2.4-2 diff --git a/tools/openchain_telco_sbom_validator/testing/test-test.sh b/tools/openchain_telco_sbom_validator/testing/test-test.sh index d8b72e1..110af93 100755 --- a/tools/openchain_telco_sbom_validator/testing/test-test.sh +++ b/tools/openchain_telco_sbom_validator/testing/test-test.sh @@ -28,7 +28,6 @@ function test_no_supplier_no_checksum assert_terminated_normally assert_exit_fail assert_has_output - assert_output_contains "libldap-2.4-2 | Supplier field is missing" assert_output_contains "libldap-2.4-2 | Checksum field is missing" assert_output_contains "The SPDX file test-sbom-01.spdx is not compliant with the OpenChain Telco SBOM Guide" } 
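Review bot: The double-underscore names `__ntiaErrorLog` and `__ntiaErrorLogNew` (this hunk and the next one) trigger Python name mangling to `_<ClassName>__ntiaErrorLog`, which makes the helpers awkward to reach from subclasses and tests; a single leading underscore (`_ntiaErrorLog`, `_ntiaErrorLogNew`) is the conventional marker for a non-public helper. Neither method has a docstring; one line such as `"""Append one 'NTIA validation error' entry to problems for each component."""` would do. Both method bodies extend past the hunks shown here.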
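Review bot: The new `__test` method is an empty `pass` stub that validate now calls unconditionally; either implement it or drop both the method and the `self.__test()` call rather than ship a placeholder. Removing the `if __name__ == "__main__": main()` guard changes how the module is run; if `main` still exists elsewhere in this file it is now only reachable via import, which the commit message should say.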
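Review bot: test_no_supplier_no_checksum drops its only supplier assertion, so the test no longer checks what its name says; if the missing supplier in test-sbom-01.spdx is now expected to come from the NTIA pass, assert that text instead (`assert_output_contains "libldap-2.4-2 | Package without a package supplier or package originator"`), and if nothing is reported any more the test should be renamed or the fixture adjusted. The same applies to the `Supplier field is missing` and `Version field is missing` assertions removed in the next hunk of this file.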
@@ -44,12 +43,7 @@ function test_no_name_no_version_no_supplier assert_output_contains "Package without a name" assert_output_contains "golang.org/x/sync-empty- | Package without a package" assert_output_contains "golang.org/x/sync- | Package without a package" - assert_output_contains "libldap-2.4-2 | Supplier field is missing" - assert_output_contains "golang.org/x/sync-empty- | Version field is missing" - assert_output_contains "golang.org/x/sync-empty- | Supplier field is missing" assert_output_contains "golang.org/x/sync-empty- | Checksum field is missing" - assert_output_contains "golang.org/x/sync- | Version field is missing" - assert_output_contains "golang.org/x/sync- | Supplier field is missing" assert_output_contains "golang.org/x/sync- | Checksum field is missing" assert_output_contains "The SPDX file test-sbom-02.spdx is not compliant with the OpenChain Telco SBOM Guide" } @@ -114,7 +108,7 @@ function test_no_version_json assert_terminated_normally assert_exit_fail assert_has_output - assert_output_contains "scanoss/engine | Version field is missing" + assert_output_contains "scanoss/engine | Package without a version" assert_output_contains "The SPDX file test-sbom-06.spdx.json is not compliant with the OpenChain Telco SBOM Guide" } diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json new file mode 100644 index 0000000..620e480 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json 
@@ -0,0 +1,56 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "SBOM for scanoss/engine", + "documentNamespace": "https://spdx.org/spdxdocs/scanner.c-master-f804e73240bc7f145d226c2aebccd094a30bf5156514b8ba24216b4d44e7b06b", + "creationInfo": { + "creators": [ + "Tool: SCANOSS SBOM Workbench-1-15.0", + "Person: agustin", + "Organization: SCANOSS" + ], + "created": "2024-10-02T14:02:58Z", + "comment": "SBOM Build information - SBOM Type: Build" + }, + "packages": [ + { + "name": "scanoss/engine", + "SPDXID": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "versionInfo": "5.4.0", + "supplier": "Organization: SCANOSS", + "downloadLocation": "https://github.com/scanoss/engine", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5d21f846c3bd1a7c91c4cf2ac57d3299dfcc2f67" + } + ], + "homepage": "https://github.com/scanoss/engine", + "licenseDeclared": "GPL-2.0-only", + "licenseConcluded": "GPL-2.0-only", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:github/scanoss/engine@5.4.0", + "referenceType": "purl" + } + ] + } +], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "CONTAINS" + } + ], +"documentDescribes": ["SPDXRef-e92b7b118e817b7c62494b38f693d2d3"] +} diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx new file mode 100644 index 0000000..bd2d479 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json new file mode 100644 index 0000000..d4b3c67 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json 
@@ -0,0 +1,56 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "SBOM for scanoss/engine", + "documentNamespace": "https://spdx.org/spdxdocs/scanner.c-master-f804e73240bc7f145d226c2aebccd094a30bf5156514b8ba24216b4d44e7b06b", + "creationInfo": { + "creators": [ + "Tool: SCANOSS SBOM Workbench-1-15.0", + "Person: agustin", + "Organization: SCANOSS" + ], + "created": "2024-10-02T14:02:58Z", + "comment": "SBOM Build information - SBOM Type: Build" + }, + "packages": [} + { + "name": "scanoss/engine", + "SPDXID": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "versionInfo": "5.4.0", + "supplier": "Organization: SCANOSS", + "downloadLocation": "https://github.com/scanoss/engine", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5d21f846c3bd1a7c91c4cf2ac57d3299dfcc2f67" + } + ], + "homepage": "https://github.com/scanoss/engine", + "licenseDeclared": "GPL-2.0-only", + "licenseConcluded": "GPL-2.0-only", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:github/scanoss/engine@5.4.0", + "referenceType": "purl" + } + ] + } +], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "CONTAINS" + } + ], +"documentDescribes": ["SPDXRef-e92b7b118e817b7c62494b38f693d2d3"] +} diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx new file mode 100644 index 0000000..a56b16a --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx 
@@ -0,0 +1,68 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: analyzed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx new file mode 100644 index 0000000..c0109f1 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: 
SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx new file mode 100644 index 0000000..62e9a5a --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx 
@@ -0,0 +1,42 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: libldap-2.4-2-empty-version +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx new file mode 100644 index 0000000..023cdf5 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx 
@@ -0,0 +1,40 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Tool: syft 0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: deployed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY 
cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx new file mode 100644 index 0000000..913cc84 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx new file mode 100644 index 0000000..bf342d2 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: something-else + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx new file mode 100644 index 0000000..7fc9748 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx 
@@ -0,0 +1,40 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft 0.85.0 +Created: 2023-07-19T08:04:05Z + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx new file mode 100644 index 0000000..d8278ca --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx 
@@ -0,0 +1,39 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: libldap-2.4-2 + +PackageName: Nosupplier-Nochecksum-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx new file mode 100644 index 0000000..b0e55eb --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx 
@@ -0,0 +1,101 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: nopurl-libldap-2.4-2 + +PackageName: nopurl-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* + + +##### Package: badpurl-libldap-2.4-2 + +PackageName: badpurl-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.not-openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: 
SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/not-debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +##### Package: nohomepage-libldap-2.4-2 + +PackageName: nohomepage-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-nohomepage-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf + + +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b \ No newline at end of file diff --git a/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt b/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt new file mode 100644 index 0000000..55b033e --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt @@ -0,0 +1 @@ +pytest \ No newline at end of file diff --git a/tools/openchain_telco_sbom_validator/unittests/test_functions.py b/tools/openchain_telco_sbom_validator/unittests/test_functions.py new file mode 100644 index 0000000..524c478 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/test_functions.py 
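Review bot: The `badpurl-libldap-2.4-2` package's `PackageHomePage: https://www.not-openldap.org/` is a registrable name under a real TLD, so the "nonexisting page" expectation in the strict-URL test flips the day someone registers it. Use an RFC 2606 reserved name such as `PackageHomePage: https://www.openldap.invalid/` (confirm the validator's URL syntax check still accepts it). Likewise `pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1` only stays "downloadable" while the Debian archive serves that exact revision, which is outside the fixture's control. Only two of the three packages carry a `DESCRIBES` relationship; if that is deliberate, a `##### ...` comment line saying so would help the next reader.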
@@ -0,0 +1,47 @@
+from spdx_tools.spdx.model.package import Package
+from spdx_tools.spdx.model.document import Document
+from openchain_telco_sbom_validator import validator
+
+def test_nok_package_function():
+    v = validator.Validator()
+    functions = validator.FunctionRegistry()
+    functions.registerPackage(checkPackageHomepage)
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", functionRegistry=functions)
+    assert result == False
+    assert len(problems) == 2
+    assert problems[0].ErrorType == "Missing mandatory field from Package"
+    assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+    assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+
+    assert problems[1].ErrorType == "Missing mandatory field from Package"
+    assert problems[1].Reason == "PackageHomePage field is missing"
+    assert problems[1].SPDX_ID == "SPDXRef-Package-deb-nohomepage-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[1].PackageName == "nohomepage-libldap-2.4-2"
+
+def checkPackageHomepage(problems: validator.Problems, package: Package):
+    if isinstance(package.homepage, type(None)):
+        problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "PackageHomePage field is missing")
+
+
+def test_nok_global_function():
+    v = validator.Validator()
+    functions = validator.FunctionRegistry()
+    functions.registerGlobal(checkSPDXVersion)
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", functionRegistry=functions)
+    assert result == False
+    assert len(problems) == 2
+
+    assert problems[0].ErrorType == "Missing mandatory field from Package"
+    assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+    assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+
+    assert problems[1].ErrorType == "SPDX Version"
+    assert problems[1].Reason == "SPDX Version is SPDX-2.3"
+    assert problems[1].SPDX_ID == "General"
+    assert problems[1].PackageName == "General"
+
+def checkSPDXVersion(problems: validator.Problems, doc: Document):
+    if doc.creation_info.spdx_version == "SPDX-2.3":
+        problems.append("SPDX Version", "General", "General", f"SPDX Version is SPDX-2.3")
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
new file mode 100644
index 0000000..bec7790
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
@@ -0,0 +1,25 @@
+from openchain_telco_sbom_validator import validator
+
+def test_nok_empty_file():
+    v = validator.Validator()
+    result, problems = v.validate("")
+    assert problems[0].ErrorType == "File error"
+    assert result == False
+
+def test_nok_not_spdx():
+    v = validator.Validator()
+    result, problems = v.validate( "test_validator_basic_errors.py")
+    assert problems[0].ErrorType == "File error"
+    assert result == False
+
+def test_nok_json_error():
+    v = validator.Validator()
+    result, problems = v.validate("sboms/unittest-sbom-03.spdx.json")
+    assert problems[0].ErrorType == "File error"
+    assert result == False
+
+def test_nok_not_valid_spdx():
+    v = validator.Validator()
+    result, problems = v.validate("sboms/unittest-sbom-04.spdx")
+    assert problems[0].ErrorType == "SPDX validation error"
+    assert result == False
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py
new file mode 100644
index 0000000..6f1fdae
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py
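Review bot: Every fixture is opened via a cwd-relative path (`filePath = "sboms/unittest-sbom-12.spdx"`), so running `pytest` from anywhere but the `unittests` directory turns these into file-error failures unrelated to the registry behaviour under test. Anchor the path to the module instead: `SBOMS = pathlib.Path(__file__).parent / "sboms"` at the top (with `import pathlib`) and `filePath=str(SBOMS / "unittest-sbom-12.spdx")` at the call. In `checkPackageHomepage`, `isinstance(package.homepage, type(None))` is the long way to write `if package.homepage is None:`, and `assert result == False` should be `assert result is False` unless a falsy non-bool is acceptable. Both tests also pin the order of `problems`, which presumably follows package order in the fixture; a lookup by `SPDX_ID` would survive a validator that sorts or de-duplicates.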
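Review bot: None of the four tests constrains `len(problems)`, so an extra, unrelated problem appended before or after the expected one goes unnoticed; add `assert len(problems) == 1` beside each `problems[0]` check. There is also no case for a path that does not exist: `v.validate("")` most likely ends in the unsupported-file-type branch, whereas `"sboms/does-not-exist.spdx"` would surface whatever `OSError` the parser raises, which I cannot see being mapped to a `File error` problem — a `test_nok_missing_file` would pin the intended behaviour either way. `"test_validator_basic_errors.py"` and the `sboms/` paths are cwd-relative; resolve them against `pathlib.Path(__file__).parent`.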
@@ -0,0 +1,51 @@
+from openchain_telco_sbom_validator import validator
+
+def test_ok_creator_comment():
+    v = validator.Validator()
+    # CreatorComment: CISA SBOM Type: Analyzed
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-02.spdx")
+    assert problems is None
+    assert result == True
+    # CreatorComment: CISA SBOM Type: analyzed
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-07.spdx")
+    assert len(problems) == 2
+    assert result == False
+    assert problems[0].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+    assert problems[0].Reason == "There is no Creator field with Organization keyword in it"
+    assert problems[0].SPDX_ID == "General"
+    assert problems[0].PackageName == "General"
+    assert problems[1].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+    assert problems[1].Reason == "There is no Creator field with Tool keyword in it or the field does not contain the tool name and its version separated with a hyphen"
+    assert problems[1].SPDX_ID == "General"
+    assert problems[1].PackageName == "General"
+
+    # CreatorComment: runtime
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-08.spdx")
+    assert problems is None
+    assert result == True
+
+def test_nok_creater_comment_incorrect_cisa():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-09.spdx")
+    assert result == False
+    assert len(problems) == 1
+    assert problems[0].ErrorType == "Invalid CreationInfo"
+    assert problems[0].Reason == "CreatorComment (something-else) is not in the CISA SBOM Type list (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf)"
+    assert problems[0].SPDX_ID == "General"
+    assert problems[0].PackageName == "General"
+
+def test_nok_creater_comment_missing():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-10.spdx")
+    assert result == False
+    assert len(problems) == 2
+    assert problems[0].ErrorType == "Missing mandatory field from CreationInfo"
+    assert problems[0].Reason == "CreatorComment is missing"
+    assert problems[0].SPDX_ID == "General"
+    assert problems[0].PackageName == "General"
+    assert problems[1].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+    assert problems[1].Reason == "There is no Creator field with Tool keyword in it or the field does not contain the tool name and its version separated with a hyphen"
+    assert problems[1].SPDX_ID == "General"
+    assert problems[1].PackageName == "General"
+
+
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
new file mode 100644
index 0000000..29c6153
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
@@ -0,0 +1,18 @@
+from openchain_telco_sbom_validator import validator
+
+def test_nok_empty_name():
+    v = validator.Validator()
+    result, problems = v.validate("sboms/unittest-sbom-05.spdx")
+    assert len(problems) == 1
+    assert problems[0].ErrorType == "NTIA validation error"
+    assert problems[0].Reason == "Package without a name"
+    assert problems[0].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b"
+    assert result == False
+
+def test_nok_no_version():
+    v = validator.Validator()
+    result, problems = v.validate("sboms/unittest-sbom-06.spdx")
+    assert len(problems) == 1
+    assert problems[0].ErrorType == "NTIA validation error"
+    assert problems[0].Reason == "Package without a version"
+    assert result == False
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
new file mode 100644
index 0000000..2c135e3
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
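Review bot: `test_ok_creator_comment` bundles three fixtures in one function, and the middle one (sbom-07, commented `# CreatorComment: CISA SBOM Type: analyzed`) is asserted to fail for two `Creator` problems that have nothing to do with CreatorComment, so both the comment and the `ok` in the name mislead, and a failure in the first scenario hides the other two. Split it into `test_ok_creator_comment_cisa`, `test_nok_creator_organization_and_tool` and `test_ok_creator_comment_runtime`, each on its own fixture. `creater` in the two `test_nok_creater_comment_*` names is a typo for `creator`. `assert problems is None` pins that a passing validation returns `None` rather than an empty `Problems`; `assert not problems` keeps the test meaningful if that is ever unified.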
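Review bot: `test_nok_no_version` checks `ErrorType` and `Reason` but, unlike `test_nok_empty_name`, never asserts `SPDX_ID` or `PackageName`, so the problem could be attributed to the wrong package without the test noticing; add `assert problems[0].SPDX_ID == "<id of the versionless package in unittest-sbom-06.spdx>"` mirroring the first test. `assert result == False` is stricter and clearer as `assert result is False`. The fixture paths are cwd-relative, as in the other test modules, and should be resolved against `pathlib.Path(__file__).parent`.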
@@ -0,0 +1,13 @@
+from openchain_telco_sbom_validator import validator
+
+def test_ok_json():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-01.spdx.json")
+    assert problems is None
+    assert result == True
+
+def test_ok():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-02.spdx")
+    assert problems is None
+    assert result == True
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py
new file mode 100644
index 0000000..ee40aac
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py
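Review bot: `assert problems is None` hard-codes that a clean run yields `None` while a failing run yields a `Problems` container, an asymmetry every caller of `validate` must special-case; `assert not problems` together with `assert result is True` tests the same outcome without freezing the sentinel. `result == True` should be `result is True` if the contract is a real bool. Both fixture paths are cwd-relative and will break when pytest is invoked from the repository root; resolve them against `pathlib.Path(__file__).parent`.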
@@ -0,0 +1,34 @@
+from openchain_telco_sbom_validator import validator
+
+def test_nok_creater_comment_missing():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-11.spdx")
+    assert result == False
+    assert len(problems) == 2
+    assert problems[0].ErrorType == "NTIA validation error"
+    assert problems[0].Reason == "Package without a package supplier or package originator"
+    assert problems[0].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum"
+    assert problems[0].PackageName == "Nosupplier-Nochecksum-libldap-2.4-2"
+    assert problems[1].ErrorType == "Missing mandatory field from Package"
+    assert problems[1].Reason == "Checksum field is missing"
+    assert problems[1].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum"
+    assert problems[1].PackageName == "Nosupplier-Nochecksum-libldap-2.4-2"
+
+def test_nok_purls():
+    v = validator.Validator()
+    result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", strict_purl_check=True, strict_url_check=True)
+    assert result == False
+    assert len(problems) == 4
+    assert problems[0].ErrorType == "Missing mandatory field from Package"
+    assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+    assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+    assert problems[1].ErrorType == "Useless mandatory field from Package"
+    assert problems[1].Reason == "purl (pkg:deb/not-debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11) in the ExternalRef cannot be converted to a downloadable URL"
+    assert problems[1].SPDX_ID == "SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[1].PackageName == "badpurl-libldap-2.4-2"
+    assert problems[2].ErrorType == "Invalid field in Package"
+    assert problems[2].Reason == "PackageHomePage field points to a nonexisting page (https://www.not-openldap.org/)"
+    assert problems[2].SPDX_ID == "SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b"
+    assert problems[2].PackageName == "badpurl-libldap-2.4-2"
+
\ No newline at end of file
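Review bot: `test_nok_purls` passes `strict_purl_check=True, strict_url_check=True`, so its assertions depend on live network calls — resolving and fetching the Debian download URL for the well-formed purls and contacting `https://www.not-openldap.org/` — and on an offline or egress-restricted CI runner the problem list, and hence `len(problems) == 4`, changes; gate it with a network marker such as `@pytest.mark.skipif(not os.environ.get("NETWORK_TESTS"), reason="needs network")` or mock the fetches. The test also never inspects `problems[3]`, so whatever the fourth problem is (presumably the `nohomepage` package under the strict URL check) is unpinned; add its `ErrorType` and `SPDX_ID` assertions. `test_nok_creater_comment_missing` is a copy-pasted name from the generic module and says nothing about the supplier/checksum checks it performs; `test_nok_missing_supplier_and_checksum` would. Note that the sbom-11 fixture still carries a `PackageOriginator`, so the expected reason "Package without a package supplier or package originator" over-states what is actually missing, which may be worth tightening in the validator's message rather than pinning here.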