From 01ca0df9bd77167ea94b09aba5be114b4632ae77 Mon Sep 17 00:00:00 2001
From: Gergely Csatari
Date: Mon, 14 Oct 2024 11:00:15 +0300
Subject: [PATCH 1/5] First try to add unit tests
Signed-off-by: Gergely Csatari
---
 .../sboms/unittest-sbom-01.spdx.json | 56 +++++++++++++++
 .../unittests/sboms/unittest-sbom-02.spdx | 41 +++++++++++
 .../sboms/unittest-sbom-03.spdx.json | 56 +++++++++++++++
 .../unittests/sboms/unittest-sbom-04.spdx | 68 +++++++++++++++++++
 .../unittests/sboms/unittest-sbom-05.spdx | 41 +++++++++++
 .../unittests/sboms/unittest-sbom-06.spdx | 42 ++++++++++++
 .../unittests/test-requirements.txt | 1 +
 .../unittests/test_validator_basic_errors.py | 25 +++++++
 .../unittests/test_validator_ntia_errors.py | 23 +++++++
 .../unittests/test_validator_ok.py | 13 ++++
 10 files changed, 366 insertions(+)
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/test-requirements.txt
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
 create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json
new file mode 100644
index 0000000..620e480
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-01.spdx.json @@ -0,0 +1,56 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "SBOM for scanoss/engine", + "documentNamespace": "https://spdx.org/spdxdocs/scanner.c-master-f804e73240bc7f145d226c2aebccd094a30bf5156514b8ba24216b4d44e7b06b", + "creationInfo": { + "creators": [ + "Tool: SCANOSS SBOM Workbench-1-15.0", + "Person: agustin", + "Organization: SCANOSS" + ], + "created": "2024-10-02T14:02:58Z", + "comment": "SBOM Build information - SBOM Type: Build" + }, + "packages": [ + { + "name": "scanoss/engine", + "SPDXID": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "versionInfo": "5.4.0", + "supplier": "Organization: SCANOSS", + "downloadLocation": "https://github.com/scanoss/engine", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5d21f846c3bd1a7c91c4cf2ac57d3299dfcc2f67" + } + ], + "homepage": "https://github.com/scanoss/engine", + "licenseDeclared": "GPL-2.0-only", + "licenseConcluded": "GPL-2.0-only", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:github/scanoss/engine@5.4.0", + "referenceType": "purl" + } + ] + } +], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "CONTAINS" + } + ], +"documentDescribes": ["SPDXRef-e92b7b118e817b7c62494b38f693d2d3"] +} diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx new file mode 100644 index 0000000..bd2d479 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-02.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json new file mode 100644 index 0000000..d4b3c67 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-03.spdx.json 
@@ -0,0 +1,56 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "SBOM for scanoss/engine", + "documentNamespace": "https://spdx.org/spdxdocs/scanner.c-master-f804e73240bc7f145d226c2aebccd094a30bf5156514b8ba24216b4d44e7b06b", + "creationInfo": { + "creators": [ + "Tool: SCANOSS SBOM Workbench-1-15.0", + "Person: agustin", + "Organization: SCANOSS" + ], + "created": "2024-10-02T14:02:58Z", + "comment": "SBOM Build information - SBOM Type: Build" + }, + "packages": [} + { + "name": "scanoss/engine", + "SPDXID": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "versionInfo": "5.4.0", + "supplier": "Organization: SCANOSS", + "downloadLocation": "https://github.com/scanoss/engine", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "5d21f846c3bd1a7c91c4cf2ac57d3299dfcc2f67" + } + ], + "homepage": "https://github.com/scanoss/engine", + "licenseDeclared": "GPL-2.0-only", + "licenseConcluded": "GPL-2.0-only", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:github/scanoss/engine@5.4.0", + "referenceType": "purl" + } + ] + } +], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-e92b7b118e817b7c62494b38f693d2d3", + "relationshipType": "CONTAINS" + } + ], +"documentDescribes": ["SPDXRef-e92b7b118e817b7c62494b38f693d2d3"] +} diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx new file mode 100644 index 0000000..a264198 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx 
@@ -0,0 +1,68 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx new file mode 100644 index 0000000..c0109f1 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-05.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: 
SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx new file mode 100644 index 0000000..62e9a5a --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-06.spdx 
@@ -0,0 +1,42 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: Analyzed + +##### Package: libldap-2.4-2 + +PackageName: libldap-2.4-2-empty-version +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:*
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:*
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11
+
+
+LicenseID: LicenseRef-Autoconf
+ExtractedText: Autoconf
diff --git a/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt b/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt
new file mode 100644
index 0000000..55b033e
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test-requirements.txt
@@ -0,0 +1 @@
+pytest
\ No newline at end of file
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
new file mode 100644
index 0000000..d0e1fdc
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
@@ -0,0 +1,25 @@
+from openchain_telco_sbom_validator import validator
+
+def test_nok_empty_file():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "")
+ assert problems[0].ErrorType == "File error"
+ assert result == False
+
+def test_nok_not_spdx():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "test_validator_basic_errors.py")
+ assert problems[0].ErrorType == "File error"
+ assert result == False
+
+def test_nok_json_error():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "sboms/unittest-sbom-03.spdx.json")
+ assert problems[0].ErrorType == "File error"
+ assert result == False
+
+def test_nok_not_valid_spdx():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "sboms/unittest-sbom-04.spdx")
+ assert problems[0].ErrorType == "SPDX validation error"
+ assert result == False
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
new file mode 100644
index 0000000..d231425
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
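Review bot: Every test in this hunk uses the class object as the receiver, `v = validator.Validator` and `v.validate(v, filePath = "")`, so `self` is the class, `__init__` never runs, and any method that `validate()` reaches through `self` is called unbound and raises TypeError instead of exercising the validator; the `test_validator_ok.py` hunk has the same pattern, while `test_validator_ntia_errors.py` already shows the intended form. The fix is `v = validator.Validator()` followed by `result, problems = v.validate(filePath="")`. The fixture paths (`sboms/unittest-sbom-03.spdx.json`, `test_validator_basic_errors.py`) are relative to the current working directory, so the suite only passes when pytest is started inside `unittests/`; anchoring them with `os.path.join(os.path.dirname(__file__), ...)` removes that dependency. `test_nok_empty_file` presumably relies on the parser turning a missing path into a caught parsing error; if `parse_file` raises `FileNotFoundError` instead, `validate()` does not catch it and the test errors out rather than checking for a "File error" problem, which is worth confirming. `assert result is False` is the idiomatic form of `assert result == False`.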
@@ -0,0 +1,23 @@
+from openchain_telco_sbom_validator.validator import Validator
+
+def test_nok_empty_name():
+ validator = Validator()
+ result, problems = validator.validate("sboms/unittest-sbom-05.spdx")
+ assert len(problems) == 2
+ assert problems[0].ErrorType == "NTIA validation error"
+ assert problems[0].Reason == "Package without a name"
+ assert problems[0].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[1].ErrorType == "NTIA validation error"
+ assert problems[1].Reason == "Package without a version"
+ assert problems[1].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b"
+ assert result == False
+
+def test_nok_no_version():
+ validator = Validator()
+ result, problems = validator.validate("sboms/unittest-sbom-06.spdx")
+ assert isinstance(validator, Validator)
+ assert False
+ assert len(problems) == 1
+ assert problems[0].ErrorType == "NTIA validation error"
+ assert problems[0].Reason == "Package without a name"
+ assert result == False
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
new file mode 100644
index 0000000..be81ca5
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
@@ -0,0 +1,13 @@
+from openchain_telco_sbom_validator import validator
+
+def test_ok_json():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "sboms/unittest-sbom-01.spdx.json")
+ assert problems is None
+ assert result == True
+
+def test_ok():
+ v = validator.Validator
+ result, problems = v.validate(v, filePath = "sboms/unittest-sbom-02.spdx")
+ assert problems is None
+ assert result == True
From ad78cfe73d02cafa7a7d801e315394c0c39659af Mon Sep 17 00:00:00 2001
From: Gergely Csatari
Date: Mon, 14 Oct 2024 11:01:22 +0300
Subject: [PATCH 2/5] Adding also the code fixes
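Review bot: `test_nok_no_version` contains an unconditional `assert False` right after the `isinstance` check, so the test can never pass and the four assertions below it are dead; this looks like leftover debugging scaffolding and should go, together with the `isinstance` line. The expectation `problems[0].Reason == "Package without a name"` also does not match the fixture: `unittest-sbom-06.spdx` carries a `PackageName` and an empty `PackageVersion`, so the expected reason is `"Package without a version"`. Both tests address `problems[0]`/`problems[1]` by position, which couples them to the order of the NTIA checks inside `validate()`; comparing `{p.Reason for p in problems}` against a set would make them order-independent. The fixture paths are CWD-relative here as well.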
Signed-off-by: Gergely Csatari
---
 .../validator.py | 42 +++++++++++--------
 .../testing/test-sbom-01.spdx | 2 +-
 2 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
index 6aac85a..7118308 100755
--- a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
+++ b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
@@ -16,7 +16,6 @@
 from spdx_tools.spdx.parser.error import SPDXParsingError
 from spdx_tools.spdx.model.package import ExternalPackageRefCategory
 from spdx_tools.spdx import document_utils
-from prettytable import PrettyTable
 from packageurl.contrib import purl2url
 import ntia_conformance_checker as ntia
 import validators
@@ -96,23 +95,29 @@ def __init__(self):
 return None
 def validate(self, filePath, strict_purl_check=False, strict_url_check=False, functionRegistry:FunctionRegistry = FunctionRegistry()):
- """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accessed."""
+ """ Validates, Returns a status and a list of problems.
+ filePath: Path to the SPDX file to validate.
+ strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded.
+ strict_url_check: Checks if the given URLs in PackageHomepages can be accessed."""
+
+ self.__test()
+ problems = Problems()
 try:
 doc = parse_anything.parse_file(filePath)
 except json.decoder.JSONDecodeError as e:
 logger.error("JSON syntax error at line " + str(e.lineno) + " column " + str(e.colno))
 logger.error(e.msg)
- sys.exit(1)
+ problems.append("File error", "", "", f"JSON syntax error at line {e.lineno} column {e.colno})")
+ return False, problems
 except SPDXParsingError as e:
 logger.error("ERROR! The file is not an SPDX file")
 for message in e.messages:
 logger.error(message)
- logger.error("Exiting")
- sys.exit(1)
- logger.debug("Start validating.")
+ problems.append("File error", "", "", "The file is not an SPDX file")
+ return False, problems
- problems = Problems()
+ logger.debug("Start validating.")
 errors = validate_full_spdx_document(doc)
 if errors:
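Review bot: The f-string in the JSON branch, `f"JSON syntax error at line {e.lineno} column {e.colno})"`, carries a stray closing parenthesis that ends up in the reported Reason; it should read `f"JSON syntax error at line {e.lineno} column {e.colno}"`. The new `self.__test()` call does nothing (its body in the `@@ -269,6 +278,5` hunk is `pass`) and, when `self` is the class object as in the new unit tests, `Validator._Validator__test()` raises TypeError before any validation happens; drop the call and the stub together. Replacing `sys.exit(1)` with `return False, problems` is the right direction for library use, but only `JSONDecodeError` and `SPDXParsingError` are caught: a missing or unreadable `filePath` presumably raises `OSError` from `parse_anything.parse_file` and now escapes `validate()` uncaught, so an `except OSError as e:` branch that appends a "File error" problem would complete the change. The SPDX parser messages are still only logged; appending them to the Reason (e.g. `"; ".join(e.messages)`) would let API callers see why parsing failed. `validate()` continues well past the end of this hunk.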
@@ -136,13 +141,17 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
 if not sbomNTIA.ntia_minimum_elements_compliant:
 logger.debug("NTIA validation failed")
 components = sbomNTIA.get_components_without_names()
- self.ntiaErrorLog(components, problems, doc,"Package without a name")
- self.components = sbomNTIA.get_components_without_versions(return_tuples=True)
- self.ntiaErrorLogNew(components, problems, doc,"Package without a version")
+ #logger.debug(f"components: {components}, problems: {str(problems)}, doc: {doc}")
+ self.__ntiaErrorLog(components, problems, doc, "Package without a name")
+
+ #self.ntiaErrorLog(components, problems, doc, "Package without a name")
+ #self.ntiaErrorLogNew(components, problems, doc, "Package without a version")
+ components = sbomNTIA.get_components_without_versions(return_tuples=True)
+ self.__ntiaErrorLogNew(components, problems, doc, "Package without a version")
 components = sbomNTIA.get_components_without_suppliers(return_tuples=True)
- self.ntiaErrorLogNew(components, problems, doc,"Package without a package supplier or package originator")
+ self.__ntiaErrorLogNew(components, problems, doc, "Package without a package supplier or package originator")
 components = sbomNTIA.get_components_without_identifiers()
- self.ntiaErrorLog(components, problems, doc,"Package without an identifyer")
+ self.__ntiaErrorLog(components, problems, doc, "Package without an identifyer")
 else:
 logger.debug("NTIA validation succesful")
@@ -244,7 +253,7 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
 else:
 return True, None
- def ntiaErrorLog(self, components, problems, doc, problemText):
+ def __ntiaErrorLog(self, components, problems, doc, problemText):
 logger.debug(f"# of components: {len(components)}")
 for component in components:
 logger.debug(f"Erroneous component: {component}")
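Review bot: The hunk leaves three commented-out statements (`#logger.debug(...)`, `#self.ntiaErrorLog(...)`, `#self.ntiaErrorLogNew(...)`) next to the live calls; the old calls are already history in the diff, so delete them. Renaming the helpers to `__ntiaErrorLog`/`__ntiaErrorLogNew` (also in the `@@ -244,7` and `@@ -255,7` hunks) triggers name mangling, which gives no real privacy and only makes the helpers awkward to reach from subclasses and tests; the conventional single underscore `_ntiaErrorLog` conveys the same intent without mangling. The actual bug fix, `components = sbomNTIA.get_components_without_versions(...)` replacing the stray `self.components = ...` that left `components` pointing at the name-less list, is correct. The reason text `"Package without an identifyer"` is misspelled; because it is part of the emitted problem list, fixing it to `identifier` should be coordinated with anything that matches on that string.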
@@ -255,7 +264,7 @@ def ntiaErrorLog(self, components, problems, doc, problemText):
else:
problems.append("NTIA validation error", "Cannot be provided", component, problemText)
- def ntiaErrorLogNew(self, components, problems, doc, problemText):
+ def __ntiaErrorLogNew(self, components, problems, doc, problemText):
logger.debug(f"# of components: {len(components)}")
for component in components:
logger.debug(f"Erroneous component: {component}")
@@ -269,6 +278,5 @@ def ntiaErrorLogNew(self, components, problems, doc, problemText):
else:
problems.append("NTIA validation error", "Cannot be provided", component, problemText)
-
-if __name__ == "__main__":
- main()
+ def __test(self):
+ pass
diff --git a/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx b/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx
index 7bcf225..29bab51 100644
--- a/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx
+++ b/tools/openchain_telco_sbom_validator/testing/test-sbom-01.spdx
@@ -7,7 +7,7 @@ LicenseListVersion: 3.21
Creator: Organization: Anchore, Inc
Creator: Tool: syft-0.85.0
Created: 2023-07-19T08:04:05Z
-CreatorComment: CISA SBOM Type: analyzed
+CreatorComment: CISA SBOM Type: Analyzed
##### Package: libldap-2.4-2
From 1a560373e79e2e0d389f6d1cdf612229fdb48c25 Mon Sep 17 00:00:00 2001
From: Gergely Csatari
Date: Mon, 28 Oct 2024 09:44:06 +0200
Subject: [PATCH 3/5] Adding more unit tests
Signed-off-by: Gergely Csatari
---
.../validator.py | 10 +++++----- .../unittests/sboms/unittest-sbom-04.spdx | 2 +- .../unittests/test_validator_basic_errors.py | 16 ++++++++-------- .../unittests/test_validator_ntia_errors.py | 19 +++++++------------ .../unittests/test_validator_ok.py | 8 ++++---- 5 files changed, 25 insertions(+), 30 deletions(-)
diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
index 7118308..e81cad3 100755
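Review bot: `__test()` added at the end of the class is an empty stub that `validate()` now calls unconditionally (hunk `@@ -96` of this patch); if it is a placeholder for a test hook it should say so in a comment, otherwise both the method and the call should be dropped, since a no-op private method only adds a name-mangled entry to the class. Removing the `if __name__ == "__main__": main()` guard means the module can no longer be run as a script; if `main()` is still defined in the file (not visible here) it is now unreachable from `python validator.py`, so either the guard should stay or the commit message should state where the CLI entry point moved. The first hunk only renames `ntiaErrorLogNew`; its body continues outside the hunk.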
--- a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
+++ b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
@@ -6,7 +6,6 @@
# SPDX-License-Identifier: Apache-2.0
import logging
-import sys
import re
import json
from spdx_tools.spdx.model.document import Document
@@ -158,13 +157,12 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
if doc.creation_info.creator_comment:
logger.debug(f"CreatorComment: {doc.creation_info.creator_comment}")
- cisaSBOMTypes = ["Design", "Source", "Build", "Analyzed", "Deployed", "Runtime"]
+ cisaSBOMTypes = ["design", "source", "build", "analyzed", "deployed", "runtime"]
typeFound = False
for cisaSBOMType in cisaSBOMTypes:
logger.debug(f"Checking {cisaSBOMType} against {doc.creation_info.creator_comment} ({doc.creation_info.creator_comment.find(cisaSBOMType)})")
- creator_comment = doc.creation_info.creator_comment.lower();
- if -1 != doc.creation_info.creator_comment.find(cisaSBOMType):
+ if -1 != doc.creation_info.creator_comment.lower().find(cisaSBOMType):
logger.debug("Found")
typeFound = True
@@ -194,7 +192,9 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
for package in doc.packages:
logger.debug(f"Package: {package}")
if not package.version:
- problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Version field is missing")
+ pass
+ ### This is already detected during the NTIA check.
+ #problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Version field is missing")
if not package.supplier:
problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Supplier field is missing")
if not package.checksums:
diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx
index a264198..a56b16a 100644
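Review bot: The CISA SBOM type check in the `@@ -158` hunk still decides by substring — `doc.creation_info.creator_comment.lower().find(cisaSBOMType)` — so a creator comment that merely contains `source`, `build` or `design` inside an unrelated phrase ("open source tooling") is accepted as declaring an SBOM type. The `unittest-sbom-08.spdx` fixture (`CreatorComment: runtime`) shows a bare keyword is meant to be accepted, so the compatible fix is a word-boundary match such as `re.search(rf"\b{cisaSBOMType}\b", comment)` (the file already imports `re`), with `comment = doc.creation_info.creator_comment.lower()` computed once before the loop rather than per iteration. The debug line just above the check still calls `.find()` on the un-lowercased comment, so it logs `-1` for `Analyzed` while the check matches, which is misleading when reading logs. validate() continues outside the hunk.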
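Review bot: The `@@ -194` hunk leaves `if not package.version: pass` followed by a commented-out `problems.append(...)`; the `@@ -196` hunk of PATCH 4/5 does the same for `package.supplier`. A condition whose whole body is `pass` plus commented-out code reads as unfinished; if the NTIA minimum-elements check now owns these two fields, delete the `if` blocks and keep one comment at the top of the package loop, e.g. `# version and supplier presence are reported by the NTIA check above`. validate() continues outside the hunk.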
--- a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx
+++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-04.spdx
@@ -7,7 +7,7 @@ LicenseListVersion: 3.21
Creator: Organization: Anchore, Inc
Creator: Tool: syft-0.85.0
Created: 2023-07-19T08:04:05Z
-CreatorComment: CISA SBOM Type: Analyzed
+CreatorComment: CISA SBOM Type: analyzed
##### Package: libldap-2.4-2
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
index d0e1fdc..bec7790 100644
--- a/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_basic_errors.py
@@ -1,25 +1,25 @@
from openchain_telco_sbom_validator import validator
def test_nok_empty_file():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "")
+ v = validator.Validator()
+ result, problems = v.validate("")
assert problems[0].ErrorType == "File error"
assert result == False
def test_nok_not_spdx():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "test_validator_basic_errors.py")
+ v = validator.Validator()
+ result, problems = v.validate( "test_validator_basic_errors.py")
assert problems[0].ErrorType == "File error"
assert result == False
def test_nok_json_error():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "sboms/unittest-sbom-03.spdx.json")
+ v = validator.Validator()
+ result, problems = v.validate("sboms/unittest-sbom-03.spdx.json")
assert problems[0].ErrorType == "File error"
assert result == False
def test_nok_not_valid_spdx():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "sboms/unittest-sbom-04.spdx")
+ v = validator.Validator()
+ result, problems = v.validate("sboms/unittest-sbom-04.spdx")
assert problems[0].ErrorType == "SPDX validation error"
assert result == False
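Review bot: All four tests resolve fixture paths relative to the current working directory (`"sboms/unittest-sbom-03.spdx.json"`, `"test_validator_basic_errors.py"`), so they pass only when pytest is started inside `unittests/`; the same applies to `test_validator_ntia_errors.py`, `test_validator_ok.py` and `test_functions.py` in this series. Anchoring on the test module, `SBOMS = pathlib.Path(__file__).parent / "sboms"` and `v.validate(str(SBOMS / "unittest-sbom-03.spdx.json"))`, makes them location-independent. `assert result == False` should be `assert result is False` so that a falsy non-bool such as `None` does not pass. `test_nok_empty_file` and `test_nok_not_spdx` presumably rely on the parser rejecting `""` and a `.py` path as SPDX input before it tries to open them; a missing file with a recognised extension would surface as an uncaught `FileNotFoundError` rather than a `File error` problem, which deserves its own test once `validate()` handles that case.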
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
index d231425..29c6153 100644
--- a/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ntia_errors.py
@@ -1,23 +1,18 @@
-from openchain_telco_sbom_validator.validator import Validator
+from openchain_telco_sbom_validator import validator
def test_nok_empty_name():
- validator = Validator()
- result, problems = validator.validate("sboms/unittest-sbom-05.spdx")
- assert len(problems) == 2
+ v = validator.Validator()
+ result, problems = v.validate("sboms/unittest-sbom-05.spdx")
+ assert len(problems) == 1
assert problems[0].ErrorType == "NTIA validation error"
assert problems[0].Reason == "Package without a name"
assert problems[0].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b"
- assert problems[1].ErrorType == "NTIA validation error"
- assert problems[1].Reason == "Package without a version"
- assert problems[1].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b"
assert result == False
def test_nok_no_version():
- validator = Validator()
- result, problems = validator.validate("sboms/unittest-sbom-06.spdx")
- assert isinstance(validator, Validator)
- assert False
+ v = validator.Validator()
+ result, problems = v.validate("sboms/unittest-sbom-06.spdx")
assert len(problems) == 1
assert problems[0].ErrorType == "NTIA validation error"
- assert problems[0].Reason == "Package without a name"
+ assert problems[0].Reason == "Package without a version"
assert result == False
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
index be81ca5..2c135e3 100644
--- a/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_ok.py
@@ -1,13 +1,13 @@
from openchain_telco_sbom_validator import validator
def test_ok_json():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "sboms/unittest-sbom-01.spdx.json")
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-01.spdx.json")
assert problems is None
assert result == True
def test_ok():
- v = validator.Validator
- result, problems = v.validate(v, filePath = "sboms/unittest-sbom-02.spdx")
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-02.spdx")
assert problems is None
assert result == True
From 4e93ac329a752165621932e2814ad1959e3e159a Mon Sep 17 00:00:00 2001
From: Gergely Csatari
Date: Thu, 7 Nov 2024 15:37:20 +0200
Subject: [PATCH 4/5] Adding unit tests
Signed-off-by: Gergely Csatari
---
tools/openchain_telco_sbom_validator/setup.py | 1 + .../validator.py | 4 +- .../unittests/sboms/unittest-sbom-07.spdx | 40 +++++++ .../unittests/sboms/unittest-sbom-08.spdx | 41 +++++++ .../unittests/sboms/unittest-sbom-09.spdx | 41 +++++++ .../unittests/sboms/unittest-sbom-10.spdx | 40 +++++++ .../unittests/sboms/unittest-sbom-11.spdx | 39 +++++++ .../unittests/sboms/unittest-sbom-12.spdx | 101 ++++++++++++++++++ .../unittests/test_functions.py | 47 ++++++++ .../unittests/test_validator_generic.py | 51 +++++++++ .../unittests/test_validator_package.py | 34 ++++++ 11 files changed, 438 insertions(+), 1 deletion(-)
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx
create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_functions.py
create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py
create mode 100644 tools/openchain_telco_sbom_validator/unittests/test_validator_package.py
diff --git a/tools/openchain_telco_sbom_validator/setup.py b/tools/openchain_telco_sbom_validator/setup.py
index fe1e9bf..b933077 100644
--- a/tools/openchain_telco_sbom_validator/setup.py
+++ b/tools/openchain_telco_sbom_validator/setup.py
@@ -5,3 +5,4 @@
from setuptools import setup
setup()
+
diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
index e81cad3..73b2670 100755
--- a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
+++ b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
@@ -196,7 +196,9 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
### This is already detected during the NTIA check.
#problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Version field is missing")
if not package.supplier:
- problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Supplier field is missing")
+ pass
+ ### This is already detected during the NTIA check.
+ #problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Supplier field is missing")
if not package.checksums:
problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "Checksum field is missing")
if package.external_references:
diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx
new file mode 100644
index 0000000..023cdf5
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-07.spdx
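Review bot: Commenting out the `package.supplier` check changes what is accepted, not only where it is reported: the NTIA path that now covers it reports `"Package without a package supplier or package originator"` (hunk `@@ -136` of PATCH 2/5), i.e. a package carrying only `PackageOriginator` passes, whereas the removed line required `PackageSupplier` itself. If the profile this validator enforces mandates the supplier field specifically, the explicit check should stay; if an originator is an acceptable substitute, the `unittest-sbom-11.spdx` fixture added here (originator only, no supplier, no checksum) should get a test asserting exactly one problem so the intended semantics are pinned. validate() continues outside the hunk.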
@@ -0,0 +1,40 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Tool: syft 0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: CISA SBOM Type: deployed + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY 
cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx new file mode 100644 index 0000000..913cc84 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-08.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx new file mode 100644 index 0000000..bf342d2 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-09.spdx 
@@ -0,0 +1,41 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: something-else + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx new file mode 100644 index 0000000..7fc9748 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-10.spdx 
@@ -0,0 +1,40 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft 0.85.0 +Created: 2023-07-19T08:04:05Z + +##### Package: libldap-2.4-2 + +PackageName: Correct-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx new file mode 100644 index 0000000..d8278ca --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-11.spdx 
@@ -0,0 +1,39 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: libldap-2.4-2 + +PackageName: Nosupplier-Nochecksum-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf diff --git a/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx new file mode 100644 index 0000000..b0e55eb --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/sboms/unittest-sbom-12.spdx 
@@ -0,0 +1,101 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: bitnami/mongodb-sharded:6.0-debian-11 +DocumentNamespace: https://anchore.com/syft/image/bitnami/mongodb-sharded-6.0-debian-11-272a0a56-d03f-4239-8205-42267d6d0d29 +LicenseListVersion: 3.21 +Creator: Organization: Anchore, Inc +Creator: Tool: syft-0.85.0 +Created: 2023-07-19T08:04:05Z +CreatorComment: runtime + +##### Package: nopurl-libldap-2.4-2 + +PackageName: nopurl-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type 
cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* + + +##### Package: badpurl-libldap-2.4-2 + +PackageName: badpurl-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageHomePage: https://www.not-openldap.org/ +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: 
SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/not-debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + +##### Package: nohomepage-libldap-2.4-2 + +PackageName: nohomepage-libldap-2.4-2 +SPDXID: SPDXRef-Package-deb-nohomepage-libldap-2.4-2-796a192b709a2a2b +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageOriginator: Person: Debian OpenLDAP Maintainers +PackageSupplier: Person: Jane Doe (jane.doe@example.com) +PackageChecksum: SHA256: e325881d738b1091d0105778523ad60eb61e62557b9dc15624e08144b3991d08 +PackageDownloadLocation: NOASSERTION +FilesAnalyzed: true +PackageVerificationCode: 8360ca10f484b118d367165552d0b934835d128a +PackageSourceInfo: acquired package info from DPKG DB: /usr/share/doc/libldap-2.4-2/copyright, /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums, /var/lib/dpkg/status +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap-2.4-2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: SECURITY cpe23Type cpe:2.3:a:libldap:libldap_2.4_2:2.4.57\+dfsg-3\+deb11u1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11 + + +LicenseID: LicenseRef-Autoconf +ExtractedText: Autoconf + + +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b \ No newline at end of file diff --git a/tools/openchain_telco_sbom_validator/unittests/test_functions.py b/tools/openchain_telco_sbom_validator/unittests/test_functions.py new file mode 100644 index 0000000..524c478 --- /dev/null +++ b/tools/openchain_telco_sbom_validator/unittests/test_functions.py 
@@ -0,0 +1,47 @@
+from spdx_tools.spdx.model.package import Package
+from spdx_tools.spdx.model.document import Document
+from openchain_telco_sbom_validator import validator
+
+def test_nok_package_function():
+ v = validator.Validator()
+ functions = validator.FunctionRegistry()
+ functions.registerPackage(checkPackageHomepage)
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", functionRegistry=functions)
+ assert result == False
+ assert len(problems) == 2
+ assert problems[0].ErrorType == "Missing mandatory field from Package"
+ assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+ assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+
+ assert problems[1].ErrorType == "Missing mandatory field from Package"
+ assert problems[1].Reason == "PackageHomePage field is missing"
+ assert problems[1].SPDX_ID == "SPDXRef-Package-deb-nohomepage-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[1].PackageName == "nohomepage-libldap-2.4-2"
+
+def checkPackageHomepage(problems: validator.Problems, package: Package):
+ if isinstance(package.homepage, type(None)):
+ problems.append("Missing mandatory field from Package", package.spdx_id, package.name, "PackageHomePage field is missing")
+
+
+def test_nok_global_function():
+ v = validator.Validator()
+ functions = validator.FunctionRegistry()
+ functions.registerGlobal(checkSPDXVersion)
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", functionRegistry=functions)
+ assert result == False
+ assert len(problems) == 2
+
+ assert problems[0].ErrorType == "Missing mandatory field from Package"
+ assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+ assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+
+ assert problems[1].ErrorType == "SPDX Version"
+ assert problems[1].Reason == "SPDX Version is SPDX-2.3"
+ assert problems[1].SPDX_ID == "General"
+ assert problems[1].PackageName == "General"
+
+def checkSPDXVersion(problems: validator.Problems, doc: Document):
+ if doc.creation_info.spdx_version == "SPDX-2.3":
+ problems.append("SPDX Version", "General", "General", f"SPDX Version is SPDX-2.3")
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py
new file mode 100644
index 0000000..6f1fdae
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_generic.py
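Review bot: Both tests open `sboms/unittest-sbom-12.spdx` by a path relative to the current working directory, so they only pass when pytest is started from the `unittests` directory and fail with a file-not-found from the repository root or a CI runner; anchor the fixtures to the module instead with `from pathlib import Path`, `SBOM_DIR = Path(__file__).parent / "sboms"` and `filePath = str(SBOM_DIR / "unittest-sbom-12.spdx")`. Two smaller points in the helpers: `isinstance(package.homepage, type(None))` in `checkPackageHomepage` is the idiom `package.homepage is None`, and `f"SPDX Version is SPDX-2.3"` in `checkSPDXVersion` has no placeholders, so the `f` prefix should go. The assertions also pin that the validator reports its built-in purl problem before the registered callback's problem; if that ordering is not part of the validator's contract, matching problems by `SPDX_ID` rather than by index would make the tests less brittle.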
@@ -0,0 +1,51 @@
+from openchain_telco_sbom_validator import validator
+
+def test_ok_creator_comment():
+ v = validator.Validator()
+ # CreatorComment: CISA SBOM Type: Analyzed
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-02.spdx")
+ assert problems is None
+ assert result == True
+ # CreatorComment: CISA SBOM Type: analyzed
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-07.spdx")
+ assert len(problems) == 2
+ assert result == False
+ assert problems[0].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+ assert problems[0].Reason == "There is no Creator field with Organization keyword in it"
+ assert problems[0].SPDX_ID == "General"
+ assert problems[0].PackageName == "General"
+ assert problems[1].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+ assert problems[1].Reason == "There is no Creator field with Tool keyword in it or the field does not contain the tool name and its version separated with a hyphen"
+ assert problems[1].SPDX_ID == "General"
+ assert problems[1].PackageName == "General"
+
+ # CreatorComment: runtime
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-08.spdx")
+ assert problems is None
+ assert result == True
+
+def test_nok_creater_comment_incorrect_cisa():
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-09.spdx")
+ assert result == False
+ assert len(problems) == 1
+ assert problems[0].ErrorType == "Invalid CreationInfo"
+ assert problems[0].Reason == "CreatorComment (something-else) is not in the CISA SBOM Type list (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf)"
+ assert problems[0].SPDX_ID == "General"
+ assert problems[0].PackageName == "General"
+
+def test_nok_creater_comment_missing():
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-10.spdx")
+ assert result == False
+ assert len(problems) == 2
+ assert problems[0].ErrorType == "Missing mandatory field from CreationInfo"
+ assert problems[0].Reason == "CreatorComment is missing"
+ assert problems[0].SPDX_ID == "General"
+ assert problems[0].PackageName == "General"
+ assert problems[1].ErrorType == "Missing or invalid field in CreationInfo::Creator"
+ assert problems[1].Reason == "There is no Creator field with Tool keyword in it or the field does not contain the tool name and its version separated with a hyphen"
+ assert problems[1].SPDX_ID == "General"
+ assert problems[1].PackageName == "General"
+
+
diff --git a/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py b/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py
new file mode 100644
index 0000000..ee40aac
--- /dev/null
+++ b/tools/openchain_telco_sbom_validator/unittests/test_validator_package.py
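Review bot: `test_ok_creator_comment` asserts `result == False` and two unrelated `CreationInfo::Creator` errors for `unittest-sbom-07.spdx`, so the lowercase `CISA SBOM Type: analyzed` case the comment says it covers is only verified indirectly, by the CreatorComment error being absent from a list that is failing for other reasons. Give that fixture a valid Organization and Tool creator so the case-insensitive path can assert `problems is None` like the other two, or move it into its own `test_ok_creator_comment_lowercase` with a comment saying why it is expected to fail. The OK paths also assert `problems is None` while the failing paths use `len(problems)`, which couples the tests to the validator returning `None` rather than an empty list for a clean document; `assert not problems` would accept both. The names `test_nok_creater_comment_*` misspell "creator".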
@@ -0,0 +1,34 @@
+from openchain_telco_sbom_validator import validator
+
+def test_nok_creater_comment_missing():
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-11.spdx")
+ assert result == False
+ assert len(problems) == 2
+ assert problems[0].ErrorType == "NTIA validation error"
+ assert problems[0].Reason == "Package without a package supplier or package originator"
+ assert problems[0].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum"
+ assert problems[0].PackageName == "Nosupplier-Nochecksum-libldap-2.4-2"
+ assert problems[1].ErrorType == "Missing mandatory field from Package"
+ assert problems[1].Reason == "Checksum field is missing"
+ assert problems[1].SPDX_ID == "SPDXRef-Package-deb-libldap-2.4-2-Nosupplier-Nochecksum"
+ assert problems[1].PackageName == "Nosupplier-Nochecksum-libldap-2.4-2"
+
+def test_nok_purls():
+ v = validator.Validator()
+ result, problems = v.validate(filePath = "sboms/unittest-sbom-12.spdx", strict_purl_check=True, strict_url_check=True)
+ assert result == False
+ assert len(problems) == 4
+ assert problems[0].ErrorType == "Missing mandatory field from Package"
+ assert problems[0].Reason == "There is no purl type ExternalRef field in the Package"
+ assert problems[0].SPDX_ID == "SPDXRef-Package-deb-nopurl-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[0].PackageName == "nopurl-libldap-2.4-2"
+ assert problems[1].ErrorType == "Useless mandatory field from Package"
+ assert problems[1].Reason == "purl (pkg:deb/not-debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=amd64&upstream=openldap&distro=debian-11) in the ExternalRef cannot be converted to a downloadable URL"
+ assert problems[1].SPDX_ID == "SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[1].PackageName == "badpurl-libldap-2.4-2"
+ assert problems[2].ErrorType == "Invalid field in Package"
+ assert problems[2].Reason == "PackageHomePage field points to a nonexisting page (https://www.not-openldap.org/)"
+ assert problems[2].SPDX_ID == "SPDXRef-Package-deb-badpurl-libldap-2.4-2-796a192b709a2a2b"
+ assert problems[2].PackageName == "badpurl-libldap-2.4-2"
+
\ No newline at end of file
From b0ae5bb99a81619e59d4ea4641347a82ee55b92d Mon Sep 17 00:00:00 2001
From: Gergely Csatari
Date: Thu, 7 Nov 2024 15:50:19 +0200
Subject: [PATCH 5/5] Synching tests to the implementation
Signed-off-by: Gergely Csatari
---
 tools/openchain_telco_sbom_validator/testing/test-test.sh | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/tools/openchain_telco_sbom_validator/testing/test-test.sh b/tools/openchain_telco_sbom_validator/testing/test-test.sh
index 221e854..6f18700 100755
--- a/tools/openchain_telco_sbom_validator/testing/test-test.sh
+++ b/tools/openchain_telco_sbom_validator/testing/test-test.sh
@@ -28,7 +28,6 @@ function test_no_supplier_no_checksum
 assert_terminated_normally
 assert_exit_fail
 assert_has_output
- assert_output_contains "libldap-2.4-2 | Supplier field is missing"
 assert_output_contains "libldap-2.4-2 | Checksum field is missing"
 assert_output_contains "The SPDX file test-sbom-01.spdx is not compliant with the OpenChain Telco SBOM Guide"
 }
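Review bot: `test_nok_purls` asserts `len(problems) == 4` but only inspects `problems[0]` through `problems[2]`, so the fourth reported problem is counted and never checked; add the `ErrorType`/`Reason`/`SPDX_ID`/`PackageName` assertions for `problems[3]` as for the others (the hunk does not show which check produces it, so the expected values need to be confirmed against a run). The name `test_nok_creater_comment_missing` is copied from the generic test module and does not describe what this one covers, a package with neither supplier nor checksum; something like `test_nok_package_no_supplier_no_checksum` would. With `strict_url_check=True` the expected reason `PackageHomePage field points to a nonexisting page (https://www.not-openldap.org/)` suggests the validator resolves the homepage over the network, so this unit test depends on DNS/HTTP access and on `not-openldap.org` staying unregistered, which makes it flaky offline and could invert if someone registers that domain; consider stubbing the URL check or using a name under a reserved TLD such as `.invalid` in the fixture.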
@@ -44,12 +43,7 @@ function test_no_name_no_version_no_supplier
 assert_output_contains "Package without a name"
 assert_output_contains "golang.org/x/sync-empty- | Package without a package"
 assert_output_contains "golang.org/x/sync- | Package without a package"
- assert_output_contains "libldap-2.4-2 | Supplier field is missing"
- assert_output_contains "golang.org/x/sync-empty- | Version field is missing"
- assert_output_contains "golang.org/x/sync-empty- | Supplier field is missing"
 assert_output_contains "golang.org/x/sync-empty- | Checksum field is missing"
- assert_output_contains "golang.org/x/sync- | Version field is missing"
- assert_output_contains "golang.org/x/sync- | Supplier field is missing"
 assert_output_contains "golang.org/x/sync- | Checksum field is missing"
 assert_output_contains "The SPDX file test-sbom-02.spdx is not compliant with the OpenChain Telco SBOM Guide"
 }
@@ -114,7 +108,7 @@ function test_no_version_json
 assert_terminated_normally
 assert_exit_fail
 assert_has_output
- assert_output_contains "scanoss/engine | Version field is missing"
+ assert_output_contains "scanoss/engine | Package without a version"
 assert_output_contains "The SPDX file test-sbom-06.spdx.json is not compliant with the OpenChain Telco SBOM Guide"
 }
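Review bot: The removed `Version field is missing` assertions for `golang.org/x/sync-empty-` and `golang.org/x/sync-` are not replaced, so `test_no_name_no_version_no_supplier` no longer checks that a missing version is reported at all; the following hunk for `test_no_version_json` shows the new wording is `Package without a version`, so add `assert_output_contains "golang.org/x/sync-empty- | Package without a version"` and `assert_output_contains "golang.org/x/sync- | Package without a version"` next to the checksum assertions, provided that is what the validator emits for these packages. The kept `| Package without a package` prefixes presumably match the NTIA `Package without a package supplier or package originator` message and so stand in for the dropped supplier assertions for the two Go packages, but the `libldap-2.4-2 | Supplier field is missing` line was dropped with nothing asserting that package's missing supplier; the same `Package without a package` check should be added for it. The enclosing function starts before the hunk.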