debian-mirror-gitlab/spec/lib/gitlab/ci/parsers/sbom/cyclonedx_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Gitlab::Ci::Parsers::Sbom::Cyclonedx, feature_category: :dependency_management do
  let(:report) { instance_double('Gitlab::Ci::Reports::Sbom::Report') }
  let(:report_data) { base_report_data }
  let(:raw_report_data) { report_data.to_json }
  let(:report_valid?) { true }
  let(:validator_errors) { [] }
  let(:properties_parser) { class_double('Gitlab::Ci::Parsers::Sbom::CyclonedxProperties') }

  let(:base_report_data) do
    {
      'bomFormat' => 'CycloneDX',
      'specVersion' => '1.4',
      'version' => 1
    }
  end

  subject(:parse!) { described_class.new.parse!(raw_report_data, report) }

  before do
    allow_next_instance_of(Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator) do |validator|
      allow(validator).to receive(:valid?).and_return(report_valid?)
      allow(validator).to receive(:errors).and_return(validator_errors)
    end

    allow(properties_parser).to receive(:parse_source)
    stub_const('Gitlab::Ci::Parsers::Sbom::CyclonedxProperties', properties_parser)
  end

  context 'when report JSON is invalid' do
    let(:raw_report_data) { '{ ' }

    it 'handles errors and adds them to the report' do
      expect(report).to receive(:add_error).with(a_string_including("Report JSON is invalid:"))

      expect { parse! }.not_to raise_error
    end
  end

  context 'when report uses an unsupported spec version' do
    let(:report_data) { base_report_data.merge({ 'specVersion' => '1.3' }) }

    it 'reports unsupported version as an error' do
      expect(report).to receive(:add_error).with("Unsupported CycloneDX spec version. Must be one of: 1.4")

      parse!
    end
  end

  context 'when report does not conform to the CycloneDX schema' do
    let(:report_valid?) { false }
    let(:validator_errors) { %w[error1 error2] }

    it 'reports all errors returned by the validator' do
      expect(report).to receive(:add_error).with("error1")
      expect(report).to receive(:add_error).with("error2")

      parse!
    end
  end

  context 'when cyclonedx report has no components' do
    it 'skips component processing' do
      expect(report).not_to receive(:add_component)

      parse!
    end
  end

  context 'when report has components' do
    let(:report_data) { base_report_data.merge({ 'components' => components }) }
    let(:components) do
      [
        {
          "name" => "activesupport",
          "version" => "5.1.4",
          "purl" => "pkg:gem/activesupport@5.1.4",
          "type" => "library",
          "bom-ref" => "pkg:gem/activesupport@5.1.4"
        },
        {
          "name" => "byebug",
          "version" => "10.0.0",
          "purl" => "pkg:gem/byebug@10.0.0",
          "type" => "library",
          "bom-ref" => "pkg:gem/byebug@10.0.0"
        },
        {
          "name" => "minimal-component",
          "type" => "library"
        },
        {
          # Should be skipped
          "name" => "unrecognized-type",
          "type" => "unknown"
        }
      ]
    end

    before do
      allow(report).to receive(:add_component)
    end

    it 'adds each component, ignoring unused attributes' do
      expect(report).to receive(:add_component)
        .with(
          an_object_having_attributes(
            name: "activesupport",
            version: "5.1.4",
            component_type: "library",
            purl: an_object_having_attributes(type: "gem")
          )
        )
      expect(report).to receive(:add_component)
        .with(
          an_object_having_attributes(
            name: "byebug",
            version: "10.0.0",
            component_type: "library",
            purl: an_object_having_attributes(type: "gem")
          )
        )
      expect(report).to receive(:add_component)
        .with(an_object_having_attributes(name: "minimal-component", version: nil, component_type: "library"))

      parse!
    end

    context 'when a component has an invalid purl' do
      before do
        components.push(
          {
            "name" => "invalid-component",
            "version" => "v0.0.1",
            "purl" => "pkg:nil",
            "type" => "library"
          }
        )
      end

      it 'adds an error to the report' do
        expect(report).to receive(:add_error).with("/components/#{components.size - 1}/purl is invalid")

        parse!
      end
    end
  end

  context 'when report has metadata properties' do
    let(:report_data) { base_report_data.merge({ 'metadata' => { 'properties' => properties } }) }

    let(:properties) do
      [
        { 'name' => 'gitlab:meta:schema_version', 'value' => '1' },
        { 'name' => 'gitlab:dependency_scanning:category', 'value' => 'development' },
        { 'name' => 'gitlab:dependency_scanning:input_file:path', 'value' => 'package-lock.json' },
        { 'name' => 'gitlab:dependency_scanning:source_file:path', 'value' => 'package.json' },
        { 'name' => 'gitlab:dependency_scanning:package_manager:name', 'value' => 'npm' },
        { 'name' => 'gitlab:dependency_scanning:language:name', 'value' => 'JavaScript' }
      ]
    end

    it 'passes them to the properties parser' do
      expect(properties_parser).to receive(:parse_source).with(properties)

      parse!
    end
  end
end
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`# frozen_string_literal: true`

			`require 'spec_helper'`

New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`RSpec.describe Gitlab::Ci::Parsers::Sbom::Cyclonedx, feature_category: :dependency_management do`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`let(:report) { instance_double('Gitlab::Ci::Reports::Sbom::Report') }`
			`let(:report_data) { base_report_data }`
			`let(:raw_report_data) { report_data.to_json }`
			`let(:report_valid?) { true }`
			`let(:validator_errors) { [] }`
			`let(:properties_parser) { class_double('Gitlab::Ci::Parsers::Sbom::CyclonedxProperties') }`

			`let(:base_report_data) do`
			`{`
			`'bomFormat' => 'CycloneDX',`
			`'specVersion' => '1.4',`
			`'version' => 1`
			`}`
			`end`

			`subject(:parse!) { described_class.new.parse!(raw_report_data, report) }`

			`before do`
			`allow_next_instance_of(Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator) do \|validator\|`
			`allow(validator).to receive(:valid?).and_return(report_valid?)`
			`allow(validator).to receive(:errors).and_return(validator_errors)`
			`end`

			`allow(properties_parser).to receive(:parse_source)`
			`stub_const('Gitlab::Ci::Parsers::Sbom::CyclonedxProperties', properties_parser)`
			`end`

			`context 'when report JSON is invalid' do`
			`let(:raw_report_data) { '{ ' }`

			`it 'handles errors and adds them to the report' do`
			`expect(report).to receive(:add_error).with(a_string_including("Report JSON is invalid:"))`

			`expect { parse! }.not_to raise_error`
			`end`
			`end`

			`context 'when report uses an unsupported spec version' do`
			`let(:report_data) { base_report_data.merge({ 'specVersion' => '1.3' }) }`

			`it 'reports unsupported version as an error' do`
			`expect(report).to receive(:add_error).with("Unsupported CycloneDX spec version. Must be one of: 1.4")`

			`parse!`
			`end`
			`end`

			`context 'when report does not conform to the CycloneDX schema' do`
			`let(:report_valid?) { false }`
			`let(:validator_errors) { %w[error1 error2] }`

			`it 'reports all errors returned by the validator' do`
			`expect(report).to receive(:add_error).with("error1")`
			`expect(report).to receive(:add_error).with("error2")`

			`parse!`
			`end`
			`end`

			`context 'when cyclonedx report has no components' do`
			`it 'skips component processing' do`
			`expect(report).not_to receive(:add_component)`

			`parse!`
			`end`
			`end`

			`context 'when report has components' do`
			`let(:report_data) { base_report_data.merge({ 'components' => components }) }`
			`let(:components) do`
			`[`
			`{`
			`"name" => "activesupport",`
			`"version" => "5.1.4",`
			`"purl" => "pkg:gem/activesupport@5.1.4",`
			`"type" => "library",`
			`"bom-ref" => "pkg:gem/activesupport@5.1.4"`
			`},`
			`{`
			`"name" => "byebug",`
			`"version" => "10.0.0",`
			`"purl" => "pkg:gem/byebug@10.0.0",`
			`"type" => "library",`
			`"bom-ref" => "pkg:gem/byebug@10.0.0"`
			`},`
			`{`
			`"name" => "minimal-component",`
			`"type" => "library"`
			`},`
			`{`
			`# Should be skipped`
			`"name" => "unrecognized-type",`
			`"type" => "unknown"`
			`}`
			`]`
			`end`

New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30			`before do`
			`allow(report).to receive(:add_component)`
			`end`

New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`it 'adds each component, ignoring unused attributes' do`
			`expect(report).to receive(:add_component)`
New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30			`.with(`
			`an_object_having_attributes(`
			`name: "activesupport",`
			`version: "5.1.4",`
			`component_type: "library",`
			`purl: an_object_having_attributes(type: "gem")`
			`)`
			`)`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`expect(report).to receive(:add_component)`
New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30			`.with(`
			`an_object_having_attributes(`
			`name: "byebug",`
			`version: "10.0.0",`
			`component_type: "library",`
			`purl: an_object_having_attributes(type: "gem")`
			`)`
			`)`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`expect(report).to receive(:add_component)`
New upstream version 15.4.2+ds1 2022-10-11 01:57:18 +05:30			`.with(an_object_having_attributes(name: "minimal-component", version: nil, component_type: "library"))`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30
			`parse!`
			`end`
New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30
			`context 'when a component has an invalid purl' do`
			`before do`
			`components.push(`
			`{`
			`"name" => "invalid-component",`
			`"version" => "v0.0.1",`
			`"purl" => "pkg:nil",`
			`"type" => "library"`
			`}`
			`)`
			`end`

			`it 'adds an error to the report' do`
			`expect(report).to receive(:add_error).with("/components/#{components.size - 1}/purl is invalid")`

			`parse!`
			`end`
			`end`
New upstream version 15.3.1+ds1 2022-08-27 11:52:29 +05:30			`end`

			`context 'when report has metadata properties' do`
			`let(:report_data) { base_report_data.merge({ 'metadata' => { 'properties' => properties } }) }`

			`let(:properties) do`
			`[`
			`{ 'name' => 'gitlab:meta:schema_version', 'value' => '1' },`
			`{ 'name' => 'gitlab:dependency_scanning:category', 'value' => 'development' },`
			`{ 'name' => 'gitlab:dependency_scanning:input_file:path', 'value' => 'package-lock.json' },`
			`{ 'name' => 'gitlab:dependency_scanning:source_file:path', 'value' => 'package.json' },`
			`{ 'name' => 'gitlab:dependency_scanning:package_manager:name', 'value' => 'npm' },`
			`{ 'name' => 'gitlab:dependency_scanning:language:name', 'value' => 'JavaScript' }`
			`]`
			`end`

			`it 'passes them to the properties parser' do`
			`expect(properties_parser).to receive(:parse_source).with(properties)`

			`parse!`
			`end`
			`end`
			`end`