tools/sbom/sbom_writers_test.py - LeafOS-Project/android_build - Gitiles

 #!/usr/bin/env python3
 #
 # Copyright (C) 2023 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 import io
 import pathlib
 import unittest
 import sbom_data
 import sbom_writers

 BUILD_FINGER_PRINT = 'build_finger_print'
 SUPPLIER_GOOGLE = 'Organization: Google'
 SUPPLIER_UPSTREAM = 'Organization: upstream'

 SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
 SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
 SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'

 SPDXID_FILE1 = 'SPDXRef-file1'
 SPDXID_FILE2 = 'SPDXRef-file2'
 SPDXID_FILE3 = 'SPDXRef-file3'
 SPDXID_FILE4 = 'SPDXRef-file4'


 class SBOMWritersTest(unittest.TestCase):

   def setUp(self):
     # SBOM of a product
     self.sbom_doc = sbom_data.Document(name='test doc',
                                        namespace='http://www.google.com/sbom/spdx/android',
                                        creators=[SUPPLIER_GOOGLE],
                                        created='2023-03-31T22:17:58Z',
                                        describes=sbom_data.SPDXID_PRODUCT)
     self.sbom_doc.add_external_ref(
       sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
                                           uri='external_doc_uri',
                                           checksum='SHA1: 1234567890'))
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                         name=sbom_data.PACKAGE_NAME_PRODUCT,
                         download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         files_analyzed=True,
                         verification_code='123456',
                         file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3]))

     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                         name=sbom_data.PACKAGE_NAME_PLATFORM,
                         download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))

     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                         name='Prebuilt package1',
                         download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))

     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Source package1',
                         download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         external_refs=[sbom_data.PackageExternalRef(
                           category=sbom_data.PackageExternalRefCategory.SECURITY,
                           type=sbom_data.PackageExternalRefType.cpe22Type,
                           locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
                         ))

     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
                         name='Upstream package1',
                         supplier=SUPPLIER_UPSTREAM,
                         version='1.1',
                         ))

     self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
                                                           relationship=sbom_data.RelationshipType.VARIANT_OF,
                                                           id2=SPDXID_UPSTREAM_PACKAGE1))

     self.sbom_doc.files.append(
       sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111'))
     self.sbom_doc.files.append(
       sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222'))
     self.sbom_doc.files.append(
       sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333'))
     self.sbom_doc.files.append(
       sbom_data.File(id=SPDXID_FILE4, name='file4.a', checksum='SHA1: 44444'))

     self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                           relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                           id2=sbom_data.SPDXID_PLATFORM))
     self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
                                                           relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                           id2=SPDXID_PREBUILT_PACKAGE1))
     self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
                                                           relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                           id2=SPDXID_SOURCE_PACKAGE1
                                                           ))
     self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                           relationship=sbom_data.RelationshipType.STATIC_LINK,
                                                           id2=SPDXID_FILE4
                                                           ))

     # SBOM fragment of a APK
     self.unbundled_sbom_doc = sbom_data.Document(name='test doc',
                                                  namespace='http://www.google.com/sbom/spdx/android',
                                                  creators=[SUPPLIER_GOOGLE],
                                                  created='2023-03-31T22:17:58Z',
                                                  describes=SPDXID_FILE1)

     self.unbundled_sbom_doc.files.append(
       sbom_data.File(id=SPDXID_FILE1, name='/bin/file1.apk', checksum='SHA1: 11111'))
     self.unbundled_sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Unbundled apk package',
                         download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT))
     self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                                     relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                                     id2=SPDXID_SOURCE_PACKAGE1))

   def test_tagvalue_writer(self):
     with io.StringIO() as output:
       sbom_writers.TagValueWriter.write(self.sbom_doc, output)
       expected_output = pathlib.Path('testdata/expected_tagvalue_sbom.spdx').read_text()
       self.maxDiff = None
       self.assertEqual(expected_output, output.getvalue())

   def test_tagvalue_writer_doc_describes_file(self):
     with io.StringIO() as output:
       self.sbom_doc.describes = SPDXID_FILE4
       sbom_writers.TagValueWriter.write(self.sbom_doc, output)
       expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_doc_describes_file.spdx').read_text()
       self.maxDiff = None
       self.assertEqual(expected_output, output.getvalue())

   def test_tagvalue_writer_unbundled(self):
     with io.StringIO() as output:
       sbom_writers.TagValueWriter.write(self.unbundled_sbom_doc, output, fragment=True)
       expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_unbundled.spdx').read_text()
       self.maxDiff = None
       self.assertEqual(expected_output, output.getvalue())

   def test_json_writer(self):
     with io.StringIO() as output:
       sbom_writers.JSONWriter.write(self.sbom_doc, output)
       expected_output = pathlib.Path('testdata/expected_json_sbom.spdx.json').read_text()
       self.maxDiff = None
       self.assertEqual(expected_output, output.getvalue())


 if __name__ == '__main__':
   unittest.main(verbosity=2)
	#!/usr/bin/env python3
	#
	# Copyright (C) 2023 The Android Open Source Project
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	import io
	import pathlib
	import unittest
	import sbom_data
	import sbom_writers

	BUILD_FINGER_PRINT = 'build_finger_print'
	SUPPLIER_GOOGLE = 'Organization: Google'
	SUPPLIER_UPSTREAM = 'Organization: upstream'

	SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
	SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
	SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'

	SPDXID_FILE1 = 'SPDXRef-file1'
	SPDXID_FILE2 = 'SPDXRef-file2'
	SPDXID_FILE3 = 'SPDXRef-file3'
	SPDXID_FILE4 = 'SPDXRef-file4'


	class SBOMWritersTest(unittest.TestCase):

	def setUp(self):
	# SBOM of a product
	self.sbom_doc = sbom_data.Document(name='test doc',
	namespace='http://www.google.com/sbom/spdx/android',
	creators=[SUPPLIER_GOOGLE],
	created='2023-03-31T22:17:58Z',
	describes=sbom_data.SPDXID_PRODUCT)
	self.sbom_doc.add_external_ref(
	sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
	uri='external_doc_uri',
	checksum='SHA1: 1234567890'))
	self.sbom_doc.add_package(
	sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
	name=sbom_data.PACKAGE_NAME_PRODUCT,
	download_location=sbom_data.VALUE_NONE,
	supplier=SUPPLIER_GOOGLE,
	version=BUILD_FINGER_PRINT,
	files_analyzed=True,
	verification_code='123456',
	file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3]))

	self.sbom_doc.add_package(
	sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
	name=sbom_data.PACKAGE_NAME_PLATFORM,
	download_location=sbom_data.VALUE_NONE,
	supplier=SUPPLIER_GOOGLE,
	version=BUILD_FINGER_PRINT,
	))

	self.sbom_doc.add_package(
	sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
	name='Prebuilt package1',
	download_location=sbom_data.VALUE_NONE,
	supplier=SUPPLIER_GOOGLE,
	version=BUILD_FINGER_PRINT,
	))

	self.sbom_doc.add_package(
	sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
	name='Source package1',
	download_location=sbom_data.VALUE_NONE,
	supplier=SUPPLIER_GOOGLE,
	version=BUILD_FINGER_PRINT,
	external_refs=[sbom_data.PackageExternalRef(
	category=sbom_data.PackageExternalRefCategory.SECURITY,
	type=sbom_data.PackageExternalRefType.cpe22Type,
	locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
	))

	self.sbom_doc.add_package(
	sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
	name='Upstream package1',
	supplier=SUPPLIER_UPSTREAM,
	version='1.1',
	))

	self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
	relationship=sbom_data.RelationshipType.VARIANT_OF,
	id2=SPDXID_UPSTREAM_PACKAGE1))

	self.sbom_doc.files.append(
	sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111'))
	self.sbom_doc.files.append(
	sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222'))
	self.sbom_doc.files.append(
	sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333'))
	self.sbom_doc.files.append(
	sbom_data.File(id=SPDXID_FILE4, name='file4.a', checksum='SHA1: 44444'))

	self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
	relationship=sbom_data.RelationshipType.GENERATED_FROM,
	id2=sbom_data.SPDXID_PLATFORM))
	self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
	relationship=sbom_data.RelationshipType.GENERATED_FROM,
	id2=SPDXID_PREBUILT_PACKAGE1))
	self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
	relationship=sbom_data.RelationshipType.GENERATED_FROM,
	id2=SPDXID_SOURCE_PACKAGE1
	))
	self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
	relationship=sbom_data.RelationshipType.STATIC_LINK,
	id2=SPDXID_FILE4
	))

	# SBOM fragment of a APK
	self.unbundled_sbom_doc = sbom_data.Document(name='test doc',
	namespace='http://www.google.com/sbom/spdx/android',
	creators=[SUPPLIER_GOOGLE],
	created='2023-03-31T22:17:58Z',
	describes=SPDXID_FILE1)

	self.unbundled_sbom_doc.files.append(
	sbom_data.File(id=SPDXID_FILE1, name='/bin/file1.apk', checksum='SHA1: 11111'))
	self.unbundled_sbom_doc.add_package(
	sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
	name='Unbundled apk package',
	download_location=sbom_data.VALUE_NONE,
	supplier=SUPPLIER_GOOGLE,
	version=BUILD_FINGER_PRINT))
	self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
	relationship=sbom_data.RelationshipType.GENERATED_FROM,
	id2=SPDXID_SOURCE_PACKAGE1))

	def test_tagvalue_writer(self):
	with io.StringIO() as output:
	sbom_writers.TagValueWriter.write(self.sbom_doc, output)
	expected_output = pathlib.Path('testdata/expected_tagvalue_sbom.spdx').read_text()
	self.maxDiff = None
	self.assertEqual(expected_output, output.getvalue())

	def test_tagvalue_writer_doc_describes_file(self):
	with io.StringIO() as output:
	self.sbom_doc.describes = SPDXID_FILE4
	sbom_writers.TagValueWriter.write(self.sbom_doc, output)
	expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_doc_describes_file.spdx').read_text()
	self.maxDiff = None
	self.assertEqual(expected_output, output.getvalue())

	def test_tagvalue_writer_unbundled(self):
	with io.StringIO() as output:
	sbom_writers.TagValueWriter.write(self.unbundled_sbom_doc, output, fragment=True)
	expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_unbundled.spdx').read_text()
	self.maxDiff = None
	self.assertEqual(expected_output, output.getvalue())

	def test_json_writer(self):
	with io.StringIO() as output:
	sbom_writers.JSONWriter.write(self.sbom_doc, output)
	expected_output = pathlib.Path('testdata/expected_json_sbom.spdx.json').read_text()
	self.maxDiff = None
	self.assertEqual(expected_output, output.getvalue())


	if __name__ == '__main__':
	unittest.main(verbosity=2)