Add latest changes from gitlab-org/gitlab@master

3 files changed, 156 insertions, 11 deletions

diff --git a/spec/lib/gitlab/ci/parsers/sbom/cyclonedx_spec.rb b/spec/lib/gitlab/ci/parsers/sbom/cyclonedx_spec.rb
index 59a7a03acea..c58e11063b8 100644
--- a/spec/lib/gitlab/ci/parsers/sbom/cyclonedx_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/sbom/cyclonedx_spec.rb
@@ -4,7 +4,10 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Parsers::Sbom::Cyclonedx do
   let(:report) { instance_double('Gitlab::Ci::Reports::Sbom::Report') }
+  let(:report_data) { base_report_data }
   let(:raw_report_data) { report_data.to_json }
+  let(:report_valid?) { true }
+  let(:validator_errors) { [] }
 
   let(:base_report_data) do
     {
@@ -16,6 +19,13 @@ RSpec.describe Gitlab::Ci::Parsers::Sbom::Cyclonedx do
 
   subject(:parse!) { described_class.new(raw_report_data, report).parse! }
 
+  before do
+    allow_next_instance_of(Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator) do |validator|
+      allow(validator).to receive(:valid?).and_return(report_valid?)
+      allow(validator).to receive(:errors).and_return(validator_errors)
+    end
+  end
+
   context 'when report JSON is invalid' do
     let(:raw_report_data) { '{ ' }
 
@@ -36,9 +46,19 @@ RSpec.describe Gitlab::Ci::Parsers::Sbom::Cyclonedx do
     end
   end
 
-  context 'when cyclonedx report has no components' do
-    let(:report_data) { base_report_data }
+  context 'when report does not conform to the CycloneDX schema' do
+    let(:report_valid?) { false }
+    let(:validator_errors) { %w[error1 error2] }
+
+    it 'reports all errors returned by the validator' do
+      expect(report).to receive(:add_error).with("error1")
+      expect(report).to receive(:add_error).with("error2")
 
+      parse!
+    end
+  end
+
+  context 'when cyclonedx report has no components' do
     it 'skips component processing' do
       expect(report).not_to receive(:add_component)
 
diff --git a/spec/lib/gitlab/ci/parsers/sbom/validators/cyclonedx_schema_validator_spec.rb b/spec/lib/gitlab/ci/parsers/sbom/validators/cyclonedx_schema_validator_spec.rb
new file mode 100644
index 00000000000..c54a3268bbe
--- /dev/null
+++ b/spec/lib/gitlab/ci/parsers/sbom/validators/cyclonedx_schema_validator_spec.rb
@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator do
+  # Reports should be valid or invalid according to the specification at
+  # https://cyclonedx.org/docs/1.4/json/
+
+  subject(:validator) { described_class.new(report_data) }
+
+  let_it_be(:required_attributes) do
+    {
+      "bomFormat" => "CycloneDX",
+      "specVersion" => "1.4",
+      "version" => 1
+    }
+  end
+
+  context "with minimally valid report" do
+    let_it_be(:report_data) { required_attributes }
+
+    it { is_expected.to be_valid }
+  end
+
+  context "when report has components" do
+    let(:report_data) { required_attributes.merge({ "components" => components }) }
+
+    context "with minimally valid components" do
+      let(:components) do
+        [
+          {
+            "type" => "library",
+            "name" => "activesupport"
+          },
+          {
+            "type" => "library",
+            "name" => "byebug"
+          }
+        ]
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context "when components have versions" do
+      let(:components) do
+        [
+          {
+            "type" => "library",
+            "name" => "activesupport",
+            "version" => "5.1.4"
+          },
+          {
+            "type" => "library",
+            "name" => "byebug",
+            "version" => "10.0.0"
+          }
+        ]
+      end
+
+      it { is_expected.to be_valid }
+    end
+
+    context "when components are not valid" do
+      let(:components) do
+        [
+          { "type" => "foo" },
+          { "name" => "activesupport" }
+        ]
+      end
+
+      it { is_expected.not_to be_valid }
+
+      it "outputs errors for each validation failure" do
+        expect(validator.errors).to match_array([
+          "property '/components/0' is missing required keys: name",
+          "property '/components/0/type' is not one of: [\"application\", \"framework\"," \
+            " \"library\", \"container\", \"operating-system\", \"device\", \"firmware\", \"file\"]",
+          "property '/components/1' is missing required keys: type"
+        ])
+      end
+    end
+  end
+
+  context "when report has metadata" do
+    let(:metadata) do
+      {
+        "timestamp" => "2022-02-23T08:02:39Z",
+        "tools" => [{ "vendor" => "GitLab", "name" => "Gemnasium", "version" => "2.34.0" }],
+        "authors" => [{ "name" => "GitLab", "email" => "support@gitlab.com" }]
+      }
+    end
+
+    let(:report_data) { required_attributes.merge({ "metadata" => metadata }) }
+
+    it { is_expected.to be_valid }
+
+    context "when metadata has properties" do
+      before do
+        metadata.merge!({ "properties" => properties })
+      end
+
+      context "when properties are valid" do
+        let(:properties) do
+          [
+            { "name" => "gitlab:dependency_scanning:input_file", "value" => "Gemfile.lock" },
+            { "name" => "gitlab:dependency_scanning:package_manager", "value" => "bundler" }
+          ]
+        end
+
+        it { is_expected.to be_valid }
+      end
+
+      context "when properties are invalid" do
+        let(:properties) do
+          [
+            { "name" => ["gitlab:meta:schema_version"], "value" => 1 }
+          ]
+        end
+
+        it { is_expected.not_to be_valid }
+
+        it "outputs errors for each validation failure" do
+          expect(validator.errors).to match_array([
+            "property '/metadata/properties/0/name' is not of type: string",
+            "property '/metadata/properties/0/value' is not of type: string"
+          ])
+        end
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/global_id/deprecations_spec.rb b/spec/lib/gitlab/global_id/deprecations_spec.rb
index 2c58c7ff15d..3824473c95b 100644
--- a/spec/lib/gitlab/global_id/deprecations_spec.rb
+++ b/spec/lib/gitlab/global_id/deprecations_spec.rb
@@ -1,26 +1,19 @@
 # frozen_string_literal: true
 
 require 'fast_spec_helper'
-require 'test_prof/recipes/rspec/let_it_be'
 require 'graphql'
 require_relative '../../../../app/graphql/types/base_scalar'
 require_relative '../../../../app/graphql/types/global_id_type'
 require_relative '../../../support/helpers/global_id_deprecation_helpers'
 
-TestProf::BeforeAll.adapter = Class.new do
-  def begin_transaction; end
-
-  def rollback_transaction; end
-end.new
-
 RSpec.describe Gitlab::GlobalId::Deprecations do
   include GlobalIDDeprecationHelpers
 
-  let_it_be(:deprecation_1) do
+  let(:deprecation_1) do
     described_class::NameDeprecation.new(old_name: 'Foo::Model', new_name: 'Bar', milestone: '9.0')
   end
 
-  let_it_be(:deprecation_2) do
+  let(:deprecation_2) do
     described_class::NameDeprecation.new(old_name: 'Baz', new_name: 'Qux::Model', milestone: '10.0')
   end