1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
# frozen_string_literal: true
require "spec_helper"
RSpec.describe Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator do
# Reports should be valid or invalid according to the specification at
# https://cyclonedx.org/docs/1.4/json/
subject(:validator) { described_class.new(report_data) }
let_it_be(:required_attributes) do
{
"bomFormat" => "CycloneDX",
"specVersion" => "1.4",
"version" => 1
}
end
context "with minimally valid report" do
let_it_be(:report_data) { required_attributes }
it { is_expected.to be_valid }
end
context "when report has components" do
let(:report_data) { required_attributes.merge({ "components" => components }) }
context "with minimally valid components" do
let(:components) do
[
{
"type" => "library",
"name" => "activesupport"
},
{
"type" => "library",
"name" => "byebug"
}
]
end
it { is_expected.to be_valid }
end
context "when components have versions" do
let(:components) do
[
{
"type" => "library",
"name" => "activesupport",
"version" => "5.1.4"
},
{
"type" => "library",
"name" => "byebug",
"version" => "10.0.0"
}
]
end
it { is_expected.to be_valid }
end
context "when components are not valid" do
let(:components) do
[
{ "type" => "foo" },
{ "name" => "activesupport" }
]
end
it { is_expected.not_to be_valid }
it "outputs errors for each validation failure" do
expect(validator.errors).to match_array([
"property '/components/0' is missing required keys: name",
"property '/components/0/type' is not one of: [\"application\", \"framework\"," \
" \"library\", \"container\", \"operating-system\", \"device\", \"firmware\", \"file\"]",
"property '/components/1' is missing required keys: type"
])
end
end
end
context "when report has metadata" do
let(:metadata) do
{
"timestamp" => "2022-02-23T08:02:39Z",
"tools" => [{ "vendor" => "GitLab", "name" => "Gemnasium", "version" => "2.34.0" }],
"authors" => [{ "name" => "GitLab", "email" => "support@gitlab.com" }]
}
end
let(:report_data) { required_attributes.merge({ "metadata" => metadata }) }
it { is_expected.to be_valid }
context "when metadata has properties" do
before do
metadata.merge!({ "properties" => properties })
end
context "when properties are valid" do
let(:properties) do
[
{ "name" => "gitlab:dependency_scanning:input_file", "value" => "Gemfile.lock" },
{ "name" => "gitlab:dependency_scanning:package_manager", "value" => "bundler" }
]
end
it { is_expected.to be_valid }
end
context "when properties are invalid" do
let(:properties) do
[
{ "name" => ["gitlab:meta:schema_version"], "value" => 1 }
]
end
it { is_expected.not_to be_valid }
it "outputs errors for each validation failure" do
expect(validator.errors).to match_array([
"property '/metadata/properties/0/name' is not of type: string",
"property '/metadata/properties/0/value' is not of type: string"
])
end
end
end
end
end
|