test: validate CycloneDX with the JSON schema

knqyf263 · Aug 7, 2023 · 8abf60b · 8abf60b
1 parent a796701
commit 8abf60b
Show file tree

Hide file tree

Showing 6 changed files with 6,669 additions and 31 deletions.
diff --git a/integration/client_server_test.go b/integration/client_server_test.go
@@ -4,17 +4,14 @@ package integration
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
-	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
-	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
@@ -402,45 +399,31 @@ func TestClientServerWithFormat(t *testing.T) {
 }
 
 func TestClientServerWithCycloneDX(t *testing.T) {
-	if *update {
-		t.Skipf("This test doesn't use golden files")
-	}
 	tests := []struct {
-		name                  string
-		args                  csArgs
-		wantComponentsCount   int
-		wantDependenciesCount int
+		name   string
+		args   csArgs
+		golden string
 	}{
 		{
 			name: "fluentd with RubyGems with CycloneDX format",
 			args: csArgs{
 				Format: "cyclonedx",
 				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
 			},
-			wantComponentsCount:   161,
-			wantDependenciesCount: 162,
+			golden: "testdata/fluentd-multiple-lockfiles.cdx.json.golden",
 		},
 	}
 
 	addr, cacheDir := setup(t, setupOptions{})
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
 			// Run Trivy client
 			err := execute(osArgs)
 			require.NoError(t, err)
 
-			f, err := os.Open(outputFile)
-			require.NoError(t, err)
-			defer f.Close()
-
-			var got cdx.BOM
-			err = json.NewDecoder(f).Decode(&got)
-			require.NoError(t, err)
-
-			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
-			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
+			compareCycloneDX(t, tt.golden, outputFile)
 		})
 	}
 }

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -11,18 +11,20 @@ import (
 	"os"
 	"path/filepath"
 	"sort"
+	"strings"
 	"testing"
 	"time"
 
 	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/samber/lo"
 	spdxjson "github.com/spdx/tools-golang/json"
 	"github.com/spdx/tools-golang/spdx"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/xeipuuv/gojsonschema"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
-
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -212,6 +214,20 @@ func compareCycloneDX(t *testing.T, wantFile, gotFile string) {
 	want := readCycloneDX(t, wantFile)
 	got := readCycloneDX(t, gotFile)
 	assert.Equal(t, want, got)
+
+	// Validate CycloneDX output against the JSON schema
+	schemaLoader := gojsonschema.NewReferenceLoader(got.JSONSchema)
+	documentLoader := gojsonschema.NewGoLoader(got)
+
+	result, err := gojsonschema.Validate(schemaLoader, documentLoader)
+	require.NoError(t, err)
+
+	if valid := result.Valid(); !valid {
+		errs := lo.Map(result.Errors(), func(err gojsonschema.ResultError, _ int) string {
+			return err.String()
+		})
+		assert.True(t, valid, strings.Join(errs, "\n"))
+	}
 }
 
 func compareSpdxJson(t *testing.T, wantFile, gotFile string) {

diff --git a/integration/repo_test.go b/integration/repo_test.go
@@ -31,7 +31,7 @@ func TestRepository(t *testing.T) {
 		skipFiles      []string
 		skipDirs       []string
 		command        string
-		format         string
+		format         types.Format
 		includeDevDeps bool
 	}
 	tests := []struct {
@@ -367,7 +367,7 @@ func TestRepository(t *testing.T) {
 				command = tt.args.command
 			}
 
-			format := "json"
+			format := types.FormatJSON
 			if tt.args.format != "" {
 				format = tt.args.format
 			}
@@ -380,7 +380,7 @@ func TestRepository(t *testing.T) {
 				"--skip-db-update",
 				"--skip-policy-update",
 				"--format",
-				format,
+				string(format),
 				"--offline-scan",
 			}
 
@@ -464,11 +464,11 @@ func TestRepository(t *testing.T) {
 
 			// Compare want and got
 			switch format {
-			case "cyclonedx":
+			case types.FormatCycloneDX:
 				compareCycloneDX(t, tt.golden, outputFile)
-			case "spdx-json":
+			case types.FormatSPDXJSON:
 				compareSpdxJson(t, tt.golden, outputFile)
-			case "json":
+			case types.FormatJSON:
 				compareReports(t, tt.golden, outputFile, tt.override)
 			default:
 				require.Fail(t, "invalid format", "format: %s", format)

diff --git a/integration/sbom_test.go b/integration/sbom_test.go
@@ -56,7 +56,7 @@ func TestSBOM(t *testing.T) {
 				format:       "json",
 				artifactType: "cyclonedx",
 			},
-			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
+			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
 		},
 		{
 			name: "centos7 in in-toto attestation",