diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
index 25e35d7f952..ae071ca3cf7 100644
--- a/internal/testing/testdata/testdata.go
+++ b/internal/testing/testdata/testdata.go
@@ -1099,7 +1099,10 @@ var (
 CdxQuarkusHasSBOM = []assembler.HasSBOMIngest{
 {
- Pkg: cdxTopQuarkusPack,
+ Artifact: &model.ArtifactInputSpec{
+ Algorithm: "sha3-512",
+ Digest: "85240ed8faa3cc4493db96d0223094842e7153890b091ff364040ad3ad89363157fc9d1bd852262124aec83134f0c19aa4fd0fa482031d38a76d74dfd36b7964",
+ },
 HasSBOM: &model.HasSBOMInputSpec{
 Uri: "urn:uuid:0697952e-9848-4785-95bf-f81ff9731682",
 Algorithm: "sha256",
diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go
index 1ad93d88a09..3b06b80780c 100644
--- a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go
+++ b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx_test.go
@@ -52,7 +52,7 @@ func Test_cyclonedxParser(t *testing.T) {
 wantPredicates: &testdata.CdxIngestionPredicates,
 wantErr: false,
 }, {
- name: "valid small CycloneDX document with package dependencies",
+ name: "valid small CycloneDX document with package dependencies and a hash",
 doc: &processor.Document{
 Blob: testdata.CycloneDXExampleSmallDeps,
 Format: processor.FormatJSON,
diff --git a/pkg/ingestor/parser/spdx/parse_spdx_test.go b/pkg/ingestor/parser/spdx/parse_spdx_test.go
index 5c125387305..260f326760e 100644
--- a/pkg/ingestor/parser/spdx/parse_spdx_test.go
+++ b/pkg/ingestor/parser/spdx/parse_spdx_test.go
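Review bot: The new `Artifact` subject replaces `Pkg: cdxTopQuarkusPack` without a comment saying which component of the Quarkus fixture the sha3-512 digest was taken from, so a reader cannot tell whether the literal is the SBOM document's own hash or the described component's checksum without re-deriving it. A one-line comment above `Artifact:` naming the source (for example `// sha3-512 digest of the subject component as declared in the CycloneDX fixture`, adjusted to whatever is actually true) would make a future fixture refresh safe. If `cdxTopQuarkusPack` is no longer referenced elsewhere in the file it now lingers as an unused package-level var, which neither the compiler nor go vet reports. The `CdxQuarkusHasSBOM` literal and the enclosing `var (` block continue outside the hunk.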
@@ -1096,6 +1096,79 @@ func Test_spdxParser(t *testing.T) {
 },
 wantErr: false,
 },
+ {
+ name: "SPDX v2.3 with a checksum for the SBOM subject",
+ additionalOpts: []cmp.Option{
+ cmpopts.IgnoreFields(generated.HasSBOMInputSpec{},
+ "KnownSince"),
+ }, doc: &processor.Document{
+ Blob: []byte(`
+ {
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "creationInfo": {
+ "created": "2024-04-30T01:12:27Z"
+ },
+ "name": "for-testing-with-checksum",
+ "documentNamespace": "https://example.com/for-testing-with-checksum",
+ "packages": [
+ {
+ "name": "for-testing-with-checksum",
+ "SPDXID": "SPDXRef-Package-for-testing-with-checksum",
+ "downloadLocation": "https://example.com/for-testing-with-checksum",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "22596363b3de40b06f981fb85d82312e8c0ed511"
+ }
+ ]
+ }
+ ],
+ "relationships": [
+ {
+ "spdxElementId": "SPDXRef-DOCUMENT",
+ "relationshipType": "DESCRIBES",
+ "relatedSpdxElement": "SPDXRef-Package-for-testing-with-checksum"
+ }
+ ]
+ }
+ `),
+ Format: processor.FormatJSON,
+ Type: processor.DocumentSPDX,
+ SourceInformation: processor.SourceInformation{
+ Collector: "TestCollector",
+ Source: "TestSource",
+ },
+ },
+ wantPredicates: &assembler.IngestPredicates{
+ HasSBOM: []assembler.HasSBOMIngest{
+ {
+ Artifact: &generated.ArtifactInputSpec{Algorithm: "sha1", Digest: "22596363b3de40b06f981fb85d82312e8c0ed511"},
+ HasSBOM: &generated.HasSBOMInputSpec{
+ Uri: "https://example.com/for-testing-with-checksum",
+ Algorithm: "sha256",
+ Digest: "247359f8e0b7b4ce1c512589b250081899e61fc5db513f43ed5a7beadae2245b",
+ DownloadLocation: "TestSource",
+ },
+ },
+ },
+ IsOccurrence: []assembler.IsOccurrenceIngest{
+ {
+ Pkg: &generated.PkgInputSpec{
+ Type: "guac",
+ Namespace: ptrfrom.String("pkg"),
+ Name: "for-testing-with-checksum",
+ Version: &packageOfEmptyString,
+ Subpath: &packageOfEmptyString,
+ },
+ Artifact: &generated.ArtifactInputSpec{Algorithm: "sha1", Digest: 
"22596363b3de40b06f981fb85d82312e8c0ed511"},
+ IsOccurrence: &generated.IsOccurrenceInputSpec{Justification: "spdx package with checksum"},
+ },
+ },
+ },
+ wantErr: false,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
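Review bot: The new case pins a sha256 `Digest` on the HasSBOM spec without saying what it is a hash of; if, as the surrounding cases suggest, it is the sha256 of the raw `Blob` bytes, then the leading newline and the indentation inside the backtick literal are part of the hashed input, and any re-indentation of the JSON would break the expectation with no obvious reason. A comment on that line such as `// sha256 of the Blob raw string above, whitespace included — recompute if the literal is reindented` would save the next editor a debugging round. The case also exercises only a single SHA1 checksum, so a sibling case declaring both SHA1 and SHA256 would pin which algorithm the parser selects as the HasSBOM and IsOccurrence subject, which matters because SHA1 is the weakest option SPDX allows and the expected `"sha1"` also implies a lowercasing step that is not documented anywhere in the test. Separately, `}, doc: &processor.Document{` puts `doc:` on the closing line of `additionalOpts`, unlike the sibling cases, unless that is an artifact of this page's collapsed lines. The enclosing `tests` table and `Test_spdxParser` start before the hunk.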