Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / dec97b146231ab8128c35ccd43238d9ea377608a / . / tools / sbom / sbom_writers_test.py
blob: 4db2bb76018cec89b6b6a95d32fbd447b1920c2c [file] [log] [blame]
Wei Lidec97b12023-04-07 16:45:17 -0700[diff] [blame^]1#!/usr/bin/env python3
2#
3# Copyright (C) 2023 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17import io
18import pathlib
19import unittest
20import sbom_data
21import sbom_writers
22
23BUILD_FINGER_PRINT = 'build_finger_print'
24SUPPLIER_GOOGLE = 'Organization: Google'
25SUPPLIER_UPSTREAM = 'Organization: upstream'
26
27SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
28SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
29SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'
30
31SPDXID_FILE1 = 'SPDXRef-file1'
32SPDXID_FILE2 = 'SPDXRef-file2'
33SPDXID_FILE3 = 'SPDXRef-file3'
34
35
36class SBOMWritersTest(unittest.TestCase):
37
38 def setUp(self):
39 # SBOM of a product
40 self.sbom_doc = sbom_data.Document(name='test doc',
41 namespace='http://www.google.com/sbom/spdx/android',
42 creators=[SUPPLIER_GOOGLE],
43 created='2023-03-31T22:17:58Z',
44 describes=sbom_data.SPDXID_PRODUCT)
45 self.sbom_doc.add_external_ref(
46 sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
47 uri='external_doc_uri',
48 checksum='SHA1: 1234567890'))
49 self.sbom_doc.add_package(
50 sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
51 name=sbom_data.PACKAGE_NAME_PRODUCT,
52 supplier=SUPPLIER_GOOGLE,
53 version=BUILD_FINGER_PRINT,
54 files_analyzed=True,
55 verification_code='123456',
56 file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3]))
57
58 self.sbom_doc.add_package(
59 sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
60 name=sbom_data.PACKAGE_NAME_PLATFORM,
61 supplier=SUPPLIER_GOOGLE,
62 version=BUILD_FINGER_PRINT,
63 ))
64
65 self.sbom_doc.add_package(
66 sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
67 name='Prebuilt package1',
68 supplier=SUPPLIER_GOOGLE,
69 version=BUILD_FINGER_PRINT,
70 ))
71
72 self.sbom_doc.add_package(
73 sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
74 name='Source package1',
75 supplier=SUPPLIER_GOOGLE,
76 version=BUILD_FINGER_PRINT,
77 external_refs=[sbom_data.PackageExternalRef(
78 category=sbom_data.PackageExternalRefCategory.SECURITY,
79 type=sbom_data.PackageExternalRefType.cpe22Type,
80 locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
81 ))
82
83 self.sbom_doc.add_package(
84 sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
85 name='Upstream package1',
86 supplier=SUPPLIER_UPSTREAM,
87 version='1.1',
88 ))
89
90 self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
91 relationship=sbom_data.RelationshipType.VARIANT_OF,
92 id2=SPDXID_UPSTREAM_PACKAGE1))
93
94 self.sbom_doc.files.append(
95 sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111'))
96 self.sbom_doc.files.append(
97 sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222'))
98 self.sbom_doc.files.append(
99 sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333'))
100
101 self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
102 relationship=sbom_data.RelationshipType.GENERATED_FROM,
103 id2=sbom_data.SPDXID_PLATFORM))
104 self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
105 relationship=sbom_data.RelationshipType.GENERATED_FROM,
106 id2=SPDXID_PREBUILT_PACKAGE1))
107 self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
108 relationship=sbom_data.RelationshipType.GENERATED_FROM,
109 id2=SPDXID_SOURCE_PACKAGE1
110 ))
111
112 # SBOM fragment of a APK
113 self.unbundled_sbom_doc = sbom_data.Document(name='test doc',
114 namespace='http://www.google.com/sbom/spdx/android',
115 creators=[SUPPLIER_GOOGLE],
116 created='2023-03-31T22:17:58Z',
117 describes=SPDXID_FILE1)
118
119 self.unbundled_sbom_doc.files.append(
120 sbom_data.File(id=SPDXID_FILE1, name='/bin/file1.apk', checksum='SHA1: 11111'))
121 self.unbundled_sbom_doc.add_package(
122 sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
123 name='Unbundled apk package',
124 supplier=SUPPLIER_GOOGLE,
125 version=BUILD_FINGER_PRINT))
126 self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
127 relationship=sbom_data.RelationshipType.GENERATED_FROM,
128 id2=SPDXID_SOURCE_PACKAGE1))
129
130 def test_tagvalue_writer(self):
131 with io.StringIO() as output:
132 sbom_writers.TagValueWriter.write(self.sbom_doc, output)
133 expected_output = pathlib.Path('testdata/expected_tagvalue_sbom.spdx').read_text()
134 self.maxDiff = None
135 self.assertEqual(expected_output, output.getvalue())
136
137 def test_tagvalue_writer_unbundled(self):
138 with io.StringIO() as output:
139 sbom_writers.TagValueWriter.write(self.unbundled_sbom_doc, output, fragment=True)
140 expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_unbundled.spdx').read_text()
141 self.maxDiff = None
142 self.assertEqual(expected_output, output.getvalue())
143
144 def test_json_writer(self):
145 with io.StringIO() as output:
146 sbom_writers.JSONWriter.write(self.sbom_doc, output)
147 expected_output = pathlib.Path('testdata/expected_json_sbom.spdx.json').read_text()
148 self.maxDiff = None
149 self.assertEqual(expected_output, output.getvalue())
150
151
152if __name__ == '__main__':
153 unittest.main(verbosity=2)