paketo-buildpacks · sophiewigmore · May 9, 2023 · May 8, 2023 · May 9, 2023
@@ -9,7 +9,7 @@ require (
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
 	github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
-	github.com/anchore/syft v0.79.0
+	github.com/anchore/syft v0.80.0
 	github.com/apex/log v1.9.0
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
 	github.com/gabriel-vasile/mimetype v1.4.2

@@ -37,14 +37,7 @@ func FromSnapshot() ImageOption {
 	}
 }
 
-type Type int
-
-const (
-	TypePlain Type = iota
-	TypeJson
-)
-
-func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, sbom sbom.SBOM, testImage string, updateSnapshot bool, contentType Type, redactors ...redactor) {
+func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, sbom sbom.SBOM, testImage string, updateSnapshot bool, json bool, redactors ...redactor) {
 	var buffer bytes.Buffer
 
 	// grab the latest image contents and persist
@@ -61,16 +54,10 @@ func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, s
 		testutils.UpdateGoldenFileContents(t, actual)
 	}
 
-	var expected = testutils.GetGoldenFileContents(t)
-
-	// remove dynamic values, which should be tested independently
-	redactors = append(redactors, carriageRedactor)
-	for _, r := range redactors {
-		actual = r(actual)
-		expected = r(expected)
-	}
+	actual = redact(actual, redactors...)
+	expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
-	if contentType == TypeJson {
+	if json {
 		require.JSONEq(t, string(expected), string(actual))
 	} else if !bytes.Equal(expected, actual) {
 		// assert that the golden file snapshot matches the actual contents
@@ -80,7 +67,7 @@ func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, s
 	}
 }
 
-func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom sbom.SBOM, updateSnapshot bool, contentType Type, redactors ...redactor) {
+func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom sbom.SBOM, updateSnapshot bool, json bool, redactors ...redactor) {
 	var buffer bytes.Buffer
 
 	err := format.Encode(&buffer, sbom)
@@ -92,16 +79,10 @@ func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom s
 		testutils.UpdateGoldenFileContents(t, actual)
 	}
 
-	var expected = testutils.GetGoldenFileContents(t)
-
-	// remove dynamic values, which should be tested independently
-	redactors = append(redactors, carriageRedactor)
-	for _, r := range redactors {
-		actual = r(actual)
-		expected = r(expected)
-	}
+	actual = redact(actual, redactors...)
+	expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
-	if contentType == TypeJson {
+	if json {
 		require.JSONEq(t, string(expected), string(actual))
 	} else if !bytes.Equal(expected, actual) {
 		dmp := diffmatchpatch.New()
@@ -114,7 +95,7 @@ func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom s
 
 func ImageInput(t testing.TB, testImage string, options ...ImageOption) sbom.SBOM {
 	t.Helper()
-	catalog := pkg.NewCatalog()
+	catalog := pkg.NewCollection()
 	var cfg imageCfg
 	var img *image.Image
 	for _, opt := range options {
@@ -138,7 +119,7 @@ func ImageInput(t testing.TB, testImage string, options ...ImageOption) sbom.SBO
 
 	return sbom.SBOM{
 		Artifacts: sbom.Artifacts{
-			PackageCatalog: catalog,
+			Packages: catalog,
 			LinuxDistribution: &linux.Release{
 				PrettyName: "debian",
 				Name:       "debian",
@@ -166,7 +147,7 @@ func carriageRedactor(s []byte) []byte {
 	return []byte(msg)
 }
 
-func populateImageCatalog(catalog *pkg.Catalog, img *image.Image) {
+func populateImageCatalog(catalog *pkg.Collection, img *image.Image) {
 	_, ref1, _ := img.SquashedTree().File("/somefile-1.txt", filetree.FollowBasenameLinks)
 	_, ref2, _ := img.SquashedTree().File("/somefile-2.txt", filetree.FollowBasenameLinks)
 
@@ -219,7 +200,7 @@ func DirectoryInput(t testing.TB) sbom.SBOM {
 
 	return sbom.SBOM{
 		Artifacts: sbom.Artifacts{
-			PackageCatalog: catalog,
+			Packages: catalog,
 			LinuxDistribution: &linux.Release{
 				PrettyName: "debian",
 				Name:       "debian",
@@ -242,8 +223,39 @@ func DirectoryInput(t testing.TB) sbom.SBOM {
 	}
 }
 
-func newDirectoryCatalog() *pkg.Catalog {
-	catalog := pkg.NewCatalog()
+func DirectoryInputWithAuthorField(t testing.TB) sbom.SBOM {
+	catalog := newDirectoryCatalogWithAuthorField()
+
+	src, err := source.NewFromDirectory("/some/path")
+	assert.NoError(t, err)
+
+	return sbom.SBOM{
+		Artifacts: sbom.Artifacts{
+			Packages: catalog,
+			LinuxDistribution: &linux.Release{
+				PrettyName: "debian",
+				Name:       "debian",
+				ID:         "debian",
+				IDLike:     []string{"like!"},
+				Version:    "1.2.3",
+				VersionID:  "1.2.3",
+			},
+		},
+		Source: src.Metadata,
+		Descriptor: sbom.Descriptor{
+			Name:    "syft",
+			Version: "v0.42.0-bogus",
+			// the application configuration should be persisted here, however, we do not want to import
+			// the application configuration in this package (it's reserved only for ingestion by the cmd package)
+			Configuration: map[string]string{
+				"config-key": "config-value",
+			},
+		},
+	}
+}
+
+func newDirectoryCatalog() *pkg.Collection {
+	catalog := pkg.NewCollection()
 
 	// populate catalog with test data
 	catalog.Add(pkg.Package{
@@ -293,9 +305,61 @@ func newDirectoryCatalog() *pkg.Catalog {
 	return catalog
 }
 
+func newDirectoryCatalogWithAuthorField() *pkg.Collection {
+	catalog := pkg.NewCollection()
+
+	// populate catalog with test data
+	catalog.Add(pkg.Package{
+		Name:    "package-1",
+		Version: "1.0.1",
+		Type:    pkg.PythonPkg,
+		FoundBy: "the-cataloger-1",
+		Locations: source.NewLocationSet(
+			source.NewLocation("/some/path/pkg1"),
+		),
+		Language:     pkg.Python,
+		MetadataType: pkg.PythonPackageMetadataType,
+		Licenses:     []string{"MIT"},
+		Metadata: pkg.PythonPackageMetadata{
+			Name:    "package-1",
+			Version: "1.0.1",
+			Author:  "test-author",
+			Files: []pkg.PythonFileRecord{
+				{
+					Path: "/some/path/pkg1/dependencies/foo",
+				},
+			},
+		},
+		PURL: "a-purl-2", // intentionally a bad pURL for test fixtures
+		CPEs: []cpe.CPE{
+			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"),
+		},
+	})
+	catalog.Add(pkg.Package{
+		Name:    "package-2",
+		Version: "2.0.1",
+		Type:    pkg.DebPkg,
+		FoundBy: "the-cataloger-2",
+		Locations: source.NewLocationSet(
+			source.NewLocation("/some/path/pkg1"),
+		),
+		MetadataType: pkg.DpkgMetadataType,
+		Metadata: pkg.DpkgMetadata{
+			Package: "package-2",
+			Version: "2.0.1",
+		},
+		PURL: "pkg:deb/debian/package-2@2.0.1",
+		CPEs: []cpe.CPE{
+			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*"),
+		},
+	})
+
+	return catalog
+}
+
 //nolint:gosec
 func AddSampleFileRelationships(s *sbom.SBOM) {
-	catalog := s.Artifacts.PackageCatalog.Sorted()
+	catalog := s.Artifacts.Packages.Sorted()
 	s.Artifacts.FileMetadata = map[source.Coordinates]source.FileMetadata{}
 
 	files := []string{"/f1", "/f2", "/d1/f3", "/d2/f4", "/z1/f5", "/a1/f6"}
@@ -314,3 +378,12 @@ func AddSampleFileRelationships(s *sbom.SBOM) {
 		})
 	}
 }
+
+// remove dynamic values, which should be tested independently
+func redact(b []byte, redactors ...redactor) []byte {
+	redactors = append(redactors, carriageRedactor)
+	for _, r := range redactors {
+		b = r(b)
+	}
+	return b
+}
@@ -31,7 +31,7 @@ func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
 	cdxBOM.SerialNumber = uuid.New().URN()
 	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source)
 
-	packages := s.Artifacts.PackageCatalog.Sorted()
+	packages := s.Artifacts.Packages.Sorted()
 	components := make([]cyclonedx.Component, len(packages))
 	for i, p := range packages {
 		components[i] = encodeComponent(p)

@@ -15,7 +15,7 @@ func TestCycloneDxDirectoryEncoder(t *testing.T) {
 		Format(),
 		testutils.DirectoryInput(t),
 		*updateCycloneDx,
-		testutils.TypeJson,
+		true,
 		cycloneDxRedactor,
 	)
 }
@@ -27,20 +27,24 @@ func TestCycloneDxImageEncoder(t *testing.T) {
 		testutils.ImageInput(t, testImage),
 		testImage,
 		*updateCycloneDx,
-		testutils.TypeJson,
+		true,
 		cycloneDxRedactor,
 	)
 }
 
 func cycloneDxRedactor(s []byte) []byte {
-	serialPattern := regexp.MustCompile(`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
-	rfc3339Pattern := regexp.MustCompile(`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([\+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`)
-	sha256Pattern := regexp.MustCompile(`sha256:[A-Fa-f0-9]{64}`)
-	for _, pattern := range []*regexp.Regexp{serialPattern, rfc3339Pattern, sha256Pattern} {
-		s = pattern.ReplaceAll(s, []byte("redacted"))
+	replacements := map[string]string{
+		// UUIDs
+		`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`: `urn:uuid:redacted`,
+		// timestamps
+		`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`: `timestamp:redacted`,
+		// image hashes
+		`sha256:[A-Fa-f0-9]{64}`: `sha256:redacted`,
+		// bom-refs
+		`"bom-ref":\s*"[^"]+"`: `"bom-ref": "redacted"`,
+	}
+	for pattern, replacement := range replacements {
+		s = regexp.MustCompile(pattern).ReplaceAll(s, []byte(replacement))
 	}
-	// the bom-ref will be autogenerated every time, the value here should not be directly tested in snapshot tests
-	s = regexp.MustCompile(`      "bom-ref": .*\n`).ReplaceAll(s, []byte(""))
-
 	return s
 }
@@ -15,7 +15,7 @@ func TestSPDXJSONDirectoryEncoder(t *testing.T) {
 		Format(),
 		testutils.DirectoryInput(t),
 		*updateSpdxJson,
-		testutils.TypeJson,
+		true,
 		spdxJsonRedactor,
 	)
 }
@@ -27,7 +27,7 @@ func TestSPDXJSONImageEncoder(t *testing.T) {
 		testutils.ImageInput(t, testImage, testutils.FromSnapshot()),
 		testImage,
 		*updateSpdxJson,
-		testutils.TypeJson,
+		true,
 		spdxJsonRedactor,
 	)
 }
@@ -41,7 +41,7 @@ func TestSPDXRelationshipOrder(t *testing.T) {
 		s,
 		testImage,
 		*updateSpdxJson,
-		testutils.TypeJson,
+		true,
 		spdxJsonRedactor,
 	)
 }

@@ -34,7 +34,7 @@ func ToSyftModel(doc *spdx.Document) (*sbom.SBOM, error) {
 	s := &sbom.SBOM{
 		Source: src,
 		Artifacts: sbom.Artifacts{
-			PackageCatalog:    pkg.NewCatalog(),
+			Packages:          pkg.NewCollection(),
 			FileMetadata:      map[source.Coordinates]source.FileMetadata{},
 			FileDigests:       map[source.Coordinates][]file.Digest{},
 			LinuxDistribution: findLinuxReleaseByPURL(doc),
@@ -112,7 +112,7 @@ func collectSyftPackages(s *sbom.SBOM, spdxIDMap map[string]interface{}, doc *sp
 	for _, p := range doc.Packages {
 		syftPkg := toSyftPackage(p)
 		spdxIDMap[string(p.PackageSPDXIdentifier)] = syftPkg
-		s.Artifacts.PackageCatalog.Add(*syftPkg)
+		s.Artifacts.Packages.Add(*syftPkg)
 	}
 }
 

@@ -90,7 +90,7 @@ func TestToSyftModel(t *testing.T) {
 
 	assert.NotNil(t, sbom)
 
-	pkgs := sbom.Artifacts.PackageCatalog.Sorted()
+	pkgs := sbom.Artifacts.Packages.Sorted()
 
 	assert.Len(t, pkgs, 2)
 

@@ -123,13 +123,13 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 			// Cardinality: mandatory, one
 			Created: time.Now().UTC().Format(time.RFC3339),
 		},
-		Packages:      toPackages(s.Artifacts.PackageCatalog, s),
+		Packages:      toPackages(s.Artifacts.Packages, s),
 		Files:         toFiles(s),
 		Relationships: relationships,
 	}
 }
 
-func toPackages(catalog *pkg.Catalog, sbom sbom.SBOM) (results []*spdx.Package) {
+func toPackages(catalog *pkg.Collection, sbom sbom.SBOM) (results []*spdx.Package) {
 	for _, p := range catalog.Sorted() {
 		// name should be guaranteed to be unique, but semantically useful and stable
 		id := toSPDXID(p)

@@ -418,7 +418,7 @@ func Test_H1Digest(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			catalog := pkg.NewCatalog(test.pkg)
+			catalog := pkg.NewCollection(test.pkg)
 			pkgs := toPackages(catalog, sbom)
 			require.Len(t, pkgs, 1)
 			for _, p := range pkgs {