package cli import ( "strings" "testing" ) func TestPackagesCmdFlags(t *testing.T) { coverageImage := "docker-archive:" + getFixtureImage(t, "image-pkg-coverage") badBinariesImage := "docker-archive:" + getFixtureImage(t, "image-bad-binaries") tests := []struct { name string args []string env map[string]string assertions []traitAssertion }{ { name: "no-args-shows-help", args: []string{"packages"}, assertions: []traitAssertion{ assertInOutput("an image/directory argument is required"), // specific error that should be shown assertInOutput("Generate a packaged-based Software Bill Of Materials"), // excerpt from help description assertFailingReturnCode, }, }, { name: "json-output-flag", args: []string{"packages", "-o", "json", coverageImage}, assertions: []traitAssertion{ assertJsonReport, assertSuccessfulReturnCode, }, }, { name: "regression-survive-bad-binaries", // this image has all sorts of rich binaries from the clang-13 test suite that should do pretty bad things // to the go cataloger binary path. We should NEVER let a panic stop the cataloging process for these // specific cases. // this is more of an integration test, however, to assert the output we want to see from the application // a CLI test is much easier. args: []string{"packages", "-vv", badBinariesImage}, assertions: []traitAssertion{ assertInOutput("could not parse possible go binary"), assertSuccessfulReturnCode, }, }, { name: "output-env-binding", env: map[string]string{ "SYFT_OUTPUT": "json", }, args: []string{"packages", coverageImage}, assertions: []traitAssertion{ assertJsonReport, assertSuccessfulReturnCode, }, }, { name: "table-output-flag", args: []string{"packages", "-o", "table", coverageImage}, assertions: []traitAssertion{ assertTableReport, assertSuccessfulReturnCode, }, }, { name: "default-output-flag", args: []string{"packages", coverageImage}, assertions: []traitAssertion{ assertTableReport, assertSuccessfulReturnCode, }, }, { name: "squashed-scope-flag", args: []string{"packages", "-o", "json", "-s", "squashed", coverageImage}, assertions: []traitAssertion{ assertPackageCount(20), assertSuccessfulReturnCode, }, }, { name: "all-layers-scope-flag", args: []string{"packages", "-o", "json", "-s", "all-layers", coverageImage}, assertions: []traitAssertion{ assertPackageCount(22), assertSuccessfulReturnCode, }, }, { name: "all-layers-scope-flag-by-env", args: []string{"packages", "-o", "json", coverageImage}, env: map[string]string{ "SYFT_PACKAGE_CATALOGER_SCOPE": "all-layers", }, assertions: []traitAssertion{ assertPackageCount(22), assertSuccessfulReturnCode, }, }, { name: "attempt-upload-on-cli-switches", args: []string{"packages", "-vv", "-H", "localhost:8080", "-u", "the-username", "-d", "test-fixtures/image-pkg-coverage/Dockerfile", "--overwrite-existing-image", coverageImage}, env: map[string]string{ "SYFT_ANCHORE_PATH": "path/to/api", "SYFT_ANCHORE_PASSWORD": "the-password", }, assertions: []traitAssertion{ // we cannot easily assert a successful upload behavior, so instead we are doing the next best thing // and asserting that the parsed configuration has the expected values and we see log entries // indicating an upload attempt. assertNotInOutput("the-username"), assertNotInOutput("the-password"), assertInOutput("uploading results to localhost:8080"), assertInOutput(`dockerfile: test-fixtures/image-pkg-coverage/Dockerfile`), assertInOutput(`overwrite-existing-image: true`), assertInOutput(`path: path/to/api`), assertInOutput(`host: localhost:8080`), assertFailingReturnCode, // upload can't go anywhere, so if this passes that would be surprising }, }, { name: "dockerfile-without-upload-is-invalid", args: []string{"packages", "-vv", "-d", "test-fixtures/image-pkg-coverage/Dockerfile", coverageImage}, assertions: []traitAssertion{ assertNotInOutput("uploading results to localhost:8080"), assertInOutput("invalid application config: cannot provide dockerfile option without enabling upload"), assertFailingReturnCode, }, }, { name: "attempt-upload-with-env-host-set", args: []string{"packages", "-vv", coverageImage}, env: map[string]string{ "SYFT_ANCHORE_HOST": "localhost:8080", }, assertions: []traitAssertion{ assertInOutput("uploading results to localhost:8080"), assertFailingReturnCode, // upload can't go anywhere, so if this passes that would be surprising }, }, { // we want to make certain that syft can catalog a single go binary and get a SBOM report that is not empty name: "catalog-single-go-binary", args: []string{"packages", "-o", "json", getSyftBinaryLocation(t)}, assertions: []traitAssertion{ assertJsonReport, assertStdoutLengthGreaterThan(1000), assertSuccessfulReturnCode, }, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { cmd, stdout, stderr := runSyft(t, test.env, test.args...) for _, traitFn := range test.assertions { traitFn(t, stdout, stderr, cmd.ProcessState.ExitCode()) } if t.Failed() { t.Log("STDOUT:\n", stdout) t.Log("STDERR:\n", stderr) t.Log("COMMAND:", strings.Join(cmd.Args, " ")) } }) } } func TestRegistryAuth(t *testing.T) { tests := []struct { name string args []string env map[string]string assertions []traitAssertion }{ { name: "fallback to keychain", args: []string{"packages", "-vv", "registry:localhost:5000/something:latest"}, assertions: []traitAssertion{ assertInOutput("source=OciRegistry"), assertInOutput("localhost:5000/something:latest"), assertInOutput("no registry credentials configured, using the default keychain"), }, }, { name: "use creds", args: []string{"packages", "-vv", "registry:localhost:5000/something:latest"}, env: map[string]string{ "SYFT_REGISTRY_AUTH_AUTHORITY": "localhost:5000", "SYFT_REGISTRY_AUTH_USERNAME": "username", "SYFT_REGISTRY_AUTH_PASSWORD": "password", }, assertions: []traitAssertion{ assertInOutput("source=OciRegistry"), assertInOutput("localhost:5000/something:latest"), assertInOutput(`using basic auth for registry "localhost:5000"`), }, }, { name: "use token", args: []string{"packages", "-vv", "registry:localhost:5000/something:latest"}, env: map[string]string{ "SYFT_REGISTRY_AUTH_AUTHORITY": "localhost:5000", "SYFT_REGISTRY_AUTH_TOKEN": "token", }, assertions: []traitAssertion{ assertInOutput("source=OciRegistry"), assertInOutput("localhost:5000/something:latest"), assertInOutput(`using token for registry "localhost:5000"`), }, }, { name: "not enough info fallsback to keychain", args: []string{"packages", "-vv", "registry:localhost:5000/something:latest"}, env: map[string]string{ "SYFT_REGISTRY_AUTH_AUTHORITY": "localhost:5000", }, assertions: []traitAssertion{ assertInOutput("source=OciRegistry"), assertInOutput("localhost:5000/something:latest"), assertInOutput(`no registry credentials configured, using the default keychain`), }, }, { name: "allows insecure http flag", args: []string{"packages", "-vv", "registry:localhost:5000/something:latest"}, env: map[string]string{ "SYFT_REGISTRY_INSECURE_USE_HTTP": "true", }, assertions: []traitAssertion{ assertInOutput("insecure-use-http: true"), }, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { cmd, stdout, stderr := runSyft(t, test.env, test.args...) for _, traitAssertionFn := range test.assertions { traitAssertionFn(t, stdout, stderr, cmd.ProcessState.ExitCode()) } if t.Failed() { t.Log("STDOUT:\n", stdout) t.Log("STDERR:\n", stderr) t.Log("COMMAND:", strings.Join(cmd.Args, " ")) } }) } }