oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-05-20 12:15:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
syft/syft/cpe/cpe_test.go
Alex Goodman b5e85c3ea5
chore: migrate fixtures to testdata (#4651) 
* migrate fixtures to testdata

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: correct broken symlinks after testdata migration

The migration from test-fixtures to testdata broke several symlinks:
- elf-test-fixtures symlinks pointed to old test-fixtures paths
- elf-test-fixtures needed to be renamed to elf-testdata
- image-pkg-coverage symlink pointed to test-fixtures instead of testdata

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: handle missing classifiers/bin directory in Makefile

The clean-fingerprint target was failing when classifiers/bin doesn't
exist (e.g., on fresh clone without downloaded binaries).

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add gitignore negation for jar/zip fixtures in test/cli

The jar and zip files in test/cli/testdata/image-unknowns were being
gitignored by the root .gitignore patterns. This caused them to be
untracked and not included when building docker images in CI, resulting
in Test_Unknowns failures since the test expects errors from corrupt
archive files that weren't present.

Add a .gitignore in test/cli/testdata to negate the exclusions for
these specific test fixture files.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* switch fixture cache to v2

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* test: update expected versions for rebuilt fixtures

Update test expectations for packages that have been updated in
upstream repositories when docker images are rebuilt:
- glibc: 2.42-r4 → 2.43-r1 (wolfi)
- php: 8.2.29 → 8.2.30 (ubuntu/apache)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade go

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add go-shlex dependency for testdata manager tool

The manager tool in syft/pkg/cataloger/binary/testdata/ imports
go-shlex, but since it's in a testdata directory, Go doesn't track
its dependencies. This caused CI failures when go.mod didn't
explicitly list the dependency.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* refactor: move binary classifier manager to internal/

Move the manager tool from testdata/manager to internal/manager so
that Go properly tracks its dependencies. Code in testdata directories
is ignored by Go for dependency tracking, which caused CI failures
when go.mod didn't explicitly list transitive dependencies.

This is a cleaner solution than manually adding dependencies to go.mod
for code that happens to live in testdata.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add gitignore negations for test fixtures blocked by root patterns

Multiple test fixtures were being blocked by root-level gitignore patterns
like bin/, *.jar, *.tar, and *.exe. This adds targeted .gitignore files with
negation patterns to allow these specific test fixtures to be tracked:

- syft/linux/testdata/os/busybox/bin/busybox (blocked by bin/)
- syft/pkg/cataloger/java/testdata/corrupt/example.{jar,tar} (blocked by *.jar, *.tar)
- syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/**/bin/go (blocked by bin/)
- syft/pkg/cataloger/bitnami/testdata/no-rel/.../bin/redis-server (blocked by bin/)

Also updates the bitnami test expectation to include the newly required
.gitignore files in the test fixture.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* test: update glibc version expectation (2.43-r1 -> 2.43-r2)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add capability drift check as unit step

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* dont clear test observations before drift detection

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump stereoscope commit to main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-03-06 19:42:04 +00:00

237 lines
6.1 KiB
Go
Raw Blame History

package cpe
import (
"encoding/json"
"fmt"
"os"
"strings"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_NewAttributes(t *testing.T) {
tests := []struct {
name string
input string
expected Attributes
wantErr require.ErrorAssertionFunc
}{
{
name: "gocase",
input: `cpe:/a:10web:form_maker:1.0.0::~~~wordpress~~`,
expected: MustAttributes(`cpe:2.3:a:10web:form_maker:1.0.0:*:*:*:*:wordpress:*:*`),
},
{
name: "dashes",
input: `cpe:/a:7-zip:7-zip:4.56:beta:~~~windows~~`,
expected: MustAttributes(`cpe:2.3:a:7-zip:7-zip:4.56:beta:*:*:*:windows:*:*`),
},
{
name: "URL escape characters",
input: `cpe:/a:%240.99_kindle_books_project:%240.99_kindle_books:6::~~~android~~`,
expected: MustAttributes(`cpe:2.3:a:\$0.99_kindle_books_project:\$0.99_kindle_books:6:*:*:*:*:android:*:*`),
},
{
name: "null byte in version for some reason",
input: "cpe:2.3:a:oracle:openjdk:11.0.22+7\u0000-J-ms8m:*:*:*:*:*:*:*",
wantErr: require.Error,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
actual, err := NewAttributes(test.input)
if test.wantErr != nil {
test.wantErr(t, err)
return
}
require.NoError(t, err)
if d := cmp.Diff(actual, test.expected); d != "" {
t.Errorf("Attributes mismatch (-want +got):\n%s", d)
}
})
}
}
func Test_normalizeCpeField(t *testing.T) {
tests := []struct {
field string
expected string
}{
{
field: "something",
expected: "something",
},
{
field: "some\\thing",
expected: `some\thing`,
},
{
field: "*",
expected: "",
},
{
field: "",
expected: "",
},
}
for _, test := range tests {
t.Run(test.field, func(t *testing.T) {
assert.Equal(t, test.expected, normalizeField(test.field))
})
}
}
func Test_CPEParser(t *testing.T) {
var testCases []struct {
CPEString string `json:"cpe-string"`
CPEUrl string `json:"cpe-url"`
WFN Attributes `json:"wfn"`
}
out, err := os.ReadFile("testdata/cpe-data.json")
require.NoError(t, err)
require.NoError(t, json.Unmarshal(out, &testCases))
for _, test := range testCases {
t.Run(test.CPEString, func(t *testing.T) {
c1, err := NewAttributes(test.CPEString)
assert.NoError(t, err)
c2, err := NewAttributes(test.CPEUrl)
assert.NoError(t, err)
assert.Equal(t, c1, c2)
assert.Equal(t, c1, test.WFN)
assert.Equal(t, c2, test.WFN)
assert.Equal(t, test.WFN.String(), test.CPEString)
})
}
}
func Test_InvalidCPE(t *testing.T) {
type testcase struct {
name string
in string
expected string
expectedErr bool
}
tests := []testcase{
{
// 5.3.2: The underscore (x5f) MAY be used, and it SHOULD be used in place of whitespace characters (which SHALL NOT be used)
name: "translates spaces",
in: "cpe:2.3:a:some-vendor:name:1 2:*:*:*:*:*:*:*",
expected: "cpe:2.3:a:some-vendor:name:1_2:*:*:*:*:*:*:*",
},
{
// it isn't easily possible in the string formatted string to detect improper escaping of : (it will fail parsing)
name: "unescaped ':' cannot be helped -- too many fields",
in: "cpe:2.3:a:some-vendor:name:::*:*:*:*:*:*:*",
expectedErr: true,
},
{
name: "too few fields",
in: "cpe:2.3:a:some-vendor:name:*:*:*:*:*:*:*",
expected: "cpe:2.3:a:some-vendor:name:*:*:*:*:*:*:*:*",
},
// Note: though the CPE spec does not allow for ? and * as escaped character input, these seem to be allowed in
// the NVD CPE validator for this reason these edge cases were removed
}
// the wfn library does not account for escapes of . and -
exceptions := ".-"
// it isn't easily possible in the string formatted string to detect improper escaping of : (it will fail parsing)
skip := ":"
// make escape exceptions for section 5.3.2 of the CPE spec (2.3)
for _, char := range allowedCPEPunctuation {
if strings.Contains(skip, string(char)) {
continue
}
in := fmt.Sprintf("cpe:2.3:a:some-vendor:name:*:%s:*:*:*:*:*:*", string(char))
exp := fmt.Sprintf(`cpe:2.3:a:some-vendor:name:*:\%s:*:*:*:*:*:*`, string(char))
if strings.Contains(exceptions, string(char)) {
exp = in
}
tests = append(tests, testcase{
name: fmt.Sprintf("allowes future escape of character (%s)", string(char)),
in: in,
expected: exp,
expectedErr: false,
})
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
c, err := NewAttributes(test.in)
if test.expectedErr {
assert.Error(t, err)
if t.Failed() {
t.Logf("got Attributes: %q details: %+v", c, c)
}
return
}
require.NoError(t, err)
assert.Equal(t, test.expected, c.String())
})
}
}
func Test_RoundTrip(t *testing.T) {
tests := []struct {
name string
cpe string
parsedCPE Attributes
}{
{
name: "normal",
cpe: "cpe:2.3:a:some-vendor:name:3.2:*:*:*:*:*:*:*",
parsedCPE: Attributes{
Part: "a",
Vendor: "some-vendor",
Product: "name",
Version: "3.2",
},
},
{
name: "escaped colon",
cpe: "cpe:2.3:a:some-vendor:name:1\\:3.2:*:*:*:*:*:*:*",
parsedCPE: Attributes{
Part: "a",
Vendor: "some-vendor",
Product: "name",
Version: "1:3.2",
},
},
{
name: "escaped forward slash",
cpe: "cpe:2.3:a:test\\/some-vendor:name:3.2:*:*:*:*:*:*:*",
parsedCPE: Attributes{
Part: "a",
Vendor: "test/some-vendor",
Product: "name",
Version: "3.2",
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
// Attributes string must be preserved through a round trip
assert.Equal(t, test.cpe, MustAttributes(test.cpe).String())
// The parsed Attributes must be the same after a round trip
assert.Equal(t, MustAttributes(test.cpe), MustAttributes(MustAttributes(test.cpe).String()))
// The test case parsed Attributes must be the same after parsing the input string
assert.Equal(t, test.parsedCPE, MustAttributes(test.cpe))
// The test case parsed Attributes must produce the same string as the input cpe
assert.Equal(t, test.parsedCPE.String(), test.cpe)
})
}
}
Reference in New Issue View Git Blame Copy Permalink