merge_cachi2_sboms: test merging Syft SBOMs

Test that merging the 4 Syft SBOMs from the test data returns the expected SBOM. Test that the merged SBOM is similar to (but better than) the result of merging the same input SBOMs using Syft itself. Signed-off-by: Adam Cmiel <[email protected]>
konflux-ci · Dec 19, 2024 · 7077ab9 · 7077ab9
1 parent 7786686
commit 7077ab9
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
@@ -31,6 +31,14 @@
     },
 }
 
+# relative to data_dir
+INDIVIDUAL_SYFT_SBOMS = [
+    "syft-sboms/gomod-pandemonium.bom.json",
+    "syft-sboms/npm-cachi2-smoketest.bom.json",
+    "syft-sboms/pip-e2e-test.bom.json",
+    "syft-sboms/ubi-micro.bom.json",
+]
+
 
 @pytest.fixture
 def data_dir() -> Path:
@@ -65,6 +73,37 @@ def run_main(args: list[str], monkeypatch: pytest.MonkeyPatch, capsys: pytest.Ca
     return capsys.readouterr()
 
 
+def test_merge_n_syft_sboms(
+    data_dir: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture,
+) -> None:
+    monkeypatch.chdir(data_dir)
+
+    args = [f"syft:{sbom_path}" for sbom_path in INDIVIDUAL_SYFT_SBOMS]
+    result, _ = run_main(args, monkeypatch, capsys)
+
+    with open("syft.merged-by-us.bom.json") as f:
+        merged_by_us = json.load(f)
+
+    assert json.loads(result) == merged_by_us
+
+    with open("syft.merged-by-syft.bom.json") as f:
+        merged_by_syft = json.load(f)
+
+    compared_to_syft = diff_counts(count_components(merged_by_us), count_components(merged_by_syft))
+    assert compared_to_syft == {
+        # All of these golang purls appear twice in the SBOM merged by syft
+        # (they already appear twice in the individual gomod SBOM).
+        # They only appear once in the SBOM merged by us, which seems better.
+        "pkg:golang/github.com/Azure/[email protected]": -1,
+        "pkg:golang/github.com/moby/[email protected]": -1,
+        "pkg:golang/golang.org/x/[email protected]": -1,
+        # The [email protected] component doesn't have a purl. Syft drops it when merging, we keep it.
+        "[email protected]": 1,
+    }
+
+
 @pytest.mark.parametrize(
     "args",
     [