tests: pulled latest test resources

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.json

@@ -0,0 +1,79 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42",
+  "version": 1,
+  "metadata": {
+    "lifecycles": [{"phase": "design"}]
+  },
+  "components": [
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-A",
+      "version": "1",
+      "description": "Multiple licenses: declared ids/names, and a concluded expression",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "id": "PostgreSQL",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "license": {
+            "name": "Apache Software License",
+            "acknowledgement": "declared"
+          }
+        },
+        {
+          "expression": "(MIT OR PostgreSQL OR Apache-2.0)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-B",
+      "version": "1",
+      "description": "Multiple license expressions: one declared, one concluded",
+      "licenses": [
+        {
+          "expression": "MIT OR (GPL-3.0 OR GPL-2.0)",
+          "acknowledgement": "declared"
+        },
+        {
+          "expression": "(GPL-3.0-only AND LGPL-2.0-only)",
+          "acknowledgement": "concluded"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "group": "com.example",
+      "name": "situation-C",
+      "version": "1",
+      "description": "Multiple license: one declared expression, one concluded id",
+      "licenses": [
+        {
+          "expression": "GPL-3.0-or-later OR GPL-2.0",
+          "acknowledgement": "declared"
+        },
+        {
+          "license": {
+            "id": "GPL-3.0-only",
+            "acknowledgement": "concluded"
+          }
+        }
+      ]
+    }
+  ]
+}

tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     serialNumber="urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42"
+>
+    <!--
+    All license posture in here is for show-case ony.
+    This is not a real law-case!
+    -->
+    <metadata>
+        <lifecycles><lifecycle><phase>design</phase></lifecycle></lifecycles>
+    </metadata>
+    <components>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-A</name>
+            <version>1</version>
+            <description>Multiple licenses: declared ids/names, and a concluded expression</description>
+            <licenses>
+                <license acknowledgement="declared"><id>MIT</id></license>
+                <license acknowledgement="declared"><id>PostgreSQL</id></license>
+                <license acknowledgement="declared"><name>Apache Software License</name></license>
+                <expression acknowledgement="concluded">(MIT OR PostgreSQL OR Apache-2.0)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-B</name>
+            <version>1</version>
+            <description>Multiple license expressions: one declared, one concluded</description>
+            <licenses>
+                <expression acknowledgement="declared">MIT OR (GPL-3.0 OR GPL-2.0)</expression>
+                <expression acknowledgement="concluded">(GPL-3.0-only AND LGPL-2.0-only)</expression>
+            </licenses>
+        </component>
+        <component type="library">
+            <group>com.example</group>
+            <name>situation-C</name>
+            <version>1</version>
+            <description>Multiple license: one declared expression, one concluded id</description>
+            <licenses>
+                <expression acknowledgement="declared">GPL-3.0-or-later OR GPL-2.0</expression>
+                <license acknowledgement="concluded"><id>GPL-3.0-only</id></license>
+            </licenses>
+        </component>
+    </components>
+</bom>

tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.json

@@ -65,7 +65,16 @@
                 "0xC0"
               ]
             }
-          ]
+          ],
+          "ikev2TransformTypes": {
+            "encr": ["bom-ref-to-encr"],
+            "prf": ["bom-ref-to-prf"],
+            "integ": ["bom-ref-to-integ"],
+            "ke": ["bom-ref-to-ke"],
+            "esn": true,
+            "auth": ["bom-ref-to-auth"]
+          },
+          "cryptoRefArray": ["asset-4"]
         },
         "oid": "oid:1.2.3.4.5.6.7.8.9"
       }

tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.xml

@@ -40,6 +40,30 @@
                     <certificateFormat>X.509</certificateFormat>
                     <certificateExtension>crt</certificateExtension>
                 </certificateProperties>
+                <protocolProperties>
+                    <type>tls</type>
+                    <version>1.3</version>
+                    <cipherSuites>
+                        <cipherSuite>
+                            <name>TLS_DHE_RSA_WITH_AES_128_CCM</name>
+                            <algorithms>
+                                <algorithm>bom-ref-to-algorithm</algorithm>
+                            </algorithms>
+                            <identifiers>
+                                <identifier>0xC0</identifier>
+                            </identifiers>
+                        </cipherSuite>
+                    </cipherSuites>
+                    <ikev2TransformTypes>
+                        <encr>bom-ref-to-encr</encr>
+                        <prf>bom-ref-to-prf</prf>
+                        <integ>bom-ref-to-integ</integ>
+                        <ke>bom-ref-to-ke</ke>
+                        <esn>true</esn>
+                        <auth>bom-ref-to-auth</auth>
+                    </ikev2TransformTypes>
+                    <cryptoRef>asset-4</cryptoRef>
+                </protocolProperties>
                 <oid>oid:1.2.3.4.5.6.7.8.9</oid>
             </cryptoProperties>
         </component>

tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-explicit.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library" isExternal="false">
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` explicit</description>
+        </component>
+    </components>
+</bom>

tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-implicit.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1"
+>
+    <!--
+    this would be formal, if the support for XSD1.1's `assert` was properly implemented
+    in validators and tools digesting XML.
+    -->
+    <components>
+        <component type="library">
+            <!-- @isExternal defaults to `false` -->
+            <name>InvalidVersions</name>
+            <versionRange><![CDATA[vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1]]></versionRange>
+            <description>versionRange may only exist on extraneous components, set `isExternal` implicit by default value</description>
+        </component>
+    </components>
+</bom>

tests/_data/schemaTestData/1.7/invalid-bomformat-1.7.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "AnotherFormat",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+  ]
+}

tests/_data/schemaTestData/1.7/invalid-citations-1.7.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-05-01T14:23:00Z"
+  },
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "component-1",
+      "name": "example-lib",
+      "version": "1.2.3",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    }
+  ],
+  "citations": [
+    {
+      "bom-ref": "citation-1",
+      "pointers": ["/components/0/name"],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'"
+    },
+    {
+      "bom-ref": "citation-1",
+      "pointers": ["/components/0/name"],
+      "expressions": ["$..[?(@.bom-ref=='component-1')].version"],
+      "timestamp": "2025-05-01T14:00:00Z",
+      "note": "Should not have both a pointer and expression."
+    }
+  ]
+}

tests/_data/schemaTestData/1.7/invalid-citations-1.7.xml

@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.7"
+     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+     version="1"
+>
+    <metadata>
+        <timestamp>2025-05-01T14:23:00Z</timestamp>
+        <authors>
+            <author bom-ref="person-1">
+                <name>Alice Example</name>
+                <email>[email protected]</email>
+            </author>
+        </authors>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="component-1">
+            <name>example-lib</name>
+            <version>1.2.3</version>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                </license>
+            </licenses>
+        </component>
+    </components>
+    <formulation>
+        <formula bom-ref="formula-1">
+            <components>
+                <component type="application" bom-ref="scan-tool-1">
+                    <name>My Scan Tool</name>
+                </component>
+            </components>
+            <workflows>
+                <workflow bom-ref="workflow-1">
+                    <uid>259bae74-5ec4-4de8-9386-c91b1f7719b8</uid>
+                    <name>My workflow</name>
+                    <tasks>
+                        <task bom-ref="task-license-scan">
+                            <uid>6d75f8d6-a008-41cf-8b65-c4129fc249f9</uid>
+                            <description>License scan of the source files using OpenSourceScanner v2.1</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                        <task bom-ref="task-license-scan-2">
+                            <uid>dfc0268a-89cb-4823-bb88-84115a06b64d</uid>
+                            <description>License scan of the source files using [REDACTED]</description>
+                            <taskTypes>
+                                <taskType>scan</taskType>
+                            </taskTypes>
+                        </task>
+                    </tasks>
+                    <taskTypes>
+                        <taskType>scan</taskType>
+                    </taskTypes>
+                </workflow>
+            </workflows>
+        </formula>
+    </formulation>
+    <citations>
+        <!-- spec-requirement that is not formalized in the XSD:
+        <citation bom-ref="citation-1">
+            <pointers>
+                <pointer>/components/0/name</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:00:00Z</timestamp>
+            <note>Should have at least one of the following children 'attributedTo' or 'process'</note>
+        </citation>
+        -->
+        <citation bom-ref="citation-2">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <attributedTo>person-1</attributedTo>
+            <attributedTo>scan-tool-1</attributedTo>
+            <note>Should have at max one 'attributedTo'</note>
+        </citation>
+        <citation bom-ref="citation-3">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <process>task-license-scan-2</process>
+            <note>Should have at max one 'process'</note>
+        </citation>
+        <citation bom-ref="citation-4">
+            <pointers>
+                <pointer>/components/0/licenses/0/license/id</pointer>
+            </pointers>
+            <expressions>
+                <expression>//*[@bom-ref='component-1']/version</expression>
+            </expressions>
+            <timestamp>2025-05-01T14:05:00Z</timestamp>
+            <process>task-license-scan</process>
+            <note>Should not have both a pointer and expression.</note>
+        </citation>
+    </citations>
+</bom>

tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "name": "InvalidVersions",
+      "description": "may have `version` or `versionRange`, not both. This one does - it is invalid",
+      "version": "9.0.14",
+      "versionRange": "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1",
+      "isExternal": true
+    }
+  ]
+}