Refactor the SCA test module to simplify addition of new tools #1726

Signed-off-by: tdruez <[email protected]>

Author: tdruez

scanpipe/tests/test_sca_integrations.py

@@ -20,168 +20,175 @@
 # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/nexB/scancode.io for support and download.
 
-from pathlib import Path
+"""
+Test suite for validating ScanCode.io integrations with third-party SCA SBOM tools.
 
-from django.test import TestCase
+Each test ensures that SBOM files generated by tools such as Anchore Grype,
+CycloneDX (cdxgen), osv-scanner, Trivy, SBOM Tool, and more.
 
-from scanpipe.tests import make_project
+Adding new test data
+====================
 
+1. Generate an SBOM with the tool you want to test. For example with Trivy:
 
-class ScanPipeSCAIntegrationsTest(TestCase):
-    data = Path(__file__).parent / "data"
+    trivy image --scanners vuln,license --format cyclonedx \
+        --output trivy-alpine-3.17-sbom.json alpine:3.17.0
 
-    def test_scanpipe_scan_integrations_load_sbom_trivy(self):
-        # Input file generated with:
-        # $ trivy image --scanners vuln,license --format cyclonedx \
-        #     --output trivy-alpine-3.17-sbom.json alpine:3.17.0
-        input_location = self.data / "sca-integrations" / "trivy-alpine-3.17-sbom.json"
+2. Save the SBOM file under:
+    tests/data/sca-integrations/
 
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
+3. Add expected counts for that SBOM to ``SCA_INTEGRATIONS_TEST_DATA`` below.
 
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
+Example:
+    "trivy-alpine-3.17-sbom.json": {
+        "resources": 1,
+        "packages": 16,
+        "packages_vulnerable": 7,
+        "dependencies": 25,
+    },
 
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
+   Tip: run the test once without expected values, check the counts from the
+   failure messages, then update the dictionary accordingly.
 
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(16, project1.discoveredpackages.count())
-        self.assertEqual(7, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(25, project1.discovereddependencies.count())
-
-    def test_scanpipe_scan_integrations_load_sbom_anchore(self):
-        # Input file generated with:
-        # $ grype -v -o cyclonedx-json \
-        #     --file anchore-alpine-3.17-sbom.json alpine:3.17.0
-        input_location = (
-            self.data / "sca-integrations" / "anchore-alpine-3.17-sbom.json"
-        )
+4. Run the test suite:
 
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
-
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
+    ./manage.py test scanpipe.tests.test_sca_integrations
 
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
+5. Commit both the SBOM file and dictionary entry.
 
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(94, project1.discoveredpackages.count())
-        self.assertEqual(7, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(20, project1.discovereddependencies.count())
+"""
 
-    def test_scanpipe_scan_integrations_load_sbom_cdxgen(self):
-        # Input file generated with:
-        # $ cdxgen alpine:3.17.0 --type docker --spec-version 1.6 --json-pretty \
-        #     --output cdxgen-alpine-3.17-sbom.json
-        input_location = self.data / "sca-integrations" / "cdxgen-alpine-3.17-sbom.json"
+from pathlib import Path
 
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
+from django.test import TestCase
 
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
+from scanpipe.tests import make_project
 
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
+# Mapping of SBOM filenames to expected counts.
+# Each SBOM is stored under ``tests/data/sca-integrations/``.
+# Keys are filenames, values are dicts with expected numbers of:
+# - ``resources``: CodebaseResource
+# - ``packages``: DiscoveredPackages
+# - ``packages_vulnerable``: Vulnerable DiscoveredPackages
+# - ``dependencies``: DiscoveredDependencies
+SCA_INTEGRATIONS_TEST_DATA = {
+    ### Anchore Grype
+    #   $ grype -v -o cyclonedx-json \
+    #       --file anchore-alpine-3.17-sbom.json alpine:3.17.0
+    "anchore-alpine-3.17-sbom.json": {
+        "resources": 1,
+        "packages": 94,
+        "packages_vulnerable": 7,
+        "dependencies": 20,
+    },
+    ### CycloneDX cdxgen
+    #   $ cdxgen alpine:3.17.0 --type docker --spec-version 1.6 --json-pretty \
+    #       --output cdxgen-alpine-3.17-sbom.json
+    "cdxgen-alpine-3.17-sbom.json": {
+        "resources": 1,
+        "packages": 14,
+        "packages_vulnerable": 0,
+        "dependencies": 0,
+    },
+    ### OWASP dep-scan
+    #   $ depscan --src alpine:3.17.0 --type docker
+    "depscan-alpine-3.17-sbom.json": {
+        "resources": 1,
+        "packages": 33,
+        "packages_vulnerable": 3,
+        "dependencies": 20,
+    },
+    ### OSV-Scanner
+    #   $ osv-scanner scan image alpine:3.17.0 \
+    #       --all-packages \
+    #       --format spdx-2-3 \
+    #       --output osv-scanner-alpine-3.17-sbom.spdx.json
+    "osv-scanner-alpine-3.17-sbom.spdx.json": {
+        "resources": 1,
+        "packages": 16,
+        "packages_vulnerable": 0,
+        "dependencies": 15,
+    },
+    # Example file from osv-scanner documentation:
+    # https://google.github.io/osv-scanner/output/#cyclonedx
+    "osv-scanner-vulns-sbom.cdx.json": {
+        "resources": 1,
+        "packages": 3,
+        "packages_vulnerable": 1,
+        "dependencies": 0,
+    },
+    ### SBOM Tool
+    #   $ sbom-tool generate -di alpine:3.17.0 \
+    #       -pn DockerImage -pv 1.0.0 -ps Company -nsb https://sbom.company.com
+    "sbom-tool-alpine-3.17-sbom.spdx.json": {
+        "resources": 1,
+        "packages": 16,
+        "packages_vulnerable": 0,
+        "dependencies": 15,
+    },
+    ### Trivy
+    #   $ trivy image --scanners vuln,license --format cyclonedx \
+    #       --output trivy-alpine-3.17-sbom.json alpine:3.17.0
+    "trivy-alpine-3.17-sbom.json": {
+        "resources": 1,
+        "packages": 16,
+        "packages_vulnerable": 7,
+        "dependencies": 25,
+    },
+}
 
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(14, project1.discoveredpackages.count())
-        self.assertEqual(0, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(0, project1.discovereddependencies.count())
 
-    def test_scanpipe_scan_integrations_load_sbom_depscan(self):
-        # Input file generated with:
-        # $ depscan --src alpine:3.17.0 --type docker
-        input_location = (
-            self.data / "sca-integrations" / "depscan-alpine-3.17-sbom.json"
-        )
+class ScanPipeSCAIntegrationsTest(TestCase):
+    """
+    Run consistency checks across all SBOM integration test files.
 
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
+    For each SBOM listed in ``SCA_INTEGRATIONS_TEST_DATA``, this test:
+    - Loads the SBOM into a temporary ScanCode.io project.
+    - Executes the ``load_sbom`` pipeline.
+    - Verifies that the number of resources, packages, vulnerable packages,
+      and dependencies match the expected values.
+    """
 
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
+    data = Path(__file__).parent / "data"
 
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
+    def test_scanpipe_sca_integrations_tools(self):
+        """Loop through all SBOM files and run integration checks."""
+        for sbom_filename, expected_results in SCA_INTEGRATIONS_TEST_DATA.items():
+            self._test_scanpipe_sca_integrations_tool(sbom_filename, expected_results)
 
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(33, project1.discoveredpackages.count())
-        self.assertEqual(3, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(20, project1.discovereddependencies.count())
-
-    def test_scanpipe_scan_integrations_load_sbom_sbomtool(self):
-        # Input file generated with:
-        # $ sbom-tool generate -di alpine:3.17.0 \
-        #   -pn DockerImage -pv 1.0.0 -ps Company -nsb https://sbom.company.com
-        input_location = (
-            self.data / "sca-integrations" / "sbom-tool-alpine-3.17-sbom.spdx.json"
-        )
+    def _test_scanpipe_sca_integrations_tool(self, sbom_filename, expected_results):
+        """Run a single SBOM integration test."""
+        input_location = self.data / "sca-integrations" / sbom_filename
 
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
+        # Create a fresh project and load the SBOM into it
+        project = make_project()
+        project.copy_input_from(input_location)
 
-        run = project1.add_pipeline(pipeline_name)
+        run = project.add_pipeline(pipeline_name="load_sbom")
         pipeline = run.make_pipeline_instance()
 
         exitcode, out = pipeline.execute()
+        # Ensure the SBOM is properly loaded
         self.assertEqual(0, exitcode, msg=out)
 
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(16, project1.discoveredpackages.count())
-        self.assertEqual(0, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(15, project1.discovereddependencies.count())
-
-    def test_scanpipe_scan_integrations_load_sbom_osv_scanner(self):
-        # Input file generated with:
-        # $ osv-scanner scan image alpine:3.17.0 \
-        #     --all-packages \
-        #     --format spdx-2-3 \
-        #     --output osv-scanner-alpine-3.17-sbom.spdx.json
-        input_location = (
-            self.data / "sca-integrations" / "osv-scanner-alpine-3.17-sbom.spdx.json"
+        # Verify resource, package, vulnerability, and dependency counts
+        self.assertEqual(
+            expected_results["resources"],
+            project.codebaseresources.count(),
+            msg=sbom_filename,
         )
-
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
-
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
-
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
-
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(16, project1.discoveredpackages.count())
-        self.assertEqual(0, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(15, project1.discovereddependencies.count())
-
-    def test_scanpipe_scan_integrations_load_sbom_osv_scanner_cdx_vulnerabilities(self):
-        # Input file taken from: https://google.github.io/osv-scanner/output/#cyclonedx
-        input_location = (
-            self.data / "sca-integrations" / "osv-scanner-vulns-sbom.cdx.json"
+        self.assertEqual(
+            expected_results["packages"],
+            project.discoveredpackages.count(),
+            msg=sbom_filename,
+        )
+        self.assertEqual(
+            expected_results["packages_vulnerable"],
+            project.discoveredpackages.vulnerable().count(),
+            msg=sbom_filename,
+        )
+        self.assertEqual(
+            expected_results["dependencies"],
+            project.discovereddependencies.count(),
+            msg=sbom_filename,
         )
-
-        pipeline_name = "load_sbom"
-        project1 = make_project()
-        project1.copy_input_from(input_location)
-
-        run = project1.add_pipeline(pipeline_name)
-        pipeline = run.make_pipeline_instance()
-
-        exitcode, out = pipeline.execute()
-        self.assertEqual(0, exitcode, msg=out)
-
-        self.assertEqual(1, project1.codebaseresources.count())
-        self.assertEqual(3, project1.discoveredpackages.count())
-        self.assertEqual(1, project1.discoveredpackages.vulnerable().count())
-        self.assertEqual(0, project1.discovereddependencies.count())