Use benchmark.compare_purls to assert the SBOM PURLs #1726

tdruez · tdruez · commit 5b94506cc43e · 2025-09-04T16:42:56.000+04:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/scanpipe/pipes/benchmark.py b/scanpipe/pipes/benchmark.py
@@ -49,6 +49,18 @@ def get_expected_purls(project):
     return sorted(set(expected_purls))
 
 
+def get_unique_project_purls(project):
+    """
+    Return the sorted list of unique Package URLs (PURLs) discovered in the project.
+
+    Extracts the ``purl`` field from all discovered packages, removes duplicates,
+    and sorts the result to provide a deterministic list of project PURLs.
+    """
+    project_packages = project.discoveredpackages.only_package_url_fields()
+    sorted_unique_purls = sorted({package.purl for package in project_packages})
+    return sorted_unique_purls
+
+
 def compare_purls(project, expected_purls):
     """
     Compare discovered project PURLs against the expected PURLs.
@@ -57,10 +69,10 @@ def compare_purls(project, expected_purls):
     - Lines starting with '-' are missing from the project.
     - Lines starting with '+' are unexpected in the project.
     """
-    project_packages = project.discoveredpackages.only_package_url_fields()
-    sorted_unique_purls = sorted({package.purl for package in project_packages})
+    sorted_project_purls = get_unique_project_purls(project)
+    print(sorted_project_purls)
 
-    diff_result = difflib.ndiff(sorted_unique_purls, expected_purls)
+    diff_result = difflib.ndiff(sorted_project_purls, expected_purls)
 
     # Keep only lines that are diffs (- or +)
     filtered_diff = [line for line in diff_result if line.startswith(("-", "+"))]
diff --git a/scanpipe/tests/test_sca_integrations.py b/scanpipe/tests/test_sca_integrations.py
@@ -45,6 +45,9 @@
         "packages": 16,
         "packages_vulnerable": 7,
         "dependencies": 25,
+        "purls": [
+            "pkg:unknown/alpine@3.17.0",
+        ],
     },
 
    Tip: run the test once without expected values, check the counts from the
@@ -62,6 +65,7 @@
 
 from django.test import TestCase
 
+from scanpipe.pipes import benchmark
 from scanpipe.tests import make_project
 
 # Mapping of SBOM filenames to expected counts.
@@ -71,6 +75,7 @@
 # - ``packages``: DiscoveredPackages
 # - ``packages_vulnerable``: Vulnerable DiscoveredPackages
 # - ``dependencies``: DiscoveredDependencies
+# - ``purls``: The list of PURLs present in the SBOM
 SCA_INTEGRATIONS_TEST_DATA = {
     ### Anchore Grype
     #   $ grype -v -o cyclonedx-json \
@@ -80,6 +85,102 @@
         "packages": 94,
         "packages_vulnerable": 7,
         "dependencies": 20,
+        "purls": [
+            "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=alpine-3.17.0&upstream=alpine-baselayout",
+            "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0&upstream=busybox",
+            "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=alpine-3.17.0&upstream=ca-certificates",
+            "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=alpine-3.17.0&upstream=libc-dev",
+            "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=alpine-3.17.0&upstream=openssl",
+            "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=alpine-3.17.0&upstream=openssl",
+            "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=alpine-3.17.0&upstream=musl",
+            "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=alpine-3.17.0&upstream=pax-utils",
+            "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0&upstream=busybox",
+            "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=alpine-3.17.0",
+            "pkg:unknown/alpine@3.17.0",
+            "pkg:unknown/bin/busybox",
+            "pkg:unknown/etc/apk/keys/alpine-devel%40lists.alpinelinux.org-4a6a0840.rsa.pub",
+            "pkg:unknown/etc/apk/keys/alpine-devel%40lists.alpinelinux.org-5243ef4b.rsa.pub",
+            "pkg:unknown/etc/apk/keys/alpine-devel%40lists.alpinelinux.org-5261cecb.rsa.pub",
+            "pkg:unknown/etc/apk/keys/alpine-devel%40lists.alpinelinux.org-6165ee59.rsa.pub",
+            "pkg:unknown/etc/apk/keys/alpine-devel%40lists.alpinelinux.org-61666e3f.rsa.pub",
+            "pkg:unknown/etc/crontabs/root",
+            "pkg:unknown/etc/fstab",
+            "pkg:unknown/etc/group",
+            "pkg:unknown/etc/hostname",
+            "pkg:unknown/etc/hosts",
+            "pkg:unknown/etc/inittab",
+            "pkg:unknown/etc/logrotate.d/acpid",
+            "pkg:unknown/etc/modprobe.d/aliases.conf",
+            "pkg:unknown/etc/modprobe.d/blacklist.conf",
+            "pkg:unknown/etc/modprobe.d/i386.conf",
+            "pkg:unknown/etc/modprobe.d/kms.conf",
+            "pkg:unknown/etc/modules",
+            "pkg:unknown/etc/motd",
+            "pkg:unknown/etc/network/if-up.d/dad",
+            "pkg:unknown/etc/nsswitch.conf",
+            "pkg:unknown/etc/passwd",
+            "pkg:unknown/etc/profile",
+            "pkg:unknown/etc/profile.d/README",
+            "pkg:unknown/etc/profile.d/color_prompt.sh.disabled",
+            "pkg:unknown/etc/profile.d/locale.sh",
+            "pkg:unknown/etc/protocols",
+            "pkg:unknown/etc/securetty",
+            "pkg:unknown/etc/services",
+            "pkg:unknown/etc/shadow",
+            "pkg:unknown/etc/shells",
+            "pkg:unknown/etc/ssl/certs/ca-certificates.crt",
+            "pkg:unknown/etc/ssl/ct_log_list.cnf",
+            "pkg:unknown/etc/ssl/ct_log_list.cnf.dist",
+            "pkg:unknown/etc/ssl/misc/CA.pl",
+            "pkg:unknown/etc/ssl/misc/tsget.pl",
+            "pkg:unknown/etc/ssl/openssl.cnf",
+            "pkg:unknown/etc/ssl/openssl.cnf.dist",
+            "pkg:unknown/etc/sysctl.conf",
+            "pkg:unknown/etc/udhcpd.conf",
+            "pkg:unknown/lib/apk/db/installed",
+            "pkg:unknown/lib/ld-musl-x86_64.so.1",
+            "pkg:unknown/lib/libapk.so.3.12.0",
+            "pkg:unknown/lib/libcrypto.so.3",
+            "pkg:unknown/lib/libssl.so.3",
+            "pkg:unknown/lib/libz.so.1.2.13",
+            "pkg:unknown/lib/sysctl.d/00-alpine.conf",
+            "pkg:unknown/sbin/apk",
+            "pkg:unknown/sbin/ldconfig",
+            "pkg:unknown/usr/bin/getconf",
+            "pkg:unknown/usr/bin/getent",
+            "pkg:unknown/usr/bin/iconv",
+            "pkg:unknown/usr/bin/ldd",
+            "pkg:unknown/usr/bin/scanelf",
+            "pkg:unknown/usr/bin/ssl_client",
+            "pkg:unknown/usr/lib/engines-3/afalg.so",
+            "pkg:unknown/usr/lib/engines-3/capi.so",
+            "pkg:unknown/usr/lib/engines-3/loader_attic.so",
+            "pkg:unknown/usr/lib/engines-3/padlock.so",
+            "pkg:unknown/usr/lib/ossl-modules/legacy.so",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-4a6a0840.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-5243ef4b.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-524d27bb.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-5261cecb.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-58199dcc.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-58cbb476.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-58e4f17d.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-5e69ca50.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-60ac2099.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-6165ee59.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-61666e3f.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616a9724.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616abc23.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616ac3bc.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616adfeb.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616ae350.rsa.pub",
+            "pkg:unknown/usr/share/apk/keys/alpine-devel%40lists.alpinelinux.org-616db30d.rsa.pub",
+            "pkg:unknown/usr/share/udhcpc/default.script",
+        ],
     },
     ### CycloneDX cdxgen
     #   $ cdxgen alpine:3.17.0 --type docker --spec-version 1.6 --json-pretty \
@@ -89,6 +190,22 @@
         "packages": 14,
         "packages_vulnerable": 0,
         "dependencies": 0,
+        "purls": [
+            "pkg:generic/apk",
+            "pkg:generic/busybox",
+            "pkg:generic/getconf",
+            "pkg:generic/getent",
+            "pkg:generic/iconv",
+            "pkg:generic/ld-musl-x86_64.so.1",
+            "pkg:generic/ldconfig",
+            "pkg:generic/ldd",
+            "pkg:generic/libapk.so.3.12.0",
+            "pkg:generic/libcrypto.so.3",
+            "pkg:generic/libssl.so.3",
+            "pkg:generic/libz.so.1.2.13",
+            "pkg:generic/scanelf",
+            "pkg:generic/ssl_client",
+        ],
     },
     ### OWASP dep-scan
     #   $ depscan --src alpine:3.17.0 --type docker
@@ -97,6 +214,41 @@
         "packages": 33,
         "packages_vulnerable": 3,
         "dependencies": 20,
+        "purls": [
+            "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/ca-certificates@20220614-r2?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/libc-dev@0.7.2-r3?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/openssl@3.0.7-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/pax-utils@1.3.5-r1?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=alpine-3.17.0&distro_name=alpine-3.17",
+            "pkg:generic/apk",
+            "pkg:generic/busybox",
+            "pkg:generic/getconf",
+            "pkg:generic/getent",
+            "pkg:generic/iconv",
+            "pkg:generic/ld-musl-x86_64.so.1",
+            "pkg:generic/ldconfig",
+            "pkg:generic/ldd",
+            "pkg:generic/libapk.so.3.12.0",
+            "pkg:generic/libcrypto.so.3",
+            "pkg:generic/libssl.so.3",
+            "pkg:generic/libz.so.1.2.13",
+            "pkg:generic/scanelf",
+            "pkg:generic/ssl_client",
+        ],
     },
     ### OSV-Scanner
     #   $ osv-scanner scan image alpine:3.17.0 \
@@ -108,6 +260,24 @@
         "packages": 16,
         "packages_vulnerable": 0,
         "dependencies": 15,
+        "purls": [
+            "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0&origin=alpine-baselayout",
+            "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0&origin=alpine-baselayout",
+            "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0&origin=alpine-keys",
+            "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0&origin=apk-tools",
+            "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0&origin=busybox",
+            "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0&origin=busybox",
+            "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0&origin=ca-certificates",
+            "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0&origin=libc-dev",
+            "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0&origin=openssl",
+            "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0&origin=openssl",
+            "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0&origin=musl",
+            "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0&origin=musl",
+            "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0&origin=pax-utils",
+            "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0&origin=busybox",
+            "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0&origin=zlib",
+            "pkg:unknown/main@0",
+        ],
     },
     # Example file from osv-scanner documentation:
     # https://google.github.io/osv-scanner/output/#cyclonedx
@@ -116,6 +286,11 @@
         "packages": 3,
         "packages_vulnerable": 1,
         "dependencies": 0,
+        "purls": [
+            "pkg:composer/league/flysystem@1.0.8",
+            "pkg:npm/has-flag@4.0.0",
+            "pkg:npm/wrappy@1.0.2",
+        ],
     },
     ### SBOM Tool
     #   $ sbom-tool generate -di alpine:3.17.0 \
@@ -125,6 +300,24 @@
         "packages": 16,
         "packages_vulnerable": 0,
         "dependencies": 15,
+        "purls": [
+            "pkg:swid/Company/sbom.company.com/DockerImage@1.0.0?tag_id=60e3f440-f9a8-449e-b516-da3049700fff",
+            "pkg:unknown/alpine-baselayout-data@3.4.0-r0",
+            "pkg:unknown/alpine-baselayout@3.4.0-r0",
+            "pkg:unknown/alpine-keys@2.4-r1",
+            "pkg:unknown/apk-tools@2.12.10-r1",
+            "pkg:unknown/busybox-binsh@1.35.0-r29",
+            "pkg:unknown/busybox@1.35.0-r29",
+            "pkg:unknown/ca-certificates-bundle@20220614-r2",
+            "pkg:unknown/libc-utils@0.7.2-r3",
+            "pkg:unknown/libcrypto3@3.0.7-r0",
+            "pkg:unknown/libssl3@3.0.7-r0",
+            "pkg:unknown/musl-utils@1.2.3-r4",
+            "pkg:unknown/musl@1.2.3-r4",
+            "pkg:unknown/scanelf@1.3.5-r1",
+            "pkg:unknown/ssl_client@1.35.0-r29",
+            "pkg:unknown/zlib@1.2.13-r0",
+        ],
     },
     ### Trivy
     #   $ trivy image --scanners vuln,license --format cyclonedx \
@@ -134,6 +327,24 @@
         "packages": 16,
         "packages_vulnerable": 7,
         "dependencies": 25,
+        "purls": [
+            "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0",
+            "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0",
+            "pkg:unknown/alpine@3.17.0",
+        ],
     },
 }
 
@@ -192,3 +403,10 @@ def _test_scanpipe_sca_integrations_tool(self, sbom_filename, expected_results):
             project.discovereddependencies.count(),
             msg=sbom_filename,
         )
+
+        # Verify that all the expected PURLs are present in the project
+        expected_purls = expected_results.get("purls", [])
+        if expected_purls:
+            purls_diff = benchmark.compare_purls(project, expected_purls)
+            formatted_diff = "\n".join(purls_diff)
+            self.assertFalse(purls_diff, msg=f"\n{sbom_filename}\n{formatted_diff}")
