From 52fb507e9d2ed262bcccc1a8451291672d5a764f Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com>
Date: Thu, 18 Jan 2024 09:45:08 -0800
Subject: [PATCH] test: add unit tests for rpm and apk distros (#54)
Signed-off-by: Ramkumar Chinchani
---
pkg/bom/doc.go | 10 ----------
pkg/distro/distro.go | 3 +++
pkg/distro/rpm/rpm.go | 13 ++++++++++++-
test/bom.bats | 42 +++++++++++++++++++++++++++++++++++++++++-
4 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/pkg/bom/doc.go b/pkg/bom/doc.go
index 1597481..7b83b47 100644
--- a/pkg/bom/doc.go
+++ b/pkg/bom/doc.go
@@ -31,16 +31,6 @@ func WriteDocument(doc *spdx.Document, path string) error {
 if err := os.WriteFile(path, []byte(markup), 0o644); err != nil { //nolint:gosec,gomnd // G306: Expect WriteFile
 return fmt.Errorf("writing SBOM: %w", err)
 }
- /*
- // Export the SBOM as in-toto provenance
- if opts.provenancePath != "" {
- if err := doc.WriteProvenanceStatement(
- spdx.DefaultProvenanceOptions, opts.provenancePath,
- ); err != nil {
- return fmt.Errorf("writing SBOM as provenance statement: %w", err)
- }
- }
- */
 return nil
 }
diff --git a/pkg/distro/distro.go b/pkg/distro/distro.go
index 3ca7cc8..8e08913 100644
--- a/pkg/distro/distro.go
+++ b/pkg/distro/distro.go
@@ -17,16 +17,19 @@ type Distro interface {
 }
 func InstalledPackages(doc *spdx.Document) error {
+ // check assuming deb
 deberr := deb.InstalledPackages(doc)
 if deberr == nil {
 return nil
 }
+ // check assuming rpm
 rpmerr := rpm.InstalledPackages(doc)
 if rpmerr == nil {
 return nil
 }
+ // check assuming apk
 apkerr := apk.InstalledPackages(doc)
 if apkerr == nil {
 return nil
diff --git a/pkg/distro/rpm/rpm.go b/pkg/distro/rpm/rpm.go
index 39ac247..434397b 100644
--- a/pkg/distro/rpm/rpm.go
+++ b/pkg/distro/rpm/rpm.go
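Review bot: The three added comments say which probe is being tried but not the rule `InstalledPackages` actually implements, which is the thing a reader needs: the first of deb, rpm, apk whose database parses wins, and the error from each earlier probe is thrown away, so an image carrying more than one package database is only ever inventoried for one of them. A single header comment states that contract better than three one-liners: `// InstalledPackages tries deb, rpm and apk in that order and stops at the first database that parses; errors from the earlier probes are discarded, so at most one package manager is recorded per image.` The function's tail, where all three probes have failed and presumably deberr/rpmerr/apkerr are combined into the returned error, is outside the hunk.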
@@ -193,6 +193,8 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
 return err
 }
+ filesFound := false
+
 for _, ifile := range ifiles {
 info, err := os.Lstat(ifile.Path)
 if err != nil {
@@ -205,6 +207,8 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
 continue
 }
+ filesFound = true
+
 fhandle, err := os.Open(ifile.Path)
 if err != nil {
 return err
@@ -263,6 +267,12 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
 }
 }
+ if !filesFound {
+ log.Info().Str("package", pkg.Name).Msg("ignoring empty package")
+
+ return nil
+ }
+
 if err := doc.AddPackage(spkg); err != nil {
 log.Error().Err(err).Msg("unable to add package to doc")
@@ -295,7 +305,8 @@ func InstalledPackages(doc *spdx.Document) error {
 continue
 }
- log.Info().Str("package", pkg.Name).Str("version", pkg.Version).Msg("discovered installed package")
+ log.Info().Str("package", pkg.Name).Str("version", pkg.Version).
+ Str("license", pkg.License).Msg("discovered installed package")
 }
 return nil
diff --git a/test/bom.bats b/test/bom.bats
index a7d0b7e..2720c8d 100644
--- a/test/bom.bats
+++ b/test/bom.bats
@@ -10,7 +10,7 @@ function teardown() {
 common_teardown
 }
-@test "bom workflow" {
+@test "deb bom workflow" {
 # inventory
 docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i ubuntu:latest /opt/bin/stacker-bom-linux-amd64 inventory -x /proc,/sys,/dev,/tmp,/opt,/var/lib/dpkg/info,/var/log,/var/cache,/var/lib/systemd,/var/lib/dpkg,/var/lib/apt,/var/lib/pam,/var/lib/shells.state,/.dockerenv,/usr/share/info,/usr/sbin/policy-rc.d,/etc,/run,/root,/usr/bin/man,/usr/local/sbin/unminimize,/usr/sbin/initctl,/stacker-artifacts -o /stacker-artifacts/inventory.json
 [ -f ${BOMD}/inventory.json ]
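Review bot: The `if !filesFound { ... return nil }` block in the @@ -263 hunk drops a package from the SBOM whenever the loop recorded no file, but `filesFound` is only set after `os.Lstat` succeeds and the skip path (`continue`, partly outside the hunk) is passed, so a package whose payload has been deleted or is unreadable is indistinguishable from one that genuinely declares no files and silently vanishes from the inventory; a consumer matching the SBOM against vulnerability data then never sees a package that rpmdb still says is installed. If the intent is to skip metapackages, decide that from the rpmdb file list before walking it, `if len(ifiles) == 0 {` (ifiles is obtained above the hunk), and let packages with missing files either be added without file entries or be logged at warn rather than info, since "installed but no files on disk" is a tamper/consistency signal rather than noise. The "ignoring empty package" log should also say which case it is, e.g. `Msg("package declares no files; not added to SBOM")`. `filesFound` is declared in the earlier @@ -193 hunk and the loop body between the hunks is not visible here.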
@@ -29,3 +29,43 @@ function teardown() {
 regctl artifact put --artifact-type application/org.spdx+json -f ${BOMD}/discover.json --subject ${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
 regctl artifact tree ${ZOT_HOST}:${ZOT_PORT}/ubuntu:latest
 }
+
+@test "apk bom workflow" {
+ # inventory
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i alpine:edge /opt/bin/stacker-bom-linux-amd64 inventory -x /proc,/sys,/dev,/tmp,/opt,/lib/apk/db,/var/log,/var/cache,/var/lib/systemd,/var/lib/pam,/var/lib/shells.state,/.dockerenv,/usr/share/info,/usr/sbin/policy-rc.d,/etc,/run,/root,/usr/bin/man,/usr/local/sbin/unminimize,/usr/sbin/initctl,/stacker-artifacts -o /stacker-artifacts/inventory.json
+ [ -f ${BOMD}/inventory.json ]
+ # discover installed packages
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i alpine:edge /opt/bin/stacker-bom-linux-amd64 discover -o /stacker-artifacts/discover.json
+ [ -f ${BOMD}/discover.json ]
+ # verify against inventory
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i alpine:edge /opt/bin/stacker-bom-linux-amd64 verify -i /stacker-artifacts/discover.json -t /stacker-artifacts/inventory.json -m /stacker-artifacts/missing.json
+ [ ! -f ${BOMD}/missing.json ]
+ # push the image
+ skopeo copy --format=oci --dest-tls-verify=false docker://alpine:edge docker://${ZOT_HOST}:${ZOT_PORT}/alpine:edge
+ # validate the sbom
+ bom document outline ${BOMD}/discover.json
+ # attach bom artifacts as references
+ regctl artifact put --artifact-type application/vnd.stacker-bom.inventory -f ${BOMD}/inventory.json --subject ${ZOT_HOST}:${ZOT_PORT}/alpine:edge
+ regctl artifact put --artifact-type application/org.spdx+json -f ${BOMD}/discover.json --subject ${ZOT_HOST}:${ZOT_PORT}/alpine:edge
+ regctl artifact tree ${ZOT_HOST}:${ZOT_PORT}/alpine:edge
+}
+
+@test "rpm bom workflow" {
+ # inventory
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i rockylinux:9 /opt/bin/stacker-bom-linux-amd64 inventory -x /proc,/sys,/dev,/tmp,/opt,/var/log,/var/lib/rpm,/var/lib/alternatives,/root,/etc,/.dockerenv,/stacker-artifacts -o /stacker-artifacts/inventory.json
+ [ -f ${BOMD}/inventory.json ]
+ # discover installed packages
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i rockylinux:9 /opt/bin/stacker-bom-linux-amd64 discover -o /stacker-artifacts/discover.json
+ [ -f ${BOMD}/discover.json ]
+ # verify against inventory
+ docker run -v ${TOPDIR}/bin:/opt/bin -v ${BOMD}:/stacker-artifacts -i rockylinux:9 /opt/bin/stacker-bom-linux-amd64 verify -i /stacker-artifacts/discover.json -t /stacker-artifacts/inventory.json -m /stacker-artifacts/missing.json
+ [ ! -f ${BOMD}/missing.json ]
+ # push the image
+ skopeo copy --format=oci --dest-tls-verify=false docker://rockylinux:9 docker://${ZOT_HOST}:${ZOT_PORT}/rockylinux:9
+ # validate the sbom
+ bom document outline ${BOMD}/discover.json
+ # attach bom artifacts as references
+ regctl artifact put --artifact-type application/vnd.stacker-bom.inventory -f ${BOMD}/inventory.json --subject ${ZOT_HOST}:${ZOT_PORT}/rockylinux:9
+ regctl artifact put --artifact-type application/org.spdx+json -f ${BOMD}/discover.json --subject ${ZOT_HOST}:${ZOT_PORT}/rockylinux:9
+ regctl artifact tree ${ZOT_HOST}:${ZOT_PORT}/rockylinux:9
+}
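Review bot: Both new tests pull the floating tags `alpine:edge` and `rockylinux:9` in every `docker run` and in the `skopeo copy`, so what gets inventoried, discovered and verified changes with each upstream push (edge in particular is Alpine's rolling branch), and a failure of the `[ ! -f ${BOMD}/missing.json ]` assertion cannot be told apart from an upstream content change; pin each image by digest in one variable reused by the four lines, e.g. `APK_IMAGE=alpine:edge@sha256:<digest>`. The `--dest-tls-verify=false` on the skopeo push is acceptable only because the destination is the test-local zot; a comment saying so, `# plain-HTTP push to the test-local zot, never a real registry`, keeps it from being copied into a non-test script. As a matter of style, the apk `-x` list still carries Debian-only paths copied from the deb test (`/usr/sbin/policy-rc.d`, `/usr/local/sbin/unminimize`, `/usr/sbin/initctl`, `/var/lib/systemd`); they are harmless on Alpine but trimming the list to what the image actually has makes the exclusions reviewable.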