
Commit 6d11233

csasalusimonbaird
authored andcommitted
Apply suggestions from code review
Co-authored-by: Simon Baird <simon.baird@gmail.com>
1 parent 6aa4490 commit 6d11233

2 files changed

Lines changed: 58 additions & 24 deletions


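--- a/policy/lib/sbom/maven.rego
+++ b/policy/lib/sbom/maven.rego
@@ -5,9 +5,7 @@
 # and SPDX SBOM formats.
 package lib.sbom
 
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
+import rego.v1
 
 packages contains pkg if {
 some pkg in _cyclonedx_maven_packages
@@ -25,7 +23,7 @@ _cyclonedx_maven_packages contains pkg if {
 
 repos := {ref.url |
 some ref in component.externalRefs
-ref.type in ["distribution", "artifact-repository"]
+ref.type in {"distribution", "artifact-repository"}
 }
 
 final_repos := _empty_to_default(repos)
@@ -46,7 +44,7 @@ _spdx_maven_packages contains pkg if {
 
 repos := {ref.referenceLocator |
 some ref in item.externalRefs
-ref.referenceType in ["distribution", "repository"]
+ref.referenceType in {"distribution", "repository"}
 }
 
 final_repos := _empty_to_default(repos)
@@ -59,6 +57,10 @@ _spdx_maven_packages contains pkg if {
 }
 }
 
+# _empty_to_default ensures that packages without explicit repository URLs
+# are still processed. If the input repo_set is empty, it returns {""}.
+# In the context of this policy, a blank repository URL is considered
+# to be Maven Central (https://repo.maven.apache.org/maven2/).
 _empty_to_default(repo_set) := repo_set if {
 count(repo_set) > 0
 } else := {""}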
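Review bot: The new comment on `_empty_to_default` documents that the `{""}` sentinel is treated as Maven Central, but an SBOM with no `distribution`/`repository` externalRef is evidence that the generator recorded no provenance, not that the artifact came from Maven Central, so this default fails open for any downstream rule that allow-lists Maven Central. I cannot see how `repository_url == ""` is consumed by the rest of the policy, so this may already be handled there; if it is not, it is worth stating the trade-off at the definition rather than only the mapping. I would extend the comment with `# NOTE: "" only means the SBOM recorded no repository; treating it as Maven Central is a permissive default that consuming rules must opt into deliberately.` Alternatively, returning a named sentinel such as `{"unknown"}` would let consumers distinguish "not recorded" from a real URL, but that changes the value `test_cyclonedx_empty_repo_url` pins and needs the callers checked.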

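--- a/policy/lib/sbom/maven_test.rego
+++ b/policy/lib/sbom/maven_test.rego
@@ -1,5 +1,6 @@
 package lib.sbom_test
 
+import data.lib
 import data.lib.sbom
 import future.keywords.if
 import future.keywords.in
@@ -11,21 +12,21 @@ test_cyclonedx_maven_extraction if {
 "externalRefs": [{"type": "distribution", "url": "https://repo.maven.apache.org/maven2/"}],
 }]
 
-res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
-
-res == {{
+expected := {{
 "name": "auth-lib",
 "purl": "pkg:maven/org.example/auth@1.0",
 "repository_url": "https://repo.maven.apache.org/maven2/",
 }}
+
+result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+
+lib.assert_equal(expected, result)
 }
 
 test_cyclonedx_ignores_non_maven if {
 mock_components := [{"name": "react", "purl": "pkg:npm/react@18.2.0"}]
 
-res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
-
-count(res) == 0
+lib.assert_empty(sbom.packages) with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 }
 
 test_cyclonedx_empty_repo_url if {
@@ -35,10 +36,15 @@ test_cyclonedx_empty_repo_url if {
 "externalRefs": [],
 }]
 
-res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+expected := {{
+"name": "no-repo",
+"purl": "pkg:maven/org.example/no-repo@1.0",
+"repository_url": "",
+}}
+
+result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
 
-some pkg in res
-pkg.repository_url == ""
+lib.assert_equal(expected, result)
 }
 
 test_spdx_maven_extraction if {
@@ -51,13 +57,15 @@ test_spdx_maven_extraction if {
 }],
 }]
 
-res := sbom.packages with sbom.spdx_sboms as [_spdx_sbom(mock_packages)]
-
-res == {{
+expected := {{
 "name": "data-service",
 "purl": "pkg:maven/org.example/data@2.5",
 "repository_url": "https://internal.jfrog.io/artifactory",
 }}
+
+result := sbom.packages with sbom.spdx_sboms as [_spdx_sbom(mock_packages)]
+
+lib.assert_equal(expected, result)
 }
 
 test_combined_sources if {
@@ -76,10 +84,23 @@ test_combined_sources if {
 }],
 }]
 
-res := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_cdx)]
+expected := {
+{
+"name": "cdx-pkg",
+"purl": "pkg:maven/cdx/pkg@1",
+"repository_url": "url1",
+},
+{
+"name": "spdx-pkg",
+"purl": "pkg:maven/spdx/pkg@1",
+"repository_url": "url2",
+},
+}
+
+result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_cdx)]
 with sbom.spdx_sboms as [_spdx_sbom(mock_spdx)]
 
-count(res) == 2
+lib.assert_equal(expected, result)
 }
 
 test_cyclonedx_multiple_repo_capture if {
@@ -92,11 +113,22 @@ test_cyclonedx_multiple_repo_capture if {
 ],
 }]
 
-pkg_list := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
-
-count(pkg_list) == 2
-urls := {p.repository_url | some p in pkg_list}
-urls == {"https://repo-a.com", "https://repo-b.com"}
+expected := {
+{
+"name": "multi-repo-lib",
+"purl": "pkg:maven/org.example/multi@1.0",
+"repository_url": "https://repo-a.com",
+},
+{
+"name": "multi-repo-lib",
+"purl": "pkg:maven/org.example/multi@1.0",
+"repository_url": "https://repo-b.com",
+},
+}
+
+result := sbom.packages with sbom.cyclonedx_sboms as [_cyclonedx_sbom(mock_components)]
+
+lib.assert_equal(expected, result)
 _cyclonedx_sbom(components) := {"components": components}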
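Review bot: The test file keeps `import future.keywords.if` and `import future.keywords.in` (new lines 5–6) while the same commit moves maven.rego to `import rego.v1`, so the two files now sit on different keyword regimes; replacing the two `future.keywords` lines with `import rego.v1` keeps them aligned and avoids a second migration later. Separately, `test_cyclonedx_empty_repo_url` now pins the `""` sentinel for CycloneDX, but as far as the visible hunks show there is no SPDX counterpart, even though `_spdx_maven_packages` goes through the same `_empty_to_default` path; unless one of the unchanged gaps already covers it, a `test_spdx_empty_repo_url` with an `externalRefs: []` package and `"repository_url": ""` in `expected` would lock that behaviour down for both formats. A test with a Maven component whose only externalRefs are of an unmatched type (e.g. `"website"`) would also confirm the filter, not just an empty list, yields the default.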
