@@ -152,3 +152,65 @@ test_spdx_multiple_refs_behavior if {
152152 urls := {p.repository_url | some p in pkg_list}
153153 urls == {" https://primary.repo.com" , " https://mirror.repo.com" }
154154}
155+
156+ test_repo_url_errors_collision_from_mixed_sources if {
157+ mock_cdx := {" components" : [{
158+ " name" : " shared-lib" ,
159+ " purl" : " pkg:maven/org.example/shared@1.0" ,
160+ " externalRefs" : [{" type" : " distribution" , " url" : " https://untrusted-cdx.com" }],
161+ }]}
162+
163+ mock_spdx := {" packages" : [{
164+ " name" : " shared-lib" ,
165+ " purl" : " pkg:maven/org.example/shared@1.0" ,
166+ " externalRefs" : [{" referenceType" : " repository" , " referenceLocator" : " https://untrusted-spdx.com" }],
167+ }]}
168+
169+ expected := {
170+ {
171+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
172+ " effective_on" : " 2026-05-10T00:00:00Z" ,
173+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-cdx.com\" ) is not in the permitted list" ,
174+ " term" : " pkg:maven/org.example/shared@1.0" ,
175+ },
176+ {
177+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
178+ " effective_on" : " 2026-05-10T00:00:00Z" ,
179+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-spdx.com\" ) is not in the permitted list" ,
180+ " term" : " pkg:maven/org.example/shared@1.0" ,
181+ },
182+ }
183+
184+ result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
185+ with sbom.spdx_sboms as [mock_spdx]
186+ with data .rule_data as mock_data
187+
188+ lib.assert_equal (expected, result)
189+ }
190+
191+ test_repo_url_errors_mixed_permitted_and_unpermitted if {
192+ mock_cdx := {" components" : [{
193+ " name" : " shared-lib" ,
194+ " purl" : " pkg:maven/org.example/shared@1.0" ,
195+ " externalRefs" : [{" type" : " distribution" , " url" : " https://repo.maven.apache.org/maven2/" }],
196+ }]}
197+
198+ mock_spdx := {" packages" : [{
199+ " name" : " shared-lib" ,
200+ " purl" : " pkg:maven/org.example/shared@1.0" ,
201+ " externalRefs" : [{" referenceType" : " repository" , " referenceLocator" : " https://untrusted-spdx.com" }],
202+ }]}
203+
204+ expected := {{
205+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
206+ " effective_on" : " 2026-05-10T00:00:00Z" ,
207+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-spdx.com\" ) is not in the permitted list" ,
208+ " term" : " pkg:maven/org.example/shared@1.0" ,
209+ }}
210+
211+ result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
212+ with sbom.spdx_sboms as [mock_spdx]
213+ with data .rule_data as mock_data
214+
215+ lib.assert_equal (expected, result)
216+ }
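Review bot: Only one direction of the mixed-permitted collision is covered: test_repo_url_errors_mixed_permitted_and_unpermitted (line 191) places the permitted URL in the CycloneDX component and the unpermitted one in the SPDX package, so a regression in which one source's result masks the other's denial would only be caught in that orientation. A mirror test is the same body with the two locators swapped, `"externalRefs": [{"type": "distribution", "url": "https://untrusted-cdx.com"}]` in `mock_cdx`, `"externalRefs": [{"referenceType": "repository", "referenceLocator": "https://repo.maven.apache.org/maven2/"}]` in `mock_spdx`, and the single expected entry carrying `(source: \"https://untrusted-cdx.com\")`, which pins that the collision handling is symmetric. Both new tests also hand-build identical component and package fixtures that differ only in the URL, so a pair of small helpers taking the URL would keep the fixtures in step as more cases are added. The CycloneDX fixture keys its references as `externalRefs`/`url` rather than the spec's `externalReferences`; if that matches what the policy reads it is fine, but it is worth confirming against a real SBOM. `mock_data` and the `2026-05-10` effective_on date come from outside the hunk, so the permitted list these assertions depend on is not visible here.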