@@ -17,7 +17,7 @@ test_cyclonedx_permitted if {
1717 " externalRefs" : [{" type" : " distribution" , " url" : " https://repo.maven.apache.org/maven2/" }],
1818 }]}
1919
20- lib.assert_empty (maven_repos.deny) with data .rule_data as mock_data
20+ lib.assertions. assert_empty (maven_repos.deny) with data .rule_data as mock_data
2121 with sbom.cyclonedx_sboms as [cdx_input]
2222}
2323
@@ -31,7 +31,7 @@ test_spdx_permitted if {
3131 }],
3232 }]}
3333
34- lib.assert_empty (maven_repos.deny) with data .rule_data as mock_data
34+ lib.assertions. assert_empty (maven_repos.deny) with data .rule_data as mock_data
3535 with sbom.spdx_sboms as [spdx_input]
3636}
3737
@@ -42,7 +42,7 @@ test_default_maven_central_pass if {
4242 " externalRefs" : [],
4343 }]}
4444
45- lib.assert_empty (maven_repos.deny) with data .rule_data as mock_data
45+ lib.assertions. assert_empty (maven_repos.deny) with data .rule_data as mock_data
4646 with sbom.cyclonedx_sboms as [cdx_input]
4747}
4848
@@ -67,7 +67,7 @@ test_default_cdx_fail if {
6767 " term" : " pkg:maven/org.base/no-url@1.0" ,
6868 }}
6969
70- lib.assert_equal (maven_repos.deny, expected) with data .rule_data as restricted_data
70+ lib.assertions. assert_equal (maven_repos.deny, expected) with data .rule_data as restricted_data
7171 with sbom.cyclonedx_sboms as [mock_cdx]
7272}
7373
@@ -90,7 +90,7 @@ test_missing_rule_data if {
9090 " effective_on" : " 2022-01-01T00:00:00Z" ,
9191 " msg" : " Policy data is missing the required \" allowed_maven_repositories\" list" ,
9292 }}
93- lib.assert_equal (maven_repos.deny, expected) with data .rule_data as {}
93+ lib.assertions. assert_equal (maven_repos.deny, expected) with data .rule_data as {}
9494}
9595
9696test_get_effective_url_provided if {
@@ -152,3 +152,65 @@ test_spdx_multiple_refs_behavior if {
152152 urls := {p.repository_url | some p in pkg_list}
153153 urls == {" https://primary.repo.com" , " https://mirror.repo.com" }
154154}
155+
156+ test_repo_url_errors_collision_from_mixed_sources if {
157+ mock_cdx := {" components" : [{
158+ " name" : " shared-lib" ,
159+ " purl" : " pkg:maven/org.example/shared@1.0" ,
160+ " externalRefs" : [{" type" : " distribution" , " url" : " https://untrusted-cdx.com" }],
161+ }]}
162+
163+ mock_spdx := {" packages" : [{
164+ " name" : " shared-lib" ,
165+ " purl" : " pkg:maven/org.example/shared@1.0" ,
166+ " externalRefs" : [{" referenceType" : " repository" , " referenceLocator" : " https://untrusted-spdx.com" }],
167+ }]}
168+
169+ expected := {
170+ {
171+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
172+ " effective_on" : " 2026-05-10T00:00:00Z" ,
173+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-cdx.com\" ) is not in the permitted list" ,
174+ " term" : " pkg:maven/org.example/shared@1.0" ,
175+ },
176+ {
177+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
178+ " effective_on" : " 2026-05-10T00:00:00Z" ,
179+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-spdx.com\" ) is not in the permitted list" ,
180+ " term" : " pkg:maven/org.example/shared@1.0" ,
181+ },
182+ }
183+
184+ result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
185+ with sbom.spdx_sboms as [mock_spdx]
186+ with data .rule_data as mock_data
187+
188+ lib.assertions.assert_equal (expected, result)
189+ }
190+
191+ test_repo_url_errors_mixed_permitted_and_unpermitted if {
192+ mock_cdx := {" components" : [{
193+ " name" : " shared-lib" ,
194+ " purl" : " pkg:maven/org.example/shared@1.0" ,
195+ " externalRefs" : [{" type" : " distribution" , " url" : " https://repo.maven.apache.org/maven2/" }],
196+ }]}
197+
198+ mock_spdx := {" packages" : [{
199+ " name" : " shared-lib" ,
200+ " purl" : " pkg:maven/org.example/shared@1.0" ,
201+ " externalRefs" : [{" referenceType" : " repository" , " referenceLocator" : " https://untrusted-spdx.com" }],
202+ }]}
203+
204+ expected := {{
205+ " code" : " release.maven_repos.deny_unpermitted_urls" ,
206+ " effective_on" : " 2026-05-10T00:00:00Z" ,
207+ " msg" : " Package \" pkg:maven/org.example/shared@1.0\" (source: \" https://untrusted-spdx.com\" ) is not in the permitted list" ,
208+ " term" : " pkg:maven/org.example/shared@1.0" ,
209+ }}
210+
211+ result := maven_repos.deny with sbom.cyclonedx_sboms as [mock_cdx]
212+ with sbom.spdx_sboms as [mock_spdx]
213+ with data .rule_data as mock_data
214+
215+ lib.assertions.assert_equal (expected, result)
216+ }
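Review bot: The two new tests pass the arguments to assert_equal in the opposite order from the rest of the file — `lib.assertions.assert_equal(expected, result)` at new lines 188 and 215, while every existing call (new lines 70 and 93 in this diff) passes the actual value first and the expected set second; if the helper's failure output labels its arguments, a swapped order would report the values backwards, so align them as `lib.assertions.assert_equal(result, expected)`. The second test only covers the case where the CycloneDX reference is permitted and the SPDX one is not; since the rule iterates both SBOM types, a mirror-image case (SPDX permitted, CycloneDX unpermitted) would show that a permitted URL from either source cannot mask an unpermitted one from the other. A short comment above each test stating what it guards, e.g. `# Same purl from both SBOM types with different sources: each unpermitted source must produce its own deny`, would make the intent clearer than the test names alone. The `mock_data` fixture used by both tests is defined outside this hunk.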