Added go-tests, and fixed BL config parsing

Author: magerstam

internal/image/imageinspect/bootloader_config.go

@@ -58,15 +58,6 @@ func parseGrubConfigContent(content string) BootloaderConfig {
 		cfg.ConfigRaw["grub.cfg"] = content
 	}
 
-	// Extract UUID-like tokens from config content
-	uuids := extractUUIDsFromString(content)
-	for _, uuid := range uuids {
-		cfg.UUIDReferences = append(cfg.UUIDReferences, UUIDReference{
-			UUID:    uuid,
-			Context: "grub_config",
-		})
-	}
-
 	// Extract critical metadata from the config
 	lines := strings.Split(content, "\n")
 	var configfilePath string
@@ -299,9 +290,12 @@ func parseGrubMenuEntry(menuLine string) *BootEntry {
 		}
 	}
 
-	// Fallback: extract whatever is between menuentry and {
-	if idx := strings.Index(menuLine, "{"); idx > 0 {
-		entry.Name = strings.TrimSpace(menuLine[9:idx])
+	// Fallback: extract whatever is between "menuentry" and "{", if safely available.
+	prefix := "menuentry"
+	if strings.HasPrefix(menuLine, prefix) {
+		if idx := strings.Index(menuLine, "{"); idx > len(prefix) {
+			entry.Name = strings.TrimSpace(menuLine[len(prefix):idx])
+		}
 	}
 
 	return entry

internal/image/imageinspect/bootloader_config_test.go

@@ -151,6 +151,20 @@ func TestCompareBootloaderConfigs(t *testing.T) {
 		t.Errorf("Expected 2 boot entry changes (1 modified, 1 added), got %d", len(diff.BootEntryChanges))
 	}
 
+	modifiedFound := false
+	for _, change := range diff.BootEntryChanges {
+		if change.Status != "modified" || change.Name != "Linux (old)" {
+			continue
+		}
+		modifiedFound = true
+		if change.InitrdFrom != "/initrd-5.14" || change.InitrdTo != "/initrd-5.15" {
+			t.Errorf("Expected initrd change /initrd-5.14 -> /initrd-5.15, got %q -> %q", change.InitrdFrom, change.InitrdTo)
+		}
+	}
+	if !modifiedFound {
+		t.Errorf("Expected modified boot entry change for Linux (old)")
+	}
+
 	// Should detect kernel reference changes
 	// Old vmlinuz-5.14 removed, vmlinuz-5.15 modified, vmlinuz-5.16 added = 3 changes
 	if len(diff.KernelRefChanges) != 3 {

internal/image/imageinspect/bootloader_efi.go

@@ -270,27 +270,3 @@ func parseOSRelease(raw string) (map[string]string, []KeyValue) {
 
 	return m, sorted
 }
-
-// BootloaderConfigPaths returns the filesystem paths to check for bootloader config files
-// based on the bootloader kind.
-func BootloaderConfigPaths(kind BootloaderKind) []string {
-	switch kind {
-	case BootloaderGrub:
-		return []string{
-			"/EFI/grub/grub.cfg",
-			"/efi/grub/grub.cfg",
-			"/boot/grub/grub.cfg",
-			"/boot/grub2/grub.cfg",
-			"/grub/grub.cfg",
-		}
-	case BootloaderSystemdBoot:
-		return []string{
-			"/loader/loader.conf",
-			"/loader/entries/",
-			"/EFI/systemd/loader.conf",
-			"/efi/systemd/loader.conf",
-		}
-	default:
-		return nil
-	}
-}

internal/image/imageinspect/compare.go

@@ -226,6 +226,8 @@ type BootEntryChange struct {
 	Status      string `json:"status" yaml:"status"` // "added", "removed", "modified"
 	KernelFrom  string `json:"kernelFrom,omitempty" yaml:"kernelFrom,omitempty"`
 	KernelTo    string `json:"kernelTo,omitempty" yaml:"kernelTo,omitempty"`
+	InitrdFrom  string `json:"initrdFrom,omitempty" yaml:"initrdFrom,omitempty"`
+	InitrdTo    string `json:"initrdTo,omitempty" yaml:"initrdTo,omitempty"`
 	CmdlineFrom string `json:"cmdlineFrom,omitempty" yaml:"cmdlineFrom,omitempty"`
 	CmdlineTo   string `json:"cmdlineTo,omitempty" yaml:"cmdlineTo,omitempty"`
 }
@@ -1088,6 +1090,8 @@ func tallyBootloaderConfigDiff(t *diffTally, diff *BootloaderConfigDiff, efiKey
 			// vs just the display name changed
 			if be.KernelFrom != be.KernelTo {
 				t.addMeaningful(1, "BootConfig["+efiKey+"] boot entry kernel changed: "+be.Name)
+			} else if be.InitrdFrom != be.InitrdTo {
+				t.addMeaningful(1, "BootConfig["+efiKey+"] boot entry initrd changed: "+be.Name)
 			} else if normalizeKernelCmdline(be.CmdlineFrom) != normalizeKernelCmdline(be.CmdlineTo) {
 				t.addMeaningful(1, "BootConfig["+efiKey+"] boot entry cmdline changed: "+be.Name)
 			} else {

internal/image/imageinspect/compare_efi.go

@@ -364,23 +364,27 @@ func compareBootEntries(a, b []BootEntry) []BootEntryChange {
 				Name:        name,
 				Status:      "removed",
 				KernelFrom:  entryA.Kernel,
+				InitrdFrom:  entryA.Initrd,
 				CmdlineFrom: entryA.Cmdline,
 			})
 		case entryA == nil && entryB != nil:
 			changes = append(changes, BootEntryChange{
 				Name:      name,
 				Status:    "added",
 				KernelTo:  entryB.Kernel,
+				InitrdTo:  entryB.Initrd,
 				CmdlineTo: entryB.Cmdline,
 			})
 		case entryA != nil && entryB != nil:
 			// Check for changes within the entry
-			if entryA.Kernel != entryB.Kernel || entryA.Cmdline != entryB.Cmdline {
+			if entryA.Kernel != entryB.Kernel || entryA.Initrd != entryB.Initrd || entryA.Cmdline != entryB.Cmdline {
 				changes = append(changes, BootEntryChange{
 					Name:        name,
 					Status:      "modified",
 					KernelFrom:  entryA.Kernel,
 					KernelTo:    entryB.Kernel,
+					InitrdFrom:  entryA.Initrd,
+					InitrdTo:    entryB.Initrd,
 					CmdlineFrom: entryA.Cmdline,
 					CmdlineTo:   entryB.Cmdline,
 				})
@@ -471,6 +475,16 @@ func compareUUIDReferences(a, b []UUIDReference) []UUIDRefChange {
 					MismatchTo:   refB.Mismatch,
 				})
 			}
+			if refA.Context != refB.Context {
+				if refA.Mismatch == refB.Mismatch {
+					changes = append(changes, UUIDRefChange{
+						UUID:        uuid,
+						Status:      "modified",
+						ContextFrom: refA.Context,
+						ContextTo:   refB.Context,
+					})
+				}
+			}
 		}
 	}
 

internal/image/imageinspect/compare_test.go

@@ -1,6 +1,7 @@
 package imageinspect
 
 import (
+	"strings"
 	"testing"
 )
 
@@ -975,3 +976,201 @@ func TestCompareImages_EFISigningStatusChanges(t *testing.T) {
 		t.Fatalf("expected signed false->true, got %v->%v", res.Diff.EFIBinaries.Modified[0].From.Signed, res.Diff.EFIBinaries.Modified[0].To.Signed)
 	}
 }
+func TestCompareUUIDReferences_Branches(t *testing.T) {
+	from := []UUIDReference{
+		{UUID: "00000000-0000-0000-0000-000000000001", Context: "kernel_cmdline", Mismatch: false}, // removed
+		{UUID: "00000000-0000-0000-0000-000000000002", Context: "kernel_cmdline", Mismatch: false}, // mismatch changed
+		{UUID: "00000000-0000-0000-0000-000000000003", Context: "grub_search", Mismatch: false},    // context changed only
+		{UUID: "00000000-0000-0000-0000-000000000004", Context: "root_device", Mismatch: true},     // unchanged
+	}
+	to := []UUIDReference{
+		{UUID: "00000000-0000-0000-0000-000000000002", Context: "root_device", Mismatch: true},
+		{UUID: "00000000-0000-0000-0000-000000000003", Context: "kernel_cmdline", Mismatch: false},
+		{UUID: "00000000-0000-0000-0000-000000000004", Context: "root_device", Mismatch: true},
+		{UUID: "00000000-0000-0000-0000-000000000005", Context: "kernel_cmdline", Mismatch: false}, // added
+	}
+
+	changes := compareUUIDReferences(from, to)
+	if len(changes) != 4 {
+		t.Fatalf("expected 4 UUID reference changes, got %d: %+v", len(changes), changes)
+	}
+
+	byUUID := map[string]UUIDRefChange{}
+	for _, ch := range changes {
+		byUUID[ch.UUID] = ch
+	}
+
+	removed, ok := byUUID["00000000-0000-0000-0000-000000000001"]
+	if !ok || removed.Status != "removed" || removed.ContextFrom != "kernel_cmdline" || removed.MismatchFrom {
+		t.Fatalf("unexpected removed UUID change: %+v", removed)
+	}
+
+	added, ok := byUUID["00000000-0000-0000-0000-000000000005"]
+	if !ok || added.Status != "added" || added.ContextTo != "kernel_cmdline" || added.MismatchTo {
+		t.Fatalf("unexpected added UUID change: %+v", added)
+	}
+
+	mismatchChanged, ok := byUUID["00000000-0000-0000-0000-000000000002"]
+	if !ok || mismatchChanged.Status != "modified" || mismatchChanged.MismatchFrom != false || mismatchChanged.MismatchTo != true {
+		t.Fatalf("unexpected mismatch-changed UUID entry: %+v", mismatchChanged)
+	}
+
+	contextChanged, ok := byUUID["00000000-0000-0000-0000-000000000003"]
+	if !ok || contextChanged.Status != "modified" || contextChanged.ContextFrom != "grub_search" || contextChanged.ContextTo != "kernel_cmdline" {
+		t.Fatalf("unexpected context-changed UUID entry: %+v", contextChanged)
+	}
+}
+
+func TestUkiOnlyVolatile_Branches(t *testing.T) {
+	tests := []struct {
+		name string
+		mod  ModifiedEFIBinaryEvidence
+		want bool
+	}{
+		{
+			name: "kernel hash changed is meaningful",
+			mod: ModifiedEFIBinaryEvidence{
+				UKI: &UKIDiff{KernelSHA256: &ValueDiff[string]{From: "k1", To: "k2"}, Changed: true},
+			},
+			want: false,
+		},
+		{
+			name: "uname hash changed is meaningful",
+			mod: ModifiedEFIBinaryEvidence{
+				UKI: &UKIDiff{UnameSHA256: &ValueDiff[string]{From: "u1", To: "u2"}, Changed: true},
+			},
+			want: false,
+		},
+		{
+			name: "cmdline changed only by UUID is volatile",
+			mod: ModifiedEFIBinaryEvidence{
+				From: EFIBinaryEvidence{Cmdline: "root=UUID=11111111-1111-1111-1111-111111111111 ro quiet"},
+				To:   EFIBinaryEvidence{Cmdline: "root=UUID=22222222-2222-2222-2222-222222222222 ro quiet"},
+				UKI:  &UKIDiff{CmdlineSHA256: &ValueDiff[string]{From: "c1", To: "c2"}, Changed: true},
+			},
+			want: true,
+		},
+		{
+			name: "cmdline semantic change is meaningful",
+			mod: ModifiedEFIBinaryEvidence{
+				From: EFIBinaryEvidence{Cmdline: "root=UUID=11111111-1111-1111-1111-111111111111 ro quiet"},
+				To:   EFIBinaryEvidence{Cmdline: "root=UUID=22222222-2222-2222-2222-222222222222 rw quiet"},
+				UKI:  &UKIDiff{CmdlineSHA256: &ValueDiff[string]{From: "c1", To: "c2"}, Changed: true},
+			},
+			want: false,
+		},
+		{
+			name: "no uki details defaults volatile",
+			mod:  ModifiedEFIBinaryEvidence{},
+			want: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := ukiOnlyVolatile(tc.mod)
+			if got != tc.want {
+				t.Fatalf("expected %v, got %v", tc.want, got)
+			}
+		})
+	}
+}
+func TestCompareVerity_NilCasesAndFieldChanges(t *testing.T) {
+	if got := compareVerity(nil, nil); got != nil {
+		t.Fatalf("expected nil diff when both verity values are nil")
+	}
+
+	added := compareVerity(nil, &VerityInfo{Enabled: true, Method: "systemd-verity", RootDevice: "/dev/vda2", HashPartition: 3})
+	if added == nil || !added.Changed || added.Added == nil {
+		t.Fatalf("expected added verity diff")
+	}
+
+	removed := compareVerity(&VerityInfo{Enabled: true, Method: "systemd-verity"}, nil)
+	if removed == nil || !removed.Changed || removed.Removed == nil {
+		t.Fatalf("expected removed verity diff")
+	}
+
+	from := &VerityInfo{
+		Enabled:       true,
+		Method:        "systemd-verity",
+		RootDevice:    "/dev/vda2",
+		HashPartition: 3,
+	}
+	to := &VerityInfo{
+		Enabled:       false,
+		Method:        "custom-initramfs",
+		RootDevice:    "/dev/vda3",
+		HashPartition: 4,
+	}
+
+	changed := compareVerity(from, to)
+	if changed == nil || !changed.Changed {
+		t.Fatalf("expected changed verity diff")
+	}
+	if changed.Enabled == nil || changed.Enabled.From != true || changed.Enabled.To != false {
+		t.Fatalf("expected enabled diff to be set")
+	}
+	if changed.Method == nil || changed.Method.From != "systemd-verity" || changed.Method.To != "custom-initramfs" {
+		t.Fatalf("expected method diff to be set")
+	}
+	if changed.RootDevice == nil || changed.RootDevice.From != "/dev/vda2" || changed.RootDevice.To != "/dev/vda3" {
+		t.Fatalf("expected root device diff to be set")
+	}
+	if changed.HashPartition == nil || changed.HashPartition.From != 3 || changed.HashPartition.To != 4 {
+		t.Fatalf("expected hash partition diff to be set")
+	}
+}
+
+func TestTallyBootloaderConfigDiff_ClassificationCoverage(t *testing.T) {
+	tally := &diffTally{}
+	d := &BootloaderConfigDiff{
+		ConfigFileChanges: []ConfigFileChange{
+			{Path: "/boot/grub/grub.cfg", Status: "added"},
+			{Path: "/loader/entries/old.conf", Status: "removed"},
+			{Path: "/loader/entries/default.conf", Status: "modified"},
+		},
+		BootEntryChanges: []BootEntryChange{
+			{Name: "entry-added", Status: "added"},
+			{Name: "entry-removed", Status: "removed"},
+			{Name: "entry-kernel", Status: "modified", KernelFrom: "/vmlinuz-a", KernelTo: "/vmlinuz-b"},
+			{Name: "entry-initrd", Status: "modified", KernelFrom: "/vmlinuz", KernelTo: "/vmlinuz", InitrdFrom: "/initrd-a", InitrdTo: "/initrd-b"},
+			{Name: "entry-cmdline", Status: "modified", KernelFrom: "/vmlinuz", KernelTo: "/vmlinuz", InitrdFrom: "/initrd", InitrdTo: "/initrd", CmdlineFrom: "root=UUID=11111111-1111-1111-1111-111111111111 ro", CmdlineTo: "root=UUID=22222222-2222-2222-2222-222222222222 rw"},
+			{Name: "entry-meta", Status: "modified", KernelFrom: "/vmlinuz", KernelTo: "/vmlinuz", InitrdFrom: "/initrd", InitrdTo: "/initrd", CmdlineFrom: " root=UUID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa  ro ", CmdlineTo: "root=UUID=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb ro"},
+		},
+		KernelRefChanges: []KernelRefChange{
+			{Path: "EFI/Linux/new.efi", Status: "added"},
+			{Path: "EFI/Linux/old.efi", Status: "removed"},
+			{Path: "EFI/Linux/uuid.efi", Status: "modified", UUIDFrom: "u1", UUIDTo: "u2"},
+			{Path: "EFI/Linux/meta.efi", Status: "modified", UUIDFrom: "same", UUIDTo: "same"},
+		},
+		UUIDReferenceChanges: []UUIDRefChange{
+			{UUID: "a", Status: "added", MismatchTo: true},
+			{UUID: "b", Status: "added", MismatchTo: false},
+			{UUID: "c", Status: "removed", MismatchFrom: true},
+			{UUID: "d", Status: "removed", MismatchFrom: false},
+			{UUID: "e", Status: "modified", MismatchFrom: false, MismatchTo: true},
+			{UUID: "f", Status: "modified", MismatchFrom: false, MismatchTo: false},
+		},
+		NotesAdded:   []string{"note-a", "note-b"},
+		NotesRemoved: []string{"note-c"},
+	}
+
+	tallyBootloaderConfigDiff(tally, d, "EFI/BOOT/BOOTX64.EFI")
+
+	if tally.meaningful != 14 {
+		t.Fatalf("expected meaningful=14, got %d (reasons=%v)", tally.meaningful, tally.mReasons)
+	}
+	if tally.volatile != 8 {
+		t.Fatalf("expected volatile=8, got %d (reasons=%v)", tally.volatile, tally.vReasons)
+	}
+
+	meaningfulJoined := strings.Join(tally.mReasons, "\n")
+	volatileJoined := strings.Join(tally.vReasons, "\n")
+
+	if !strings.Contains(meaningfulJoined, "boot entry initrd changed: entry-initrd") {
+		t.Fatalf("expected initrd change to be classified meaningful, reasons=%v", tally.mReasons)
+	}
+	if !strings.Contains(volatileJoined, "boot entry metadata changed: entry-meta") {
+		t.Fatalf("expected metadata-only boot entry change to be classified volatile, reasons=%v", tally.vReasons)
+	}
+}

internal/image/imageinspect/renderer_text.go

@@ -741,8 +741,17 @@ func renderBootloaderConfigDetails(w io.Writer, efiPath string, cfg *BootloaderC
 
 	// Config file hashes and content preview
 	if len(cfg.ConfigFiles) > 0 {
+		fmt.Fprintf(w, "EFI Path: %s\n", efiPath)
 		fmt.Fprintln(w, "Config files:")
-		for path, hash := range cfg.ConfigFiles {
+
+		// Collect and sort paths for deterministic output
+		paths := make([]string, 0, len(cfg.ConfigFiles))
+		for path := range cfg.ConfigFiles {
+			paths = append(paths, path)
+		}
+		sort.Strings(paths)
+		for _, path := range paths {
+			hash := cfg.ConfigFiles[path]
 			fmt.Fprintf(w, "  %s: %s\n", path, shortHash(hash))
 
 			// Show raw config content (first 30 lines or up to 2KB)
@@ -880,6 +889,9 @@ func renderBootloaderConfigDiffText(w io.Writer, diff *BootloaderConfigDiff, ind
 				if change.KernelFrom != change.KernelTo {
 					fmt.Fprintf(w, "%s    kernel: %s -> %s\n", indent, change.KernelFrom, change.KernelTo)
 				}
+				if change.InitrdFrom != change.InitrdTo {
+					fmt.Fprintf(w, "%s    initrd: %s -> %s\n", indent, change.InitrdFrom, change.InitrdTo)
+				}
 				if change.CmdlineFrom != change.CmdlineTo {
 					if len(change.CmdlineFrom) > 80 {
 						fmt.Fprintf(w, "%s    cmdline: %s... -> %s...\n", indent, change.CmdlineFrom[:77], change.CmdlineTo[:77])