1#!/usr/bin/env python3
2#
3# Copyright (C) 2023 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9#      http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17import hashlib
18import unittest
19import sbom_data
20
21BUILD_FINGER_PRINT = 'build_finger_print'
22SUPPLIER_GOOGLE = 'Organization: Google'
23SUPPLIER_UPSTREAM = 'Organization: upstream'
24
25SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
26SPDXID_PREBUILT_PACKAGE2 = 'SPDXRef-PREBUILT-package2'
27SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
28SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'
29
30SPDXID_FILE1 = 'SPDXRef-file1'
31SPDXID_FILE2 = 'SPDXRef-file2'
32SPDXID_FILE3 = 'SPDXRef-file3'
33SPDXID_FILE4 = 'SPDXRef-file4'
34
35SPDXID_LICENSE1 = "SPDXRef-License-1"
36SPDXID_LICENSE2 = "SPDXRef-License-2"
37
38
39class SBOMDataTest(unittest.TestCase):
40
41  def setUp(self):
42    # SBOM of a product
43    self.sbom_doc = sbom_data.Document(name='test doc',
44                                       namespace='http://www.google.com/sbom/spdx/android',
45                                       creators=[SUPPLIER_GOOGLE],
46                                       created='2023-03-31T22:17:58Z',
47                                       describes=sbom_data.SPDXID_PRODUCT)
48    self.sbom_doc.add_external_ref(
49        sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
50                                            uri='external_doc_uri',
51                                            checksum='SHA1: 1234567890'))
52    self.sbom_doc.add_package(
53        sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
54                          name=sbom_data.PACKAGE_NAME_PRODUCT,
55                          download_location=sbom_data.VALUE_NONE,
56                          supplier=SUPPLIER_GOOGLE,
57                          version=BUILD_FINGER_PRINT,
58                          files_analyzed=True,
59                          verification_code='',
60                          file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4]))
61
62    self.sbom_doc.add_package(
63        sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
64                          name=sbom_data.PACKAGE_NAME_PLATFORM,
65                          download_location=sbom_data.VALUE_NONE,
66                          supplier=SUPPLIER_GOOGLE,
67                          version=BUILD_FINGER_PRINT,
68                          ))
69
70    self.sbom_doc.add_package(
71        sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
72                          name='Prebuilt package1',
73                          download_location=sbom_data.VALUE_NONE,
74                          supplier=SUPPLIER_GOOGLE,
75                          version=BUILD_FINGER_PRINT,
76                          ))
77
78    self.sbom_doc.add_package(
79        sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
80                          name='Source package1',
81                          download_location=sbom_data.VALUE_NONE,
82                          supplier=SUPPLIER_GOOGLE,
83                          version=BUILD_FINGER_PRINT,
84                          external_refs=[sbom_data.PackageExternalRef(
85                              category=sbom_data.PackageExternalRefCategory.SECURITY,
86                              type=sbom_data.PackageExternalRefType.cpe22Type,
87                              locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
88                          ))
89
90    self.sbom_doc.add_package(
91        sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
92                          name='Upstream package1',
93                          supplier=SUPPLIER_UPSTREAM,
94                          version='1.1',
95                          ))
96
97    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
98                                                          relationship=sbom_data.RelationshipType.VARIANT_OF,
99                                                          id2=SPDXID_UPSTREAM_PACKAGE1))
100
101    self.sbom_doc.files.append(
102        sbom_data.File(id=SPDXID_FILE1, name='/bin/file1',
103                       checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab'))  # sha1 hash of 1
104    self.sbom_doc.files.append(
105        sbom_data.File(id=SPDXID_FILE2, name='/bin/file2',
106                       checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0'))  # sha1 hash of 2
107    self.sbom_doc.files.append(
108        sbom_data.File(id=SPDXID_FILE3, name='/bin/file3',
109                       checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb'))  # sha1 hash of 3
110    self.sbom_doc.files.append(
111        sbom_data.File(id=SPDXID_FILE4, name='file4.a',
112                       checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a'))  # sha1 of 4
113
114    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
115                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
116                                                          id2=sbom_data.SPDXID_PLATFORM))
117    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
118                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
119                                                          id2=SPDXID_PREBUILT_PACKAGE1))
120    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
121                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
122                                                          id2=SPDXID_SOURCE_PACKAGE1
123                                                          ))
124    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
125                                                          relationship=sbom_data.RelationshipType.STATIC_LINK,
126                                                          id2=SPDXID_FILE4
127                                                          ))
128
129  def test_package_verification_code(self):
130    checksums = []
131    for file in self.sbom_doc.files:
132      checksums.append(file.checksum.split(': ')[1])
133      checksums.sort()
134    h = hashlib.sha1()
135    h.update(''.join(checksums).encode(encoding='utf-8'))
136    expected_package_verification_code = h.hexdigest()
137
138    self.sbom_doc.generate_packages_verification_code()
139    self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)
140
141  def test_add_package_(self):
142    self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
143                                                name='Prebuilt package2',
144                                                download_location=sbom_data.VALUE_NONE,
145                                                supplier=SUPPLIER_GOOGLE,
146                                                version=BUILD_FINGER_PRINT,
147                                                ))
148    p = next((p for p in self.sbom_doc.packages if p.id == SPDXID_PREBUILT_PACKAGE2), None)
149    self.assertNotEqual(p, None)
150    self.assertEqual(p.declared_license_ids, [])
151
152    # Add same package with license 1
153    self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
154                                                name='Prebuilt package2',
155                                                download_location=sbom_data.VALUE_NONE,
156                                                supplier=SUPPLIER_GOOGLE,
157                                                version=BUILD_FINGER_PRINT,
158                                                declared_license_ids=[SPDXID_LICENSE1]
159                                                ))
160    self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1])
161
162    # Add same package with license 2
163    self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
164                                                name='Prebuilt package2',
165                                                download_location=sbom_data.VALUE_NONE,
166                                                supplier=SUPPLIER_GOOGLE,
167                                                version=BUILD_FINGER_PRINT,
168                                                declared_license_ids=[SPDXID_LICENSE2]
169                                                ))
170    self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1, SPDXID_LICENSE2])
171
172    # Add same package with license 2 again
173    self.sbom_doc.add_package(sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE2,
174                                                name='Prebuilt package2',
175                                                download_location=sbom_data.VALUE_NONE,
176                                                supplier=SUPPLIER_GOOGLE,
177                                                version=BUILD_FINGER_PRINT,
178                                                declared_license_ids=[SPDXID_LICENSE2]
179                                                ))
180    self.assertEqual(p.declared_license_ids, [SPDXID_LICENSE1, SPDXID_LICENSE2])
181
182
183if __name__ == '__main__':
184  unittest.main(verbosity=2)
185