Add tests for spdx "relationshipType": "PACKAGE_OF"

modules/analysis/src/endpoints/test.rs

@@ -6,7 +6,7 @@ use serde_json::{json, Value};
 use std::collections::HashMap;
 use test_context::test_context;
 use test_log::test;
-use trustify_test_context::{call::CallService, TrustifyContext};
+use trustify_test_context::{call::CallService, subset::ContainsSubset, TrustifyContext};
 
 #[test_context(TrustifyContext)]
 #[test(actix_web::test)]
@@ -654,28 +654,35 @@ async fn spdx_package_of(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
     let uri = format!("/api/v2/analysis/dep/{}", urlencoding::encode(purl));
     let request: Request = TestRequest::get().uri(&uri).to_request();
     let response: Value = app.call_and_read_body_json(request).await;
-    log::debug!("{response:#?}");
+    log::debug!("{}", serde_json::to_string_pretty(&response)?);
 
-    let sbom = &response["items"][0];
-    let matches: Vec<_> = sbom["deps"]
-        .as_array()
-        .into_iter()
-        .flatten()
-        .filter(|m| {
-            m == &&json!({
-                "sbom_id": sbom["sbom_id"],
-                "node_id": "SPDXRef-83c9faa0-ca85-4e48-9165-707b2f9a324b",
+    assert!(response.contains_deep_subset(json!({
+        "items": [ {
+            "deps": [ {
                 "relationship": "PackageOf",
-                "purl": [],
-                "cpe": m["cpe"], // long list assume it's correct
                 "name": "SATELLITE-6.15-RHEL-8",
                 "version": "6.15",
-                "deps": [],
-            })
-        })
-        .collect();
+            }]
+        }]
+    })));
 
-    assert_eq!(1, matches.len());
+    let uri = format!(
+        "/api/v2/analysis/root-component?q={}",
+        urlencoding::encode("SATELLITE-6.15-RHEL-8")
+    );
+    let request: Request = TestRequest::get().uri(&uri).to_request();
+    let response: Value = app.call_and_read_body_json(request).await;
+    log::debug!("{}", serde_json::to_string_pretty(&response)?);
+
+    assert!(response.contains_deep_subset(json!({
+        "items": [ {
+            "ancestors": [ {
+                "relationship": "PackageOf",
+                "name": "rubygem-google-cloud-compute",
+                "version": "0.5.0-1.el8sat"
+            }]
+        }]
+    })));
 
     Ok(())
 }

test-context/src/lib.rs

@@ -4,6 +4,7 @@ pub mod app;
 pub mod auth;
 pub mod call;
 pub mod spdx;
+pub mod subset;
 
 use futures::Stream;
 use peak_alloc::PeakAlloc;

test-context/src/subset.rs

@@ -0,0 +1,90 @@
+use serde_json::Value;
+
+pub trait ContainsSubset {
+    // Returns true if the value is a subset of the receiver.
+    fn contains_subset(&self, value: Value) -> bool;
+    // Returns true if the value a deep subset of the receiver.
+    fn contains_deep_subset(&self, value: Value) -> bool;
+}
+
+impl ContainsSubset for Value {
+    fn contains_subset(&self, value: Value) -> bool {
+        match (self, &value) {
+            (Value::Object(src), Value::Object(subset)) => subset
+                .iter()
+                .all(|(k, v)| src.get(k).is_some_and(|x| x == v)),
+
+            (Value::Array(src), Value::Array(subset)) => {
+                subset.iter().all(|v| src.iter().any(|x| x == v))
+            }
+
+            _ => value == *self,
+        }
+    }
+
+    fn contains_deep_subset(&self, subset: Value) -> bool {
+        match (self, &subset) {
+            (Value::Object(src), Value::Object(tgt)) => tgt.iter().all(|(k, v)| {
+                src.get(k)
+                    .is_some_and(|x| x.contains_deep_subset(v.clone()))
+            }),
+
+            (Value::Array(src), Value::Array(subset)) => subset
+                .iter()
+                .all(|v| src.iter().any(|x| x.contains_deep_subset(v.clone()))),
+
+            _ => subset == *self,
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use crate::subset::ContainsSubset;
+    use serde_json::json;
+
+    #[test]
+    fn test_is_subset() {
+        // actual can have additional fields
+        let actual = json!({
+            "relationship": "PackageOf",
+            "other": "test",
+        });
+        assert!(actual.contains_subset(json!({
+                "relationship": "PackageOf",
+        })));
+
+        // case where an expected field does not match
+        let actual = json!({
+            "relationship": "PackageOf",
+            "other": "test",
+        });
+        assert!(!actual.contains_subset(json!({
+            "relationship": "bad",
+        })));
+
+        // case where an expected field is missing
+        let actual = json!({
+            "relationship": "PackageOf",
+            "other": "test",
+        });
+        assert!(!actual.contains_subset(json!({
+                "name": "SATELLITE-6.15-RHEL-8",
+        })));
+    }
+
+    #[test]
+    fn test_array_subset() {
+        // actual can have additional fields
+        let actual = json!([1, 2, 3]);
+        assert!(actual.contains_subset(json!([2])));
+
+        // other values can be interleaved.
+        let actual = json!([1, 2, 3]);
+        assert!(actual.contains_subset(json!([1, 3])));
+
+        // case where a value is missing
+        let actual = json!([1, 2, 3]);
+        assert!(!actual.contains_subset(json!([0])));
+    }
+}