TC-1814 SPDX SBOM describing multiple packages/artifacts (guacsec#146)

Signed-off-by: mrizzi <[email protected]>

demo/graphql/queries-trustification.gql

@@ -448,3 +448,20 @@ query TC_1757_Package_aarch64 {
     ...allPkgTree
   }
 }
+
+query TC_1814_HasSBOM {
+  HasSBOM (hasSBOMSpec: {uri: "http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301"}) {
+    ...allHasSBOMTree
+  }
+}
+
+query TC_1814_FindVulnerabilityBySbomURI {
+  findVulnerabilityBySbomURI (sbomURI:"http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301") {
+    ... on CertifyVuln {
+      ...allCertifyVulnTree
+    }
+    ... on CertifyVEXStatement {
+      ...allCertifyVEXStatementTree
+    }
+  }
+}

internal/testing/e2e-trustification/e2e

@@ -143,4 +143,15 @@ echo @@@@ Running TC-1802 queries and validating output
 cat "$queries" | gql-cli http://localhost:8080/query -o TC_1802_HasSBOM | jq --sort-keys 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .HasSBOM[] ' > "${GUAC_DIR}/gotTC_1802_HasSBOM.json"
 diff -u "${SCRIPT_DIR}/expectTC_1802_HasSBOM.json" "${GUAC_DIR}/gotTC_1802_HasSBOM.json"
 
+echo @@@@ Ingesting TC-1814-SPDX-Tools-v2.0.json into server
+time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/TC-1814-SPDX-Tools-v2.0.json;
+
+echo @@@@ Running TC-1814 queries and validating output
+
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1814_HasSBOM | jq --sort-keys 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .HasSBOM | sort_by(.subject.digest) ' > "${GUAC_DIR}/gotTC_1814_HasSBOM.json"
+diff -u "${SCRIPT_DIR}/expectTC_1814_HasSBOM.json" "${GUAC_DIR}/gotTC_1814_HasSBOM.json"
+
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1814_FindVulnerabilityBySbomURI | jq ' .findVulnerabilityBySbomURI ' > "${GUAC_DIR}/gotTC_1814_FindVulnerabilityBySbomURI.json"
+diff -u "${SCRIPT_DIR}/expectTC_1814_FindVulnerabilityBySbomURI.json" "${GUAC_DIR}/gotTC_1814_FindVulnerabilityBySbomURI.json"
+
 # Note: graphql_playground is left running, CI will clean it up

internal/testing/e2e-trustification/expectTC_1814_FindVulnerabilityBySbomURI.json

@@ -0,0 +1 @@
+[]

internal/testing/e2e-trustification/expectTC_1814_HasSBOM.json

@@ -0,0 +1,46 @@
+[
+  {
+    "algorithm": "sha256",
+    "collector": "FileCollector",
+    "digest": "113d8e59fc85b85c08ac059eb17cf5e7e1757f5dbb7ea1df89f9c5b2250d31a1",
+    "subject": {
+      "__typename": "Artifact",
+      "algorithm": "sha256",
+      "digest": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
+    },
+    "uri": "http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301"
+  },
+  {
+    "algorithm": "sha256",
+    "collector": "FileCollector",
+    "digest": "113d8e59fc85b85c08ac059eb17cf5e7e1757f5dbb7ea1df89f9c5b2250d31a1",
+    "subject": {
+      "__typename": "Artifact",
+      "algorithm": "md5",
+      "digest": "624c1abb3664f4b35547e7c73864ad24"
+    },
+    "uri": "http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301"
+  },
+  {
+    "algorithm": "sha256",
+    "collector": "FileCollector",
+    "digest": "113d8e59fc85b85c08ac059eb17cf5e7e1757f5dbb7ea1df89f9c5b2250d31a1",
+    "subject": {
+      "__typename": "Artifact",
+      "algorithm": "sha1",
+      "digest": "85ed0817af83a24ad8da68c2b5094de69833983c"
+    },
+    "uri": "http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301"
+  },
+  {
+    "algorithm": "sha256",
+    "collector": "FileCollector",
+    "digest": "113d8e59fc85b85c08ac059eb17cf5e7e1757f5dbb7ea1df89f9c5b2250d31a1",
+    "subject": {
+      "__typename": "Artifact",
+      "algorithm": "sha1",
+      "digest": "d6a770ba38583ed4bb4525bd96e50461655d2758"
+    },
+    "uri": "http://spdx.org/spdxdocs/spdx-example-json-2.2-444504E0-4F89-41D3-9A0C-0305E82C3301"
+  }
+]