From 8102ad4edc60a0b13cc144b05517163bbb338a2a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Apr 2023 10:20:12 -0400
Subject: [PATCH] chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
---
 go.mod | 2 +-
 go.sum | 4 +--
 syft/formats/cyclonedxjson/encoder_test.go | 20 +++++++-----
 .../TestCycloneDxDirectoryEncoder.golden | 11 ++++---
 .../snapshot/TestCycloneDxImageEncoder.golden | 17 +++++-----
 syft/formats/internal/testutils/utils.go | 31 ++++++++-----------
 6 files changed, 43 insertions(+), 42 deletions(-)
diff --git a/go.mod b/go.mod
index 1d0c045e9..8ac8848ae 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,7 @@ require (
 )
 
 require (
- github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce
+ github.com/CycloneDX/cyclonedx-go v0.7.1
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
diff --git a/go.sum b/go.sum
index d7bf28600..b2b227ed5 100644
--- a/go.sum
+++ b/go.sum
@@ -54,8 +54,8 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg6
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce h1:o5r3msApzvtE5LhcMkxWaKernD/PK0HpMccu7ywBj5Q=
-github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce/go.mod h1:XURd0m8zvnLE5aIRqg6JOVRl7qZ/pWBtuFa9EHjQwFc=
+github.com/CycloneDX/cyclonedx-go v0.7.1 h1:5w1SxjGm9MTMNTuRbEPyw21ObdbaagTWF/KfF0qHTRE=
+github.com/CycloneDX/cyclonedx-go v0.7.1/go.mod h1:N/nrdWQI2SIjaACyyDs/u7+ddCkyl/zkNs8xFsHF2Ps=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
diff --git a/syft/formats/cyclonedxjson/encoder_test.go b/syft/formats/cyclonedxjson/encoder_test.go
index 4649ad317..2159fca5e 100644
--- a/syft/formats/cyclonedxjson/encoder_test.go
+++ b/syft/formats/cyclonedxjson/encoder_test.go
@@ -33,14 +33,18 @@ func TestCycloneDxImageEncoder(t *testing.T) {
 }
 
 func cycloneDxRedactor(s []byte) []byte {
- serialPattern := regexp.MustCompile(`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
- rfc3339Pattern := regexp.MustCompile(`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`)
- sha256Pattern := regexp.MustCompile(`sha256:[A-Fa-f0-9]{64}`)
- for _, pattern := range []*regexp.Regexp{serialPattern, rfc3339Pattern, sha256Pattern} {
- s = pattern.ReplaceAll(s, []byte(""))
+ replacements := map[string]string{
+ // UUIDs
+ `urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`: `urn:uuid:redacted`,
+ // timestamps
+ `([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`: `timestamp:redacted`,
+ // image hashes
+ `sha256:[A-Fa-f0-9]{64}`: `sha256:redacted`,
+ // bom-refs
+ `"bom-ref":\s*"[^"]+"`: `"bom-ref": "redacted"`,
+ }
+ for pattern, replacement := range replacements {
+ s = regexp.MustCompile(pattern).ReplaceAll(s, []byte(replacement))
 }
- // the bom-ref will be autogenerated every time, the value here should not be directly tested in snapshot tests
- s = regexp.MustCompile(`\s+"bom-ref":\s*"[^"]+",?\n`).ReplaceAll(s, []byte(""))
-
 return s
 }
diff --git a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 7e7a3cdfe..a40a1ff52 100644
--- a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
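Review bot: The rewritten cycloneDxRedactor ranges over `replacements` as a `map[string]string`, so the four patterns are applied in a different, random order on every call and each call recompiles them with `regexp.MustCompile`. On the current fixtures the outcome happens to be order-independent, but that holds only as long as no replacement text can be matched by another pattern, and nothing enforces it; since `actual` and `expected` are redacted by separate calls, an order-dependent case would appear as an intermittent snapshot failure. I would compile the patterns once at package scope in an ordered slice of pattern/replacement pairs and range over that, keeping the same literals. While there, `[+|\-]` in the timestamp pattern is a character class that also accepts a literal `|` as the offset sign; `[+-]` is what was meant.
```go
// compiled once; ordered so the result cannot depend on map iteration order
var cycloneDxRedactions = []struct {
	re          *regexp.Regexp
	replacement string
}{
	// UUIDs
	{regexp.MustCompile(`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`), `urn:uuid:redacted`},
	// timestamps (RFC 3339; the offset sign is + or -)
	{regexp.MustCompile(`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+-]([01][0-9]|2[0-3]):[0-5][0-9]))`), `timestamp:redacted`},
	// image hashes
	{regexp.MustCompile(`sha256:[A-Fa-f0-9]{64}`), `sha256:redacted`},
	// bom-refs
	{regexp.MustCompile(`"bom-ref":\s*"[^"]+"`), `"bom-ref": "redacted"`},
}

func cycloneDxRedactor(s []byte) []byte {
	for _, r := range cycloneDxRedactions {
		s = r.re.ReplaceAll(s, []byte(r.replacement))
	}
	return s
}
```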
@@ -1,10 +1,11 @@
 {
+ "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.4",
- "serialNumber": "urn:uuid:0b628da1-274e-4c24-821c-f9452f37db54",
+ "serialNumber": "urn:uuid:redacted",
 "version": 1,
 "metadata": {
- "timestamp": "2022-12-22T18:33:51-05:00",
+ "timestamp": "timestamp:redacted",
 "tools": [
 {
 "vendor": "anchore",
@@ -13,14 +14,14 @@
 }
 ],
 "component": {
- "bom-ref": "163686ac6e30c752",
+ "bom-ref": "redacted",
 "type": "file",
 "name": "/some/path"
 }
 },
 "components": [
 {
- "bom-ref": "1b1d0be59ac59d2c",
+ "bom-ref": "redacted",
 "type": "library",
 "name": "package-1",
 "version": "1.0.1",
@@ -57,7 +58,7 @@
 ]
 },
 {
- "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=db4abfe497c180d3",
+ "bom-ref": "redacted",
 "type": "library",
 "name": "package-2",
 "version": "2.0.1",
diff --git a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index de3018170..aa71909a6 100644
--- a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -1,10 +1,11 @@
 {
+ "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.4",
- "serialNumber": "urn:uuid:542fc1a1-81ac-4b76-b9e2-8e6b9d8c840a",
+ "serialNumber": "urn:uuid:redacted",
 "version": 1,
 "metadata": {
- "timestamp": "2022-12-22T18:33:51-05:00",
+ "timestamp": "timestamp:redacted",
 "tools": [
 {
 "vendor": "anchore",
@@ -13,15 +14,15 @@
 }
 ],
 "component": {
- "bom-ref": "ffd645a093c0fe70",
+ "bom-ref": "redacted",
 "type": "container",
 "name": "user-image-input",
- "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
+ "version": "sha256:redacted"
 }
 },
 "components": [
 {
- "bom-ref": "66ba429119b8bec6",
+ "bom-ref": "redacted",
 "type": "library",
 "name": "package-1",
 "version": "1.0.1",
@@ -53,7 +54,7 @@
 },
 {
 "name": "syft:location:0:layerID",
- "value": "sha256:62058900d4ce269c900160b8dd255fe310c3a459dda236d041102fa070f84406"
+ "value": "sha256:redacted"
 },
 {
 "name": "syft:location:0:path",
@@ -62,7 +63,7 @@
 ]
 },
 {
- "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=958443e2d9304af4",
+ "bom-ref": "redacted",
 "type": "library",
 "name": "package-2",
 "version": "2.0.1",
@@ -83,7 +84,7 @@
 },
 {
 "name": "syft:location:0:layerID",
- "value": "sha256:623ad97366f39ae279f1925673cdacb4851ddf2e3266f04e63010ec080a098c1"
+ "value": "sha256:redacted"
 },
 {
 "name": "syft:location:0:path",
diff --git a/syft/formats/internal/testutils/utils.go b/syft/formats/internal/testutils/utils.go
index ef03bf195..168a0ddd4 100644
--- a/syft/formats/internal/testutils/utils.go
+++ b/syft/formats/internal/testutils/utils.go
@@ -47,21 +47,14 @@ func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, s
 err := format.Encode(&buffer, sbom)
 assert.NoError(t, err)
 
- actual := buffer.Bytes()
+ actual := redact(buffer.Bytes(), redactors...)
 
 // replace the expected snapshot contents with the current encoder contents
 if updateSnapshot {
 testutils.UpdateGoldenFileContents(t, actual)
 }
 
- var expected = testutils.GetGoldenFileContents(t)
-
- // remove dynamic values, which should be tested independently
- redactors = append(redactors, carriageRedactor)
- for _, r := range redactors {
- actual = r(actual)
- expected = r(expected)
- }
+ expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
 if json {
 require.JSONEq(t, string(expected), string(actual))
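Review bot: Redacting `actual` before `UpdateGoldenFileContents` (the new `actual := redact(buffer.Bytes(), redactors...)` line) means the golden file now stores already-redacted text, which is then redacted a second time when `expected` is built; the comparison is therefore only sound if every redactor, including `carriageRedactor` defined outside this hunk, is idempotent and emits replacement text that no other pattern matches (e.g. `urn:uuid:redacted` must not match the UUID regex). That invariant is what now keeps `JSONEq` honest, but nothing in the hunk states or checks it. I would record it at the point it is introduced: `// actual is redacted before it is written as the golden file, so every redactor must be idempotent: the golden is redacted again below.` AssertEncoderAgainstGoldenImageSnapshot starts and ends outside the hunk.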
@@ -78,21 +71,14 @@ func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom s
 err := format.Encode(&buffer, sbom)
 assert.NoError(t, err)
 
- actual := buffer.Bytes()
+ actual := redact(buffer.Bytes(), redactors...)
 
 // replace the expected snapshot contents with the current encoder contents
 if updateSnapshot {
 testutils.UpdateGoldenFileContents(t, actual)
 }
 
- var expected = testutils.GetGoldenFileContents(t)
-
- // remove dynamic values, which should be tested independently
- redactors = append(redactors, carriageRedactor)
- for _, r := range redactors {
- actual = r(actual)
- expected = r(expected)
- }
+ expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
 if json {
 require.JSONEq(t, string(expected), string(actual))
@@ -390,3 +376,12 @@ func AddSampleFileRelationships(s *sbom.SBOM) {
 })
 }
 }
+
+// remove dynamic values, which should be tested independently
+func redact(b []byte, redactors ...redactor) []byte {
+ redactors = append(redactors, carriageRedactor)
+ for _, r := range redactors {
+ b = r(b)
+ }
+ return b
+}
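Review bot: In the new `redact` helper, `redactors = append(redactors, carriageRedactor)` appends into the slice the caller spread with `redactors...`; if that slice ever has spare capacity, the append writes `carriageRedactor` into the caller's backing array, and each of the two call sites above invokes `redact` twice with the same slice. It is presumably harmless today, since `carriageRedactor` is only re-applied, but it is the classic slice-aliasing trap and the append is unnecessary: `for _, r := range redactors { b = r(b) }` followed by `return carriageRedactor(b)` gives the same order of application without touching the caller's slice. The comment above the function should also become a doc comment that names it, e.g. `// redact applies each redactor and then carriageRedactor to b so that values which differ between runs do not reach the snapshot comparison.`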