Add tests for spdx "relationshipType": "PACKAGE_OF" #1186
Conversation
Verify the relationship type shows up in `/api/v2/analysis/root-component` API calls. Part of issue trustification#1140 Signed-off-by: Hiram Chirino <[email protected]>
| log::debug!("{response:#?}"); | ||
| log::debug!("{}", serde_json::to_string_pretty(&response)?); |
There was a problem hiding this comment.
I really wish serde's impl of :#? used to_string_pretty. I can remember the former, but never the latter. :)
| ); | ||
| let request: Request = TestRequest::get().uri(&uri).to_request(); | ||
| let response: Value = app.call_and_read_body_json(request).await; | ||
| log::info!("{}", serde_json::to_string_pretty(&response)?); |
There was a problem hiding this comment.
Please use log::debug! inside tests. Our default test output is noisy enough.
There was a problem hiding this comment.
your right.. will fix.
| m == &&json!({ | ||
| "sbom_id": sbom["sbom_id"], | ||
| "node_id": m["node_id"], | ||
| "relationship": "PackageOf", | ||
| "purl": m["purl"], // long list assume it's correct | ||
| "cpe": m["cpe"], // long list assume it's correct | ||
| "name": "rubygem-google-cloud-compute", | ||
| "version": "0.5.0-1.el8sat" | ||
| }) |
There was a problem hiding this comment.
To me, this is a brittle test. I'd want my expectation to be the minimum required to affirm the test. If some future change adds or takes away one of the fields that has nothing to do with this test, it's still gonna break. Is that good or annoying? I'd rather something like this, maybe even omitting name and version, too:
| m == &&json!({ | |
| "sbom_id": sbom["sbom_id"], | |
| "node_id": m["node_id"], | |
| "relationship": "PackageOf", | |
| "purl": m["purl"], // long list assume it's correct | |
| "cpe": m["cpe"], // long list assume it's correct | |
| "name": "rubygem-google-cloud-compute", | |
| "version": "0.5.0-1.el8sat" | |
| }) | |
| m["sbom_id"] == sbom["sbom_id"] | |
| && m["relationship"] == "PackageOf" | |
| && m["name"] == "rubygem-google-cloud-compute" | |
| && m["version"] == "0.5.0-1.el8sat" |
There was a problem hiding this comment.
I kinda was thinking about similar lines. Is there an existing function that can test if an actual Value matches a partial set of fields of another expected Value? The assertion would become more concise and less brittle then.
There was a problem hiding this comment.
Not that I know of. You can always downcast the Value to an AncestorSummary or DepSummary, but I'm not sure m["name"] is all that better or worse than m.name.
Another option is to use Value::pointer, but I haven't personally tried that.
modules/analysis/src/test.rs
Outdated
| // This function checks if the actual JSON object has all the fields of the expected JSON object. | ||
| pub fn has_json_fields(actual: &Value, expected: &Value) -> bool { | ||
| match (actual.as_object(), expected.as_object()) { | ||
| (Some(actual), Some(expected)) => { | ||
| for (key, value_a) in expected { | ||
| if Some(value_a) != actual.get(key.as_str()) { | ||
| return false; | ||
| } | ||
| } | ||
| true | ||
| } | ||
| _ => false, | ||
| } | ||
| } |
There was a problem hiding this comment.
This is a very cool idea! I want it to do more, though, so forgive me for challenging you. 😄
The function expects Value's, but fails if they're not a specific type of Value. Make it work for any kind of Value. If it's an object, then use recursion to compare the key/value pairs. Probably want to rename the function to is_same or subset or contains or some such.
You'll essentially have two branches:
pub fn is_subset(actual: &Value, expected: &Value) -> bool {
if expected.is_object() {
expected.iter().all(|(k, v)| is_subset(&actual[k], v))
} else {
expected == actual
}
}
And no, that won't actually compile due to Value's overly-complicated API, but you can make it work!
And this will be useful all over, so let's stick it somewhere in test-context maybe?
There was a problem hiding this comment.
Even better...
pub trait Contains {
fn contains(&self, subset: Value) -> bool;
}
impl Contains for Value {
fn contains(&self, subset: Value) -> bool {
match (self.as_object(), subset.as_object()) {
(Some(src), Some(tgt)) => tgt
.iter()
.all(|(k, v)| src.get(k).is_some_and(|x| x.contains(v.clone()))),
_ => subset == *self,
}
}
}Accepting a reference to self and taking ownership of subset allows you to clean up your calling code a bit, e.g.
.filter(|m| {
m.contains(json!({
"relationship": "PackageOf",
"name": "rubygem-google-cloud-compute",
"version": "0.5.0-1.el8sat"
}))
})Deciding to take a reference instead of ownership would be determined by whether we think most of our test subsets will be "one-off's". If we often re-use the same one, we might take a reference to avoid having to .clone() the subset each time we pass it. But I tend to think it's more likely we'll call json! every time we call .contains so taking ownership seems reasonable.
Make sense?
There was a problem hiding this comment.
I couldn't help myself...
If you add a branch for Value::Array types...
impl Contains for Value {
fn contains(&self, subset: Value) -> bool {
match (self, &subset) {
(Value::Object(src), Value::Object(tgt)) => tgt
.iter()
.all(|(k, v)| src.get(k).is_some_and(|x| x.contains(v.clone()))),
(Value::Array(src), Value::Array(tgt)) => tgt
.iter()
.all(|v| src.iter().any(|x| x.contains(v.clone()))),
_ => subset == *self,
}
}
}You can assert things like this:
assert!(response.contains(json!({
"items": [
{
"deps": [
{
"relationship": "PackageOf",
"name": "SATELLITE-6.15-RHEL-8",
"version": "6.15",
}
]
}
]
})));There's a tradeoff, though. Sometimes you might want arrays to match on the exact contents, e.g. you might want to assert that "purls": ["pkg:blah"] has exactly one element in it, and removing that Value::Array arm would do that.
There was a problem hiding this comment.
Great ideas.. my next commit will have a version of it.
modules/analysis/src/test.rs
Outdated
| use trustify_test_context::{ | ||
| call::{self, CallService}, | ||
| TrustifyContext, | ||
| }; | ||
|
|
||
| // This function checks if the actual JSON object has all the fields of the expected JSON object. | ||
| pub fn has_json_fields(actual: &Value, expected: &Value) -> bool { |
There was a problem hiding this comment.
@jcrossley3 is there a better file to place this in? Or a better way to implement it?
modules/analysis/src/test.rs
Outdated
| // This function checks if the actual JSON object has all the fields of the expected JSON object. | ||
| pub fn has_json_fields(actual: &Value, expected: &Value) -> bool { | ||
| match (actual.as_object(), expected.as_object()) { | ||
| (Some(actual), Some(expected)) => { | ||
| for (key, value_a) in expected { | ||
| if Some(value_a) != actual.get(key.as_str()) { | ||
| return false; | ||
| } | ||
| } | ||
| true | ||
| } | ||
| _ => false, | ||
| } | ||
| } |
There was a problem hiding this comment.
Great ideas.. my next commit will have a version of it.
test-context/src/lib.rs
Outdated
| fn contains_subset(&self, value: Value) -> bool; | ||
| // Returns true if the value a deep subset of the receiver. | ||
| fn contains_deep_subset(&self, value: Value) -> bool; |
There was a problem hiding this comment.
@jcrossley3 did a shallow and a deep version so that the caller can choose how strict the field matching is.
There was a problem hiding this comment.
Very nice! I might suggest putting the trait, impl and tests in another module, maybe test-context/src/subset.rs? lib.rs is getting kinda crowded, I think.
Added a ContainsSubset trait which allows you to Test if a value has a subset of elements/fields And also deep version which does it recursively. Signed-off-by: Hiram Chirino <[email protected]>
| let response: Value = app.call_and_read_body_json(request).await; | ||
| log::debug!("{}", serde_json::to_string_pretty(&response)?); | ||
|
|
||
| let sbom = &response["items"][0]; |
There was a problem hiding this comment.
I think this line is why the test is failing. There are actually 2 items returned in the list. You could either filter them further to construct your matches or just replace all of it with:
assert!(response.contains_deep_subset(json!({
"items": [
{
"ancestors": [
{
"relationship": "PackageOf",
"name": "rubygem-google-cloud-compute",
"version": "0.5.0-1.el8sat"
}
]
}
]
})));There was a problem hiding this comment.
your right.. lets do it the easy way.
| (Value::Array(src), Value::Array(subset)) => { | ||
| subset.iter().all(|v| src.iter().any(|x| x == v)) | ||
| } |
There was a problem hiding this comment.
I don't think this is necessary, because contains_deep_subset already does this. We want to be able to pass in an array and have it match explicitly, e.g. m.contains_subset(json!({"purl": [ "pkg:rpm/redhat/[email protected]?arch=src" ]}))
There was a problem hiding this comment.
This is so that:
let actual = json!([{"a":1}]);
actual.contains_subset(json!([{"a":1, "b":2}])); // should return falseif we used contains_deep_subset then it would return true.
There was a problem hiding this comment.
I would expect the absence of b to cause that to return false. I'm not sure how that Value::Array branch would even come into play here. What am I missing?
There was a problem hiding this comment.
confirmed:
let actual = json!([{"a":1}]);
assert!(!actual.contains_subset(json!([{"a":1, "b":2}])));
assert!(!actual.contains_deep_subset(json!([{"a":1, "b":2}])));Maybe add that to test_array_subset?
There was a problem hiding this comment.
This works as I'd expect, too:
let actual = json!([{"a":1, "b": 2}]);
assert!(!actual.contains_subset(json!([{"a":1}])));
assert!(actual.contains_deep_subset(json!([{"a":1}])));Maybe contains_partial_subset seems best in light of those?
| // actual can have additional fields | ||
| let actual = json!([1, 2, 3]); | ||
| assert!(actual.contains_subset(json!([2]))); | ||
|
|
||
| // other values can be interleaved. | ||
| let actual = json!([1, 2, 3]); | ||
| assert!(actual.contains_subset(json!([1, 3]))); | ||
|
|
||
| // case where a value is missing | ||
| let actual = json!([1, 2, 3]); | ||
| assert!(!actual.contains_subset(json!([0]))); |
There was a problem hiding this comment.
Maybe "strict" or "fuzzy" or "partial" are better descriptors than "deep". The crucial idea is that we need both a way to test for an explicit match and a way to ask "are all of these in the other one?"
I think this test is more accurate thusly:
| // actual can have additional fields | |
| let actual = json!([1, 2, 3]); | |
| assert!(actual.contains_subset(json!([2]))); | |
| // other values can be interleaved. | |
| let actual = json!([1, 2, 3]); | |
| assert!(actual.contains_subset(json!([1, 3]))); | |
| // case where a value is missing | |
| let actual = json!([1, 2, 3]); | |
| assert!(!actual.contains_subset(json!([0]))); | |
| let actual = json!([1, 2, 3]); | |
| assert!(actual.contains_subset(json!([1, 2, 3]))); | |
| assert!(!actual.contains_subset(json!([2]))); | |
| assert!(actual.contains_deep_subset(json!([2]))); | |
| assert!(actual.contains_deep_subset(json!([1, 3]))); | |
| assert!(!actual.contains_deep_subset(json!([0]))); |
But again, I'm not sure "deep" is the right word. We should always recurse through a recursive structure.
There was a problem hiding this comment.
Yeah. I'd be happy with any of those options.
Signed-off-by: Hiram Chirino <[email protected]>
|
Looking at it again after my walk, I noticed that I do find the But I'll approve the PR and leave it to you. As we integrate the feature into more tests, hopefully The Right Way will reveal itself. |
|
@jcrossley3 thanks for all the help and guidance on this PR. I'll queue to merge as is, but feel free to rename those functions if you have a better option. Naming is hard. Additional options:
|
Amen! I enjoyed the collaboration! |
Verify the relationship type shows up in
/api/v2/analysis/root-componentAPI calls.Part of issue #1140