Add test suite and GitHub Actions CI

sethmlarson · hugovk · web-flow · commit 8650935702f3 · 2024-02-08T15:11:00.000-06:00
Co-authored-by: Hugo van Kemenade &lt;1324225+hugovk@users.noreply.github.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,17 @@
+on: [push, pull_request, workflow_dispatch]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  tests:
+    name: "Tests"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v5.0.0
+        with:
+          python-version: 3.x
+      - run: |
+          python -m pip install -r dev-requirements.txt
+          pytest tests/
diff --git a/dev-requirements.in b/dev-requirements.in
@@ -0,0 +1 @@
+pytest
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -0,0 +1,30 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=dev-requirements.txt dev-requirements.in
+#
+exceptiongroup==1.2.0 \
+    --hash=sha256:4bfd3996ac73b41e9b9628b04e079f193850720ea5945fc96a08633c66912f14 \
+    --hash=sha256:91f5c769735f051a4290d52edd0858999b57e5876e9f85937691bd4c9fa3ed68
+    # via pytest
+iniconfig==2.0.0 \
+    --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \
+    --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374
+    # via pytest
+packaging==23.2 \
+    --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
+    --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
+    # via pytest
+pluggy==1.4.0 \
+    --hash=sha256:7db9f7b503d67d1c5b95f59773ebb58a8c1c288129a88665838012cfb07b8981 \
+    --hash=sha256:8c85c2876142a764e5b7548e7d9a0e0ddb46f5185161049a79b7e974454223be
+    # via pytest
+pytest==8.0.0 \
+    --hash=sha256:249b1b0864530ba251b7438274c4d251c58d868edaaec8762893ad4a0d71c36c \
+    --hash=sha256:50fb9cbe836c3f20f0dfa99c565201fb75dc54c8d76373cd1bde06b06657bdb6
+    # via -r dev-requirements.in
+tomli==2.0.1 \
+    --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \
+    --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f
+    # via pytest
diff --git a/tests/__init__.py b/tests/__init__.py
diff --git a/tests/test_sbom.py b/tests/test_sbom.py
@@ -0,0 +1,44 @@
+import pytest
+import random
+import hashlib
+import sbom
+
+
+@pytest.mark.parametrize(
+    ["package_sha1s", "package_verification_code"],
+    [
+        # No files -> empty SHA1
+        ([], hashlib.sha1().hexdigest()),
+        # One file -> SHA1(SHA1(file))
+        (["F" * 40], hashlib.sha1(b"f" * 40).hexdigest()),
+        # Tests ordering and lowercasing of SHA1s
+        (["0" * 40, "e" * 40, "F" * 40], hashlib.sha1((b"0" * 40) + (b"e" * 40) + (b"f" * 40)).hexdigest())
+    ]
+)
+def test_calculate_package_verification_code(package_sha1s, package_verification_code):
+    # Randomize because PackageVerificationCode is deterministic.
+    random.shuffle(package_sha1s)
+
+    input_sbom = {
+        "files": [
+            {
+                "SPDXID": f"SPDXRef-FILE-{package_sha1}",
+                "checksums": [{"algorithm": "SHA1", "checksumValue": package_sha1}]
+            } for package_sha1 in package_sha1s
+        ],
+        "packages": [{"SPDXID": "SPDXRef-PACKAGE", "filesAnalyzed": True}],
+        "relationships": [
+            {
+                "spdxElementId": "SPDXRef-PACKAGE",
+                "relatedSpdxElement": f"SPDXRef-FILE-{package_sha1}",
+                "relationshipType": "CONTAINS"
+            }
+            for package_sha1 in package_sha1s
+        ]
+    }
+
+    sbom.calculate_package_verification_codes(input_sbom)
+
+    assert input_sbom["packages"][0]["packageVerificationCode"] == {
+        "packageVerificationCodeValue": package_verification_code
+    }
