test-data

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

.isort.cfg

@@ -9,6 +9,7 @@ skip_glob =
     .git/*,.tox/*,.venv/*,venv/*,.venv*/*,venv*/*,
     _OLD/*,_TEST/*,
     docs/*
+    examples/*
 combine_as_imports = true
 default_section = THIRDPARTY
 ensure_newline_before_comments = true

tests/data.py

@@ -130,19 +130,34 @@ def get_bom_with_dependencies_valid() -> Bom:
         ]
     )
 
+
 def get_bom_with_dependencies_hanging() -> Bom:
-    """A bom with a RootCOmponent. but all dependencies are not conected to the root. """
-    c1 = get_component_setuptools_simple()
-    c2 = get_component_toml_with_hashes_with_references()
-    return Bom(
-        metadata=BomMetaData(component=Component(name='rootComponent', type=ComponentType.APPLICATION)),
-        components=[c1, c2], dependencies=[
-            Dependency(ref=c1.bom_ref, dependencies=[
-                Dependency(ref=c2.bom_ref)
+    """
+    A bom with a RootComponent and components,
+    but no dependencies are connected to RootComponent.
+    """
+    c1 = get_component_setuptools_simple('setuptools')
+    c2 = get_component_toml_with_hashes_with_references('toml')
+    bom = Bom(
+        serial_number=UUID(hex='12345678395b41f5a30f1234567890ab'),
+        version=23,
+        metadata=BomMetaData(
+            component=Component(name='rootComponent', type=ComponentType.APPLICATION, bom_ref='root-component'),
+        ),
+        components=[c1, c2],
+        dependencies=[
+            Dependency(c1.bom_ref, [
+                Dependency(c2.bom_ref)
             ]),
-            Dependency(ref=c2.bom_ref)
+            Dependency(c2.bom_ref)
         ]
     )
+    bom.metadata.tools.clear()
+    bom.metadata.timestamp = datetime(
+        year=2023, month=6, day=1,
+        hour=3, minute=3, second=7, microsecond=0,
+        tzinfo=timezone.utc)
+    return bom
 
 
 def get_bom_with_dependencies_invalid() -> Bom:

tests/fixtures/json/1.4/bom_with_dependencies_hanging.json

@@ -0,0 +1,70 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:12345678-395b-41f5-a30f-1234567890ab",
+  "version": 23,
+  "metadata": {
+    "component": {
+      "bom-ref": "root-component",
+      "name": "rootComponent",
+      "type": "application"
+    },
+    "timestamp": "2023-06-01T03:03:07+00:00"
+  },
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "setuptools",
+      "licenses": [
+        {
+          "expression": "MIT License"
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    },
+    {
+      "bom-ref": "toml",
+      "externalReferences": [
+        {
+          "comment": "No comment",
+          "hashes": [
+            {
+              "alg": "SHA-256",
+              "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+            }
+          ],
+          "type": "distribution",
+          "url": "https://cyclonedx.org"
+        }
+      ],
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+        }
+      ],
+      "name": "toml",
+      "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz",
+      "type": "library",
+      "version": "0.10.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "root-component"
+    },
+    {
+      "ref": "setuptools",
+      "dependsOn": [
+        "toml"
+      ]
+    },
+    {
+      "ref": "toml"
+    }
+  ]
+}

tests/fixtures/xml/1.4/bom_with_dependencies_hanging.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
+     serialNumber="urn:uuid:12345678-395b-41f5-a30f-1234567890ab"
+     version="23">
+    <metadata>
+        <timestamp>2023-06-01T03:03:07+00:00</timestamp>
+        <component type="application" bom-ref="root-component">
+            <name>rootComponent</name>
+        </component>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="setuptools">
+            <author>Test Author</author>
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <purl>pkg:pypi/setuptools@50.3.2?extension=tar.gz</purl>
+        </component>
+        <component type="library" bom-ref="toml">
+            <name>toml</name>
+            <version>0.10.2</version>
+            <hashes>
+                <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+            </hashes>
+            <purl>pkg:pypi/toml@0.10.2?extension=tar.gz</purl>
+            <externalReferences>
+                <reference type="distribution">
+                    <url>https://cyclonedx.org</url>
+                    <comment>No comment</comment>
+                    <hashes>
+                        <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                    </hashes>
+                </reference>
+            </externalReferences>
+        </component>
+    </components>
+    <dependencies>
+        <dependency ref="root-component"/>
+        <dependency ref="setuptools">
+            <dependency ref="toml"/>
+        </dependency>
+        <dependency ref="toml"/>
+    </dependencies>
+</bom>
+

tests/test_output_json.py

@@ -42,6 +42,7 @@
     get_bom_with_component_setuptools_with_release_notes,
     get_bom_with_component_setuptools_with_vulnerability,
     get_bom_with_component_toml_1,
+    get_bom_with_dependencies_hanging,
     get_bom_with_dependencies_valid,
     get_bom_with_external_references,
     get_bom_with_metadata_component_and_dependencies,
@@ -384,6 +385,13 @@ def test_bom_v1_2_issue_275_components(self) -> None:
             fixture='bom_issue_275_components.json'
         )
 
+    def test_bom_v1_4_warn_dependencies(self) -> None:
+        with self.assertWarns(UserWarning):
+            self._validate_json_bom(
+                bom=get_bom_with_dependencies_hanging(), schema_version=SchemaVersion.V1_4,
+                fixture='bom_with_dependencies_hanging.json'
+            )
+
     # region Helper methods
 
     def _validate_json_bom(self, bom: Bom, schema_version: SchemaVersion, fixture: str) -> None:

tests/test_output_xml.py

@@ -41,6 +41,7 @@
     get_bom_with_component_setuptools_with_release_notes,
     get_bom_with_component_setuptools_with_vulnerability,
     get_bom_with_component_toml_1,
+    get_bom_with_dependencies_hanging,
     get_bom_with_dependencies_valid,
     get_bom_with_external_references,
     get_bom_with_metadata_component_and_dependencies,
@@ -514,6 +515,14 @@ def test_bom_v1_0_issue_275_components(self) -> None:
             fixture='bom_issue_275_components.xml'
         )
 
+    def test_bom_v1_4_warn_dependencies(self) -> None:
+        with self.assertWarns(UserWarning):
+            self._validate_xml_bom(
+                bom=get_bom_with_dependencies_hanging(), schema_version=SchemaVersion.V1_4,
+                fixture='bom_with_dependencies_hanging.xml'
+            )
+
+
     # region Helper methods
 
     def _validate_xml_bom(self, bom: Bom, schema_version: SchemaVersion, fixture: str) -> None: