sbom-tools 0.1.18

Semantic SBOM diff and analysis tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! Calibration tests for the software complexity index.
//!
//! These tests ARE the spec — weights in `compute_complexity` must be tuned
//! until all assertions pass. Each fixture SBOM has a known structure that
//! should produce reasonable complexity values.

use sbom_tools::parse_sbom;
use sbom_tools::quality::{DependencyMetrics, QualityScorer, ScoringProfile};
use std::path::Path;

/// Helper: compute dependency metrics from a fixture file
fn metrics_for(fixture: &str) -> DependencyMetrics {
    let sbom = parse_sbom(Path::new(fixture)).unwrap_or_else(|e| panic!("{fixture}: {e}"));
    DependencyMetrics::from_sbom(&sbom)
}

/// Helper: get simplicity index, panicking if None
fn simplicity_for(fixture: &str) -> f32 {
    let m = metrics_for(fixture);
    m.software_complexity_index
        .unwrap_or_else(|| panic!("{fixture}: complexity was None (graph_analysis_skipped)"))
}

// ============================================================================
// Minimal / empty SBOMs should be very simple
// ============================================================================

#[test]
fn minimal_cyclonedx_is_simple() {
    let s = simplicity_for("tests/fixtures/cyclonedx/minimal.cdx.json");
    assert!(
        s >= 70.0,
        "Minimal CycloneDX simplicity {s} should be >= 70"
    );
}

#[test]
fn minimal_spdx_is_simple() {
    let s = simplicity_for("tests/fixtures/spdx/minimal.spdx.json");
    assert!(s >= 70.0, "Minimal SPDX simplicity {s} should be >= 70");
}

#[test]
fn with_vulnerabilities_is_simple() {
    let s = simplicity_for("tests/fixtures/cyclonedx/with-vulnerabilities.cdx.json");
    assert!(
        s >= 70.0,
        "With-vulnerabilities simplicity {s} should be >= 70"
    );
}

// ============================================================================
// Demo SBOMs should produce non-degenerate complexity (20-95 range)
// ============================================================================

#[test]
fn demo_sboms_in_range() {
    let fixtures = [
        "tests/fixtures/demo-old.cdx.json",
        "tests/fixtures/demo-new.cdx.json",
        "tests/fixtures/demo-eol-old.cdx.json",
        "tests/fixtures/demo-eol-new.cdx.json",
    ];

    for fixture in &fixtures {
        let s = simplicity_for(fixture);
        assert!(
            (20.0..=95.0).contains(&s),
            "{fixture}: simplicity {s} should be in 20-95 range"
        );
    }
}

// ============================================================================
// Complexity fields are populated when graph analysis runs
// ============================================================================

#[test]
fn complexity_fields_populated() {
    let m = metrics_for("tests/fixtures/demo-new.cdx.json");
    assert!(
        !m.graph_analysis_skipped,
        "Graph analysis should not be skipped for demo fixture"
    );
    assert!(m.software_complexity_index.is_some());
    assert!(m.complexity_level.is_some());
    assert!(m.complexity_factors.is_some());

    let factors = m.complexity_factors.unwrap();
    // All factors should be in [0, 1]
    for (name, val) in [
        ("dependency_volume", factors.dependency_volume),
        ("normalized_depth", factors.normalized_depth),
        ("fanout_concentration", factors.fanout_concentration),
        ("cycle_ratio", factors.cycle_ratio),
        ("fragmentation", factors.fragmentation),
    ] {
        assert!(
            (0.0..=1.0).contains(&val),
            "Factor {name} = {val} should be in [0, 1]"
        );
    }
}

// ============================================================================
// Recommendations generated for complex SBOMs
// ============================================================================

#[test]
fn recommendations_include_complexity_when_applicable() {
    // Score a demo SBOM and check that complexity recommendations exist
    // when the complexity level warrants it
    let sbom = parse_sbom(Path::new("tests/fixtures/demo-new.cdx.json")).unwrap();
    let scorer = QualityScorer::new(ScoringProfile::Standard);
    let report = scorer.score(&sbom);

    // The report should have dependency_metrics with complexity
    assert!(
        report
            .dependency_metrics
            .software_complexity_index
            .is_some()
    );

    // If complexity is High or VeryHigh, there should be a matching recommendation
    if let Some(level) = &report.dependency_metrics.complexity_level {
        use sbom_tools::quality::ComplexityLevel;
        if matches!(level, ComplexityLevel::High | ComplexityLevel::VeryHigh) {
            let has_complexity_rec = report
                .recommendations
                .iter()
                .any(|r| r.message.contains("complex"));
            assert!(
                has_complexity_rec,
                "High/VeryHigh complexity should produce a recommendation"
            );
        }
    }
}

// ============================================================================
// max_out_degree is always populated
// ============================================================================

#[test]
fn max_out_degree_for_graph_with_edges() {
    let m = metrics_for("tests/fixtures/cyclonedx/minimal.cdx.json");
    // Minimal CycloneDX has 1 edge, so max_out_degree should be 1
    assert_eq!(
        m.max_out_degree, 1,
        "max_out_degree should be 1 for minimal fixture with 1 edge"
    );
}