sbom-tools 0.1.22

Semantic SBOM diff and analysis tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

//! End-to-end checks that multi-SBOM commands honor their advertised flags.
//!
//! Covers the contract fixed in `fix(cli): multi-SBOM commands honor
//! graph/filter/rules flags and output formats`:
//! - `--graph-max-depth` actually changes graph-diff output,
//! - `--fail-on-vex-gap` can reach exit code 4 for multi commands,
//! - an unsupported `-o` value fails with a clear, actionable error.

use std::path::{Path, PathBuf};
use std::process::{Command, Output};

const FIXTURES_DIR: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixtures");

fn fixture_path(name: &str) -> PathBuf {
    Path::new(FIXTURES_DIR).join(name)
}

fn base_command() -> Command {
    let mut cmd = Command::new(env!("CARGO_BIN_EXE_sbom-tools"));
    cmd.arg("--no-color");
    cmd.env("RUST_LOG", "error");
    cmd.env("RUST_LOG_STYLE", "never");
    cmd
}

fn stdout(output: &Output) -> String {
    String::from_utf8(output.stdout.clone()).expect("stdout should be utf-8")
}

fn stderr(output: &Output) -> String {
    String::from_utf8(output.stderr.clone()).expect("stderr should be utf-8")
}

/// Parse the JSON object emitted on stdout (skipping any leading log noise).
fn json_stdout(output: &Output) -> serde_json::Value {
    let text = stdout(output);
    let start = text.find('{').expect("stdout should contain a JSON object");
    serde_json::from_str(&text[start..]).expect("stdout payload should be valid json")
}

fn first_comparison_graph_change_count(value: &serde_json::Value) -> usize {
    value["comparisons"][0]["diff"]["graph_changes"]
        .as_array()
        .map_or(0, Vec::len)
}

#[test]
fn diff_multi_graph_max_depth_changes_output() {
    let baseline = fixture_path("showcase/graph-baseline.cdx.json");
    let reorg = fixture_path("showcase/graph-reorg.cdx.json");

    let unlimited = base_command()
        .arg("diff-multi")
        .arg(&baseline)
        .arg(&reorg)
        .args(["-o", "json", "--graph-diff", "--graph-max-depth", "0"])
        .output()
        .expect("diff-multi should run");
    assert!(unlimited.status.success(), "{}", stderr(&unlimited));

    let shallow = base_command()
        .arg("diff-multi")
        .arg(&baseline)
        .arg(&reorg)
        .args(["-o", "json", "--graph-diff", "--graph-max-depth", "1"])
        .output()
        .expect("diff-multi should run");
    assert!(shallow.status.success(), "{}", stderr(&shallow));

    let unlimited_changes = first_comparison_graph_change_count(&json_stdout(&unlimited));
    let shallow_changes = first_comparison_graph_change_count(&json_stdout(&shallow));

    // Limiting the analysis depth must prune deeper graph changes; if the flag
    // were ignored (the old GraphDiffConfig::default() bug) the two counts
    // would be identical.
    assert!(
        shallow_changes < unlimited_changes,
        "--graph-max-depth 1 ({shallow_changes}) should yield fewer graph changes \
         than unlimited ({unlimited_changes})"
    );
}

#[test]
fn diff_multi_fail_on_vex_gap_returns_exit_4() {
    let baseline = fixture_path("showcase/supply-chain-baseline.cdx.json");
    let incident = fixture_path("showcase/supply-chain-incident.cdx.json");

    let output = base_command()
        .arg("diff-multi")
        .arg(&baseline)
        .arg(&incident)
        .args(["-o", "json", "--fail-on-vex-gap"])
        .output()
        .expect("diff-multi should run");

    assert_eq!(
        output.status.code(),
        Some(4),
        "introduced vulns without VEX should yield exit 4; stderr: {}",
        stderr(&output)
    );
    assert!(
        stderr(&output).contains("VEX gap"),
        "stderr should explain the VEX gap: {}",
        stderr(&output)
    );
}

#[test]
fn diff_multi_rejects_unsupported_output_format() {
    let baseline = fixture_path("showcase/graph-baseline.cdx.json");
    let reorg = fixture_path("showcase/graph-reorg.cdx.json");

    let output = base_command()
        .arg("diff-multi")
        .arg(&baseline)
        .arg(&reorg)
        .args(["-o", "table"])
        .output()
        .expect("diff-multi should run");

    assert!(
        !output.status.success(),
        "an unsupported -o value should fail rather than emit JSON"
    );
    let err = stderr(&output);
    assert!(
        err.contains("not supported for multi-SBOM commands"),
        "error should name the limitation: {err}"
    );
    assert!(
        err.contains("tui, json"),
        "error should list the supported formats: {err}"
    );
}

#[test]
fn matrix_rejects_unsupported_output_format() {
    let a = fixture_path("showcase/fleet-v1.cdx.json");
    let b = fixture_path("showcase/fleet-v2.cdx.json");

    let output = base_command()
        .arg("matrix")
        .arg(&a)
        .arg(&b)
        .args(["-o", "markdown"])
        .output()
        .expect("matrix should run");

    assert!(
        !output.status.success(),
        "an unsupported -o value should fail rather than emit JSON"
    );
    assert!(
        stderr(&output).contains("not supported for multi-SBOM commands"),
        "error should name the limitation: {}",
        stderr(&output)
    );
}