chore: added error output for multiple sbom discovery; added unit tes…

…t for custom named maven sboms

Signed-off-by: Ben Selwyn-Smith <[email protected]>

src/macaron/dependency_analyzer/cyclonedx_mvn.py

@@ -69,6 +69,9 @@ def collect_dependencies(self, dir_path: str) -> dict[str, DependencyInfo]:
             # If the expected bom file does not exist, allow other named .json files instead.
             possible_paths = glob.glob(os.path.join(dir_path, "target", "*.json"))
             if possible_paths:
+                if len(possible_paths) > 1:
+                    logger.error("Too many JSON SBOM files found. Expected: 1, Found: %s", len(possible_paths))
+                    return {}
                 top_path = Path(possible_paths[0])
                 top_path_altered = True
 

tests/dependency_analyzer/cyclonedx/resources/target/custom_bom.json

@@ -0,0 +1,116 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "serialNumber" : "urn:uuid:53576e41-735f-4da4-9249-7f63234ebd94",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2023-10-23T00:57:55Z",
+    "tools" : [
+      {
+        "vendor" : "OWASP Foundation",
+        "name" : "CycloneDX Maven plugin",
+        "version" : "2.6.2",
+        "hashes" : [
+          {
+            "alg" : "MD5",
+            "content" : "ff29fc50797fce0b33058a6b2b283f64"
+          },
+          {
+            "alg" : "SHA-1",
+            "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956"
+          },
+          {
+            "alg" : "SHA-256",
+            "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e"
+          },
+          {
+            "alg" : "SHA-384",
+            "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3"
+          },
+          {
+            "alg" : "SHA-512",
+            "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e"
+          },
+          {
+            "alg" : "SHA3-256",
+            "content" : "f0f7b771749955e7898665c2fff8f4f2cd734d9cbe4d29883292db772f1be00e"
+          },
+          {
+            "alg" : "SHA3-384",
+            "content" : "a87d4c18bac4d48a46c0b8611ab92934e457fcd55bd4d39dbc9c4e5044d2736d3bda991c43d67b0987eddcf4c88510ff"
+          },
+          {
+            "alg" : "SHA3-512",
+            "content" : "90c38f168600787fc90b7e37e743b386b7296bceb10152190de6e30e0f251da3e01698d1b1e11ad84f207532b5a0743aac105f3c5006ff4607d21f30c9ea779f"
+          }
+        ]
+      }
+    ],
+    "component" : {
+      "group" : "com.example",
+      "name" : "cyclonedx-test",
+      "version" : "1.0-SNAPSHOT",
+      "licenses" : [ ],
+      "purl" : "pkg:maven/com.example/[email protected]?type=jar",
+      "type" : "library",
+      "bom-ref" : "pkg:maven/com.example/[email protected]?type=jar"
+    }
+  },
+  "components" : [
+    {
+      "group" : "com.example",
+      "name" : "cyclonedx-test-dep",
+      "version" : "1",
+      "scope" : "optional",
+      "hashes" : [
+        {
+          "alg" : "MD5",
+          "content" : "c7b63da4c25c163825cca671e7899fbe"
+        },
+        {
+          "alg" : "SHA-1",
+          "content" : "5aa25ee1bf1ffd60b76f16fe0a8edd76f870958c"
+        },
+        {
+          "alg" : "SHA-256",
+          "content" : "c38cef49f7676227c1d4cf98e59b96f7a6bf33704d10314d83d682acd2b47d10"
+        },
+        {
+          "alg" : "SHA-384",
+          "content" : "7afa5feaa7d3a4ca4ecba7d4bd1b093e75be2ee2a25eefbc5fd90eb8b9a4712fa1a720265765a28d858fc64412dbed2b"
+        },
+        {
+          "alg" : "SHA-512",
+          "content" : "bf69097c4c0d165e5521a918ee79c1e5e211e9e74410d48042994c4c6cf5788cf4d62129e7c0d7a22294835178398c91c31929ce6861068c71ea14059f6f6e56"
+        },
+        {
+          "alg" : "SHA3-256",
+          "content" : "ba7656644f127c4b10d53c777aee2ed023ac3caf7f420ecb4ca48a909d775a17"
+        },
+        {
+          "alg" : "SHA3-384",
+          "content" : "1244f326a9b0b165b27b0061f1fcdf2580e3b64681cc3f09df3afd9a4526ab5491a20213a8fb9edcc671fbae8b51a010"
+        },
+        {
+          "alg" : "SHA3-512",
+          "content" : "e6020e5b9adbe61f1c53e575ab0c51b9eef7dbea3dbe21f970607002ed0373b322c893433fd429b04acde5eb58e1d9ca356a0ae9b6c485d239174f642082cb7a"
+        }
+      ],
+      "purl" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar",
+      "type" : "library",
+      "bom-ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:maven/com.example/[email protected]?type=jar",
+      "dependsOn" : [
+        "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar"
+      ]
+    },
+    {
+      "ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar",
+      "dependsOn" : [ ]
+    }
+  ]
+}

tests/dependency_analyzer/cyclonedx/test_cyclonedx.py

@@ -15,6 +15,7 @@
     get_dep_components,
     get_deps_from_sbom,
 )
+from macaron.dependency_analyzer.cyclonedx_mvn import CycloneDxMaven
 from macaron.dependency_analyzer.dependency_resolver import DependencyInfo
 
 RESOURCES_DIR = Path(__file__).parent.joinpath("resources")
@@ -106,3 +107,12 @@ def test_multiple_versions(snapshot: dict[str, DependencyInfo]) -> None:
     bom_path = Path(RESOURCES_DIR, "bom_multi_versions.json")
     result = get_deps_from_sbom(bom_path)
     assert snapshot == result
+
+
+def test_custom_sbom_name_with_maven() -> None:
+    """Test reading cyclonedx maven sbom that was created using a custom name."""
+    cyclonedx: CycloneDxMaven = CycloneDxMaven(
+        "", "bom.json", "maven", defaults.get("dependency.resolver", "dep_tool_maven"), "localhost"
+    )
+    deps_resolved = cyclonedx.collect_dependencies(str(RESOURCES_DIR))
+    assert deps_resolved