further testing and unit tests for JSON BOM deserialization

madpah · madpah · commit 51a4198fe3bf · 2023-01-26T17:09:56.000Z
Signed-off-by: Paul Horton &lt;paul.horton@owasp.org&gt;
diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py
@@ -520,13 +520,15 @@ def register_dependency(self, target: Dependable, depends_on: Optional[Iterable[
         _d = next(filter(lambda _d: _d.ref == target.bom_ref, self.dependencies), None)
 
         if _d and depends_on:
+            # Dependency Target already registered - but it might have new dependencies to add
             _d.dependencies = _d.dependencies.union(  # type: ignore
                 set(map(lambda _d: Dependency(ref=_d.bom_ref), depends_on)) if depends_on else []
             )
         elif not _d:
+            # First time we are seeing this target as a Dependency
             self._dependencies.add(Dependency(
                 ref=target.bom_ref,
-                dependencies=list(map(lambda _d: Dependency(ref=_d.bom_ref), depends_on)) if depends_on else []
+                dependencies=list(map(lambda _dep: Dependency(ref=_dep.bom_ref), depends_on)) if depends_on else []
             ))
 
         # Ensure dependents are registered with no further dependents in the Dependency Graph as per CDX specification
diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py
@@ -20,7 +20,7 @@
 import warnings
 from enum import Enum
 from os.path import exists
-from typing import Any, Iterable, Optional, Set
+from typing import Any, Iterable, Optional, Set, Union
 
 # See https://github.com/package-url/packageurl-python/issues/65
 import serializable
@@ -751,7 +751,7 @@ def for_file(absolute_file_path: str, path_for_bom: Optional[str]) -> 'Component
         )
 
     def __init__(self, *, name: str, type_: ComponentType = ComponentType.LIBRARY,
-                 mime_type: Optional[str] = None, bom_ref: Optional[str] = None,
+                 mime_type: Optional[str] = None, bom_ref: Optional[Union[str, BomRef]] = None,
                  supplier: Optional[OrganizationalEntity] = None, author: Optional[str] = None,
                  publisher: Optional[str] = None, group: Optional[str] = None, version: Optional[str] = None,
                  description: Optional[str] = None, scope: Optional[ComponentScope] = None,
@@ -767,7 +767,7 @@ def __init__(self, *, name: str, type_: ComponentType = ComponentType.LIBRARY,
                  ) -> None:
         self.type_ = type_
         self.mime_type = mime_type
-        self._bom_ref = BomRef(value=bom_ref)
+        self._bom_ref = BomRef(value=bom_ref) if type(bom_ref) == str else bom_ref
         self.supplier = supplier
         self.author = author
         self.publisher = publisher
diff --git a/cyclonedx/model/dependency.py b/cyclonedx/model/dependency.py
@@ -80,7 +80,7 @@ def __hash__(self) -> int:
         return hash((self.ref, tuple(self.dependencies)))
 
     def __repr__(self) -> str:
-        return f'<Dependency ref={self.ref.value}, targets={len(self.dependencies)}>'
+        return f'<Dependency ref={self.ref}, targets={len(self.dependencies)}>'
 
 
 class Dependable(ABC):
diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py
@@ -15,7 +15,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
-from typing import Any, Iterable, Optional
+from typing import Any, Iterable, Optional, Union
 
 import serializable
 from sortedcontainers import SortedSet
@@ -53,7 +53,7 @@ class Service(Dependable):
         See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service
     """
 
-    def __init__(self, *, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None,
+    def __init__(self, *, name: str, bom_ref: Optional[Union[str, BomRef]] = None, provider: Optional[OrganizationalEntity] = None,
                  group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None,
                  endpoints: Optional[Iterable[XsUri]] = None, authenticated: Optional[bool] = None,
                  x_trust_boundary: Optional[bool] = None, data: Optional[Iterable[DataClassification]] = None,
@@ -63,7 +63,7 @@ def __init__(self, *, name: str, bom_ref: Optional[str] = None, provider: Option
                  services: Optional[Iterable['Service']] = None,
                  release_notes: Optional[ReleaseNotes] = None,
                  ) -> None:
-        self._bom_ref = BomRef(value=bom_ref)
+        self._bom_ref = BomRef(value=bom_ref) if type(bom_ref) == str else bom_ref
         self.provider = provider
         self.group = group
         self.name = name
diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py
@@ -821,7 +821,7 @@ class Vulnerability:
         See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType
     """
 
-    def __init__(self, *, bom_ref: Optional[str] = None, id_: Optional[str] = None,
+    def __init__(self, *, bom_ref: Optional[Union[str, BomRef]] = None, id_: Optional[str] = None,
                  source: Optional[VulnerabilitySource] = None,
                  references: Optional[Iterable[VulnerabilityReference]] = None,
                  ratings: Optional[Iterable[VulnerabilityRating]] = None, cwes: Optional[Iterable[int]] = None,
@@ -835,7 +835,7 @@ def __init__(self, *, bom_ref: Optional[str] = None, id_: Optional[str] = None,
                  # Deprecated Parameters kept for backwards compatibility
                  source_name: Optional[str] = None, source_url: Optional[str] = None,
                  recommendations: Optional[Iterable[str]] = None) -> None:
-        self._bom_ref = BomRef(value=bom_ref)
+        self._bom_ref = BomRef(value=bom_ref) if type(bom_ref) == str else bom_ref
         self.id_ = id_
         self.source = source
         self.references = references or []  # type: ignore
diff --git a/tests/fixtures/json/1.2/bom_external_references.json b/tests/fixtures/json/1.2/bom_external_references.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:b254c902-deb4-4298-9969-027541ee365c",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:57.467119+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.2/bom_setuptools.json b/tests/fixtures/json/1.2/bom_setuptools.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:21a3711c-be49-4007-b4df-c90af6eb8725",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:59.330881+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.2/bom_setuptools_with_cpe.json b/tests/fixtures/json/1.2/bom_setuptools_with_cpe.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:65baf289-d8ad-4128-800d-b5292c938c3a",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:59.351895+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.3/bom_external_references.json b/tests/fixtures/json/1.3/bom_external_references.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:00236b4e-8837-423e-8789-734863b0f78a",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:57.491496+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.3/bom_setuptools.json b/tests/fixtures/json/1.3/bom_setuptools.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:8d1060a2-afd0-4540-b145-9d936fe333e6",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:59.372749+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.3/bom_setuptools_with_cpe.json b/tests/fixtures/json/1.3/bom_setuptools_with_cpe.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:bdec9cb1-c5d2-4c5e-ab73-98ed27724e8b",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:59.396073+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.4/bom_external_references.json b/tests/fixtures/json/1.4/bom_external_references.json
@@ -5,7 +5,7 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:57.516433+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.4/bom_setuptools.json b/tests/fixtures/json/1.4/bom_setuptools.json
@@ -5,7 +5,7 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:57.516433+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.4/bom_setuptools_complete.json b/tests/fixtures/json/1.4/bom_setuptools_complete.json
@@ -5,7 +5,7 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-09-01T10:50:42.051979+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/fixtures/json/1.4/bom_setuptools_with_cpe.json b/tests/fixtures/json/1.4/bom_setuptools_with_cpe.json
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:71991e19-af7c-4887-9a37-d8d759ecdd8b",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:59.453146+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
diff --git a/tests/test_deserialize_json.py b/tests/test_deserialize_json.py
@@ -26,43 +26,135 @@
 from uuid import UUID
 
 from cyclonedx.model.bom import Bom
-from cyclonedx.output import SchemaVersion
+from cyclonedx.output import LATEST_SUPPORTED_SCHEMA_VERSION, OutputFormat, SchemaVersion, get_instance
 from tests.base import BaseJsonTestCase
-from tests.data import MOCK_BOM_UUID_1, get_bom_with_component_setuptools_basic, get_bom_with_external_references
+from tests.data import (
+    MOCK_BOM_UUID_1,
+    MOCK_UUID_6,
+    get_bom_with_component_setuptools_basic,
+    get_bom_with_component_setuptools_complete,
+    get_bom_with_component_setuptools_with_cpe,
+    get_bom_with_external_references,
+)
 
 logger = logging.getLogger('serializable')
 logger.setLevel(logging.DEBUG)
 formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
 
 
+def fixed_date_time() -> datetime:
+    return datetime.fromisoformat('2023-01-07 13:44:32.312678+00:00')
+
+
 @patch('cyclonedx.model.ThisTool._version', 'TESTING')
+@patch('cyclonedx.model.bom.get_now_utc', fixed_date_time)
 class TestOutputJson(BaseJsonTestCase):
 
-    @classmethod
-    def setUpClass(cls) -> None:
-        cls._bom_timestamp = datetime.fromisoformat('2023-01-07 13:45:57.516433+00:00')
-
     @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
     def test_bom_external_references_v1_4(self, mock_uuid: Mock) -> None:
-        bom = get_bom_with_external_references()
-        self._validate_json_bom(bom=bom, schema_version=SchemaVersion.V1_4, fixture='bom_external_references.json')
+        self._validate_json_bom(
+            bom=get_bom_with_external_references(), schema_version=SchemaVersion.V1_4,
+            fixture='bom_external_references.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_bom_external_references_v1_3(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_external_references(), schema_version=SchemaVersion.V1_3,
+            fixture='bom_external_references.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_bom_external_references_v1_2(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_external_references(), schema_version=SchemaVersion.V1_2,
+            fixture='bom_external_references.json'
+        )
         mock_uuid.assert_called()
 
     @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
     def test_simple_bom_v1_4(self, mock_uuid: Mock) -> None:
-        bom = get_bom_with_component_setuptools_basic()
-        self._validate_json_bom(bom=bom, schema_version=SchemaVersion.V1_4, fixture='bom_setuptools.json')
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_basic(), schema_version=SchemaVersion.V1_4,
+            fixture='bom_setuptools.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_simple_bom_v1_3(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_basic(), schema_version=SchemaVersion.V1_3,
+            fixture='bom_setuptools.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_simple_bom_v1_2(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_basic(), schema_version=SchemaVersion.V1_2,
+            fixture='bom_setuptools.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_simple_bom_v1_4_with_cpe(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_with_cpe(), schema_version=SchemaVersion.V1_4,
+            fixture='bom_setuptools_with_cpe.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_simple_bom_v1_3_with_cpe(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_with_cpe(), schema_version=SchemaVersion.V1_3,
+            fixture='bom_setuptools_with_cpe.json'
+        )
+        mock_uuid.assert_called()
+
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_simple_bom_v1_2_with_cpe(self, mock_uuid: Mock) -> None:
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_with_cpe(), schema_version=SchemaVersion.V1_2,
+            fixture='bom_setuptools_with_cpe.json'
+        )
         mock_uuid.assert_called()
 
+    @patch('cyclonedx.model.bom_ref.uuid4', return_value=MOCK_UUID_6)
+    @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
+    def test_bom_v1_4_full_component(self, mock1: Mock, mock2: Mock) -> None:
+        self.maxDiff = None
+        self._validate_json_bom(
+            bom=get_bom_with_component_setuptools_complete(), schema_version=SchemaVersion.V1_4,
+            fixture='bom_setuptools_complete.json'
+        )
+        mock1.assert_called()
+        mock2.assert_called()
+
+    # --
+
     # Helper methods
     def _validate_json_bom(self, bom: Bom, schema_version: SchemaVersion, fixture: str) -> None:
-        bom.metadata.timestamp = self._bom_timestamp
+        bom.metadata.timestamp = fixed_date_time()
         bom.validate()
 
+        if schema_version != LATEST_SUPPORTED_SCHEMA_VERSION:
+            # Rewind the BOM to only have data supported by the SchemaVersion in question
+            outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=schema_version)
+            bom = cast(Bom, Bom.from_json(data=json.loads(outputter.output_as_string())))
+
         with open(
-                join(dirname(__file__), f'fixtures/json/{schema_version.to_version()}/{fixture}')) as input_json:
+            join(dirname(__file__), f'fixtures/json/{schema_version.to_version()}/{fixture}')) as input_json:
             deserialized_bom = cast(Bom, Bom.from_json(data=json.loads(input_json.read())))
+
             self.assertEqual(bom.metadata, deserialized_bom.metadata)
-            self.assertEqual(bom.components, deserialized_bom.components)
-            self.assertEqual(bom.dependencies, deserialized_bom.dependencies)
+
+            # This comparison fails for Dependencies despite the SortedSet's being identical
+            # self.assertEqual(bom.dependencies, deserialized_bom.dependencies)
+            self.assertSetEqual(set(bom.dependencies), set(deserialized_bom.dependencies))
+
+            self.assertEqual(bom.vulnerabilities, deserialized_bom.vulnerabilities)
+
             self.assertEqual(bom, deserialized_bom)
diff --git a/tests/test_deserialize_xml.py b/tests/test_deserialize_xml.py
@@ -62,10 +62,6 @@ def fixed_date_time() -> datetime:
 @patch('cyclonedx.model.bom.get_now_utc', fixed_date_time)
 class TestDeserializeXml(BaseXmlTestCase):
 
-    @classmethod
-    def setUpClass(cls) -> None:
-        cls._bom_timestamp = datetime.fromisoformat('2023-01-07 13:44:32.312678+00:00')
-
     @patch('cyclonedx.model.bom.uuid4', return_value=UUID(MOCK_BOM_UUID_1))
     def test_bom_external_references_v1_4(self, mock_uuid: Mock) -> None:
         self._validate_xml_bom(
@@ -662,7 +658,7 @@ def test_bom_v1_0_issue_275_components(self, mock_uuid: Mock) -> None:
 
     # Helper methods
     def _validate_xml_bom(self, bom: Bom, schema_version: SchemaVersion, fixture: str) -> None:
-        bom.metadata.timestamp = self._bom_timestamp
+        bom.metadata.timestamp = fixed_date_time()
         bom.validate()
 
         if schema_version != LATEST_SUPPORTED_SCHEMA_VERSION:
