Projects STRLCPY syft Commits 8046f095
  • ■ ■ ■ ■ ■ ■
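--- a/syft/formats/common/cyclonedxhelpers/decoder.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -206,7 +206,7 @@
  return
  }
  for _, d := range *bom.Dependencies {
- from, fromExists := idMap[d.Ref].(artifact.Identifiable)
+ to, fromExists := idMap[d.Ref].(artifact.Identifiable)
  if !fromExists {
  continue
  }
@@ -216,7 +216,7 @@
  }
 
  for _, t := range *d.Dependencies {
- to, toExists := idMap[t].(artifact.Identifiable)
+ from, toExists := idMap[t].(artifact.Identifiable)
  if !toExists {
  continue
  }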
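Review bot: After the swap at new lines 209 and 219 the ok-flags no longer match the values they guard: `to, fromExists := idMap[d.Ref].(artifact.Identifiable)` and `from, toExists := idMap[t].(artifact.Identifiable)`. Using `to, toExists` with `if !toExists` in the outer loop and `from, fromExists` with `if !fromExists` in the inner loop would keep the direction readable; a reversed edge in a decoded SBOM misattributes which package pulls in a dependency, so this code should be hard to misread. A comment above the outer loop such as `// d.Ref depends on each entry of d.Dependencies, so d.Ref becomes the To side of the relationship` would record the convention. The relationship construction is in lines skipped from this view, and the enclosing function starts and ends outside both hunks.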
  • ■ ■ ■ ■ ■
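--- a/syft/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder_test.go
@@ -8,6 +8,9 @@
 
  "github.com/CycloneDX/cyclonedx-go"
  "github.com/stretchr/testify/assert"
+
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/sbom"
 )
 
 func Test_decode(t *testing.T) {
@@ -184,16 +187,16 @@
  ver: "1.2.3",
  },
  {
- pkg: "package-1",
- ver: "1.0.1",
- cpe: "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*",
- purl: "pkg:some/[email protected]?arch=arm64&upstream=upstream1&distro=alpine-1",
- relation: "package-2",
+ pkg: "package-1",
+ ver: "1.0.1",
+ cpe: "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*",
+ purl: "pkg:some/[email protected]?arch=arm64&upstream=upstream1&distro=alpine-1",
  },
  {
- pkg: "package-2",
- ver: "2.0.2",
- purl: "pkg:apk/alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.14.2",
+ pkg: "package-2",
+ ver: "2.0.2",
+ purl: "pkg:apk/alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.14.2",
+ relation: "package-1",
  },
  },
  },
@@ -255,6 +258,46 @@
  }
  })
  }
+}
+
+func Test_relationshipDirection(t *testing.T) {
+ cyclonedx_bom := cyclonedx.BOM{Metadata: nil,
+ Components: &[]cyclonedx.Component{
+ {
+ BOMRef: "p1",
+ Type: cyclonedx.ComponentTypeLibrary,
+ Name: "package-1",
+ Version: "1.0.1",
+ PackageURL: "pkg:some/[email protected]?arch=arm64&upstream=upstream1&distro=alpine-1",
+ },
+ {
+ BOMRef: "p2",
+ Type: cyclonedx.ComponentTypeLibrary,
+ Name: "package-2",
+ Version: "2.0.2",
+ PackageURL: "pkg:some/[email protected]?arch=arm64&upstream=upstream1&distro=alpine-1",
+ },
+ },
+ Dependencies: &[]cyclonedx.Dependency{
+ {
+ Ref: "p1",
+ Dependencies: &[]string{"p2"},
+ },
+ }}
+ sbom, err := ToSyftModel(&cyclonedx_bom)
+ assert.Nil(t, err)
+ assert.Len(t, sbom.Relationships, 1)
+ relationship := sbom.Relationships[0]
+
+ // check that p2 -- dependency of --> p1
+ // same as p1 -- depends on --> p2
+ assert.Equal(t, artifact.DependencyOfRelationship, relationship.Type)
+ assert.Equal(t, "package-2", packageNameFromIdentifier(sbom, relationship.From))
+ assert.Equal(t, "package-1", packageNameFromIdentifier(sbom, relationship.To))
+}
+
+func packageNameFromIdentifier(model *sbom.SBOM, identifier artifact.Identifiable) string {
+ return model.Artifacts.Packages.Package(identifier.ID()).Name
 }
 
 func Test_missingDataDecode(t *testing.T) {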
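Review bot: In Test_relationshipDirection the two checks before `relationship := sbom.Relationships[0]` are non-fatal, so a decoder regression that produces no relationships would panic on the index instead of reporting a clean failure. `require.NoError(t, err)` and `require.Len(t, sbom.Relationships, 1)` from testify's `require` package (which would need importing) stop the test at the first broken precondition. The local `sbom` also shadows the newly imported `sbom` package inside the function, and `cyclonedx_bom` departs from Go's MixedCaps naming; `model` and `bom` would avoid both. packageNameFromIdentifier could carry a one-line comment such as `// packageNameFromIdentifier returns the name of the package in model whose ID matches identifier.`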