Add unittest and fuzzing test for SBOM Conversion #13
Conversation
|
Cool! Do we have CI tests for this repo? I don't see anything running. |
|
@puerco @veramine @manifestori , I would greatly appreciate it if you could take some time to review the changes I've made. |
|
@wei-deepbits, are you able to add these tests, or some subset of them, to the CI (i.e. put this in a GH action), so that these tests (or some subset of these tests) runs on every PR? Or did you intentionally not add these tests to GH actions? |
|
@jspeed-meyers , Okay, I will attempt to add them to the GitHub action. I believe I may not have the necessary permissions for the sbom-convert repository, but I will try it on my forked repository first. |
|
Sounds good. And I should be able to help with permissions, so let me know what you think you need! |
|
@wei-deepbits, I added you as a maintainer :) |
|
Thanks. I'll let you know once I've figured it out. |
|
Hi @jspeed-meyers , I have added unit tests and fuzzing tests to the GitHub Action for the current code. The current code of protobom is unable to pass both the unit tests and fuzzing tests due to some issues. Regarding the unit tests, the current code of protobom cannot process all SPDX format SBOM files generated by Syft. It results in a runtime error: "panic: runtime error: invalid memory address or nil pointer dereference." As for the fuzzing tests, the current code of protobom is unable to handle a simple automatically generated fuzzing input: "{"spdxVersion": "SPDX-2.3"}." |
|
@wei-deepbits, this is really helpful. Thank you! @puerco, @manifestori, @houdini91, @veramine: Do any of you have time to diagnose these bugs? We should probably fix these bugs first and then later merge this PR. Nice work, @wei-deepbits, on finding what appears to be bugs. |
|
oh goodness! We should always gracefully fail on bad input, and not panic! @wei-deepbits can you attach the SBOM files here that cause the panic? If I can reproduce, I will check in fixes! |
|
@veramine , you can download those SBOM files here: Thanks. |
|
Alright, thanks. Here's the protobom from the first one. Did that error for you? Or did only the second one error? |
|
@veramine The first one also exhibits the panic error in my environment. Here is the log for reference: |
|
Aha, that's in the serializing code path. I only tested unserializing. Okay I'll look, thanks! |
|
The CDX serializer was unexpectedly not including a root component in this test case. I added that check with protobom/protobom#109 |
|
@veramine , I appreciate your help in resolving these issues. |
|
No problem, thanks for fuzzing! |
|
@veramine , Using a CycloneDX format SBOM as the seed input for fuzzing can lead to the generation of a simple json: that triggers a panic in unserializer_cdx14.go: Perhaps you could address this issue as well. Thanks! |
|
Yep, added two more checks. protobom/protobom#110 |
|
Hey @veramine , In pull request protobom/protobom#109, you've implemented a check to return an error if the native serializer doesn't return a valid root node. However, it's worth noting that the native serializer is unable to handle all SPDX format SBOM files generated by Syft. In light of this limitation, I suggest that we should work on finding a way to handle these files correctly, instead of simply returning an error. |
|
Hi @veramine , what are your thoughts on this? |
|
Ahhh let me check with @puerco about what to do with an sbom with no root. Could you attach a valid SBOM here that returns an error? |
|
I tried the /home/wei/code/repos/python/abhiTronix/vidgear syft-generated SBOM and protobom was able to ingest that ok. But attach some specific troublesome examples here and I'll see if we can find a way to handle them. Thanks! |
|
@veramine , A Syft-generated SPDX SBOM won't trigger an error; instead, it will result in a "serializing SBOM to native format: No SBOM root component" message, halting the conversion to CycloneDX format. It renders our tool unusable for it purposes. |
|
Aha, I see that. |
|
In that sample, there is a root node, it's below.. why do we think we don't have a root node, I wonder.. Investigating.. { |
|
We need to find a root node in this situation. I filed a protobom issue to look at it closer: protobom/protobom#126 |
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
2) add parameters for tests Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
Signed-off-by: Wei Song <[email protected]>
wei-deepbits
force-pushed
the
unittest_fuzztest
branch
from
fd9e6d8 to
ec66c1c
Compare
Signed-off-by: Wei Song <[email protected]>
|
@veramine , could you please take a look at this pull request? Thanks. |
| return | ||
| } | ||
|
|
||
| SBOM_CONVERT_PATH := "../../dist/sbom-convert_linux_amd64_v1/sbom-convert" |
There was a problem hiding this comment.
I got stuck here momentarily as I was testing on mac/darwin but figured it out.
There was a problem hiding this comment.
This is fine with me. I was able to replicate unittest and fuzztest locally. I do wonder if unittest might be more suited as a conformance test on protobom directly - you might get more from your effort by joining forces with @puerco on that effort. But if you want to continue to use this repo for testing, that's fine with me. I'll approve this. I'm not sure if we are ready for a deluge of fuzzing related bugs yet 😳 but I don't want to hold this up any longer than I already have!! Thanks for the contribution!
|
@veramine , I will add platform detection for the path of sbom-convert later and investigate whether we should test protobom directly. Thank you for your review. |
|
Hey sorry for being out for awhile, any updates @wei-deepbits? |
| } | ||
|
|
||
| func DownloadSBOMs() { | ||
| fileURL := "https://drive.usercontent.google.com/download?id=1LgGlq3g_H02mhzkc94cUd0zzxy0JhFim&export=download&authuser=0&confirm=t&uuid=483eac07-f1af-4356-abeb-4ba254e32b86&at=APZUnTWjSNLUgCQ8wwFZjsLS7Y36:1694113089657" |
There was a problem hiding this comment.
This is scary. Who controls this content? Can it be changed without the end user's knowledge? I don't see a checksum, etc for us to use to know the target is what we expect?
There was a problem hiding this comment.
Hi @wei-deepbits, I noticed that you are downloading a 100mb SBOM, extracting, converting and drilling into the results. Is this supposed to be a unit test for the convert package?
I appreciate the effort you put in, but I'm afraid this doesn't qualify as a unit test. In unit tests, we test the functionality of the package itself, including the functions and methods, the constructor with happy/sad results, and cover as many cases as possible.
I argue that this is more of an e2e test, but unfortunately, the framework is not there yet. We should test the code state and not the binary we generated. Therefore, we should test the main entry point of the application, or at least the CLI.
Furthermore, we cannot download an external file from Google Drive with fixtures. Please commit a subset of test cases into this repository so we can know those files are secure. Put them under testdata folder, this way go compiler won't read them.
There was a problem hiding this comment.
When comparing fixtures to results, you can use snapshots or gocmp with filters. Complex testing code is hard to maintain. Those tools use reflection to compare structs, making most of the comparison functionality obsolete.
There was a problem hiding this comment.
I do see the value of counting statistics. How about opening a PR that adds those statistics to the conversion results output? maybe a subcommand or a flag sbom-convert convert ... --show-diff? or sbom-convert convert --benchmark ?
We've discussed those a few times, of a way to show "what is data is missing from the original sbom"
There was a problem hiding this comment.
Hi @manifestori , appreciate your valuable suggestions. I will try to fix them accordingly.
| f.Add(string(content)) | ||
|
|
||
| f.Fuzz(func(t *testing.T, orig string) { | ||
| ParseStreamWrapper(orig) |
There was a problem hiding this comment.
So this is basically the test?
There was a problem hiding this comment.
I like that, Looking neat. but what are we testing here? can you explain more how it works?
There was a problem hiding this comment.
This is just the first step to do the fuzzing tests for our tool. It generates new inputs for the ParseStream() function in protobom and verifies whether it can cause a crash. It helped to find errors in unserializing. we can add more functions for testing.
|
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
|
This PR was closed because it has been stalled for 10 days with no activity. |
This pull request focuses on implementing unit and fuzz tests for SBOM conversion.
For the unit tests, the following steps are performed:
sbom-converttool to convert SBOMs from one format to another.The fuzzing tests involve generating new inputs through mutations and evaluating whether the binary encounters failures when exposed to specific corner cases.