Add unittest and fuzzing test for SBOM Conversion #13
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| name: Unit Tests and Fuzzing Tests | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v2 | ||
| with: | ||
| go-version: 1.21.0 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v2 | ||
| with: | ||
| node-version: 16.x | ||
|
|
||
| - name: Build bootstrap | ||
| run: make bootstrap | ||
|
|
||
| - name: Build upstream-protobom | ||
| run: make upstream-protobom | ||
|
|
||
| - name: Copy goreleaser.yaml | ||
| run: cp .goreleaser.yaml ./.tmp/goreleaser.yaml | ||
|
|
||
| - name: Build binary | ||
| run: make binary | ||
|
|
||
| - name: Run unit tests | ||
| run: make unittest | ||
|
|
||
| # - name: Run fuzzing tests | ||
| # run: make fuzztest |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Unit and Fuzz Testing for SBOM Conversion | ||
|
|
||
| This repository contains a Go unit test file aimed at evaluating the accuracy and integrity of the Software Bill of Materials (SBOM) conversion process. It ensures that the SBOM conversion maintains specific properties and is error-free. | ||
|
|
||
| ## How it Functions | ||
|
|
||
| This unit test file operates through the following steps to validate SBOM conversion: | ||
|
|
||
| 1. **Unit Test**: | ||
| - Automatically Download our shared [SBOM dataset](https://drive.google.com/file/d/1LgGlq3g_H02mhzkc94cUd0zzxy0JhFim/view?usp=sharing), comprising 10,494 SBOM files in both SPDX and CycloneDX formats. | ||
| - Utilize the sbom-convert tool for converting SBOMs from one format to another. | ||
| - Verify that the sbom-convert tool does not encounter any errors. | ||
| - Compare the counts of PURLs in the original and converted SBOMs. | ||
| - Compare the counts of licenses in the original and converted SBOMs. | ||
|
|
||
| 2. **Fuzzing Test**: | ||
| - The fuzzer takes seed inputs and generates new inputs through mutations. | ||
| - It then checks if the binary fails when exposed to certain corner cases. | ||
|
|
||
| ## Getting Started | ||
|
|
||
| ### Running the Unit Test | ||
|
|
||
| 1. **Run the Unit Test**: Execute the following command in your project's root directory: | ||
|
|
||
| ```bash | ||
| make unittest | ||
| ``` | ||
|
|
||
| 2. **Run the Fuzzing Test**: Execute the following command in your project's root directory: | ||
|
|
||
| ```bash | ||
| make fuzztest | ||
| ``` | ||
|
|
||
| ## Contribution | ||
|
|
||
| The current unit tests primarily focus on conversion, PURL counts, and license counts. Additional unit tests will be added in the future. If you have suggestions, improvements, or bug fixes, please don't hesitate to reach out and contribute to the project. Your input is highly valued. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| package convert | ||
|
|
||
| import ( | ||
| "flag" | ||
| "fmt" | ||
| "io" | ||
| "log" | ||
| "os" | ||
| "path/filepath" | ||
| "strings" | ||
| "testing" | ||
|
|
||
| "github.com/bom-squad/protobom/pkg/reader" | ||
| ) | ||
|
|
||
| var ( | ||
| seed_input string | ||
| ) | ||
|
|
||
| func init() { | ||
| flag.StringVar(&seed_input, "seed_input", "fuzz_seed_spdx.json", "Seed input file path") | ||
| } | ||
|
|
||
| type ReadWriteSeeker struct { | ||
| *os.File | ||
| } | ||
|
|
||
| func (rws *ReadWriteSeeker) Close() error { | ||
| return rws.File.Close() | ||
| } | ||
|
|
||
| func WriteStringToTempFile(content string) (io.ReadSeekCloser, error) { | ||
| // Create a temporary file | ||
| tempFile, err := os.CreateTemp("", "tempfile") | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| // Write the content to the temporary file | ||
| _, err = tempFile.WriteString(content) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| // Close the file to make sure all data is flushed to disk | ||
| err = tempFile.Close() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| // Reopen the temporary file for reading and seeking | ||
| file, err := os.OpenFile(tempFile.Name(), os.O_RDWR, 0644) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return &ReadWriteSeeker{file}, nil | ||
| } | ||
|
|
||
| func ParseStreamWrapper(content string) { | ||
| t := io.NopCloser(strings.NewReader(content)) | ||
| r := reader.New() | ||
| t, _ = WriteStringToTempFile(content) | ||
| t2 := t.(io.ReadSeekCloser) | ||
| r.ParseStream(t2) | ||
| } | ||
|
|
||
| func FuzzParseStream(f *testing.F) { | ||
| absPath, _ := filepath.Abs(seed_input) | ||
| fmt.Println(absPath) | ||
| content, err := os.ReadFile(absPath) | ||
| if err != nil { | ||
| log.Fatal(err) | ||
| } | ||
| f.Add(string(content)) | ||
|
|
||
| f.Fuzz(func(t *testing.T, orig string) { | ||
| ParseStreamWrapper(orig) | ||
|
There was a problem hiding this comment. So this is basically the test? |
||
| }) | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like that, Looking neat. but what are we testing here? can you explain more how it works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just the first step to do the fuzzing tests for our tool. It generates new inputs for the ParseStream() function in protobom and verifies whether it can cause a crash. It helped to find errors in unserializing. we can add more functions for testing.