conformance/

v0.3.0

This package is not in the latest version of its module.
Published: Dec 27, 2023 License: Apache-2.0

README

Protobom Conformance Testing

This directory contains the protobom conformance test framework. It is still under construction, but it already runs alongside the other project tests.

Conformance Testing Overview

The main goal of the protobom conformance testing framework is to ensure that every protobom serialization or unserialization results in equivalent documents every time.

SBOM diffing is a complex problem. SBOMs cannot be compared as simple strings or by comparing data structs. Verifying that documents are equivalent needs a more precise, semantic comparison.

The approach the protobom conformance tests take is to ask the same group of questions of a generated document and of its equivalent golden sample and contrast the answers. The more questions we ask, the stronger the assurance the project can give of consistent parsing and serialization.

Some sample questions that can be asked of documents:

  • Is the number of nodes the same?
  • Are the NodeLists of both documents Equal()?
  • Do the hashes of the files match?
  • Do both documents have the same structure?
  • Does the generated document contain the same identifiers?

Tests that ask questions like these and compare the answers can be added at any time, and writing them can be a good opportunity for new contributors. Please check the open issues; there may be some ideas already there.
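A minimal sketch of the question-and-answer comparison described above, added here as an illustration and not taken from the protobom code base. `Node`, `Doc`, `Questions` and `Mismatches` are hypothetical stand-ins, and the sample values are constructed; protobom's own document types and `Equal()` methods are not used.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node and Doc are simplified stand-ins for this example, not protobom types.
type Node struct{ ID, SHA256 string }
type Doc struct {
	Nodes []Node
	Edges [][2]string // {from ID, to ID}
}

// Questions maps a question name to a function that collects its answer.
var Questions = map[string]func(Doc) []string{
	"node count": func(d Doc) []string { return []string{fmt.Sprint(len(d.Nodes))} },
	"hashes": func(d Doc) (a []string) {
		for _, n := range d.Nodes {
			a = append(a, n.ID+"="+n.SHA256)
		}
		return a
	},
	"structure": func(d Doc) (a []string) {
		for _, e := range d.Edges {
			a = append(a, e[0]+"->"+e[1])
		}
		return a
	},
}

// Mismatches returns the sorted names of the questions whose answers differ.
func Mismatches(golden, generated Doc) []string {
	failed := []string{}
	for name, ask := range Questions {
		g, n := ask(golden), ask(generated)
		sort.Strings(g) // answers are sorted so element order is ignored
		sort.Strings(n)
		if strings.Join(g, "\n") != strings.Join(n, "\n") {
			failed = append(failed, name)
		}
	}
	sort.Strings(failed)
	return failed
}

func main() { // constructed input: one node compared against an empty document
	fmt.Println(Mismatches(Doc{Nodes: []Node{{"pkg-curl", "aa11"}}}, Doc{}))
}
```

Because each answer is sorted before it is compared, two documents that list the same nodes in a different order count as equivalent, while a single changed digest fails only the "hashes" question.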

Running the Conformance Tests

Conformance tests run alongside all go test runs in the project presubmits. To run the conformance tests manually, run:

make conformance-test

Test Data Structure

The test fixtures for the conformance suite are stored in directories broken into the following pattern: format → version → encoding. Here is how the spdx 2.3 json samples are stored:

test/conformance/
└── testdata
    └── spdx
        └── 2.3
            └── json
                ├── curl.spdx.json
                └── curl.spdx.json.proto


The conformance suite will descend into all known format directories and use the sample SBOMs and autogenerated protobuf blobs to run the conformance tests. There can be more than one SBOM/proto sample per directory; in fact, adding more data is encouraged.

Generating the protobuf Blobs

When there is a structural change in protobom that results in expected changes to the parsed documents or serialized SBOMs, the protobuf blobs need to be regenerated. The conformance directory contains a generator utility in test/conformance/generator.

Run the utility with make conformance. It cycles through all the supported formats and regenerates all protobuf blobs from the sample SBOMs it finds.

make conformance

INFO[0000] Wrote text/spdx+json;version=2.3 sample to test/conformance/testdata/spdx/2.3/json/curl.spdx.json.proto

Please note that rebuilds of the blobs are not expected to be reproducible, so every execution of the generator will result in a sizeable diff.
