tests/test_spdx.py
1 """Tests for SPDX 2.3 import/export."""
2
3 from __future__ import annotations
4
5 import json
6
7 import pytest
8
9 from pqc_mbom import MBOM, from_spdx_json, to_spdx_json
10 from pqc_mbom.errors import SPDXConversionError
11
12
def test_to_spdx_has_packages(sample_mbom: MBOM) -> None:
    """Check the header fields and package list of an SPDX export.

    The serialized MBOM must declare SPDX 2.3, carry the standard document
    identifier, and list as many packages as the MBOM has components.
    """
    exported = json.loads(to_spdx_json(sample_mbom))

    assert exported["spdxVersion"] == "SPDX-2.3"
    assert exported["SPDXID"] == "SPDXRef-DOCUMENT"

    packages = exported["packages"]
    assert len(packages) == len(sample_mbom.components)

    # Only the first checksum entry of each package is inspected, and only its
    # algorithm label; the digest value itself is not compared in this test.
    # NOTE(review): the SPDX 2.3 JSON schema appears to spell this algorithm
    # "SHA3_256" (underscore) - confirm that consumers validating against the
    # schema accept the hyphenated form asserted here.
    for entry in packages:
        first_checksum = entry["checksums"][0]
        assert first_checksum["algorithm"] == "SHA3-256"
22
23
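def test_roundtrip_preserves_component_names(sample_mbom: MBOM) -> None:
    """Export an MBOM to SPDX JSON, import it back, and compare the two.

    Model name, model version, component count, component names and content
    hashes must all survive the round trip. The name/hash pairing is checked
    as well, so a conversion that keeps both sets intact but attaches a hash
    to the wrong component is caught.
    """
    blob = to_spdx_json(sample_mbom)
    restored = from_spdx_json(blob)

    assert restored.model_name == sample_mbom.model_name
    assert restored.model_version == sample_mbom.model_version
    assert len(restored.components) == len(sample_mbom.components)

    # Components are compared order-independently: sort before comparing.
    names_before = sorted(c.name for c in sample_mbom.components)
    names_after = sorted(c.name for c in restored.components)
    assert names_before == names_after

    # Content hashes preserved
    hashes_before = sorted(c.content_hash for c in sample_mbom.components)
    hashes_after = sorted(c.content_hash for c in restored.components)
    assert hashes_before == hashes_after

    # Comparing names and hashes as two independent sorted lists would still
    # pass if hashes were swapped between components; the hash is only useful
    # as an integrity anchor while it stays bound to its own component.
    pairs_before = sorted((c.name, c.content_hash) for c in sample_mbom.components)
    pairs_after = sorted((c.name, c.content_hash) for c in restored.components)
    assert pairs_before == pairs_after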
37
38
def test_invalid_spdx_raises() -> None:
    """Verify that malformed or incomplete SPDX input is rejected.

    Every payload below must make ``from_spdx_json`` raise
    ``SPDXConversionError``; none may be silently accepted.
    """
    rejected_payloads = (
        # Not parseable as JSON at all.
        "{not valid json",
        # Version other than SPDX-2.3.
        json.dumps({"spdxVersion": "SPDX-1.0"}),
        # Right version, wrong document identifier.
        json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "wrong"}),
        # Valid doc shell but no packages
        json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT"}),
    )

    for payload in rejected_payloads:
        with pytest.raises(SPDXConversionError):
            from_spdx_json(payload)
49