From f663da0c92ad1e0d3444efb93c7563ebe818cdba Mon Sep 17 00:00:00 2001 From: Rajan Ravi Date: Mon, 3 Feb 2025 12:17:57 +0530 Subject: [PATCH 1/2] Updated test scenarios Signed-off-by: Rajan Ravi --- tests/features/licenseexport_cdx.feature | 152 +++++++++++++++++++--- tests/features/licenseexport_spdx.feature | 71 +++++++--- 2 files changed, 190 insertions(+), 33 deletions(-) diff --git a/tests/features/licenseexport_cdx.feature b/tests/features/licenseexport_cdx.feature index 5b01f5b..3078afb 100644 --- a/tests/features/licenseexport_cdx.feature +++ b/tests/features/licenseexport_cdx.feature 
@@ -36,38 +36,158 @@ Scenario: User Downloads license information for CycloneDX SBOM from SBOM Explor Scenario: Verify the files on downloaded CycloneDX SBOM license ZIP Given User has Downloaded the License information for CycloneDX SBOM When User extracts the Downloaded license ZIP file - Then Extracted files should contain two CSVs, one for Package License combination and another one for License reference + Then Extracted files should contain two CSVs, one for Package license information and another one for License reference Scenario: Verify the headers on CycloneDX SBOM package License CSV file Given User extracted the CycloneDX SBOM license compressed file - When User Opens the package license combination file - Then The file should have the following headers - name, namespace, group, version, package reference, license, license name and alternate package reference + When User Opens the package license information file + Then The file should have the following headers - name, namespace, group, version, package reference, license, license name, license expression and alternate package reference Scenario: Verify the headers on CycloneDX SBOM License reference CSV file Given User extracted the CycloneDX SBOM license compressed file When User Opens the license reference file Then The file should have the following headers - licenseId, name, extracted text and comment -Scenario: Verify the license information for a package on the CycloneDX SBOM with single license - Given User is on package license combination file - When User selects a package with Single license information - Then name column should contain the value of component.name field from SBOM json +Scenario: Verify the contents on CycloneDX SBOM license reference CSV file + Given User is on license reference file + When User selects a license from the list of licenses + Then The License reference CSV should be empty + +Scenario: Verify the license information for a package on the CycloneDX SBOM with 
single license id + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package - pkg:maven/io.quarkus/quarkus-resteasy@2.13.7.Final?type=jar + Given User is on SBOM license information file + When User selects a package with Single license id + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json And namespace column should be empty - And group column should contain the value of component.group field from SBOM json - And version column should contain the value of component.version field from SBOM json + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json And package reference column should contain the value of components.purl from SBOM json And license column should contain the value of components.license.id field from SBOM json - And license name column should contain the value of components.license.name field from SBOM json + And license name column should be empty + And license expression column should be empty + And alternate package reference column should be empty + +Scenario: Verify the license information for a package on the CycloneDX SBOM with single license id with alternate package reference + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - tc_1730_license_escape.json package - pkg:pkg:npm/%40gradio/accordion@0.3.4 + Given User is on SBOM license information file + When User selects a package with Single license id with cpe information + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of 
metadata.component.version field from SBOM json + And package reference column should contain the value of components.purl from SBOM json + And license column should contain the value of components.license.id field from SBOM json + And license name column should be empty + And license expression column should be empty + And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + +Scenario: Verify the license information for a package on the CycloneDX SBOM with single license name + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package - pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.68?type=jar + Given User is on SBOM license information file + When User selects a package with Single license name + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json + And package reference column should contain the value of components.purl from SBOM json + And license column should be empty + And license name column should contain the value of license name from components.license.name field from SBOM json + And license expression column should be empty + And alternate package reference column should be empty + +Scenario: Verify the license information for a package on the CycloneDX SBOM with single license name with alternate package reference + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - tc_1730_license_escape.json package - pkg:pypi/PyGObject@3.40.1 + Given User is on SBOM license information file + When User selects a package with Single license name with cpe information + Then name column should contain the 
value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json + And package reference column should contain the value of components.purl from SBOM json + And license column should be empty + And license name column should contain the value of license name from components.license.name field from SBOM json + And license expression column should be empty + And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + +Scenario: Verify the license information for a package on the CycloneDX SBOM with single license expression + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package - pkg:maven/javax.activation/javax.activation-api@1.2.0?type=jar + Given User is on SBOM license information file + When User selects a package with Single license expression + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json + And package reference column should contain the value of components.purl from SBOM json + And license column should be empty + And license name column should be empty + And license expression column should contain the value of whole license expression in a single row from components.license.expression field from SBOM json + And alternate package reference column should be empty + +Scenario: Verify the license information for a package on the CycloneDX SBOM with single license expression with alternate package reference + # Test 
data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - tc_1730_license_escape.json package - pkg:rpm/rhel/annobin@12.31-2.el9?arch=x86_64&upstream=annobin-12.31-2.el9.src.rpm&distro=rhel-9.4 + Given User is on SBOM license information file + When User selects a package with Single license expression with cpe information + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json + And package reference column should contain the value of components.purl from SBOM json + And license column should be empty + And license name column should be empty + And license expression column should contain the value of whole license expression in a single row from components.license.expression field from SBOM json + And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + +Scenario: Verify the license information for a package on the CycloneDX SBOM with multiple license ids + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package - pkg:maven/jakarta.el/jakarta.el-api@3.0.3?type=jar + Given User is on SBOM license information file + When User selects a package with multiple license sections + Then The report should have multiple rows for the same package corresponding to each license section + And Values on columns name, namespace, group, version, package reference, license name, license expression and alternate package reference should be same for all the rows + And Column license id for each row should contain the value from the components.license.id field of the corresponding license section + +Scenario: Verify the license 
information for a package on the CycloneDX SBOM with multiple license names + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package - pkg:maven/xpp3/xpp3_min@1.1.4c?type=jar + Given User is on SBOM license information file + When User selects a package with multiple license sections + Then The report should have multiple rows for the same package corresponding to each license section + And Values on columns name, namespace, group, version, package reference, license id, license expression and alternate package reference should be same for all the rows + And Column license name for each row should contain the value from the components.license.name field of the corresponding license section + +Scenario: Verify the license information for a package on the CycloneDX SBOM with license id and license name + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json package -pkg:maven/ch.qos.logback/logback-core@1.1.10?type=jar + Given User is on SBOM license information file + When User selects a package with multiple license sections + Then The report should have multiple rows for the same package corresponding to each license section + And Values on columns name, namespace, group, version, package reference, license expression and alternate package reference should be same for all the rows + And Column license id should contain the value of components.license.id field on one row and on the same row license.name column should be empty + And Column license name should contain the value of the components.license.name on another row and on the same row license.id column should be empty + +Scenario: Verify CycloneDX SBOM level license information on license export + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - cdx_sbom.json + Given User is on SBOM license information 
file + Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json + And namespace column should be empty + And group column should contain the value of metadata.component.group field from SBOM json + And version column should contain the value of metadata.component.version field from SBOM json + And package reference column should contain the value of metadata.component.purl from SBOM json + And license column should contain the value from metadata.component.licenses.license.id field of the SBOM json + And license name column should be empty + And license expression column should be empty And alternate package reference column should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with multiple licenses - Given User is on package license combination file + Given User is on SBOM license information file When User selects a package with multiple license information Then Package should have Rows equivalent to number of licenses And All the package rows should be loaded with identical values for the columns name, namespace, group, version, package And License column should be loaded with the unique licenses of the package from SBOM json - -Scenario: Verify the contents on CycloneDX SBOM license reference CSV file - Given User is on license reference file - When User selects a license from the list of licenses - Then The License reference CSV should be empty diff --git a/tests/features/licenseexport_spdx.feature b/tests/features/licenseexport_spdx.feature index 0a67649..50da62c 100644 --- a/tests/features/licenseexport_spdx.feature +++ b/tests/features/licenseexport_spdx.feature 
@@ -36,12 +36,12 @@ Scenario: User Downloads license information for SPDX SBOM from SBOM Explorer pa Scenario: Verify the files on downloaded SPDX SBOM license ZIP Given User has Downloaded the License information for SPDX SBOM When User extracts the Downloaded license ZIP file - Then Extracted files should contain two CSVs, one for Package License combination and another one for License reference + Then Extracted files should contain two CSVs, one for Package license information and another one for License reference Scenario: Verify the headers on SPDX SBOM package License CSV file Given User extracted the SPDX SBOM license compressed file - When User Opens the package license combination file - Then The file should have the following headers - name, namespace, group, version, package reference, license, license name and alternate package reference + When User Opens the package license information file + Then The file should have the following headers - name, namespace, group, version, package reference, license, license name, license expression and alternate package reference Scenario: Verify the headers on SPDX SBOM License reference CSV file Given User extracted the SPDX SBOM license compressed file 
@@ -49,28 +49,65 @@ Scenario: Verify the headers on SPDX SBOM License reference CSV file Then The file should have the following headers - licenseId, name, extracted text and comment Scenario: Verify the license information for a package with single license - Given User is on package license combination file + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - rhoai-2.15.json package - pkg:rpm/redhat/popt@1.18-1.el8?arch=x86_64 + Given User is on SBOM license information file When User selects a package with Single license information Then name column should contain the value of name field from SBOM json And namespace column should contain the value of documentNamespace field from SBOM json And group column should be empty And version column should be empty And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json - And license column should contain the value of packages.licenseDeclared field from SBOM json - And license name column should be populated in reference to license reference CSV file - And alternate package reference column should contain the arrays of values of packages.externalRefs.referenceLocator field for referenceType other than purl + And license column should be empty + And license name column should be empty + And license expression column should contain the value from licenseDeclared field of the SBOM json + And alternate package reference column should be empty -Scenario: Verify the license information for a package with multiple licenses - Given User is on package license combination file - When User selects a package with multiple license information - Then Package should have Rows equivalent to number of licenses - And All the package rows should be loaded with identical values for the columns name, namespace, group, version, package - And License column should be loaded with the unique licenses of 
the package from SBOM json +Scenario: Verify the license information for a package with single license with alternate package reference referenceLocator + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - RHOSE-4.14.json package - pkg:rpm/redhat/skopeo@1.11.3-4.rhaos4.14.el9?arch=src&epoch=2 + Given User is on SBOM license information file + When User selects a package with Single license information + Then name column should contain the value of name field from SBOM json + And namespace column should contain the value of documentNamespace field from SBOM json + And group column should be empty + And version column should be empty + And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json + And license column should be empty + And license name column should be empty + And license expression column should contain the value from licenseDeclared field of the SBOM json + And alternate package reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json + +Scenario: Verify the license information for a package with multiple licenses with alternate package reference referenceLocator + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - RHOSE-4.14.json package - pkg:rpm/redhat/NetworkManager@1.42.2-24.el9_2?arch=src&epoch=1 + Given User is on SBOM license information file + When User selects a package with multiple licenses information + Then name column should contain the value of name field from SBOM json + And namespace column should contain the value of documentNamespace field from SBOM json + And group column should be empty + And version column should be empty + And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json + 
And license column should be empty + And license name column should be empty + And license expression column should contain the whole value from licenseDeclared field of the SBOM json in a single row + And alternate package reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json + +Scenario: Verify SPDX SBOM level license information on license export + # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link + # sbom - RHOSE-4.6.Z.json + Given User is on SBOM license information file + Then name column should contain the value of name field from SBOM json + And namespace column should contain the value of documentNamespace field from SBOM json + And group column should be empty + And version column should be empty + And package reference column should be empty + And license column should be empty + And license name column should be empty + And license expression column should contain the whole value from licenseDeclared field in a single row for the packages entry of the SBOM + And alternate package reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json Scenario: Verify the contents on SPDX SBOM license reference CSV file Given User is on license reference file When User selects a license from the list of licenses - Then The unique values of licenceDeclared field from SPDX SBOM file should be listed - And licenseId column should be loaded with unique license id - And license column should be loaded with the name of the license - And extracted text and comment columns should be loaded in reference to the template file + Then Values hasExtractedLicensingInfos section of the SPDX SBOM json should be listed under the Reference CSV file From 6f6c04573bc2c5189aa200ba6775c51e6037dd2b Mon Sep 17 00:00:00 2001 
From: Rajan Ravi Date: Wed, 5 Feb 2025 20:31:20 +0530 Subject: [PATCH 2/2] Removed test data reference + Updated steps Signed-off-by: Rajan Ravi --- tests/features/licenseexport_cdx.feature | 161 ++++++++-------------- tests/features/licenseexport_spdx.feature | 70 ++++------ 2 files changed, 83 insertions(+), 148 deletions(-) diff --git a/tests/features/licenseexport_cdx.feature b/tests/features/licenseexport_cdx.feature index 3078afb..d737afb 100644 --- a/tests/features/licenseexport_cdx.feature +++ b/tests/features/licenseexport_cdx.feature @@ -41,7 +41,7 @@ Scenario: Verify the files on downloaded CycloneDX SBOM license ZIP Scenario: Verify the headers on CycloneDX SBOM package License CSV file Given User extracted the CycloneDX SBOM license compressed file When User Opens the package license information file - Then The file should have the following headers - name, namespace, group, version, package reference, license, license name, license expression and alternate package reference + Then The file should have the following headers - name, namespace, group, version, package reference, license id, license name, license expression and alternate package reference Scenario: Verify the headers on CycloneDX SBOM License reference CSV file Given User extracted the CycloneDX SBOM license compressed file 
@@ -50,144 +50,101 @@ Scenario: Verify the headers on CycloneDX SBOM License reference CSV file Scenario: Verify the contents on CycloneDX SBOM license reference CSV file Given User is on license reference file - When User selects a license from the list of licenses Then The License reference CSV should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license id - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package - pkg:maven/io.quarkus/quarkus-resteasy@2.13.7.Final?type=jar Given User is on SBOM license information file When User selects a package with Single license id - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should contain the value of components.license.id field from SBOM json - And license name column should be empty - And license expression column should be empty - And alternate package reference column should be empty + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match "metadata.component.version" from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license id" column should match "components.license.id" from SBOM + And The columns "namespace", "license name", "license expression", "alternate package reference" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license id with alternate package reference - # Test data 
https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - tc_1730_license_escape.json package - pkg:pkg:npm/%40gradio/accordion@0.3.4 Given User is on SBOM license information file When User selects a package with Single license id with cpe information - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should contain the value of components.license.id field from SBOM json - And license name column should be empty - And license expression column should be empty - And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match metadata.component.version from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license id" column should match "components.license.id" from SBOM + And "alternate package reference" column should match "components.cpe" from SBOM + And The columns "namespace", "license name", "license expression" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license name - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package - pkg:maven/org.bouncycastle/bcpkix-jdk15on@1.68?type=jar Given User is on SBOM license information file When User selects a package with Single license name - Then name column should contain the value of SBOM name 
from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should be empty - And license name column should contain the value of license name from components.license.name field from SBOM json - And license expression column should be empty - And alternate package reference column should be empty + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match metadata.component.version from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license name" column should match "components.license.name" from SBOM + And The columns "namespace", "license id", "license expression", "alternate package reference" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license name with alternate package reference - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - tc_1730_license_escape.json package - pkg:pypi/PyGObject@3.40.1 Given User is on SBOM license information file - When User selects a package with Single license name with cpe information - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should be 
empty - And license name column should contain the value of license name from components.license.name field from SBOM json - And license expression column should be empty - And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + When User selects a package with Single license id with cpe information + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match metadata.component.version from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license name" column should match "components.license.name" from SBOM + And "alternate package reference" column should match "components.cpe" from SBOM + And The columns "namespace", "license id", "license expression" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license expression - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package - pkg:maven/javax.activation/javax.activation-api@1.2.0?type=jar Given User is on SBOM license information file - When User selects a package with Single license expression - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should be empty - And license name column should be empty - And license expression column should contain the value of whole license expression in a single row from components.license.expression field from SBOM json - And alternate package 
reference column should be empty + When User selects a package with Single license name + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match metadata.component.version from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license expression" column should match "components.license.name" from SBOM + And The columns "namespace", "license id", "license name", "alternate package reference" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with single license expression with alternate package reference - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - tc_1730_license_escape.json package - pkg:rpm/rhel/annobin@12.31-2.el9?arch=x86_64&upstream=annobin-12.31-2.el9.src.rpm&distro=rhel-9.4 Given User is on SBOM license information file - When User selects a package with Single license expression with cpe information - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of components.purl from SBOM json - And license column should be empty - And license name column should be empty - And license expression column should contain the value of whole license expression in a single row from components.license.expression field from SBOM json - And alternate package reference column should contain the value of CPE from components.cpe field from SBOM json + When User selects a package with Single license name + Then "name" column should match "metadata.component.name" from SBOM + And "group" 
column should match "metadata.component.group" from SBOM + And "version" column should match metadata.component.version from SBOM + And "package reference" column should match "components.purl" from SBOM + And "license expression" column should match "components.license.name" from SBOM + And "alternate package reference" column should match "components.cpe" from SBOM + And The columns "namespace", "license id", "license name" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with multiple license ids - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package - pkg:maven/jakarta.el/jakarta.el-api@3.0.3?type=jar Given User is on SBOM license information file When User selects a package with multiple license sections Then The report should have multiple rows for the same package corresponding to each license section - And Values on columns name, namespace, group, version, package reference, license name, license expression and alternate package reference should be same for all the rows - And Column license id for each row should contain the value from the components.license.id field of the corresponding license section + And Values on columns "name", "group", "version", "package reference" should be same for all the rows from SBOM + And "license id" for each row should match the value from the components.license.id field of the corresponding license section + And The columns "namespace", "license name", "license expression", "alternate package reference" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with multiple license names - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package - pkg:maven/xpp3/xpp3_min@1.1.4c?type=jar Given User is on SBOM license information file When User selects a package with multiple license sections 
Then The report should have multiple rows for the same package corresponding to each license section - And Values on columns name, namespace, group, version, package reference, license id, license expression and alternate package reference should be same for all the rows - And Column license name for each row should contain the value from the components.license.name field of the corresponding license section + And Values on columns "name", "group", "version", "package reference", "alternate package reference" should be same for all the rows from SBOM + And "license id" for each row should match the value from the components.license.id field of the corresponding license section + And The columns "namespace", "license name", "license expression" should be empty Scenario: Verify the license information for a package on the CycloneDX SBOM with license id and license name - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json package -pkg:maven/ch.qos.logback/logback-core@1.1.10?type=jar Given User is on SBOM license information file When User selects a package with multiple license sections Then The report should have multiple rows for the same package corresponding to each license section - And Values on columns name, namespace, group, version, package reference, license expression and alternate package reference should be same for all the rows - And Column license id should contain the value of components.license.id field on one row and on the same row license.name column should be empty - And Column license name should contain the value of the components.license.name on another row and on the same row license.id column should be empty + And Values on columns "name", "group", "version", "package reference" should be same for all the rows from SBOM + And Column "license id" should match "components.license.id" on one row and on the same row license.name column should be empty + And Column "license 
name" should match the "components.license.name" on another row and on the same row license.id column should be empty + And The columns "namespace","license expression", "alternate package reference" should be empty Scenario: Verify CycloneDX SBOM level license information on license export - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - cdx_sbom.json - Given User is on SBOM license information file - Then name column should contain the value of SBOM name from metadata.component.name field from SBOM json - And namespace column should be empty - And group column should contain the value of metadata.component.group field from SBOM json - And version column should contain the value of metadata.component.version field from SBOM json - And package reference column should contain the value of metadata.component.purl from SBOM json - And license column should contain the value from metadata.component.licenses.license.id field of the SBOM json - And license name column should be empty - And license expression column should be empty - And alternate package reference column should be empty - -Scenario: Verify the license information for a package on the CycloneDX SBOM with multiple licenses Given User is on SBOM license information file - When User selects a package with multiple license information - Then Package should have Rows equivalent to number of licenses - And All the package rows should be loaded with identical values for the columns name, namespace, group, version, package - And License column should be loaded with the unique licenses of the package from SBOM json + Then "name" column should match "metadata.component.name" from SBOM + And "group" column should match "metadata.component.group" from SBOM + And "version" column should match "metadata.component.version" from SBOM + And "package reference" column should match "metadata.component.purl" from SBOM + And "license id" column should match 
"metadata.component.licenses.license.id" from SBOM + And The columns "namespace", "license name", "license expression", "alternate package reference" should be empty diff --git a/tests/features/licenseexport_spdx.feature b/tests/features/licenseexport_spdx.feature index 50da62c..8a82ce6 100644 --- a/tests/features/licenseexport_spdx.feature +++ b/tests/features/licenseexport_spdx.feature @@ -41,7 +41,7 @@ Scenario: Verify the files on downloaded SPDX SBOM license ZIP Scenario: Verify the headers on SPDX SBOM package License CSV file Given User extracted the SPDX SBOM license compressed file When User Opens the package license information file - Then The file should have the following headers - name, namespace, group, version, package reference, license, license name, license expression and alternate package reference + Then The file should have the following headers - name, namespace, group, version, package reference, license id, license name, license expression and alternate package reference Scenario: Verify the headers on SPDX SBOM License reference CSV file Given User extracted the SPDX SBOM license compressed file 
@@ -49,63 +49,41 @@ Scenario: Verify the headers on SPDX SBOM License reference CSV file Then The file should have the following headers - licenseId, name, extracted text and comment Scenario: Verify the license information for a package with single license - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - rhoai-2.15.json package - pkg:rpm/redhat/popt@1.18-1.el8?arch=x86_64 Given User is on SBOM license information file When User selects a package with Single license information - Then name column should contain the value of name field from SBOM json - And namespace column should contain the value of documentNamespace field from SBOM json - And group column should be empty - And version column should be empty - And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json - And license column should be empty - And license name column should be empty - And license expression column should contain the value from licenseDeclared field of the SBOM json - And alternate package reference column should be empty + Then "name" column should match "name" from SBOM + And "namespace" column should match "documentNamespace" from SBOM + And "package reference" column should match "packages.externalRefs.referenceLocator" of "packages.externalRefs.referenceType" type purl from SBOM + And "license expression" column should match "packages.licenseDeclared" from SBOM + And The columns "group", "version", "license id", "license name", "alternate package reference" should be empty Scenario: Verify the license information for a package with single license with alternate package reference referenceLocator - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - RHOSE-4.14.json package - pkg:rpm/redhat/skopeo@1.11.3-4.rhaos4.14.el9?arch=src&epoch=2 Given User is on SBOM license information file 
When User selects a package with Single license information - Then name column should contain the value of name field from SBOM json - And namespace column should contain the value of documentNamespace field from SBOM json - And group column should be empty - And version column should be empty - And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json - And license column should be empty - And license name column should be empty - And license expression column should contain the value from licenseDeclared field of the SBOM json - And alternate package reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json + Then "name" column should match "name" from SBOM + And "namespace" column should match "documentNamespace" from SBOM + And "package reference" column should match "packages.externalRefs.referenceLocator" of "packages.externalRefs.referenceType" purl from SBOM + And "license expression" column should match "packages.licenseDeclared" from SBOM + And "alternate package reference" column should match "packages.externalRefs.referenceLocator" of "packages.externalRefs.referenceType" type cpe from SBOM json + And The columns "group", "version", "license id", "license name" should be empty Scenario: Verify the license information for a package with multiple licenses with alternate package reference referenceLocator - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - RHOSE-4.14.json package - pkg:rpm/redhat/NetworkManager@1.42.2-24.el9_2?arch=src&epoch=1 Given User is on SBOM license information file - When User selects a package with multiple licenses information - Then name column should contain the value of name field from SBOM json - And namespace column should contain the value of documentNamespace field from SBOM json - And group column should be empty 
- And version column should be empty - And package reference column should contain the value of packages.externalRefs.referenceLocator field for purl referenceType from SBOM json - And license column should be empty - And license name column should be empty - And license expression column should contain the whole value from licenseDeclared field of the SBOM json in a single row - And alternate package reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json + When User selects a package with Single license information + Then "name" column should match "name" from SBOM + And "namespace" column should match "documentNamespace" from SBOM + And "package reference" column should match "packages.externalRefs.referenceLocator" of "packages.externalRefs.referenceType" purl from SBOM + And "license expression" column should match the whole value of "packages.licenseDeclared" from SBOM in a single row + And "alternate package reference" column should match "packages.externalRefs.referenceLocator" of "packages.externalRefs.referenceType" type cpe from SBOM json + And The columns "group", "version", "license id", "license name" should be empty Scenario: Verify SPDX SBOM level license information on license export - # Test data https://drive.google.com/drive/folders/1Z6y6gMegutBeUuc_8LkpYxKeGz_KYG9H?usp=drive_link - # sbom - RHOSE-4.6.Z.json Given User is on SBOM license information file - Then name column should contain the value of name field from SBOM json - And namespace column should contain the value of documentNamespace field from SBOM json - And group column should be empty - And version column should be empty - And package reference column should be empty - And license column should be empty - And license name column should be empty - And license expression column should contain the whole value from licenseDeclared field in a single row for the packages entry of the SBOM - And alternate package 
reference column should contain the value of packages.externalRefs.referenceLocator field for cpe referenceType from SBOM json + Then "name" column should match "name" from SBOM + And "namespace" column should match "documentNamespace" from SBOM + And "license expression" column should match the whole value from "packages.licenseDeclared" in a single row of the SBOM information under packages section + And "alternate package reference" column should contain the value of "packages.externalRefs.referenceLocator" field for cpe "packages.externalRefs.referenceType" from SBOM json + And The columns "group", "version", "package reference", "license id", "license name" should be empty Scenario: Verify the contents on SPDX SBOM license reference CSV file Given User is on license reference file
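Review bot: in the licenseexport_cdx.feature hunk (@@ -36,38 +36,158 @@), the "multiple license names" scenario now asserts `"license id" for each row should match the value from the components.license.id field` and lists "license name" among the empty columns. That is the same check as the "multiple license ids" scenario and contradicts the title; the removed step compared the license name column with components.license.name, so the replacement looks like a copy-paste slip. The "single license expression with alternate package reference" scenario has a similar mismatch: its When step now selects "a package with Single license name" and the "license expression" column is compared with "components.license.name", where the removed step used components.license.expression. Please confirm which field is intended and align the title, the When step and the field. Smaller points in the same hunk: metadata.component.version is unquoted in two steps while every other field path is quoted, the last scenario's steps say "license.name column" and "license.id column" instead of the quoted column names, and `"namespace","license expression"` is missing a space. The removed "# Test data" and "# sbom - ... package - ..." comments were the only record of which SBOM and package each scenario uses; keep that mapping somewhere in the feature file, for example as an Examples table or a tag.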
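Review bot: in the first licenseexport_spdx.feature hunk (@@ -41,7 +41,7 @@), the header step renames "license" to "license id", but the corresponding CycloneDX header step in this same patch still lists "license" (`package reference, license, license name, license expression and alternate package reference`) while the new CycloneDX scenarios assert on a "license id" column. If both exports share the CSV layout, update the CycloneDX header step as well; if they differ on purpose, say so in the scenario so the two feature files are not read as inconsistent.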
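Review bot: in the second licenseexport_spdx.feature hunk (@@ -49,63 +49,41 @@), the scenario "package with multiple licenses with alternate package reference referenceLocator" now has the When step `User selects a package with Single license information`, replacing "multiple licenses information", while its title and the "whole value of "packages.licenseDeclared" from SBOM in a single row" assertion still describe the multiple-license case. As written it selects the same kind of package as the two scenarios before it; restore the multiple-licenses When step. The step wording also drifts within the hunk: `of "packages.externalRefs.referenceType" type purl` in the first scenario versus `of "packages.externalRefs.referenceType" purl` in the next two, "from SBOM" versus "from SBOM json", and the SBOM level scenario keeps "should contain the value of ... field for cpe" where the others use "should match". Pick one phrasing per step so a single step definition can bind them. As in the CycloneDX file, the removed "# Test data" and "# sbom - ..." comments leave no indication of which SBOM and package back each scenario.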