Add StandardBomParserTest.testCreateSbomFromScratch() to check for differences in format when updating from upstream

Author: tsjensen

src/test/java/com/siemens/sbom/standardbom/StandardBomParserTest.java

@@ -12,13 +12,26 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.time.LocalDate;
+import java.time.LocalDateTime;
+import java.time.LocalTime;
+import java.time.Month;
+import java.time.ZoneOffset;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
 
+import com.github.packageurl.MalformedPackageURLException;
+import com.github.packageurl.PackageURL;
+import com.github.packageurl.PackageURLBuilder;
 import org.cyclonedx.exception.ParseException;
+import org.cyclonedx.model.Component;
+import org.cyclonedx.model.License;
+import org.cyclonedx.model.OrganizationalContact;
+import org.cyclonedx.model.OrganizationalEntity;
 import org.junit.Assert;
 import org.junit.Assume;
 import org.junit.Rule;
@@ -27,6 +40,9 @@
 
 import com.siemens.sbom.standardbom.internal.VersionUtil;
 import com.siemens.sbom.standardbom.model.BomEntry;
+import com.siemens.sbom.standardbom.model.SbomNature;
+import com.siemens.sbom.standardbom.model.SourceArtifactRefLocal;
+import com.siemens.sbom.standardbom.model.SourceArtifactRefUrl;
 import com.siemens.sbom.standardbom.model.StandardBom;
 
 
@@ -202,4 +218,112 @@ private StandardBom parseFile(final String pFilename)
         }
         return null;
     }
+
+
+
+    @Test
+    public void testCreateSbomFromScratch()
+        throws MalformedPackageURLException, IOException, URISyntaxException
+    {
+        final StandardBom sbom = new StandardBom();
+        sbom.setSbomNature(SbomNature.Binary);
+        sbom.setProfile("clearing");
+        LocalDateTime sometime = LocalDate.of(2026, Month.JANUARY, 2).atTime(LocalTime.of(12, 0, 0));
+        sbom.setTimestamp(Date.from(sometime.toInstant(ZoneOffset.UTC)));
+        sbom.setSerialNumber("urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79");
+
+        OrganizationalEntity supplier = new OrganizationalEntity();
+        supplier.setName("ACME");
+        sbom.getMetadata().setSupplier(supplier);
+
+        Component primaryComponent = new Component();
+        primaryComponent.setName("primary");
+        primaryComponent.setDescription("Description of the primary component");
+        primaryComponent.setVersion("2.0.0");
+        primaryComponent.setGroup("com.example");
+        sbom.getMetadata().setComponent(primaryComponent);
+
+        // actual content:
+        sbom.addComponent(buildComponentEntry());
+
+        final File outputFile = tempDir.newFile("scratch-actual.cdx.json");
+        new StandardBomParser().save(sbom, outputFile);
+        Assert.assertTrue(outputFile.canRead());
+
+        @SuppressWarnings("ConstantConditions")
+        byte[] expBytes = Files.readAllBytes(Paths.get(getClass().getResource("scratch-expected.cdx.json").toURI()));
+        String expected = new String(expBytes, StandardCharsets.UTF_8);
+        expected = expected.replaceAll(Pattern.quote("${libraryVersion}"), Matcher.quoteReplacement(LIBRARY_VERSION));
+        expected = expected.replaceAll(Pattern.quote("${formatVersion}"), Matcher.quoteReplacement(FORMAT_VERSION));
+        final String actual = new String(Files.readAllBytes(Paths.get(outputFile.toURI())), StandardCharsets.UTF_8);
+
+        Assert.assertEquals(expected, actual);
+    }
+
+
+
+    private BomEntry buildComponentEntry()
+        throws MalformedPackageURLException
+    {
+        final BomEntry component = new BomEntry();
+        component.setType(Component.Type.LIBRARY);
+        component.setGroup("com.siemens.sbom");
+        component.setName("component1");
+        component.setVersion("1.0.0");
+
+        component.setPurl(PackageURLBuilder.aPackageURL()
+            .withType(PackageURL.StandardTypes.MAVEN)
+            .withNamespace("com.siemens.sbom")
+            .withName("component1")
+            .withVersion("1.0.0")
+            .build().toString());
+        component.setBomRef(component.getPurl());
+
+        OrganizationalContact author1 = new OrganizationalContact();
+        author1.setName("author1");
+        author1.setEmail("author1@example.com");
+        OrganizationalContact author2 = new OrganizationalContact();
+        author2.setName("author2");
+        author2.setEmail("author2@example.com");
+        component.setAuthors(Arrays.asList(author1, author2));
+
+        component.setCopyright("(c) the copyright holders");
+        component.setThirdPartyNotices("line1\nline2\nline3");
+        component.setDescription("This is the description of component1");
+        component.setDirectDependency(true);
+        component.setCpe("cpe:2.3:a:com.siemens.sbom:component1:-:*:*:*:*:*:*:*");
+        component.setFilename("component1.jar");
+        component.setLegalRemark("a legal remark");
+        component.setPrimaryLanguage("Java");
+        component.setInternal(false);
+        component.setWebsite("https://example.com");
+        component.setRepoUrl("https://example.com/component1.git");
+        component.setRelativePath("file:///binaries/d771af8e336e372fb5399c99edabe0919aeaf5b2/component1.jar");
+        component.setMd5("15f41a7cddbf60f741bc49966c38f75b");
+        component.setSha1("d771af8e336e372fb5399c99edabe0919aeaf5b2");
+
+        License license1 = new License();
+        license1.setName("The Apache Software License, version 2.0");
+        license1.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt");
+        component.addLicense(license1);
+        License license2 = new License();
+        license2.setId("MIT");
+        license2.setUrl("https://www.opensource.org/licenses/mit-license.php");
+        component.addLicense(license2);
+
+        SourceArtifactRefUrl comp1SourceUrl = new SourceArtifactRefUrl();
+        comp1SourceUrl.setUrl("https://example.com/sources/component1-sources.jar");
+        comp1SourceUrl.setMd5("11141a7cddbf60f741bc49966c38f111");
+        comp1SourceUrl.setSha1("7771af8e336e372fb5399c99edabe0919aeaf777");
+        component.addSources(comp1SourceUrl);
+
+        SourceArtifactRefLocal comp1SourceArchive = new SourceArtifactRefLocal();
+        comp1SourceArchive.setRelativePath(
+            "file:///sources/7771af8e336e372fb5399c99edabe0919aeaf777/component1-sources.jar");
+        comp1SourceArchive.setMd5("11141a7cddbf60f741bc49966c38f111");
+        comp1SourceArchive.setSha1("7771af8e336e372fb5399c99edabe0919aeaf777");
+        component.addSources(comp1SourceArchive);
+
+        return component;
+    }
 }

src/test/resources/com/siemens/sbom/standardbom/scratch-expected.cdx.json

@@ -0,0 +1,183 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.6",
+  "serialNumber" : "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2026-01-02T12:00:00Z",
+    "tools" : {
+      "components" : [
+        {
+          "type" : "library",
+          "supplier" : {
+            "name" : "Siemens AG"
+          },
+          "group" : "com.siemens.sbom.standardbom",
+          "name" : "standard-bom-java",
+          "version" : "${libraryVersion}",
+          "description" : "Standard BOM helper library for Java",
+          "externalReferences" : [
+            {
+              "type" : "website",
+              "url" : "https://github.com/siemens/standard-bom-java"
+            }
+          ]
+        }
+      ]
+    },
+    "component" : {
+      "group" : "com.example",
+      "name" : "primary",
+      "version" : "2.0.0",
+      "description" : "Description of the primary component"
+    },
+    "supplier" : {
+      "name" : "ACME"
+    },
+    "properties" : [
+      {
+        "name" : "siemens:sbomNature",
+        "value" : "binary"
+      },
+      {
+        "name" : "siemens:profile",
+        "value" : "clearing"
+      }
+    ]
+  },
+  "components" : [
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:maven/com.siemens.sbom/component1@1.0.0",
+      "authors" : [
+        {
+          "name" : "author1",
+          "email" : "author1@example.com"
+        },
+        {
+          "name" : "author2",
+          "email" : "author2@example.com"
+        }
+      ],
+      "group" : "com.siemens.sbom",
+      "name" : "component1",
+      "version" : "1.0.0",
+      "description" : "This is the description of component1",
+      "hashes" : [
+        {
+          "alg" : "MD5",
+          "content" : "15f41a7cddbf60f741bc49966c38f75b"
+        },
+        {
+          "alg" : "SHA-1",
+          "content" : "d771af8e336e372fb5399c99edabe0919aeaf5b2"
+        }
+      ],
+      "licenses" : [
+        {
+          "license" : {
+            "name" : "The Apache Software License, version 2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        },
+        {
+          "license" : {
+            "id" : "MIT",
+            "url" : "https://www.opensource.org/licenses/mit-license.php"
+          }
+        }
+      ],
+      "copyright" : "(c) the copyright holders",
+      "cpe" : "cpe:2.3:a:com.siemens.sbom:component1:-:*:*:*:*:*:*:*",
+      "purl" : "pkg:maven/com.siemens.sbom/component1@1.0.0",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://example.com"
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://example.com/component1.git"
+        },
+        {
+          "type" : "distribution",
+          "url" : "file:///binaries/d771af8e336e372fb5399c99edabe0919aeaf5b2/component1.jar",
+          "comment" : "relativePath"
+        },
+        {
+          "type" : "source-distribution",
+          "url" : "https://example.com/sources/component1-sources.jar",
+          "hashes" : [
+            {
+              "alg" : "MD5",
+              "content" : "11141a7cddbf60f741bc49966c38f111"
+            },
+            {
+              "alg" : "SHA-1",
+              "content" : "7771af8e336e372fb5399c99edabe0919aeaf777"
+            }
+          ]
+        },
+        {
+          "type" : "distribution",
+          "url" : "file:///sources/7771af8e336e372fb5399c99edabe0919aeaf777/component1-sources.jar",
+          "comment" : "source archive (local copy)",
+          "hashes" : [
+            {
+              "alg" : "MD5",
+              "content" : "11141a7cddbf60f741bc49966c38f111"
+            },
+            {
+              "alg" : "SHA-1",
+              "content" : "7771af8e336e372fb5399c99edabe0919aeaf777"
+            }
+          ]
+        }
+      ],
+      "properties" : [
+        {
+          "name" : "siemens:direct",
+          "value" : "true"
+        },
+        {
+          "name" : "siemens:filename",
+          "value" : "component1.jar"
+        },
+        {
+          "name" : "siemens:internal",
+          "value" : "false"
+        },
+        {
+          "name" : "siemens:legalRemark",
+          "value" : "a legal remark"
+        },
+        {
+          "name" : "siemens:primaryLanguage",
+          "value" : "Java"
+        },
+        {
+          "name" : "siemens:thirdPartyNotices",
+          "value" : "line1\nline2\nline3"
+        }
+      ]
+    }
+  ],
+  "definitions" : {
+    "standards" : [
+      {
+        "name" : "Standard BOM",
+        "version" : "${formatVersion}",
+        "description" : "The Standard for Software Bills of Materials in Siemens",
+        "owner" : "Siemens AG",
+        "externalReferences" : [
+          {
+            "type" : "website",
+            "url" : "https://sbom.siemens.io/"
+          }
+        ],
+        "bom-ref" : "standard-bom"
+      }
+    ]
+  }
+}