test: Add comprehensive SBOM policy test cases for PURL builtins

anivar · anivar · commit b0ce34b7c3ef · 2025-10-08T17:34:57.000+05:30
- Test vulnerable package detection scenarios
- Test registry policy enforcement
- Test license compliance checking
- Test supply chain verification requirements
- Test high-risk package identification

These tests verify the SBOM examples in the documentation work correctly
with the PURL builtin functions.

Signed-off-by: Anivar A Aravind &lt;ping@anivar.net&gt;
diff --git a/v1/test/cases/testdata/v1/purlbuiltins/test-sbom-examples.yaml b/v1/test/cases/testdata/v1/purlbuiltins/test-sbom-examples.yaml
@@ -0,0 +1,199 @@
+---
+cases:
+  # Vulnerable package detection
+  - note: purlbuiltins/sbom_vulnerable_log4j
+    query: data.security.sbom.deny = x
+    modules:
+      - |
+        package security.sbom
+        import rego.v1
+
+        vulnerable_packages := [
+            {"type": "npm", "name": "lodash", "version": "4.17.19"},
+            {"type": "maven", "namespace": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.0"},
+            {"type": "pypi", "name": "tensorflow", "version": "2.5.0"}
+        ]
+
+        deny contains msg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+
+            some vuln in vulnerable_packages
+            pkg.type == vuln.type
+            pkg.name == vuln.name
+            pkg.namespace == vuln.namespace
+            pkg.version == vuln.version
+
+            msg := sprintf("Vulnerable package detected: %s", [component.purl])
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"
+          - purl: "pkg:npm/express@4.17.1"
+    want_result:
+      - x:
+        - "Vulnerable package detected: pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0"
+
+  # Test non-vulnerable package passes
+  - note: purlbuiltins/sbom_safe_package
+    query: data.security.sbom.deny = x
+    modules:
+      - |
+        package security.sbom
+        import rego.v1
+
+        vulnerable_packages := [
+            {"type": "npm", "name": "lodash", "version": "4.17.19"},
+            {"type": "maven", "namespace": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.0"}
+        ]
+
+        deny contains msg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+
+            some vuln in vulnerable_packages
+            pkg.type == vuln.type
+            pkg.name == vuln.name
+            pkg.namespace == vuln.namespace
+            pkg.version == vuln.version
+
+            msg := sprintf("Vulnerable package detected: %s", [component.purl])
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"  # Safe version
+          - purl: "pkg:npm/express@4.17.1"
+    want_result:
+      - x: []
+
+  # Registry policy enforcement
+  - note: purlbuiltins/registry_policy_violation
+    query: data.registry.policy.violations = x
+    modules:
+      - |
+        package registry.policy
+        import rego.v1
+
+        allowed_registries := {
+            "docker": ["docker.io", "gcr.io"]
+        }
+
+        violations contains msg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+            pkg.type == "docker"
+
+            # Check qualifiers for repository_url
+            repository := pkg.qualifiers.repository_url
+            not allowed_registry(repository)
+
+            msg := sprintf("Unapproved registry: %s", [repository])
+        }
+
+        allowed_registry(repo) if {
+            some allowed in allowed_registries.docker
+            contains(repo, allowed)
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:docker/myapp@1.0.0?repository_url=unauthorized.registry.io"
+          - purl: "pkg:docker/nginx@latest?repository_url=docker.io"
+    want_result:
+      - x:
+        - "Unapproved registry: unauthorized.registry.io"
+
+  # License compliance check
+  - note: purlbuiltins/license_compliance_violation
+    query: data.compliance.licenses.violations = x
+    modules:
+      - |
+        package compliance.licenses
+        import rego.v1
+
+        prohibited_licenses := {"GPL-3.0", "AGPL-3.0"}
+
+        violations contains msg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+
+            some license in component.licenses
+            license.id in prohibited_licenses
+
+            msg := sprintf("Package %s/%s@%s uses prohibited license %s",
+                           [pkg.type, pkg.name, pkg.version, license.id])
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:npm/some-package@1.0.0"
+            licenses:
+              - id: "GPL-3.0"
+              - id: "MIT"
+          - purl: "pkg:npm/safe-package@2.0.0"
+            licenses:
+              - id: "MIT"
+    want_result:
+      - x:
+        - "Package npm/some-package@1.0.0 uses prohibited license GPL-3.0"
+
+  # Supply chain verification - missing checksums
+  - note: purlbuiltins/supply_chain_missing_verification
+    query: data.supply_chain.require_verification = x
+    modules:
+      - |
+        package supply_chain
+        import rego.v1
+
+        require_verification contains msg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+
+            not component.hashes
+            not pkg.qualifiers.checksum
+
+            msg := sprintf("Package lacks verification: %s", [component.purl])
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:npm/unverified@1.0.0"
+          - purl: "pkg:npm/verified@1.0.0"
+            hashes:
+              - alg: "SHA-256"
+                content: "abcd1234"
+    want_result:
+      - x:
+        - "Package lacks verification: pkg:npm/unverified@1.0.0"
+
+  # High risk packages without namespace
+  - note: purlbuiltins/high_risk_packages
+    query: data.supply_chain.high_risk_packages = x
+    modules:
+      - |
+        package supply_chain
+        import rego.v1
+
+        high_risk_packages contains pkg if {
+            some component in input.components
+            pkg := purl.parse(component.purl)
+
+            pkg.type in {"npm", "pypi", "gem"}
+            not pkg.namespace
+        }
+    data:
+      input:
+        components:
+          - purl: "pkg:npm/lodash@4.17.21"  # No namespace
+          - purl: "pkg:npm/@angular/core@12.0.0"  # Has namespace
+          - purl: "pkg:pypi/requests@2.28.0"  # No namespace
+    want_result:
+      - x:
+        - type: "npm"
+          name: "lodash"
+          version: "4.17.21"
+        - type: "pypi"
+          name: "requests"
+          version: "2.28.0"
