
test(sbom): pin declared-dependency SBOM for native Maven uploads (#870)#222

Merged
brandonrc merged 2 commits into main from test/sbom-declared-deps-870 on Jun 1, 2026

Conversation

@brandonrc

Contributor

Summary

Adds a release-gate E2E that pins the declared-dependency SBOM invariant for native Maven uploads, the exact gap #220 describes.

A Maven jar PUT does not trigger a scan, so there are no scan_packages rows. Before the fix the SBOM read path returned an empty component list, and a customer fetched "components": [] for an artifact whose POM names real dependencies. The companion backend fix (artifact-keeper#1553, closes artifact-keeper#870) adds a declared-dependency source so the SBOM is populated from the POM regardless of scanning. This test pins that behavior.

What the test does (tests/security/test-sbom-declared-deps.sh)

Publishes a placeholder jar plus a POM declaring two compile dependencies (one ${property}-versioned, one literal) and one test-scoped dependency, then asserts:

  • POST /api/v1/sbom returns component_count >= 2
  • the property-versioned guava resolves to pkg:maven/com.google.guava/guava@32.1.3-jre (exercises the storage POM fallback and <properties> interpolation in the backend fix)
  • commons-lang3 appears with its maven purl
  • the test-scoped junit-jupiter is excluded
  • the document carries a declared/partial completeness signal, never an authoritative complete with an empty inventory

Why it complements the existing gate

tests/release-gate/sbom-correctness-gate.sh covers the npm + lockfile, scanner-derived path. This covers the opposite case the existing gate cannot: declared dependencies with no scanner inventory at all.

Portability

Gated behind a new require_feature "sbom_declared_dependencies" flag (min backend 1.2.0, registered in tests/lib/common.sh) so pre-1.2.0 backends skip loudly instead of flapping on the structurally-empty case. The test is auto-discovered by the security suite, which release-gate.yml already runs.

Note: #220 was written assuming this slipped to v1.2.1. The backend fix landed for v1.2.0 (artifact-keeper#1553), so the feature gate targets 1.2.0.

Validation

  • bash -n: clean
  • shellcheck tests/security/test-sbom-declared-deps.sh: clean (exit 0)
  • Live run pending a backend image built from artifact-keeper#1553; the test skips on backends that predate the fix.

Closes #220
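The invariant the test pins, as an added example that is neither the test script nor artifact-keeper's backend code: a minimal POM-to-SBOM reducer run over a constructed POM matching the fixture described above (compile dependencies become `pkg:maven` purls with `<properties>` interpolation, test scope is dropped, and the document never claims a complete inventory). The commons-lang3 and junit-jupiter versions and the `completeness` field name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed POM mirroring the PR's fixture: two compile dependencies (one
# ${property}-versioned, one literal) and one test-scoped dependency.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>placeholder</artifactId><version>1.0.0</version>
  <properties><guava.version>32.1.3-jre</guava.version></properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>${guava.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
      <version>3.14.0</version></dependency>
    <dependency><groupId>org.junit.jupiter</groupId><artifactId>junit-jupiter</artifactId>
      <version>5.10.2</version><scope>test</scope></dependency>
  </dependencies>
</project>"""


def _text(elem, tag: str) -> str:
    """Stripped text of a namespaced child element, or "" when absent."""
    return (elem.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip()


def declared_components(pom_xml: str) -> list[str]:
    """Return pkg:maven purls for the POM's declared non-test dependencies."""
    root = ET.fromstring(pom_xml)
    # <properties> drives ${name} interpolation; unknown names are left as-is.
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}

    def interpolate(value: str) -> str:
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    purls = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if _text(dep, "scope") == "test":
            continue  # test-scoped dependencies never ship inside the artifact
        version = interpolate(_text(dep, "version"))
        purls.append(f"pkg:maven/{_text(dep, 'groupId')}/{_text(dep, 'artifactId')}@{version}")
    return purls


def sbom_document(pom_xml: str) -> dict:
    """Minimal SBOM shape the test asserts on (field names are assumptions)."""
    comps = declared_components(pom_xml)
    # A POM-derived inventory is partial by construction: never claim "complete".
    return {"component_count": len(comps), "components": comps,
            "completeness": "declared" if comps else "unknown"}
```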

brandonrc added 2 commits June 1, 2026 13:55
Adds tests/security/test-sbom-declared-deps.sh, a release-gate E2E that proves
the declared-dependency SBOM source landed in artifact-keeper#870 / PR #1553.

A Maven jar PUT does not trigger a scan, so there are no scan_packages rows.
Before the fix the SBOM read path returned an empty component list and the
customer fetched "components": [] for an artifact whose POM names real
dependencies. The test publishes a placeholder jar plus a POM declaring two
compile dependencies (one ${property}-versioned, one literal) and one
test-scoped dependency, then asserts:

- POST /api/v1/sbom returns component_count >= 2
- the property-versioned guava resolves to pkg:maven/com.google.guava/guava@32.1.3-jre
  (exercises the storage POM fallback + <properties> interpolation)
- commons-lang3 appears with its maven purl
- the test-scoped junit-jupiter is excluded
- the document carries a declared/partial completeness signal, never an
  authoritative "complete" with an empty inventory

Gated behind a new require_feature flag sbom_declared_dependencies (>= 1.2.0)
so pre-fix backends skip loudly instead of flapping. Auto-discovered by the
security suite, which release-gate.yml already runs.

Closes #220
… set

The release gate resolves require_feature via the branch-aware AK_FEATURES env
(feature-flags.sh), not the version probe. Without registering the new flag in
AK_BACKEND_BRANCH_1_2_X, the gate treated it as explicitly-disabled and skipped
test-sbom-declared-deps.sh on main/1.2.x. Add it so the test runs against a
backend carrying artifact-keeper#870 (PR #1553).
@brandonrc brandonrc merged commit d444d62 into main Jun 1, 2026
2 of 4 checks passed
@brandonrc brandonrc deleted the test/sbom-declared-deps-870 branch June 1, 2026 20:18

Development

Successfully merging this pull request may close these issues.

test(sbom): pin native-protocol SBOM components-populated regression (artifact-keeper#870)