TC-1757 Fix SPDX SBOM ingestion with multiple purls in externalRefs a…

…rray (#122)

Signed-off-by: mrizzi <[email protected]>

demo/graphql/queries-trustification.gql

@@ -380,3 +380,27 @@ query TC_1609_HasMetadata {
     }
   }
 }
+
+query TC_1757_Package_x86_64 {
+  packages (pkgSpec:{
+    name:"openssl",
+    qualifiers: [
+      {key:"arch", value:"src"},
+      {key:"repository_id", value:"rhel-9-for-x86_64-baseos-eus-source-rpms"}
+    ]
+  }) {
+    ...allPkgTree
+  }
+}
+
+query TC_1757_Package_aarch64 {
+  packages (pkgSpec:{
+    name:"openssl",
+    qualifiers: [
+      {key:"arch", value:"src"},
+      {key:"repository_id", value:"rhel-9-for-aarch64-baseos-eus-source-rpms"}
+    ]
+  }) {
+    ...allPkgTree
+  }
+}

internal/testing/e2e-trustification/e2e

@@ -107,4 +107,15 @@ echo @@@@ Running TC_1609 queries and validating output
 cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_HasMetadata | jq 'del(.. | .id?) | .HasMetadata | sort ' > "${GUAC_DIR}/gotTC_1609_HasMetadata.json"
 diff -u "${SCRIPT_DIR}/expectTC_1609_HasMetadata.json" "${GUAC_DIR}/gotTC_1609_HasMetadata.json"
 
+echo @@@@ Ingesting TC_1757_openssl-3.0.7-18.el9_2.spdx.json into server
+time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/TC_1757_openssl-3.0.7-18.el9_2.spdx.json;
+
+echo @@@@ Running TC_1757 queries and validating output
+
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1757_Package_x86_64 | jq 'del(.. | .id?) | .packages[].namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .packages ' > "${GUAC_DIR}/gotTC_1757_Package_x86_64.json"
+diff -u "${SCRIPT_DIR}/expectTC_1757_Package_x86_64.json" "${GUAC_DIR}/gotTC_1757_Package_x86_64.json"
+
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1757_Package_aarch64 | jq 'del(.. | .id?) | .packages[].namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .packages ' > "${GUAC_DIR}/gotTC_1757_Package_aarch64.json"
+diff -u "${SCRIPT_DIR}/expectTC_1757_Package_aarch64.json" "${GUAC_DIR}/gotTC_1757_Package_aarch64.json"
+
 # Note: graphql_playground is left running, CI will clean it up

internal/testing/e2e-trustification/expectTC_1757_Package_aarch64.json

@@ -0,0 +1,31 @@
+[
+  {
+    "type": "rpm",
+    "namespaces": [
+      {
+        "namespace": "redhat",
+        "names": [
+          {
+            "name": "openssl",
+            "versions": [
+              {
+                "version": "3.0.7-18.el9_2",
+                "qualifiers": [
+                  {
+                    "key": "arch",
+                    "value": "src"
+                  },
+                  {
+                    "key": "repository_id",
+                    "value": "rhel-9-for-aarch64-baseos-eus-source-rpms"
+                  }
+                ],
+                "subpath": ""
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+]

internal/testing/e2e-trustification/expectTC_1757_Package_x86_64.json

@@ -0,0 +1,31 @@
+[
+  {
+    "type": "rpm",
+    "namespaces": [
+      {
+        "namespace": "redhat",
+        "names": [
+          {
+            "name": "openssl",
+            "versions": [
+              {
+                "version": "3.0.7-18.el9_2",
+                "qualifiers": [
+                  {
+                    "key": "arch",
+                    "value": "src"
+                  },
+                  {
+                    "key": "repository_id",
+                    "value": "rhel-9-for-x86_64-baseos-eus-source-rpms"
+                  }
+                ],
+                "subpath": ""
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+]