refactor: use regex for robust UUID replacement in SPDX namespace

leodido · ona-agent · leodido · commit 48794b6201cf · 2025-11-18T19:07:37.000+01:00
Replace manual string manipulation with regex-based UUID matching: - Use regex pattern to find and replace UUIDs - Validate that a UUID exists before attempting replacement - Handle edge cases: UUID at end, in middle, multiple UUIDs, no UUID - Log warning if no UUID found in namespace (unexpected format) - Add comprehensive test coverage for all edge cases Benefits: - More robust: validates UUID format before replacement - Handles any UUID position in the namespace - Fails gracefully with warning instead of silently - Better test coverage for edge cases Addresses review feedback from Cornelius on PR #281. Co-authored-by: Ona <no-reply@ona.com>
diff --git a/pkg/leeway/sbom.go b/pkg/leeway/sbom.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@@ -210,22 +211,16 @@ func normalizeSPDX(sbomPath string, timestamp time.Time) error {
 	contentHash := sha256.Sum256(normalizedForHash)
 	deterministicUUID := generateDeterministicUUID(contentHash[:])
 
-	// Replace UUID in documentNamespace
+	// Replace UUID in documentNamespace using regex for robust matching
 	if originalNamespace != "" {
-		// Extract base URL and replace UUID at the end
-		lastDash := strings.LastIndex(originalNamespace, "-")
-		if lastDash > 0 {
-			// Find the start of the UUID (5 segments separated by dashes)
-			uuidStart := lastDash
-			for i := 0; i < 4; i++ {
-				uuidStart = strings.LastIndex(originalNamespace[:uuidStart], "-")
-				if uuidStart == -1 {
-					break
-				}
-			}
-			if uuidStart > 0 {
-				originalNamespace = originalNamespace[:uuidStart] + "-" + deterministicUUID
-			}
+		// UUID pattern: 8-4-4-4-12 hex digits
+		uuidPattern := regexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
+		if uuidPattern.MatchString(originalNamespace) {
+			// Replace the UUID with our deterministic one
+			originalNamespace = uuidPattern.ReplaceAllString(originalNamespace, deterministicUUID)
+		} else {
+			// Log warning if no UUID found in namespace (unexpected format)
+			log.WithField("documentNamespace", originalNamespace).Warn("No UUID found in SPDX documentNamespace, skipping UUID normalization")
 		}
 		sbom["documentNamespace"] = originalNamespace
 	}
diff --git a/pkg/leeway/sbom_normalize_test.go b/pkg/leeway/sbom_normalize_test.go
@@ -262,90 +262,133 @@ func TestNormalizeCycloneDX(t *testing.T) {
 }
 
 func TestNormalizeSPDX(t *testing.T) {
-	// Create a temporary directory for test files
-	tmpDir := t.TempDir()
-	sbomPath := filepath.Join(tmpDir, "sbom.spdx.json")
-
-	// Create a sample SPDX SBOM
-	sbom := map[string]interface{}{
-		"spdxVersion":       "SPDX-2.3",
-		"dataLicense":       "CC0-1.0",
-		"SPDXID":            "SPDXRef-DOCUMENT",
-		"name":              "test-sbom",
-		"documentNamespace": "https://example.com/test-12345678-1234-1234-1234-123456789abc",
-		"creationInfo": map[string]interface{}{
-			"created": "2023-01-01T00:00:00Z",
-			"creators": []interface{}{
-				"Tool: test-tool",
-			},
+	tests := []struct {
+		name              string
+		documentNamespace string
+		wantUUIDChanged   bool
+	}{
+		{
+			name:              "UUID at end of namespace",
+			documentNamespace: "https://example.com/test-12345678-1234-1234-1234-123456789abc",
+			wantUUIDChanged:   true,
 		},
-		"packages": []interface{}{
-			map[string]interface{}{
-				"SPDXID":  "SPDXRef-Package",
-				"name":    "test-package",
-				"version": "1.0.0",
-			},
+		{
+			name:              "UUID in middle of namespace",
+			documentNamespace: "https://example.com/12345678-1234-1234-1234-123456789abc/test",
+			wantUUIDChanged:   true,
+		},
+		{
+			name:              "multiple UUIDs (replaces all)",
+			documentNamespace: "https://example.com/12345678-1234-1234-1234-123456789abc/test-abcdef01-2345-6789-abcd-ef0123456789",
+			wantUUIDChanged:   true,
+		},
+		{
+			name:              "no UUID in namespace",
+			documentNamespace: "https://example.com/test-no-uuid",
+			wantUUIDChanged:   false,
 		},
 	}
 
-	// Write initial SBOM
-	data, err := json.MarshalIndent(sbom, "", "  ")
-	if err != nil {
-		t.Fatalf("failed to marshal test SBOM: %v", err)
-	}
-	if err := os.WriteFile(sbomPath, data, 0644); err != nil {
-		t.Fatalf("failed to write test SBOM: %v", err)
-	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a temporary directory for test files
+			tmpDir := t.TempDir()
+			sbomPath := filepath.Join(tmpDir, "sbom.spdx.json")
+
+			// Create a sample SPDX SBOM
+			sbom := map[string]interface{}{
+				"spdxVersion":       "SPDX-2.3",
+				"dataLicense":       "CC0-1.0",
+				"SPDXID":            "SPDXRef-DOCUMENT",
+				"name":              "test-sbom",
+				"documentNamespace": tt.documentNamespace,
+				"creationInfo": map[string]interface{}{
+					"created": "2023-01-01T00:00:00Z",
+					"creators": []interface{}{
+						"Tool: test-tool",
+					},
+				},
+				"packages": []interface{}{
+					map[string]interface{}{
+						"SPDXID":  "SPDXRef-Package",
+						"name":    "test-package",
+						"version": "1.0.0",
+					},
+				},
+			}
 
-	// Normalize with a fixed timestamp
-	fixedTime := time.Unix(1234567890, 0).UTC()
-	if err := normalizeSPDX(sbomPath, fixedTime); err != nil {
-		t.Fatalf("normalizeSPDX failed: %v", err)
-	}
+			// Write initial SBOM
+			data, err := json.MarshalIndent(sbom, "", "  ")
+			if err != nil {
+				t.Fatalf("failed to marshal test SBOM: %v", err)
+			}
+			if err := os.WriteFile(sbomPath, data, 0644); err != nil {
+				t.Fatalf("failed to write test SBOM: %v", err)
+			}
 
-	// Read normalized SBOM
-	normalizedData, err := os.ReadFile(sbomPath)
-	if err != nil {
-		t.Fatalf("failed to read normalized SBOM: %v", err)
-	}
+			// Normalize with a fixed timestamp
+			fixedTime := time.Unix(1234567890, 0).UTC()
+			if err := normalizeSPDX(sbomPath, fixedTime); err != nil {
+				t.Fatalf("normalizeSPDX failed: %v", err)
+			}
 
-	var normalizedSBOM map[string]interface{}
-	if err := json.Unmarshal(normalizedData, &normalizedSBOM); err != nil {
-		t.Fatalf("failed to parse normalized SBOM: %v", err)
-	}
+			// Read normalized SBOM
+			normalizedData, err := os.ReadFile(sbomPath)
+			if err != nil {
+				t.Fatalf("failed to read normalized SBOM: %v", err)
+			}
 
-	// Verify timestamp was updated
-	creationInfo := normalizedSBOM["creationInfo"].(map[string]interface{})
-	created := creationInfo["created"].(string)
-	expectedTimestamp := fixedTime.Format(time.RFC3339)
-	if created != expectedTimestamp {
-		t.Errorf("expected timestamp %s, got %s", expectedTimestamp, created)
-	}
+			var normalizedSBOM map[string]interface{}
+			if err := json.Unmarshal(normalizedData, &normalizedSBOM); err != nil {
+				t.Fatalf("failed to parse normalized SBOM: %v", err)
+			}
 
-	// Verify UUID in documentNamespace was changed
-	namespace := normalizedSBOM["documentNamespace"].(string)
-	if namespace == "https://example.com/test-12345678-1234-1234-1234-123456789abc" {
-		t.Error("UUID in documentNamespace was not changed")
-	}
+			// Verify timestamp was updated
+			creationInfo := normalizedSBOM["creationInfo"].(map[string]interface{})
+			created := creationInfo["created"].(string)
+			expectedTimestamp := fixedTime.Format(time.RFC3339)
+			if created != expectedTimestamp {
+				t.Errorf("expected timestamp %s, got %s", expectedTimestamp, created)
+			}
 
-	// Normalize again with same timestamp - should produce same UUID
-	if err := normalizeSPDX(sbomPath, fixedTime); err != nil {
-		t.Fatalf("second normalizeSPDX failed: %v", err)
-	}
+			// Verify UUID in documentNamespace
+			namespace := normalizedSBOM["documentNamespace"].(string)
+			if tt.wantUUIDChanged {
+				// Should have changed from original
+				if namespace == tt.documentNamespace {
+					t.Error("UUID in documentNamespace was not changed")
+				}
+				// Should not contain the original UUID
+				if contains(namespace, "12345678-1234-1234-1234-123456789abc") {
+					t.Error("original UUID still present in documentNamespace")
+				}
+			} else {
+				// Should remain unchanged if no UUID was present
+				if namespace != tt.documentNamespace {
+					t.Errorf("documentNamespace changed unexpectedly: got %s, want %s", namespace, tt.documentNamespace)
+				}
+			}
 
-	normalizedData2, err := os.ReadFile(sbomPath)
-	if err != nil {
-		t.Fatalf("failed to read normalized SBOM (2nd time): %v", err)
-	}
+			// Normalize again with same timestamp - should produce same result
+			if err := normalizeSPDX(sbomPath, fixedTime); err != nil {
+				t.Fatalf("second normalizeSPDX failed: %v", err)
+			}
 
-	var normalizedSBOM2 map[string]interface{}
-	if err := json.Unmarshal(normalizedData2, &normalizedSBOM2); err != nil {
-		t.Fatalf("failed to parse normalized SBOM (2nd time): %v", err)
-	}
+			normalizedData2, err := os.ReadFile(sbomPath)
+			if err != nil {
+				t.Fatalf("failed to read normalized SBOM (2nd time): %v", err)
+			}
 
-	namespace2 := normalizedSBOM2["documentNamespace"].(string)
-	if namespace != namespace2 {
-		t.Errorf("expected deterministic UUID, got %s and %s", namespace, namespace2)
+			var normalizedSBOM2 map[string]interface{}
+			if err := json.Unmarshal(normalizedData2, &normalizedSBOM2); err != nil {
+				t.Fatalf("failed to parse normalized SBOM (2nd time): %v", err)
+			}
+
+			namespace2 := normalizedSBOM2["documentNamespace"].(string)
+			if namespace != namespace2 {
+				t.Errorf("expected deterministic result, got %s and %s", namespace, namespace2)
+			}
+		})
 	}
 }
 
