
test(detectors): fixture-based graph tests for gomod, gradle, maven, syft#181

Merged: bomly-guy merged 1 commit into main from test/detector-fixture-tests on Jun 18, 2026

Conversation

@bomly-guy (Collaborator) commented Jun 18, 2026

What

Adds committed-fixture tests for the four detectors whose graph builders had no testdata-fixture coverage — following the pattern established by the node and python lockfile_integration_test.go. No test invokes a build tool: each drives the parser entrypoint directly against a committed fixture.

| Detector | Fixture | Drives | Asserts |
| --- | --- | --- | --- |
| gomod | testdata/demo/{go.mod, go-list-deps.json} | parseGoModFile + depGraphFromGoList | package set, transitive edges, runtime vs test-only development scope, stdlib excluded |
| maven | testdata/dependency-tree.tgf | depGraphFromMavenTGF | edges, compile→runtime / test→development scope |
| gradle | testdata/dependencies.txt | depGraphFromGradleOutput | edges, runtimeClasspath vs testRuntimeClasspath scope |
| syft | hand-built syft/sbom.SBOM struct | graphFromSyftSBOM | package→node, dependency-of→edge, license carry-through |

gomod / gradle / maven ResolveGraph shells out to the toolchain, so the tests call the lower-level depGraphFrom* parsers with captured output. The syft builtin path consumes the Syft library's SBOM struct rather than a text manifest, so its fixture is the struct itself (behind the same !bomly_external_syft build tag); it invokes no syft binary.

Why only these four

While scoping this I found the rest of the detector suite already has testdata-fixture tests: nuget, cargo, pub, ruby, conan, cocoapods, and githubactions each drive ResolveGraph against a testdata/project/ directory via their committed-lock fast-paths (e.g. nuget's TestDetectorResolveGraphFromFixtureProject, cargo's Detector{WorkingDir:"testdata/project"}). Those are already build-tool-free, so adding more there would be redundant. The genuine gap was the four detectors above.

Notes

  • internal/detectors/sbom tests already write SBOM docs to t.TempDir() and exercise internal/sbom; committed SBOM fixtures there are a possible future nicety but not a coverage gap.

🤖 Generated with Claude Code

Summary by CodeRabbit

Tests

  • Added fixture-based tests for dependency detectors across Go modules, Gradle, Maven, and Syft SBOM formats. Tests validate dependency parsing, graph construction accuracy, scope classification (runtime vs. development), and license information handling.

These four detectors had no committed-fixture tests for their graph
builders. Add testdata fixtures + tests that drive the parsers directly,
with no dependency on the go / gradle / mvn / syft tooling:

- gomod: testdata/demo/{go.mod, go-list-deps.json} → parseGoModFile +
  depGraphFromGoList (package set, transitive edges, runtime vs test-only
  development scope).
- maven: testdata/dependency-tree.tgf → depGraphFromMavenTGF (edges,
  compile→runtime / test→development scope).
- gradle: testdata/dependencies.txt → depGraphFromGradleOutput
  (runtimeClasspath vs testRuntimeClasspath scope).
- syft: graphFromSyftSBOM mapping test built from a hand-constructed Syft
  SBOM struct (the builtin path consumes a library struct, not a text
  manifest); asserts package→node, dependency-of→edge, license carry-through.

The other detectors (nuget + cargo/pub/ruby/conan/cocoapods/githubactions)
already drive ResolveGraph against testdata/project fixtures via their
committed-lock fast-paths, so no redundant tests were added there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
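The maven row in the PR feeds a captured dependency-tree.tgf into depGraphFromMavenTGF instead of running mvn. As an added example written for this page, not code from this PR or from the bomly code base, here is a stand-alone Go parser of that kind: it reads the layout that `mvn dependency:tree -DoutputType=tgf` emits (node lines `<id> <groupId:artifactId:type:version[:scope]>`, a lone `#`, then edge lines `<from> <to> <scope>`), records parent→child edges, and folds Maven scopes to runtime (compile, runtime) or development (everything else). The names parseMavenTGF, Graph, Scope and mavenScopeToGraphScope, the scope-folding rule, and the inline fixture are assumptions of the example, not the project's API or its testdata.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Scope is the two-valued classification the graph assigns to a dependency.
type Scope string

const (
	ScopeRuntime     Scope = "runtime"
	ScopeDevelopment Scope = "development"
)

// Graph keys nodes as groupId:artifactId:version, each carrying the scope of
// the edge that introduced it (the root project keeps ""); Edges[parent] lists children.
type Graph struct {
	Root  string
	Nodes map[string]Scope
	Edges map[string][]string
}

// Assumption for this example: compile and runtime ship with the artifact;
// everything else (test, provided, system) is development-only.
func mavenScopeToGraphScope(mavenScope string) Scope {
	switch mavenScope {
	case "compile", "runtime":
		return ScopeRuntime
	}
	return ScopeDevelopment
}

// coordOf reduces a label groupId:artifactId:type:version[:scope] to groupId:artifactId:version.
func coordOf(label string) string {
	if p := strings.Split(label, ":"); len(p) >= 4 {
		return p[0] + ":" + p[1] + ":" + p[3]
	}
	return label
}

// parseMavenTGF reads `mvn dependency:tree -DoutputType=tgf` output: "<id> <label>"
// node lines, a lone "#", then "<from> <to> <scope>" edge lines. Malformed lines and
// edges to undeclared ids are errors, so a truncated capture cannot pass as a smaller tree.
func parseMavenTGF(text string) (*Graph, error) {
	g := &Graph{Nodes: map[string]Scope{}, Edges: map[string][]string{}}
	ids := map[string]string{} // TGF id -> coordinate
	inEdges := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case line == "":
		case line == "#":
			inEdges = true
		case !inEdges && len(f) == 2:
			coord := coordOf(f[1])
			ids[f[0]] = coord
			g.Nodes[coord] = ""
			if g.Root == "" {
				g.Root = coord
			}
		case inEdges && len(f) == 3:
			from, okFrom := ids[f[0]]
			to, okTo := ids[f[1]]
			if !okFrom || !okTo {
				return nil, fmt.Errorf("line %d: edge %q references an undeclared node", n, line)
			}
			g.Edges[from] = append(g.Edges[from], to)
			// A node reachable on any runtime path is runtime; never downgrade it.
			if g.Nodes[to] != ScopeRuntime {
				g.Nodes[to] = mavenScopeToGraphScope(f[2])
			}
		default:
			return nil, fmt.Errorf("line %d: malformed %q", n, line)
		}
	}
	return g, sc.Err()
}

// sampleTGF is a hand-written fixture in the TGF layout, not captured from a real build.
const sampleTGF = `1 com.example:demo-app:jar:1.0.0
2 com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
3 com.fasterxml.jackson.core:jackson-core:jar:2.17.0:compile
4 org.junit.jupiter:junit-jupiter:jar:5.10.2:test
5 org.opentest4j:opentest4j:jar:1.3.0:test
#
1 2 compile
2 3 compile
1 4 test
4 5 test
`

func main() {
	g, err := parseMavenTGF(sampleTGF)
	fmt.Println(g, err)
}
```

The parser refuses an edge whose ids no node line declared rather than dropping it; that is the case a fixture test should pin down, because a tree that silently loses edges underreports what a build actually pulls in.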
@coderabbitai (bot, Contributor) commented Jun 18, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 08bf9336-c1f0-4885-bc8a-27dfbd102146

📥 Commits

Reviewing files that changed from the base of the PR and between f9f7c70 and 9daadbb.

⛔ Files ignored due to path filters (4)
  • internal/detectors/gomod/testdata/demo/go-list-deps.json is excluded by !**/testdata/**
  • internal/detectors/gomod/testdata/demo/go.mod is excluded by !**/testdata/**
  • internal/detectors/gradle/testdata/dependencies.txt is excluded by !**/testdata/**
  • internal/detectors/maven/testdata/dependency-tree.tgf is excluded by !**/testdata/**
📒 Files selected for processing (4)
  • internal/detectors/gomod/fixture_test.go
  • internal/detectors/gradle/fixture_test.go
  • internal/detectors/maven/fixture_test.go
  • internal/detectors/syft/graph_mapping_test.go

📝 Walkthrough

Adds four new fixture-driven test files for the gomod, gradle, maven, and syft detectors. Each test loads committed fixture data (or constructs an in-memory SBOM for syft), invokes the detector's parsing functions, and asserts graph structure including node presence, directed edges, scope classification, and license extraction.

Changes

Detector fixture test suites

  • gomod fixture: parse go.mod and dependency graph (internal/detectors/gomod/fixture_test.go). Adds a readFixture helper and two tests: one parses a fixture go.mod to assert module identity and requirement counts; the other builds a dependency graph from a fixture go-list-deps.json to assert graph size, stdlib exclusion, and PrimaryScope() for specific modules.
  • gradle and maven fixture tests with edge/scope helpers (internal/detectors/gradle/fixture_test.go, internal/detectors/maven/fixture_test.go). The Gradle test loads testdata/dependencies.txt, builds a graph for demo-app, and asserts nodes, directed edges, and scopes via requireGradleEdge/requireGradleScope. The Maven test loads a TGF fixture, parses it via depGraphFromMavenTGF, and performs the equivalent assertions via requireMavenEdge/requireMavenScope.
  • syft SBOM-to-graph mapping: packages, edges, licenses (internal/detectors/syft/graph_mapping_test.go). Adds TestGraphFromSyftSBOMMapsPackagesEdgesLicenses (build-tag guarded), which constructs an in-memory Syft SBOM with requests and certifi plus a DependencyOfRelationship, converts it via graphFromSyftSBOM, and asserts graph size, dependency direction, and certifi's MPL-2.0 license. Includes a nodeByName helper.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 20.00%, below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'test(detectors): fixture-based graph tests for gomod, gradle, maven, syft' accurately and specifically describes the main change: adding fixture-based tests for four detectors.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@github-actions (bot, Contributor) commented

Bomly Diff Summary

Compared 9cb5b19d630aceea7217f2acc131fe438602c9b3 to 9daadbbb76ec70f90f22307e39dad9cf5f0bb29e.

Overview

Status: ✅ Pass | Manifests: +0 / ~0 / -0 | Dependencies: +0 / ~0 / -0 | Findings: 0 introduced / 0 persisted / 0 resolved | Duration: 69189ms

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.

@bomly-guy bomly-guy merged commit 85b7c0c into main Jun 18, 2026
13 checks passed
@bomly-guy bomly-guy deleted the test/detector-fixture-tests branch June 18, 2026 23:14