test: add golden tests for AnalyzeLibrary#2475

Closed
kotakanbe wants to merge 1 commit into master from diet-trivy-golden-tests
Conversation

@kotakanbe (Member)

Summary

  • Add golden tests that snapshot the output of AnalyzeLibrary() for all 35 lockfile fixtures in integration/data/lockfile/
  • Establishes a regression baseline before refactoring the Trivy fanal integration
  • No changes to existing code — test additions only

Coverage

All supported languages: npm (v1/v2/v3), yarn, pnpm (v8/v9), bun, pip, pipenv, poetry (v1/v2), uv, bundler, cargo, rust binary, composer, go mod/sum/binary, pom.xml, gradle, JAR/WAR, NuGet, packages.config, deps.json, Directory.Packages.props, conan (v1/v2), pubspec, mix, cocoapods, swift

Usage

# Run golden tests
go test -count=1 -run TestAnalyzeLibrary_Golden ./scanner/...

# Regenerate golden files after intentional changes
go test -count=1 -run TestAnalyzeLibrary_Golden ./scanner/... -args -update

Test plan

  • 35 lockfile fixtures covered (34 golden files — installed.json is not matched by any analyzer)
  • Results sorted by name+version for deterministic comparison
  • 3 consecutive runs all PASS (no flakiness)
  • Existing scanner tests unaffected

🤖 Generated with Claude Code

Add golden tests that snapshot the output of AnalyzeLibrary() for all 35
lockfile fixtures in integration/data/lockfile/. This establishes a
regression baseline before refactoring the Trivy fanal integration.

- Covers all supported languages: npm, yarn, pnpm, bun, pip, pipenv,
  poetry, uv, bundler, cargo, composer, go mod/sum/binary, pom.xml,
  gradle, JAR/WAR, NuGet, conan, pubspec, mix, cocoapods, swift
- Results are sorted by name+version for deterministic comparison
- Run with -update flag to regenerate: go test ./scanner/... -args -update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
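As an added illustration of the harness this PR describes (results sorted by name and version before comparison, an update mode that regenerates the snapshot, and a fixture-path-to-golden-file-name mapping), the following self-contained Go program is example code written for this page, not the PR's own test file. It assumes a hypothetical `Library` struct in place of the real `AnalyzeLibrary()` result type and uses constructed sample data.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Library is a hypothetical stand-in for the records AnalyzeLibrary() returns.
type Library struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// normalize returns a copy sorted by name, then version, so the snapshot
// does not depend on the order in which an analyzer emits results.
func normalize(libs []Library) []Library {
	out := append([]Library(nil), libs...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Name != out[j].Name {
			return out[i].Name < out[j].Name
		}
		return out[i].Version < out[j].Version
	})
	return out
}

// goldenFileName maps "npm-v3/package-lock.json" to
// "npm-v3_package-lock.json.golden.json"; ToSlash first makes it OS-independent.
func goldenFileName(fixturePath string) string {
	return strings.ReplaceAll(filepath.ToSlash(fixturePath), "/", "_") + ".golden.json"
}

// checkGolden compares the normalized result against the snapshot on disk.
// With update=true it (re)writes the snapshot instead of comparing.
// It returns differing lines as "-have"/"+want" pairs; nil means a match.
func checkGolden(goldenPath string, got []Library, update bool) ([]string, error) {
	want, err := json.MarshalIndent(normalize(got), "", "  ")
	if err != nil {
		return nil, err
	}
	want = append(want, '\n')
	if update {
		return nil, os.WriteFile(goldenPath, want, 0o644)
	}
	have, err := os.ReadFile(goldenPath)
	if errors.Is(err, os.ErrNotExist) {
		return nil, fmt.Errorf("golden file %s missing; run with -update to create it", goldenPath)
	}
	if err != nil {
		return nil, err
	}
	if bytes.Equal(have, want) {
		return nil, nil
	}
	return lineDiff(string(have), string(want)), nil
}

// lineDiff reports positionally differing lines; enough for test output.
func lineDiff(have, want string) []string {
	h, w := strings.Split(have, "\n"), strings.Split(want, "\n")
	var diffs []string
	for i := 0; i < len(h) || i < len(w); i++ {
		a, b := lineAt(h, i), lineAt(w, i)
		if a != b {
			diffs = append(diffs, "-"+a, "+"+b)
		}
	}
	return diffs
}

func lineAt(lines []string, i int) string {
	if i < len(lines) {
		return lines[i]
	}
	return ""
}

func main() {
	dir, err := os.MkdirTemp("", "golden-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample output, deliberately unsorted.
	got := []Library{{Name: "zlib", Version: "1.3"}, {Name: "log4j-core", Version: "2.13.0"}}
	path := filepath.Join(dir, goldenFileName("npm-v3/package-lock.json"))
	if _, err := checkGolden(path, got, true); err != nil { // like `-args -update`
		panic(err)
	}
	got[0].Version = "1.4" // simulate an analyzer behaviour change
	diffs, _ := checkGolden(path, got, false)
	fmt.Println(strings.Join(diffs, "\n"))
}
```

In a real `go test` harness the `update` argument would come from a package-level `flag.Bool("update", ...)`, which is what makes `go test ./scanner/... -args -update` work; the example takes it as a parameter so the write and compare paths can be exercised in one run.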
Copilot AI (Contributor) left a comment

Pull request overview

Adds golden (“snapshot”) tests for AnalyzeLibrary() to establish a regression baseline across the repository’s lockfile fixtures (spanning many ecosystems) prior to refactoring the Trivy fanal integration.

Changes:

  • Introduces TestAnalyzeLibrary_Golden with deterministic normalization (sorting) to stabilize output comparisons.
  • Adds a set of golden JSON snapshots for each lockfile fixture’s AnalyzeLibrary() output.
  • Adds an -update flag to regenerate golden files when intended output changes.

Reviewed changes

Copilot reviewed 32 out of 35 changed files in this pull request and generated 2 comments.

File Description
scanner/analyze_golden_test.go Golden test harness: loads fixtures, runs AnalyzeLibrary, normalizes output, and compares/updates snapshots.
scanner/testdata/golden/Cargo.lock.golden.json Golden snapshot for Cargo lockfile analysis.
scanner/testdata/golden/Directory.Packages.props.golden.json Golden snapshot for .NET Directory.Packages.props analysis.
scanner/testdata/golden/Gemfile.lock.golden.json Golden snapshot for Bundler lockfile analysis.
scanner/testdata/golden/Package.resolved.golden.json Golden snapshot for Swift Package Manager resolution file analysis.
scanner/testdata/golden/Pipfile.lock.golden.json Golden snapshot for Pipenv lockfile analysis.
scanner/testdata/golden/Podfile.lock.golden.json Golden snapshot for CocoaPods lockfile analysis.
scanner/testdata/golden/bun.lock.golden.json Golden snapshot for Bun lockfile analysis.
scanner/testdata/golden/composer.lock.golden.json Golden snapshot for Composer lockfile analysis.
scanner/testdata/golden/conan-v1_conan.lock.golden.json Golden snapshot for Conan v1 lockfile analysis.
scanner/testdata/golden/conan-v2_conan.lock.golden.json Golden snapshot for Conan v2 lockfile analysis.
scanner/testdata/golden/datacollector.deps.json.golden.json Golden snapshot for .NET deps.json analysis.
scanner/testdata/golden/go.mod.golden.json Golden snapshot for Go module (go.mod) analysis.
scanner/testdata/golden/go.sum.golden.json Golden snapshot for Go sums (go.sum) analysis.
scanner/testdata/golden/gobinary.golden.json Golden snapshot for Go binary analysis.
scanner/testdata/golden/gradle.lockfile.golden.json Golden snapshot for Gradle lockfile analysis.
scanner/testdata/golden/hello-rust.golden.json Golden snapshot for Rust binary analysis.
scanner/testdata/golden/juddiv3-war-3.3.5.war.golden.json Golden snapshot for WAR/JAR contents analysis.
scanner/testdata/golden/log4j-core-2.13.0.jar.golden.json Golden snapshot for JAR analysis.
scanner/testdata/golden/mix.lock.golden.json Golden snapshot for Elixir mix.lock analysis.
scanner/testdata/golden/npm-v1_package-lock.json.golden.json Golden snapshot for npm v1 package-lock analysis.
scanner/testdata/golden/npm-v2_package-lock.json.golden.json Golden snapshot for npm v2 package-lock analysis.
scanner/testdata/golden/npm-v3_package-lock.json.golden.json Golden snapshot for npm v3 package-lock analysis.
scanner/testdata/golden/packages.config.golden.json Golden snapshot for NuGet packages.config analysis.
scanner/testdata/golden/packages.lock.json.golden.json Golden snapshot for NuGet packages.lock.json analysis.
scanner/testdata/golden/pnpm-v9_pnpm-lock.yaml.golden.json Golden snapshot for pnpm v9 lockfile analysis.
scanner/testdata/golden/pnpm_pnpm-lock.yaml.golden.json Golden snapshot for pnpm lockfile analysis.
scanner/testdata/golden/poetry-v1_poetry.lock.golden.json Golden snapshot for Poetry v1 lockfile analysis.
scanner/testdata/golden/poetry-v2_poetry.lock.golden.json Golden snapshot for Poetry v2 lockfile analysis.
scanner/testdata/golden/pom.xml.golden.json Golden snapshot for Maven pom.xml analysis.
scanner/testdata/golden/pubspec.lock.golden.json Golden snapshot for Dart pubspec.lock analysis.
scanner/testdata/golden/requirements.txt.golden.json Golden snapshot for pip requirements.txt analysis.
scanner/testdata/golden/uv.lock.golden.json Golden snapshot for uv.lock analysis.
scanner/testdata/golden/wrong-name-log4j-core.jar.golden.json Golden snapshot for “wrong-name” JAR heuristic/analysis case.
scanner/testdata/golden/yarn.lock.golden.json Golden snapshot for Yarn lockfile analysis.


Comment on lines +118 to +128
func TestAnalyzeLibrary_Golden(t *testing.T) {
integrationDir := filepath.Join("..", "integration", "data", "lockfile")
goldenDir := filepath.Join("testdata", "golden")

for _, lf := range lockfiles {
t.Run(lf.path, func(t *testing.T) {
srcPath := filepath.Join(integrationDir, lf.path)
contents, err := os.ReadFile(srcPath)
if err != nil {
t.Fatalf("Failed to read %s: %v", srcPath, err)
}
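Review bot: The harness reads fixtures from `filepath.Join("..", "integration", "data", "lockfile")` (line 119 of the hunk), which couples the scanner unit tests to the integration tree and breaks them in any checkout or CI job that runs `./scanner/...` without that directory present (the author's closing comment notes a fixture copy was needed for CI). Consider copying the fixtures into `scanner/testdata/lockfile` next to the golden files, or skipping with `t.Skip` when the directory is absent rather than failing in `t.Fatalf`. Also, `t.Run(lf.path, ...)` with paths such as `npm-v3/package-lock.json` yields nested subtest names because `/` separates subtest levels; using the same `goldenFileName`-style underscore form as the subtest name keeps `-run` filters one level deep.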
// goldenFileName converts a lockfile path to a golden file name.
// e.g. "npm-v3/package-lock.json" -> "npm-v3_package-lock.json"
func goldenFileName(lockfilePath string) string {
return strings.ReplaceAll(lockfilePath, string(os.PathSeparator), "_") + ".golden.json"
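Review bot: `goldenFileName` replaces `os.PathSeparator`, but the fixture keys use forward slashes, as the function's own comment (`"npm-v3/package-lock.json"`) shows. On Windows `os.PathSeparator` is `\`, so the `/` survives and the golden file is looked up at `testdata/golden/npm-v3/package-lock.json.golden.json`, a path that does not exist, while the committed files are named `npm-v3_package-lock.json.golden.json`. Normalize first, e.g. `strings.ReplaceAll(filepath.ToSlash(lockfilePath), "/", "_") + ".golden.json"`, so the name is the same on every OS.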
@kotakanbe (Member, Author)

Closed in favor of #2476 which includes these golden tests along with the fixture copy for CI compatibility and the fanal removal itself.

@kotakanbe kotakanbe closed this Mar 18, 2026
2 participants