7 files changed, 210 insertions, 79 deletions

diff --git a/spec/lib/api/entities/release_spec.rb b/spec/lib/api/entities/release_spec.rb
index aa2c5126bb9..d1e5f191614 100644
--- a/spec/lib/api/entities/release_spec.rb
+++ b/spec/lib/api/entities/release_spec.rb
@@ -16,13 +16,13 @@ RSpec.describe API::Entities::Release do
   end
 
   describe 'evidences' do
-    context 'when the current user can download code' do
+    context 'when the current user can read code' do
       let(:entity_evidence) { entity[:evidences].first }
 
       it 'exposes the evidence sha and the json path' do
         allow(Ability).to receive(:allowed?).and_call_original
         allow(Ability).to receive(:allowed?)
-          .with(user, :download_code, project).and_return(true)
+          .with(user, :read_code, project).and_return(true)
 
         expect(entity_evidence[:sha]).to eq(evidence.summary_sha)
         expect(entity_evidence[:collected_at]).to eq(evidence.collected_at)
@@ -36,11 +36,11 @@ RSpec.describe API::Entities::Release do
       end
     end
 
-    context 'when the current user cannot download code' do
+    context 'when the current user cannot read code' do
       it 'does not expose any evidence data' do
         allow(Ability).to receive(:allowed?).and_call_original
         allow(Ability).to receive(:allowed?)
-          .with(user, :download_code, project).and_return(false)
+          .with(user, :read_code, project).and_return(false)
 
         expect(entity.keys).not_to include(:evidences)
       end
diff --git a/spec/lib/gitlab/gon_helper_spec.rb b/spec/lib/gitlab/gon_helper_spec.rb
index 94192a9257c..5a1fcc5e2dc 100644
--- a/spec/lib/gitlab/gon_helper_spec.rb
+++ b/spec/lib/gitlab/gon_helper_spec.rb
@@ -41,67 +41,53 @@ RSpec.describe Gitlab::GonHelper do
     end
 
     describe 'sentry configuration' do
-      let(:legacy_clientside_dsn) { 'https://xxx@sentry-legacy.example.com/1' }
       let(:clientside_dsn) { 'https://xxx@sentry.example.com/1' }
-      let(:environment) { 'production' }
+      let(:environment) { 'staging' }
 
-      context 'with enable_old_sentry_clientside_integration enabled' do
+      describe 'sentry integration' do
         before do
-          stub_feature_flags(
-            enable_old_sentry_clientside_integration: true,
-            enable_new_sentry_clientside_integration: false
-          )
-
-          stub_config(sentry: { enabled: true, clientside_dsn: legacy_clientside_dsn, environment: environment })
+          stub_config(sentry: { enabled: true, clientside_dsn: clientside_dsn, environment: environment })
         end
 
         it 'sets sentry dsn and environment from config' do
-          expect(gon).to receive(:sentry_dsn=).with(legacy_clientside_dsn)
+          expect(gon).to receive(:sentry_dsn=).with(clientside_dsn)
           expect(gon).to receive(:sentry_environment=).with(environment)
 
           helper.add_gon_variables
         end
       end
 
-      context 'with enable_new_sentry_clientside_integration enabled' do
+      describe 'new sentry integration' do
         before do
-          stub_feature_flags(
-            enable_old_sentry_clientside_integration: false,
-            enable_new_sentry_clientside_integration: true
-          )
-
           stub_application_setting(sentry_enabled: true)
           stub_application_setting(sentry_clientside_dsn: clientside_dsn)
           stub_application_setting(sentry_environment: environment)
         end
 
-        it 'sets sentry dsn and environment from application settings' do
-          expect(gon).to receive(:sentry_dsn=).with(clientside_dsn)
-          expect(gon).to receive(:sentry_environment=).with(environment)
-
-          helper.add_gon_variables
-        end
-      end
-
-      context 'with enable_old_sentry_clientside_integration and enable_new_sentry_clientside_integration enabled' do
-        before do
-          stub_feature_flags(
-            enable_old_sentry_clientside_integration: true,
-            enable_new_sentry_clientside_integration: true
-          )
+        context 'when enable_new_sentry_clientside_integration is disabled' do
+          before do
+            stub_feature_flags(enable_new_sentry_clientside_integration: false)
+          end
 
-          stub_config(sentry: { enabled: true, clientside_dsn: legacy_clientside_dsn, environment: environment })
+          it 'does not set sentry dsn and environment from config' do
+            expect(gon).not_to receive(:sentry_dsn=).with(clientside_dsn)
+            expect(gon).not_to receive(:sentry_environment=).with(environment)
 
-          stub_application_setting(sentry_enabled: true)
-          stub_application_setting(sentry_clientside_dsn: clientside_dsn)
-          stub_application_setting(sentry_environment: environment)
+            helper.add_gon_variables
+          end
         end
 
-        it 'sets sentry dsn and environment from application settings' do
-          expect(gon).to receive(:sentry_dsn=).with(clientside_dsn)
-          expect(gon).to receive(:sentry_environment=).with(environment)
+        context 'when enable_new_sentry_clientside_integration is enabled' do
+          before do
+            stub_feature_flags(enable_new_sentry_clientside_integration: true)
+          end
 
-          helper.add_gon_variables
+          it 'sets sentry dsn and environment from config' do
+            expect(gon).to receive(:sentry_dsn=).with(clientside_dsn)
+            expect(gon).to receive(:sentry_environment=).with(environment)
+
+            helper.add_gon_variables
+          end
         end
       end
     end
diff --git a/spec/lib/sbom/package_url/argument_validator_spec.rb b/spec/lib/sbom/package_url/argument_validator_spec.rb
new file mode 100644
index 00000000000..246da1c0bda
--- /dev/null
+++ b/spec/lib/sbom/package_url/argument_validator_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rspec-parameterized'
+
+require_relative '../../../support/shared_contexts/lib/sbom/package_url_shared_contexts'
+
+RSpec.describe Sbom::PackageUrl::ArgumentValidator do
+  let(:mock_package_url) { Struct.new(:type, :namespace, :name, :version, :qualifiers, keyword_init: true) }
+  let(:package) do
+    mock_package_url.new(
+      type: type,
+      namespace: namespace,
+      name: name,
+      version: version,
+      qualifiers: qualifiers
+    )
+  end
+
+  subject(:validate) { described_class.new(package).validate! }
+
+  context 'with valid arguments' do
+    include_context 'with valid purl examples'
+
+    with_them do
+      it 'does not raise error' do
+        expect { validate }.not_to raise_error
+      end
+    end
+  end
+
+  context 'with invalid arguments' do
+    include_context 'with invalid purl examples'
+
+    with_them do
+      it 'raises an ArgumentError' do
+        expect { validate }.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  context 'with multiple errors' do
+    let(:type) { nil }
+    let(:name) { nil }
+    let(:package) { mock_package_url.new(type: type, name: name) }
+
+    it 'reports all errors' do
+      expect { validate }.to raise_error(ArgumentError, 'Type is required, Name is required')
+    end
+  end
+end
diff --git a/spec/lib/sbom/package_url/decoder_spec.rb b/spec/lib/sbom/package_url/decoder_spec.rb
index 1da3c35f403..5b480475b7c 100644
--- a/spec/lib/sbom/package_url/decoder_spec.rb
+++ b/spec/lib/sbom/package_url/decoder_spec.rb
@@ -7,9 +7,9 @@ require_relative '../../../support/shared_contexts/lib/sbom/package_url_shared_c
 
 RSpec.describe Sbom::PackageUrl::Decoder do
   describe '#decode' do
-    subject(:decode) { described_class.new(url).decode! }
+    subject(:decode) { described_class.new(purl).decode! }
 
-    include_context 'with purl matrix'
+    include_context 'with valid purl examples'
 
     with_them do
       it do
@@ -25,7 +25,7 @@ RSpec.describe Sbom::PackageUrl::Decoder do
     end
 
     context 'when no argument is passed' do
-      let(:url) { nil }
+      let(:purl) { nil }
 
       it 'raises an error' do
         expect { decode }.to raise_error(ArgumentError)
@@ -33,17 +33,17 @@ RSpec.describe Sbom::PackageUrl::Decoder do
     end
 
     context 'when an invalid package URL string is passed' do
-      where(:url) { ['invalid', 'pkg:nil'] }
+      include_context 'with invalid purl examples'
 
       with_them do
         it 'raises an error' do
-          expect { decode }.to raise_error(Sbom::PackageUrl::InvalidPackageURL)
+          expect { decode }.to raise_error(Sbom::PackageUrl::InvalidPackageUrl)
         end
       end
     end
 
     context 'when namespace or subpath contains an encoded slash' do
-      where(:url) do
+      where(:purl) do
         [
           'pkg:golang/google.org/golang/genproto#googleapis%2fapi%2fannotations',
           'pkg:golang/google.org%2fgolang/genproto#googleapis/api/annotations'
@@ -51,12 +51,12 @@ RSpec.describe Sbom::PackageUrl::Decoder do
       end
 
       with_them do
-        it { expect { decode }.to raise_error(Sbom::PackageUrl::InvalidPackageURL) }
+        it { expect { decode }.to raise_error(Sbom::PackageUrl::InvalidPackageUrl) }
       end
     end
 
     context 'when name contains an encoded slash' do
-      let(:url) { 'pkg:golang/google.org/golang%2fgenproto#googleapis/api/annotations' }
+      let(:purl) { 'pkg:golang/google.org/golang%2fgenproto#googleapis/api/annotations' }
 
       it do
         is_expected.to have_attributes(
@@ -71,7 +71,7 @@ RSpec.describe Sbom::PackageUrl::Decoder do
     end
 
     context 'with URL encoded segments' do
-      let(:url) do
+      let(:purl) do
         'pkg:golang/namespace%21/google.golang.org%20genproto@version%21?k=v%21#googleapis%20api%20annotations'
       end
 
@@ -88,7 +88,7 @@ RSpec.describe Sbom::PackageUrl::Decoder do
     end
 
     context 'when segments contain empty values' do
-      let(:url) { 'pkg:golang/google.golang.org//.././genproto#googleapis/..//./api/annotations' }
+      let(:purl) { 'pkg:golang/google.golang.org//.././genproto#googleapis/..//./api/annotations' }
 
       it 'removes them from the segments' do
         is_expected.to have_attributes(
@@ -103,7 +103,7 @@ RSpec.describe Sbom::PackageUrl::Decoder do
     end
 
     context 'when qualifiers have no value' do
-      let(:url) { 'pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25&foo=&bar=' }
+      let(:purl) { 'pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25&foo=&bar=' }
 
       it 'they are ignored' do
         is_expected.to have_attributes(
diff --git a/spec/lib/sbom/package_url/encoder_spec.rb b/spec/lib/sbom/package_url/encoder_spec.rb
index ff672170050..bdbd61636b5 100644
--- a/spec/lib/sbom/package_url/encoder_spec.rb
+++ b/spec/lib/sbom/package_url/encoder_spec.rb
@@ -20,10 +20,10 @@ RSpec.describe Sbom::PackageUrl::Encoder do
 
     subject(:encode) { described_class.new(package).encode }
 
-    include_context 'with purl matrix'
+    include_context 'with valid purl examples'
 
     with_them do
-      it { is_expected.to eq(url) }
+      it { is_expected.to eq(canonical_purl) }
     end
   end
 end
diff --git a/spec/lib/sbom/package_url/normalizer_spec.rb b/spec/lib/sbom/package_url/normalizer_spec.rb
new file mode 100644
index 00000000000..bbc2bd3ca13
--- /dev/null
+++ b/spec/lib/sbom/package_url/normalizer_spec.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rspec-parameterized'
+
+require_relative '../../../support/shared_contexts/lib/sbom/package_url_shared_contexts'
+
+RSpec.describe Sbom::PackageUrl::Normalizer do
+  shared_examples 'name normalization' do
+    context 'with bitbucket url' do
+      let(:type) { 'bitbucket' }
+      let(:text) { 'Purl_Spec' }
+
+      it 'downcases text' do
+        is_expected.to eq('purl_spec')
+      end
+    end
+
+    context 'with github url' do
+      let(:type) { 'github' }
+      let(:text) { 'Purl_Spec' }
+
+      it 'downcases text' do
+        is_expected.to eq('purl_spec')
+      end
+    end
+
+    context 'with pypi url' do
+      let(:type) { 'pypi' }
+      let(:text) { 'Purl_Spec' }
+
+      it 'downcases text and replaces underscores' do
+        is_expected.to eq('purl-spec')
+      end
+    end
+
+    context 'with other urls' do
+      let(:type) { 'npm' }
+      let(:text) { 'Purl_Spec' }
+
+      it 'does not change the text' do
+        is_expected.to eq(text)
+      end
+    end
+  end
+
+  describe '#normalize_name' do
+    subject(:normalize_name) { described_class.new(type: type, text: text).normalize_name }
+
+    it_behaves_like 'name normalization'
+
+    context 'when text is nil' do
+      let(:type) { 'npm' }
+      let(:text) { nil }
+
+      it 'raises an error' do
+        expect { normalize_name }.to raise_error(ArgumentError, 'Name is required')
+      end
+    end
+  end
+
+  describe '#normalize_namespace' do
+    subject(:normalize_namespace) { described_class.new(type: type, text: text).normalize_namespace }
+
+    it_behaves_like 'name normalization'
+
+    context 'when text is nil' do
+      let(:type) { 'npm' }
+      let(:text) { nil }
+
+      it 'allows nil values' do
+        expect(normalize_namespace).to be_nil
+      end
+    end
+  end
+end
diff --git a/spec/lib/sbom/package_url_spec.rb b/spec/lib/sbom/package_url_spec.rb
index 72090c5bd29..6760b0a68e5 100644
--- a/spec/lib/sbom/package_url_spec.rb
+++ b/spec/lib/sbom/package_url_spec.rb
@@ -32,37 +32,46 @@ require_relative '../../support/shared_contexts/lib/sbom/package_url_shared_cont
 RSpec.describe Sbom::PackageUrl do
   include NextInstanceOf
 
-  let(:args) do
-    {
-      type: 'example',
-      namespace: 'test',
-      name: 'test',
-      version: '1.0.0',
-      qualifiers: { 'arch' => 'x86_64' },
-      subpath: 'path/to/package'
-    }
-  end
-
   describe '#initialize' do
-    subject { described_class.new(**args) }
+    subject do
+      described_class.new(
+        type: type,
+        namespace: namespace,
+        name: name,
+        version: version,
+        qualifiers: qualifiers,
+        subpath: subpath
+      )
+    end
 
     context 'with well-formed arguments' do
-      it { is_expected.to have_attributes(**args) }
+      include_context 'with valid purl examples'
+
+      with_them do
+        it do
+          is_expected.to have_attributes(
+            type: type,
+            namespace: namespace,
+            name: name,
+            version: version,
+            qualifiers: qualifiers,
+            subpath: subpath
+          )
+        end
+      end
     end
 
     context 'when no arguments are given' do
       it { expect { described_class.new }.to raise_error(ArgumentError) }
     end
 
-    context 'when required parameters are missing' do
-      where(:param) { %i[type name] }
-
-      before do
-        args[param] = nil
-      end
+    context 'when parameters are invalid' do
+      include_context 'with invalid purl examples'
 
       with_them do
-        it { expect { subject }.to raise_error(ArgumentError) }
+        it 'raises an ArgumentError' do
+          expect { subject }.to raise_error(ArgumentError)
+        end
       end
     end
 
@@ -98,7 +107,7 @@ RSpec.describe Sbom::PackageUrl do
   end
 
   describe '#to_h' do
-    let(:purl) do
+    let(:package) do
       described_class.new(
         type: type,
         namespace: namespace,
@@ -109,9 +118,9 @@ RSpec.describe Sbom::PackageUrl do
       )
     end
 
-    subject(:to_h) { purl.to_h }
+    subject(:to_h) { package.to_h }
 
-    include_context 'with purl matrix'
+    include_context 'with valid purl examples'
 
     with_them do
       it do
@@ -131,7 +140,16 @@ RSpec.describe Sbom::PackageUrl do
   end
 
   describe '#to_s' do
-    let(:package) { described_class.new(**args) }
+    let(:package) do
+      described_class.new(
+        type: 'npm',
+        namespace: nil,
+        name: 'lodash',
+        version: nil,
+        qualifiers: nil,
+        subpath: nil
+      )
+    end
 
     it 'delegates to_s to the encoder' do
       expect_next_instance_of(described_class::Encoder, package) do |encoder|