chore(tests): add test for packages that are not properly installed

Packages that do not have the "installed ok install" line in the dpkg
status file should not appear in SBOMs. Test that.

Signed-off-by: Christoph Steiger <[email protected]>

Author: Urist-McGit

tests/root/apt-sources/var/lib/dpkg/status

@@ -33,3 +33,54 @@ Description: GNU binary utilities for bpf
  users or developers.
 Built-Using: binutils (= 2.40-2)
 Homepage: https://sourceware.org/binutils/
+
+Package: openssh-server
+Status: deinstall ok config-files
+Priority: optional
+Section: net
+Installed-Size: 1930
+Maintainer: Debian OpenSSH Maintainers <[email protected]>
+Architecture: amd64
+Multi-Arch: foreign
+Source: openssh
+Version: 1:9.2p1-2+deb12u4
+Config-Version: 1:9.2p1-2+deb12u4
+Replaces: openssh-client (<< 1:7.9p1-8), ssh, ssh-krb5
+Provides: ssh-server
+Depends: adduser, libpam-modules, libpam-runtime, lsb-base, openssh-client (= 1:9.2p1-2+deb12u4), openssh-sftp-server, procps, ucf, debconf (>= 0.5) | debconf-2.0, runit-helper (>= 2.14.0~), libaudit1 (>= 1:2.2.1), libc6 (>= 2.36), libcom-err2 (>= 1.43.9), libcrypt1 (>= 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.15), libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)
+Pre-Depends: init-system-helpers (>= 1.54~)
+Recommends: default-logind | logind | libpam-systemd, ncurses-term, xauth
+Suggests: molly-guard, monkeysphere, ssh-askpass, ufw
+Breaks: runit (<< 2.1.2-51~)
+Conflicts: sftp, ssh-socks, ssh2
+Conffiles:
+ /etc/default/ssh 500e3cf069fe9a7b9936108eb9d9c035
+ /etc/init.d/ssh 3649a6fe8c18ad1d5245fd91737de507
+ /etc/pam.d/sshd 8b4c7a12b031424b2a9946881da59812
+ /etc/ssh/moduli 1f68f6ab5e45958e61ff32297ea1c3ec
+ /etc/sv/ssh/.meta/installed d41d8cd98f00b204e9800998ecf8427e
+ /etc/sv/ssh/finish f5f032f6f3e569c821346294d410b636
+ /etc/sv/ssh/log/run 63e0ec3e1080dafc68d6d71d42b150a9
+ /etc/sv/ssh/run 411f69ac55d12f0c98998552846b1c78
+ /etc/ufw/applications.d/openssh-server 486b78d54b93cc9fdc950c1d52ff479e
+Description: secure shell (SSH) server, for secure access from remote machines
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network. X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It can be used to provide applications with a secure communication
+ channel.
+ .
+ This package provides the sshd server.
+ .
+ In some countries it may be illegal to use any encryption at all
+ without a special permit.
+ .
+ sshd replaces the insecure rshd program, which is obsolete for most
+ purposes.
+Homepage: https://www.openssh.com/

tests/test_generation.py

@@ -316,3 +316,21 @@ def test_pkglist_apt_cache(tmpdir, sbom_generator):
     assert binutils_bpf["versionInfo"] == "2.40-2+1-custom"
     # make sure we have no additional information
     assert binutils_bpf["supplier"] == "NOASSERTION"
+
+
+def test_residual_config_packages(tmpdir, sbom_generator):
+    dbom = sbom_generator("tests/root/apt-sources")
+    outdir = Path(tmpdir)
+    dbom.generate(str(outdir / "sbom"), validate=True)
+    with open(outdir / "sbom.spdx.json") as file:
+        spdx_json = json.loads(file.read())
+        packages = spdx_json["packages"]
+        assert "openssh-server" not in [p["name"] for p in packages]
+        # source package for openssh-server
+        assert "openssh" not in [p["name"] for p in packages]
+    with open(outdir / "sbom.cdx.json") as file:
+        spdx_json = json.loads(file.read())
+        components = spdx_json["components"]
+        assert "openssh-server" not in [c["name"] for c in components]
+        # source package for openssh-server
+        assert "openssh" not in [c["name"] for c in components]