test: update tests to use ModelValidator directly

saquibsaifee · claude · saquibsaifee · commit df4fa6770c71 · 2026-04-29T16:42:15.000-04:00
Replace bom.validate() calls with ModelValidator().validate(bom) across
test_model_bom.py and test_real_world_examples.py. Add regression tests for
the two bug fixes (nested component license check, top-level dependency ref).

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Signed-off-by: Saquib Saifee &lt;saquibsaifee2@gmail.com&gt;
diff --git a/tests/test_model_bom.py b/tests/test_model_bom.py
@@ -32,6 +32,7 @@
 from cyclonedx.model.lifecycle import LifecyclePhase, NamedLifecycle, PredefinedLifecycle
 from cyclonedx.model.tool import Tool
 from cyclonedx.output.json import JsonV1Dot7
+from cyclonedx.validation.model import ModelValidationErrorSeverity, ModelValidator
 from tests import reorder
 from tests._data.models import (
     get_bom_component_licenses_invalid,
@@ -254,7 +255,9 @@ def test_bom_nested_components_issue_275(self) -> None:
         bom = get_bom_for_issue_275_components()
         self.assertIsInstance(bom.metadata.component, Component)
         self.assertEqual(2, len(bom.components))
-        bom.validate()
+        errors = [e for e in ModelValidator().validate(bom)
+                  if e.severity is ModelValidationErrorSeverity.ERROR]
+        self.assertFalse(errors)
 
     @named_data(
         ['metadata_licenses', get_bom_metadata_licenses_invalid],
@@ -266,8 +269,8 @@ def test_bom_nested_components_issue_275(self) -> None:
     )
     def test_validate_with_invalid_license_constellation_throws(self, get_bom: Callable[[], Bom]) -> None:
         bom = get_bom()
-        with self.assertRaises(LicenseExpressionAlongWithOthersException):
-            bom.validate()
+        error_types = [type(e.data) for e in ModelValidator().validate(bom)]
+        self.assertIn(LicenseExpressionAlongWithOthersException, error_types)
 
     # def test_bom_nested_services_issue_275(self) -> None:
     #    """regression test for issue #275
diff --git a/tests/test_real_world_examples.py b/tests/test_real_world_examples.py
@@ -23,6 +23,7 @@
 from unittest.mock import patch
 
 from cyclonedx.model.bom import Bom
+from cyclonedx.validation.model import ModelValidationErrorSeverity, ModelValidator
 from tests import OWN_DATA_DIRECTORY
 
 
@@ -44,15 +45,19 @@ def test_regression_issue677(self, *_: Any, **__: Any) -> None:
             json = json_loads(input_json.read())
         bom = Bom.from_json(json)
         self.assertEqual(4, len(bom.components))
-        bom.validate()
+        errors = [e for e in ModelValidator().validate(bom)
+                  if e.severity is ModelValidationErrorSeverity.ERROR]
+        self.assertFalse(errors)
 
     def test_regression_issue753(self, *_: Any, **__: Any) -> None:
         # tests https://github.com/CycloneDX/cyclonedx-python-lib/issues/753
         with open(join(OWN_DATA_DIRECTORY, 'json', '1.5', 'issue753.json')) as input_json:
             json = json_loads(input_json.read())
         bom = Bom.from_json(json)
         self.assertEqual(2, len(bom.components))
-        bom.validate()
+        errors = [e for e in ModelValidator().validate(bom)
+                  if e.severity is ModelValidationErrorSeverity.ERROR]
+        self.assertFalse(errors)
 
     def test_regression_issue_850(self, *_: Any, **__: Any) -> None:
         # tests https://github.com/CycloneDX/cyclonedx-python-lib/issues/850
diff --git a/tests/test_validation_model.py b/tests/test_validation_model.py
@@ -22,55 +22,84 @@
 from cyclonedx.model.component import Component
 from cyclonedx.model.dependency import Dependency
 from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression
-from cyclonedx.validation.model import ModelValidator
+from cyclonedx.validation.model import ModelValidationErrorSeverity, ModelValidator
 
 
 class TestModelValidator(TestCase):
-    def test_validate_multiple_errors(self) -> None:
+
+    def test_validate_clean_bom(self) -> None:
+        bom = Bom()
+        bom.metadata.component = Component(name='root', version='1.0', bom_ref='root')
+        errors = list(ModelValidator().validate(bom))
+        self.assertEqual(0, len(errors))
+
+    def test_validate_multiple_errors_have_error_severity(self) -> None:
         bom = Bom()
-        # Error 1: Component with multiple licenses including expression
         comp = Component(name='test', version='1.0', bom_ref='test-comp')
         comp.licenses.update([
             DisjunctiveLicense(id='MIT'),
-            LicenseExpression(value='Apache-2.0 OR MIT')
+            LicenseExpression(value='Apache-2.0 OR MIT'),
         ])
         bom.components.add(comp)
-
-        # Error 2: Unknown dependency reference
         bom.dependencies.add(Dependency('test-comp', dependencies=[Dependency('non-existent-ref')]))
 
-        validator = ModelValidator()
-        errors = list(validator.validate(bom))
+        errors = list(ModelValidator().validate(bom))
 
-        self.assertEqual(len(errors), 2)
+        self.assertEqual(2, len(errors))
         error_types = [type(e.data) for e in errors]
         self.assertIn(UnknownComponentDependencyException, error_types)
         self.assertIn(LicenseExpressionAlongWithOthersException, error_types)
+        for error in errors:
+            self.assertEqual(ModelValidationErrorSeverity.ERROR, error.severity)
 
-    def test_validate_clean_bom(self) -> None:
+    def test_validate_unknown_toplevel_dependency_ref_detected(self) -> None:
+        """Regression: top-level d.ref values must also be validated against known BOM components."""
         bom = Bom()
-        bom.metadata.component = Component(name='root', version='1.0', bom_ref='root')
-        validator = ModelValidator()
-        errors = list(validator.validate(bom))
-        self.assertEqual(len(errors), 0)
+        comp = Component(name='real', version='1.0', bom_ref='real-comp')
+        bom.components.add(comp)
+        # 'ghost-ref' is not in the BOM at all
+        bom.dependencies.add(Dependency('ghost-ref'))
 
-    def test_bom_validate_deprecated_behavior(self) -> None:
+        errors = list(ModelValidator().validate(bom))
+
+        error_types = [type(e.data) for e in errors]
+        self.assertIn(UnknownComponentDependencyException, error_types)
+
+    def test_validate_incomplete_dependency_graph_yields_warning(self) -> None:
+        """Check #2 must yield a WARNING-severity error, not a Python UserWarning."""
+        import warnings as _warnings
         bom = Bom()
         bom.metadata.component = Component(name='root', version='1.0', bom_ref='root')
+        bom.components.add(Component(name='dep', version='1.0', bom_ref='dep'))
+
+        with _warnings.catch_warnings():
+            _warnings.simplefilter('error')  # turn any Python warning into an error
+            errors = list(ModelValidator().validate(bom))  # must not raise
 
-        # Verify side effect: register_dependency is called by Bom.validate
-        self.assertEqual(len(bom.dependencies), 0)
-        with self.assertWarns(DeprecationWarning):
-            bom.validate()
-        self.assertEqual(len(bom.dependencies), 1)
-        self.assertEqual(next(iter(bom.dependencies)).ref.value, 'root')
+        warning_errors = [e for e in errors if e.severity == ModelValidationErrorSeverity.WARNING]
+        self.assertEqual(1, len(warning_errors))
+        self.assertIsInstance(warning_errors[0].data, UserWarning)
 
-    def test_model_validator_no_side_effects(self) -> None:
+    def test_validate_nested_root_component_license_invalid(self) -> None:
+        """Regression: nested components under metadata.component must be license-checked."""
         bom = Bom()
-        bom.metadata.component = Component(name='root', version='1.0', bom_ref='root')
+        root = Component(name='root', version='1.0', bom_ref='root')
+        nested = Component(name='nested', version='1.0', bom_ref='nested')
+        nested.licenses.update([
+            DisjunctiveLicense(id='MIT'),
+            LicenseExpression(value='Apache-2.0 OR MIT'),
+        ])
+        root.components.add(nested)
+        bom.metadata.component = root
+
+        errors = list(ModelValidator().validate(bom))
 
-        # Verify NO side effect: ModelValidator should not call register_dependency
-        self.assertEqual(len(bom.dependencies), 0)
-        validator = ModelValidator()
-        list(validator.validate(bom))
-        self.assertEqual(len(bom.dependencies), 0)
+        error_types = [type(e.data) for e in errors]
+        self.assertIn(LicenseExpressionAlongWithOthersException, error_types)
+
+    def test_validate_no_side_effects(self) -> None:
+        bom = Bom()
+        bom.metadata.component = Component(name='root', version='1.0', bom_ref='root')
+        self.assertEqual(0, len(bom.dependencies))
+        list(ModelValidator().validate(bom))
+        self.assertEqual(0, len(bom.dependencies))
