@@ -146,10 +146,10 @@ func TestEvaluateSimplifiedPolicies(t *testing.T) {
146146 require .NotNil (t , result )
147147 assert .False (t , result .Result .Skipped )
148148 assert .Len (t , result .Result .Violations , 1 )
149- assert .Contains (t , result .Result .Violations [0 ], "at least 2 components" )
149+ assert .Contains (t , string ( result .Result .Violations [0 ]) , "at least 2 components" )
150150 })
151151
152- t .Run ("structured violations populated for policies with finding_type " , func (t * testing.T ) {
152+ t .Run ("violations with finding_type use unified format matching attestation storage " , func (t * testing.T ) {
153153 opts := & EvalOptions {
154154 PolicyPath : "testdata/sbom-structured-vuln-policy.yaml" ,
155155 MaterialPath : sbomPath ,
@@ -160,24 +160,23 @@ func TestEvaluateSimplifiedPolicies(t *testing.T) {
160160 require .NotNil (t , result )
161161 assert .False (t , result .Result .Skipped )
162162
163- // Both fields populated: violations (messages) and structured_violations (proto JSON )
163+ // Single unified violations field with full violation objects (same as attestation )
164164 require .Len (t , result .Result .Violations , 1 )
165- assert .Contains (t , result .Result .Violations [0 ], "Vulnerability found in test-component@1.0.0" )
166165
167- require . Len ( t , result . Result . StructuredViolations , 1 )
168- var sv map [ string ] any
169- require . NoError (t , json . Unmarshal ( result . Result . StructuredViolations [ 0 ], & sv ) )
170- assert .Contains (t , sv ["message" ], "Vulnerability found in test-component@1.0.0" )
166+ var v map [ string ] any
167+ require . NoError ( t , json . Unmarshal ( result . Result . Violations [ 0 ], & v ))
168+ assert . Nil (t , v [ "subject" ], "subject should be excluded from eval output" )
169+ assert .Contains (t , v ["message" ], "Vulnerability found in test-component@1.0.0" )
171170
172- vuln , ok := sv ["vulnerability" ].(map [string ]any )
173- require .True (t , ok , "expected vulnerability finding in structured violation" )
171+ vuln , ok := v ["vulnerability" ].(map [string ]any )
172+ require .True (t , ok , "expected vulnerability finding in violation object " )
174173 assert .Equal (t , "CVE-2024-1234" , vuln ["external_id" ])
175174 assert .Equal (t , "pkg:generic/test-component@1.0.0" , vuln ["package_purl" ])
176175 assert .Equal (t , "HIGH" , vuln ["severity" ])
177176 assert .InDelta (t , 7.5 , vuln ["cvss_v3_score" ], 0.001 )
178177 })
179178
180- t .Run ("no structured violations for plain string policies " , func (t * testing.T ) {
179+ t .Run ("violations without finding_type use same unified format " , func (t * testing.T ) {
181180 opts := & EvalOptions {
182181 PolicyPath : "testdata/sbom-min-components-policy.yaml" ,
183182 MaterialPath : sbomPath ,
@@ -187,9 +186,12 @@ func TestEvaluateSimplifiedPolicies(t *testing.T) {
187186 require .NoError (t , err )
188187 require .NotNil (t , result )
189188 require .Len (t , result .Result .Violations , 1 )
190- assert .Contains (t , result .Result .Violations [0 ], "at least 2 components" )
191- // No structured_violations when policy returns plain strings
192- assert .Empty (t , result .Result .StructuredViolations )
189+
190+ // Same structure as attestation: object with message (subject excluded in eval)
191+ var v map [string ]any
192+ require .NoError (t , json .Unmarshal (result .Result .Violations [0 ], & v ))
193+ assert .Nil (t , v ["subject" ], "subject should be excluded from eval output" )
194+ assert .Contains (t , v ["message" ], "at least 2 components" )
193195 })
194196
195197 t .Run ("sbom metadata component policy" , func (t * testing.T ) {
@@ -229,6 +231,6 @@ func TestEvaluateSimplifiedPolicies(t *testing.T) {
229231 require .NotNil (t , result )
230232 assert .False (t , result .Result .Skipped )
231233 assert .Len (t , result .Result .Violations , 1 )
232- assert .Contains (t , result .Result .Violations [0 ], "too few components" )
234+ assert .Contains (t , string ( result .Result .Violations [0 ]) , "too few components" )
233235 })
234236}
0 commit comments