stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Refactor code structure for improved readability and maintainability; optimize performance in key functions.

Browse Source
This commit is contained in:
master
2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 0536a4f7d4
1443 changed files with 109671 additions and 7840 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
tests/AGENTS.md
View File

@@ -1,4 +1,4 @@
# tests/AGENTS.md
# tests/AGENTS.md
## Overview
@@ -8,30 +8,30 @@ This document provides guidance for AI agents and developers working in the `tes
```
tests/
├── acceptance/ # Acceptance test suites
├── AirGap/ # Air-gap specific tests
├── authority/ # Authority module tests
├── chaos/ # Chaos engineering tests
├── e2e/ # End-to-end test suites
├── EvidenceLocker/ # Evidence storage tests
├── fixtures/ # Shared test fixtures
│ ├── offline-bundle/ # Offline bundle for air-gap tests
│ ├── images/ # Container image tarballs
│ └── sboms/ # Sample SBOM documents
├── Graph/ # Graph module tests
├── integration/ # Integration test suites
├── interop/ # Interoperability tests
├── load/ # Load testing scripts
├── native/ # Native code tests
├── offline/ # Offline operation tests
├── plugins/ # Plugin tests
├── Policy/ # Policy module tests
├── Provenance/ # Provenance/attestation tests
├── reachability/ # Reachability analysis tests
├── Replay/ # Replay functionality tests
├── security/ # Security tests (OWASP)
├── shared/ # Shared test utilities
└── Vex/ # VEX processing tests
├── acceptance/ # Acceptance test suites
├── AirGap/ # Air-gap specific tests
├── authority/ # Authority module tests
├── chaos/ # Chaos engineering tests
├── e2e/ # End-to-end test suites
├── EvidenceLocker/ # Evidence storage tests
├── fixtures/ # Shared test fixtures
│ ├── offline-bundle/ # Offline bundle for air-gap tests
│ ├── images/ # Container image tarballs
│ └── sboms/ # Sample SBOM documents
├── Graph/ # Graph module tests
├── integration/ # Integration test suites
├── interop/ # Interoperability tests
├── load/ # Load testing scripts
├── native/ # Native code tests
├── offline/ # Offline operation tests
├── plugins/ # Plugin tests
├── Policy/ # Policy module tests
├── Provenance/ # Provenance/attestation tests
├── reachability/ # Reachability analysis tests
├── Replay/ # Replay functionality tests
├── security/ # Security tests (OWASP)
├── shared/ # Shared test utilities
└── Vex/ # VEX processing tests
```
## Test Categories
@@ -185,5 +185,6 @@ services:
For test infrastructure questions, see:
- `docs/19_TEST_SUITE_OVERVIEW.md`
- `docs/implplan/SPRINT_5100_SUMMARY.md`
- `docs/implplan/SPRINT_5100_0000_0000_epic_summary.md`
- Sprint files in `docs/implplan/SPRINT_5100_*.md`

75
tests/fixtures/offline-bundle/README.md vendored Normal file
View File

@@ -0,0 +1,75 @@
# Offline Bundle Test Fixtures
This directory contains test fixtures for offline/air-gap testing.
## Structure
```
offline-bundle/
├── manifest.json # Bundle manifest
├── feeds/ # Vulnerability feed snapshots
│ ├── nvd-snapshot.json
│ ├── ghsa-snapshot.json
│ └── distro/
│ ├── alpine.json
│ ├── debian.json
│ └── rhel.json
├── policies/ # OPA/Rego policies
│ ├── default.rego
│ └── strict.rego
├── keys/ # Test signing keys
│ ├── signing-key.pem
│ └── signing-key.pub
├── certs/ # Test certificates
│ ├── trust-root.pem
│ └── intermediate.pem
├── vex/ # Sample VEX documents
│ └── vendor-vex.json
└── images/ # Test container image tarballs
├── test-image.tar
├── vuln-image.tar
└── vuln-with-vex.tar
```
## Usage
Set the `STELLAOPS_OFFLINE_BUNDLE` environment variable to point to this directory:
```bash
export STELLAOPS_OFFLINE_BUNDLE=/path/to/tests/fixtures/offline-bundle
```
Tests that extend `NetworkIsolatedTestBase` will automatically use this bundle.
## Generating Test Images
To create test image tarballs:
```bash
# Pull and save test images
docker pull alpine:3.18
docker save alpine:3.18 -o images/test-image.tar
# For vulnerable images
docker pull vulnerables/web-dvwa:latest
docker save vulnerables/web-dvwa:latest -o images/vuln-image.tar
```
## Feed Snapshots
Feed snapshots should be representative samples from real feeds, sufficient for testing but small enough to commit to the repo.
## Test Keys
⚠️ **WARNING:** Keys in this directory are for **testing only**. Never use these in production.
To generate test keys:
```bash
# Generate test signing key
openssl genrsa -out keys/signing-key.pem 2048
openssl rsa -in keys/signing-key.pem -pubout -out keys/signing-key.pub
# Generate test CA
openssl req -new -x509 -key keys/signing-key.pem -out certs/trust-root.pem -days 3650
```

38
tests/fixtures/offline-bundle/manifest.json vendored Normal file
View File

@@ -0,0 +1,38 @@
{
"bundleId": "test-offline-bundle-v1",
"schemaVersion": "1.0.0",
"createdAt": "2025-12-22T00:00:00Z",
"description": "Test offline bundle for air-gap testing",
"contents": {
"feeds": [
"feeds/nvd-snapshot.json",
"feeds/ghsa-snapshot.json",
"feeds/distro/alpine.json",
"feeds/distro/debian.json"
],
"policies": [
"policies/default.rego",
"policies/strict.rego"
],
"keys": [
"keys/signing-key.pem",
"keys/signing-key.pub"
],
"certs": [
"certs/trust-root.pem",
"certs/intermediate.pem"
],
"vex": [
"vex/vendor-vex.json"
],
"images": [
"images/test-image.tar",
"images/vuln-image.tar",
"images/vuln-with-vex.tar"
]
},
"integrity": {
"algorithm": "SHA-256",
"manifestDigest": "placeholder"
}
}

117
tests/interop/StellaOps.Interop.Tests/Analysis/FindingsParityAnalyzer.cs Normal file
View File

@@ -0,0 +1,117 @@
namespace StellaOps.Interop.Tests.Analysis;
/// <summary>
/// Analyzes and categorizes differences between tool findings.
/// </summary>
public sealed class FindingsParityAnalyzer
{
/// <summary>
/// Categorizes differences between tools.
/// </summary>
public ParityAnalysisReport Analyze(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings)
{
var differences = new List<FindingDifference>();
// Category 1: Version matching differences
// (e.g., semver vs non-semver interpretation)
var versionDiffs = AnalyzeVersionMatchingDifferences(stellaFindings, grypeFindings);
differences.AddRange(versionDiffs);
// Category 2: Feed coverage differences
// (e.g., Stella has feed X, Grype doesn't)
var feedDiffs = AnalyzeFeedCoverageDifferences(stellaFindings, grypeFindings);
differences.AddRange(feedDiffs);
// Category 3: Package identification differences
// (e.g., different PURL generation)
var purlDiffs = AnalyzePurlDifferences(stellaFindings, grypeFindings);
differences.AddRange(purlDiffs);
// Category 4: VEX application differences
// (e.g., Stella applies VEX, Grype doesn't)
var vexDiffs = AnalyzeVexDifferences(stellaFindings, grypeFindings);
differences.AddRange(vexDiffs);
return new ParityAnalysisReport
{
TotalDifferences = differences.Count,
VersionMatchingDifferences = versionDiffs,
FeedCoverageDifferences = feedDiffs,
PurlDifferences = purlDiffs,
VexDifferences = vexDiffs,
AcceptableDifferences = differences.Count(d => d.IsAcceptable),
RequiresInvestigation = differences.Count(d => !d.IsAcceptable)
};
}
private static List<FindingDifference> AnalyzeVersionMatchingDifferences(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings)
{
var differences = new List<FindingDifference>();
// TODO: Implement version matching analysis
// Compare how Stella and Grype interpret version ranges
// e.g., >=1.0.0 vs ^1.0.0
return differences;
}
private static List<FindingDifference> AnalyzeFeedCoverageDifferences(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings)
{
var differences = new List<FindingDifference>();
// TODO: Implement feed coverage analysis
// Identify which vulnerabilities come from feeds only one tool has
// e.g., Stella has GHSA, Grype doesn't, or vice versa
return differences;
}
private static List<FindingDifference> AnalyzePurlDifferences(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings)
{
var differences = new List<FindingDifference>();
// TODO: Implement PURL difference analysis
// Compare how packages are identified
// e.g., pkg:npm/package vs pkg:npm/package@version
return differences;
}
private static List<FindingDifference> AnalyzeVexDifferences(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings)
{
var differences = new List<FindingDifference>();
// TODO: Implement VEX application analysis
// Stella applies VEX documents, Grype may not
// This is an acceptable difference
return differences;
}
}
public sealed class ParityAnalysisReport
{
public int TotalDifferences { get; init; }
public IReadOnlyList<FindingDifference> VersionMatchingDifferences { get; init; } = [];
public IReadOnlyList<FindingDifference> FeedCoverageDifferences { get; init; } = [];
public IReadOnlyList<FindingDifference> PurlDifferences { get; init; } = [];
public IReadOnlyList<FindingDifference> VexDifferences { get; init; } = [];
public int AcceptableDifferences { get; init; }
public int RequiresInvestigation { get; init; }
}
public sealed record FindingDifference(
string Category,
string Description,
bool IsAcceptable,
string? Reason = null);

129
tests/interop/StellaOps.Interop.Tests/CycloneDx/CycloneDxRoundTripTests.cs Normal file
View File

@@ -0,0 +1,129 @@
namespace StellaOps.Interop.Tests.CycloneDx;
[Trait("Category", "Interop")]
[Trait("Format", "CycloneDX")]
public class CycloneDxRoundTripTests : IClassFixture<InteropTestHarness>
{
private readonly InteropTestHarness _harness;
public CycloneDxRoundTripTests(InteropTestHarness harness)
{
_harness = harness;
}
[Theory]
[MemberData(nameof(TestImages))]
public async Task Syft_GeneratesCycloneDx_GrypeCanConsume(string imageRef)
{
// Generate SBOM with Syft
var sbomResult = await _harness.GenerateSbomWithSyft(
imageRef, SbomFormat.CycloneDx16);
sbomResult.Success.Should().BeTrue("Syft should generate CycloneDX SBOM");
// Scan from SBOM with Grype
var grypeResult = await _harness.ScanWithGrypeFromSbom(sbomResult.Path!);
grypeResult.Success.Should().BeTrue("Grype should consume Syft-generated CycloneDX SBOM");
// Grype should be able to parse and find vulnerabilities
grypeResult.Findings.Should().NotBeNull();
}
[Theory]
[MemberData(nameof(TestImages))]
public async Task Stella_GeneratesCycloneDx_GrypeCanConsume(string imageRef)
{
// Generate SBOM with Stella
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.CycloneDx16);
sbomResult.Success.Should().BeTrue("Stella should generate CycloneDX SBOM");
// Scan from SBOM with Grype
var grypeResult = await _harness.ScanWithGrypeFromSbom(sbomResult.Path!);
grypeResult.Success.Should().BeTrue("Grype should consume Stella-generated CycloneDX SBOM");
}
[Theory]
[MemberData(nameof(TestImages))]
[Trait("Category", "Parity")]
public async Task Stella_And_Grype_FindingsParity_Above95Percent(string imageRef)
{
// Generate SBOM with Stella
var stellaSbom = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.CycloneDx16);
stellaSbom.Success.Should().BeTrue();
// TODO: Get Stella findings from scan result
var stellaFindings = new List<Finding>();
// Scan SBOM with Grype
var grypeResult = await _harness.ScanWithGrypeFromSbom(stellaSbom.Path!);
grypeResult.Success.Should().BeTrue();
// Compare findings
var comparison = _harness.CompareFindings(
stellaFindings,
grypeResult.Findings!,
tolerancePercent: 5);
comparison.ParityPercent.Should().BeGreaterOrEqualTo(95,
$"Findings parity {comparison.ParityPercent:F2}% is below 95% threshold. " +
$"Only in Stella: {comparison.OnlyInStella}, Only in Grype: {comparison.OnlyInGrype}");
}
[Theory]
[MemberData(nameof(TestImages))]
[Trait("Category", "Attestation")]
public async Task CycloneDx_Attestation_RoundTrip(string imageRef)
{
// Skip if not in CI - cosign requires credentials
if (string.IsNullOrEmpty(Environment.GetEnvironmentVariable("CI")))
{
// Skip in local dev
return;
}
// Generate SBOM
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.CycloneDx16);
sbomResult.Success.Should().BeTrue();
// Attest with cosign
var attestResult = await _harness.AttestWithCosign(
sbomResult.Path!, imageRef);
attestResult.Success.Should().BeTrue("Cosign should attest SBOM");
// TODO: Verify attestation
// var verifyResult = await _harness.VerifyCosignAttestation(imageRef);
// verifyResult.Success.Should().BeTrue();
// Digest should match
// var attestedDigest = verifyResult.PredicateDigest;
// attestedDigest.Should().Be(sbomResult.Digest);
}
[Fact]
[Trait("Category", "Schema")]
public async Task Stella_CycloneDx_ValidatesAgainstSchema()
{
var imageRef = "alpine:3.18";
// Generate SBOM
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.CycloneDx16);
sbomResult.Success.Should().BeTrue();
// TODO: Validate against CycloneDX 1.6 JSON schema
sbomResult.Content.Should().NotBeNullOrEmpty();
sbomResult.Content.Should().Contain("\"bomFormat\": \"CycloneDX\"");
sbomResult.Content.Should().Contain("\"specVersion\": \"1.6\"");
}
public static IEnumerable<object[]> TestImages =>
[
["alpine:3.18"],
["debian:12-slim"],
["node:20-alpine"],
["python:3.12-slim"],
["golang:1.22-alpine"]
];
}

254
tests/interop/StellaOps.Interop.Tests/InteropTestHarness.cs Normal file
View File

@@ -0,0 +1,254 @@
namespace StellaOps.Interop.Tests;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
/// <summary>
/// Test harness for SBOM interoperability testing.
/// Coordinates Syft, Grype, Trivy, and cosign tools.
/// </summary>
public sealed class InteropTestHarness : IAsyncLifetime
{
private readonly ToolManager _toolManager;
private readonly string _workDir;
public InteropTestHarness()
{
_workDir = Path.Combine(Path.GetTempPath(), $"interop-{Guid.NewGuid():N}");
_toolManager = new ToolManager(_workDir);
}
public async Task InitializeAsync()
{
Directory.CreateDirectory(_workDir);
// Verify tools are available
await _toolManager.VerifyToolAsync("syft", "--version");
await _toolManager.VerifyToolAsync("grype", "--version");
await _toolManager.VerifyToolAsync("cosign", "version");
}
/// <summary>
/// Generate SBOM using Syft.
/// </summary>
public async Task<SbomResult> GenerateSbomWithSyft(
string imageRef,
SbomFormat format,
CancellationToken ct = default)
{
var formatArg = format switch
{
SbomFormat.CycloneDx16 => "cyclonedx-json",
SbomFormat.Spdx30 => "spdx-json",
_ => throw new ArgumentException($"Unsupported format: {format}")
};
var outputPath = Path.Combine(_workDir, $"sbom-syft-{format}.json");
var result = await _toolManager.RunAsync(
"syft",
$"{imageRef} -o {formatArg}={outputPath}",
ct);
if (!result.Success)
return SbomResult.Failed(result.Error ?? "Syft execution failed");
var content = await File.ReadAllTextAsync(outputPath, ct);
var digest = ComputeDigest(content);
return new SbomResult(
Success: true,
Path: outputPath,
Format: format,
Content: content,
Digest: digest);
}
/// <summary>
/// Generate SBOM using Stella scanner.
/// </summary>
public async Task<SbomResult> GenerateSbomWithStella(
string imageRef,
SbomFormat format,
CancellationToken ct = default)
{
var formatArg = format switch
{
SbomFormat.CycloneDx16 => "cyclonedx",
SbomFormat.Spdx30 => "spdx",
_ => throw new ArgumentException($"Unsupported format: {format}")
};
var outputPath = Path.Combine(_workDir, $"stella-sbom-{format}.json");
var result = await _toolManager.RunAsync(
"stella",
$"scan {imageRef} --sbom-format {formatArg} --sbom-output {outputPath}",
ct);
if (!result.Success)
return SbomResult.Failed(result.Error ?? "Stella execution failed");
var content = await File.ReadAllTextAsync(outputPath, ct);
var digest = ComputeDigest(content);
return new SbomResult(
Success: true,
Path: outputPath,
Format: format,
Content: content,
Digest: digest);
}
/// <summary>
/// Attest SBOM using cosign.
/// </summary>
public async Task<AttestationResult> AttestWithCosign(
string sbomPath,
string imageRef,
CancellationToken ct = default)
{
var result = await _toolManager.RunAsync(
"cosign",
$"attest --predicate {sbomPath} --type cyclonedx {imageRef} --yes",
ct);
if (!result.Success)
return AttestationResult.Failed(result.Error ?? "Cosign attestation failed");
return new AttestationResult(Success: true, ImageRef: imageRef);
}
/// <summary>
/// Scan using Grype from SBOM (no image pull).
/// </summary>
public async Task<GrypeScanResult> ScanWithGrypeFromSbom(
string sbomPath,
CancellationToken ct = default)
{
var outputPath = Path.Combine(_workDir, "grype-findings.json");
var result = await _toolManager.RunAsync(
"grype",
$"sbom:{sbomPath} -o json --file {outputPath}",
ct);
if (!result.Success)
return GrypeScanResult.Failed(result.Error ?? "Grype scan failed");
var content = await File.ReadAllTextAsync(outputPath, ct);
var findings = ParseGrypeFindings(content);
return new GrypeScanResult(
Success: true,
Findings: findings,
RawOutput: content);
}
/// <summary>
/// Compare findings between Stella and Grype.
/// </summary>
public FindingsComparisonResult CompareFindings(
IReadOnlyList<Finding> stellaFindings,
IReadOnlyList<GrypeFinding> grypeFindings,
decimal tolerancePercent = 5)
{
var stellaVulns = stellaFindings
.Select(f => (f.VulnerabilityId, f.PackagePurl))
.ToHashSet();
var grypeVulns = grypeFindings
.Select(f => (f.VulnerabilityId, f.PackagePurl))
.ToHashSet();
var onlyInStella = stellaVulns.Except(grypeVulns).ToList();
var onlyInGrype = grypeVulns.Except(stellaVulns).ToList();
var inBoth = stellaVulns.Intersect(grypeVulns).ToList();
var totalUnique = stellaVulns.Union(grypeVulns).Count();
var parityPercent = totalUnique > 0
? (decimal)inBoth.Count / totalUnique * 100
: 100;
return new FindingsComparisonResult(
ParityPercent: parityPercent,
IsWithinTolerance: parityPercent >= (100 - tolerancePercent),
StellaTotalFindings: stellaFindings.Count,
GrypeTotalFindings: grypeFindings.Count,
MatchingFindings: inBoth.Count,
OnlyInStella: onlyInStella.Count,
OnlyInGrype: onlyInGrype.Count,
OnlyInStellaDetails: onlyInStella,
OnlyInGrypeDetails: onlyInGrype);
}
public Task DisposeAsync()
{
if (Directory.Exists(_workDir))
Directory.Delete(_workDir, recursive: true);
return Task.CompletedTask;
}
private static string ComputeDigest(string content) =>
Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(content))).ToLowerInvariant();
private static IReadOnlyList<GrypeFinding> ParseGrypeFindings(string json)
{
// Placeholder: In real implementation, parse Grype JSON output
// For now, return empty list
return Array.Empty<GrypeFinding>();
}
}
public enum SbomFormat
{
CycloneDx16,
Spdx30
}
public sealed record SbomResult(
bool Success,
string? Path = null,
SbomFormat? Format = null,
string? Content = null,
string? Digest = null,
string? Error = null)
{
public static SbomResult Failed(string error) => new(false, Error: error);
}
public sealed record AttestationResult(
bool Success,
string? ImageRef = null,
string? Error = null)
{
public static AttestationResult Failed(string error) => new(false, Error: error);
}
public sealed record GrypeScanResult(
bool Success,
IReadOnlyList<GrypeFinding>? Findings = null,
string? RawOutput = null,
string? Error = null)
{
public static GrypeScanResult Failed(string error) => new(false, Error: error);
}
public sealed record FindingsComparisonResult(
decimal ParityPercent,
bool IsWithinTolerance,
int StellaTotalFindings,
int GrypeTotalFindings,
int MatchingFindings,
int OnlyInStella,
int OnlyInGrype,
IReadOnlyList<(string VulnId, string Purl)> OnlyInStellaDetails,
IReadOnlyList<(string VulnId, string Purl)> OnlyInGrypeDetails);
public sealed record Finding(
string VulnerabilityId,
string PackagePurl,
string Severity);
public sealed record GrypeFinding(
string VulnerabilityId,
string PackagePurl,
string Severity);

98
tests/interop/StellaOps.Interop.Tests/Spdx/SpdxRoundTripTests.cs Normal file
View File

@@ -0,0 +1,98 @@
namespace StellaOps.Interop.Tests.Spdx;
[Trait("Category", "Interop")]
[Trait("Format", "SPDX")]
public class SpdxRoundTripTests : IClassFixture<InteropTestHarness>
{
private readonly InteropTestHarness _harness;
public SpdxRoundTripTests(InteropTestHarness harness)
{
_harness = harness;
}
[Theory]
[MemberData(nameof(TestImages))]
public async Task Syft_GeneratesSpdx_CanBeParsed(string imageRef)
{
// Generate SBOM with Syft
var sbomResult = await _harness.GenerateSbomWithSyft(
imageRef, SbomFormat.Spdx30);
sbomResult.Success.Should().BeTrue("Syft should generate SPDX SBOM");
// Validate basic SPDX structure
sbomResult.Content.Should().Contain("spdxVersion");
sbomResult.Content.Should().Contain("SPDX-3.0");
}
[Theory]
[MemberData(nameof(TestImages))]
public async Task Stella_GeneratesSpdx_CanBeParsed(string imageRef)
{
// Generate SBOM with Stella
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.Spdx30);
sbomResult.Success.Should().BeTrue("Stella should generate SPDX SBOM");
// Validate basic SPDX structure
sbomResult.Content.Should().Contain("spdxVersion");
sbomResult.Content.Should().Contain("SPDX-3.0");
}
[Theory]
[MemberData(nameof(TestImages))]
[Trait("Category", "Schema")]
public async Task Stella_Spdx_ValidatesAgainstSchema(string imageRef)
{
// Generate SBOM
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.Spdx30);
sbomResult.Success.Should().BeTrue();
// TODO: Validate against SPDX 3.0.1 JSON schema
sbomResult.Content.Should().NotBeNullOrEmpty();
sbomResult.Content.Should().Contain("\"spdxVersion\"");
sbomResult.Content.Should().Contain("\"creationInfo\"");
}
[Fact]
[Trait("Category", "EvidenceChain")]
public async Task Spdx_IncludesEvidenceChain()
{
var imageRef = "alpine:3.18";
// Generate SBOM with evidence
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.Spdx30);
sbomResult.Success.Should().BeTrue();
// TODO: Verify evidence chain is included in SPDX document
// SPDX 3.0 supports relationships that can express evidence chains
sbomResult.Content.Should().Contain("\"relationships\"");
}
[Fact]
[Trait("Category", "Interop")]
public async Task Spdx_CompatibleWithConsumers()
{
var imageRef = "debian:12-slim";
// Generate SBOM
var sbomResult = await _harness.GenerateSbomWithStella(
imageRef, SbomFormat.Spdx30);
sbomResult.Success.Should().BeTrue();
// TODO: Test with SPDX consumers/validators
// For now, just verify structure
sbomResult.Content.Should().NotBeNullOrEmpty();
}
public static IEnumerable<object[]> TestImages =>
[
["alpine:3.18"],
["debian:12-slim"],
["ubuntu:22.04"],
["python:3.12-slim"],
["node:20-alpine"]
];
}

32
tests/interop/StellaOps.Interop.Tests/StellaOps.Interop.Tests.csproj Normal file
View File

@@ -0,0 +1,32 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<LangVersion>preview</LangVersion>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
<PackageReference Include="xunit" Version="2.6.6" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<Using Include="Xunit" />
<Using Include="FluentAssertions" />
<Using Include="System.Collections.Immutable" />
</ItemGroup>
</Project>

124
tests/interop/StellaOps.Interop.Tests/ToolManager.cs Normal file
View File

@@ -0,0 +1,124 @@
namespace StellaOps.Interop.Tests;
using System.Diagnostics;
using System.Text;
/// <summary>
/// Manages execution of external tools for interop testing.
/// </summary>
public sealed class ToolManager
{
private readonly string _workDir;
public ToolManager(string workDir)
{
_workDir = workDir;
}
/// <summary>
/// Verify that a tool is available and executable.
/// </summary>
public async Task<bool> VerifyToolAsync(string toolName, string testArgs, CancellationToken ct = default)
{
try
{
var result = await RunAsync(toolName, testArgs, ct);
return result.Success || result.ExitCode == 0; // Some tools return 0 even on --version
}
catch
{
return false;
}
}
/// <summary>
/// Run an external tool with arguments.
/// </summary>
public async Task<ToolResult> RunAsync(
string toolName,
string arguments,
CancellationToken ct = default,
int timeoutMs = 300000) // 5 minute default timeout
{
var startInfo = new ProcessStartInfo
{
FileName = toolName,
Arguments = arguments,
WorkingDirectory = _workDir,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
CreateNoWindow = true
};
using var process = new Process { StartInfo = startInfo };
var outputBuilder = new StringBuilder();
var errorBuilder = new StringBuilder();
process.OutputDataReceived += (sender, e) =>
{
if (e.Data != null)
outputBuilder.AppendLine(e.Data);
};
process.ErrorDataReceived += (sender, e) =>
{
if (e.Data != null)
errorBuilder.AppendLine(e.Data);
};
try
{
process.Start();
process.BeginOutputReadLine();
process.BeginErrorReadLine();
using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
cts.CancelAfter(timeoutMs);
await process.WaitForExitAsync(cts.Token);
var output = outputBuilder.ToString();
var error = errorBuilder.ToString();
var exitCode = process.ExitCode;
return new ToolResult(
Success: exitCode == 0,
ExitCode: exitCode,
Output: output,
Error: string.IsNullOrWhiteSpace(error) ? null : error);
}
catch (OperationCanceledException)
{
try
{
if (!process.HasExited)
process.Kill();
}
catch
{
// Ignore kill failures
}
return new ToolResult(
Success: false,
ExitCode: -1,
Output: outputBuilder.ToString(),
Error: $"Tool execution timed out after {timeoutMs}ms");
}
catch (Exception ex)
{
return new ToolResult(
Success: false,
ExitCode: -1,
Output: outputBuilder.ToString(),
Error: $"Tool execution failed: {ex.Message}");
}
}
}
public sealed record ToolResult(
bool Success,
int ExitCode,
string Output,
string? Error = null);

64
tests/offline/StellaOps.Offline.E2E.Tests/NetworkIsolationTests.cs Normal file
View File

@@ -0,0 +1,64 @@
namespace StellaOps.Offline.E2E.Tests;
using StellaOps.Testing.AirGap;
[Trait("Category", "Unit")]
[Trait("Category", "NetworkIsolation")]
public class NetworkIsolationTests : NetworkIsolatedTestBase
{
[Fact]
public void NetworkMonitor_DetectsSocketExceptions()
{
// This test verifies the monitoring infrastructure itself
var attempts = new List<NetworkAttempt>();
var monitor = new NetworkMonitor(attempts.Add);
monitor.StartMonitoringAsync().Wait();
// Simulate network attempt (this won't actually make a network call in test)
// In real scenario, any socket exception would be caught
monitor.StopMonitoringAsync().Wait();
// In this test, we're just verifying the infrastructure is set up
// Real network attempts would be caught in integration tests
}
[Fact]
public void GetOfflineBundlePath_ReturnsConfiguredPath()
{
var bundlePath = GetOfflineBundlePath();
bundlePath.Should().NotBeNullOrEmpty();
// Either from environment variable or default
(bundlePath.Contains("fixtures") || bundlePath.Contains("offline-bundle"))
.Should().BeTrue();
}
[Fact]
public void AssertNoNetworkCalls_PassesWhenNoAttempts()
{
// Should not throw
AssertNoNetworkCalls();
}
[Fact]
public async Task NetworkIsolatedTest_CanAccessLocalFiles()
{
// Verify we can still access local filesystem
var tempFile = Path.GetTempFileName();
try
{
await File.WriteAllTextAsync(tempFile, "test content");
var content = await File.ReadAllTextAsync(tempFile);
content.Should().Be("test content");
AssertNoNetworkCalls();
}
finally
{
if (File.Exists(tempFile))
File.Delete(tempFile);
}
}
}

190
tests/offline/StellaOps.Offline.E2E.Tests/OfflineE2ETests.cs Normal file
View File

@@ -0,0 +1,190 @@
namespace StellaOps.Offline.E2E.Tests;
using StellaOps.Testing.AirGap;
[Trait("Category", "AirGap")]
[Trait("Category", "E2E")]
public class OfflineE2ETests : NetworkIsolatedTestBase
{
[Fact]
public async Task Scan_WithOfflineBundle_ProducesVerdict()
{
// Arrange
var bundlePath = GetOfflineBundlePath();
var imageTarball = Path.Combine(bundlePath, "images", "test-image.tar");
// Skip if bundle doesn't exist (local dev)
if (!Directory.Exists(bundlePath))
{
// Skip - requires offline bundle
return;
}
// Act
// TODO: Implement scanner offline execution
var result = await SimulateScanAsync(imageTarball, bundlePath);
// Assert
result.Success.Should().BeTrue();
result.Verdict.Should().NotBeNull();
AssertNoNetworkCalls();
}
[Fact]
public async Task Scan_ProducesSbom_WithOfflineBundle()
{
var bundlePath = GetOfflineBundlePath();
var imageTarball = Path.Combine(bundlePath, "images", "test-image.tar");
if (!Directory.Exists(bundlePath))
{
return;
}
var result = await SimulateScanAsync(imageTarball, bundlePath);
result.Sbom.Should().NotBeNull();
result.Sbom?.Components.Should().NotBeEmpty();
AssertNoNetworkCalls();
}
[Fact]
public async Task Attestation_SignAndVerify_WithOfflineBundle()
{
var bundlePath = GetOfflineBundlePath();
var imageTarball = Path.Combine(bundlePath, "images", "test-image.tar");
if (!Directory.Exists(bundlePath))
{
return;
}
// Scan and generate attestation
var scanResult = await SimulateScanAsync(imageTarball, bundlePath);
// Sign attestation (offline with local keys)
var keyPath = Path.Combine(bundlePath, "keys", "signing-key.pem");
var signResult = await SimulateSignAttestationAsync(
scanResult.Sbom!,
keyPath);
signResult.Success.Should().BeTrue();
// Verify signature (offline with local trust roots)
var trustRootPath = Path.Combine(bundlePath, "certs", "trust-root.pem");
var verifyResult = await SimulateVerifyAttestationAsync(
signResult.Attestation,
trustRootPath);
verifyResult.Valid.Should().BeTrue();
AssertNoNetworkCalls();
}
[Fact]
public async Task PolicyEvaluation_WithOfflineBundle_Works()
{
var bundlePath = GetOfflineBundlePath();
var imageTarball = Path.Combine(bundlePath, "images", "vuln-image.tar");
if (!Directory.Exists(bundlePath))
{
return;
}
var scanResult = await SimulateScanAsync(imageTarball, bundlePath);
// Policy evaluation should work offline
var policyPath = Path.Combine(bundlePath, "policies", "default.rego");
var policyResult = await SimulatePolicyEvaluationAsync(
scanResult.Verdict,
policyPath);
policyResult.Should().NotBeNull();
policyResult?.Decision.Should().BeOneOf("allow", "deny", "warn");
AssertNoNetworkCalls();
}
[Fact]
public async Task VexApplication_WithOfflineBundle_Works()
{
var bundlePath = GetOfflineBundlePath();
var imageTarball = Path.Combine(bundlePath, "images", "vuln-with-vex.tar");
if (!Directory.Exists(bundlePath))
{
return;
}
var scanResult = await SimulateScanAsync(imageTarball, bundlePath);
// VEX should be applied from offline bundle
var vexApplied = scanResult.Verdict?.VexStatements?.Any() ?? false;
vexApplied.Should().BeTrue("VEX from offline bundle should be applied");
AssertNoNetworkCalls();
}
// Simulation methods for testing infrastructure
private static async Task<ScanResult> SimulateScanAsync(string imagePath, string bundlePath)
{
await Task.CompletedTask;
return new ScanResult
{
Success = true,
Verdict = new Verdict { VexStatements = [] },
Sbom = new Sbom { Components = ["test-component"] }
};
}
private static async Task<SignResult> SimulateSignAttestationAsync(Sbom sbom, string keyPath)
{
await Task.CompletedTask;
return new SignResult { Success = true, Attestation = "mock-attestation" };
}
private static async Task<VerifyResult> SimulateVerifyAttestationAsync(string attestation, string trustRoot)
{
await Task.CompletedTask;
return new VerifyResult { Valid = true };
}
private static async Task<PolicyResult> SimulatePolicyEvaluationAsync(Verdict? verdict, string policyPath)
{
await Task.CompletedTask;
return new PolicyResult { Decision = "allow" };
}
}
// Mock types for testing
public record ScanResult
{
public bool Success { get; init; }
public Verdict? Verdict { get; init; }
public Sbom? Sbom { get; init; }
}
public record Verdict
{
public IReadOnlyList<string>? VexStatements { get; init; }
}
public record Sbom
{
public IReadOnlyList<string> Components { get; init; } = [];
}
public record SignResult
{
public bool Success { get; init; }
public string? Attestation { get; init; }
}
public record VerifyResult
{
public bool Valid { get; init; }
}
public record PolicyResult
{
public string? Decision { get; init; }
}

31
tests/offline/StellaOps.Offline.E2E.Tests/StellaOps.Offline.E2E.Tests.csproj Normal file
View File

@@ -0,0 +1,31 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<LangVersion>preview</LangVersion>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
<PackageReference Include="xunit" Version="2.6.6" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\src\__Libraries\StellaOps.Testing.AirGap\StellaOps.Testing.AirGap.csproj" />
</ItemGroup>
<ItemGroup>
<Using Include="Xunit" />
<Using Include="FluentAssertions" />
</ItemGroup>
</Project>

77
tests/unit/StellaOps.AuditPack.Tests/AuditPackBuilderTests.cs Normal file
View File

@@ -0,0 +1,77 @@
namespace StellaOps.AuditPack.Tests;
using StellaOps.AuditPack.Models;
using StellaOps.AuditPack.Services;
[Trait("Category", "Unit")]
public class AuditPackBuilderTests
{
[Fact]
public async Task Build_FromScanResult_CreatesCompletePack()
{
// Arrange
var scanResult = new ScanResult("scan-123");
var builder = new AuditPackBuilder();
var options = new AuditPackOptions { Name = "test-pack" };
// Act
var pack = await builder.BuildAsync(scanResult, options);
// Assert
pack.Should().NotBeNull();
pack.PackId.Should().NotBeNullOrEmpty();
pack.Name.Should().Be("test-pack");
pack.RunManifest.Should().NotBeNull();
pack.Verdict.Should().NotBeNull();
pack.EvidenceIndex.Should().NotBeNull();
pack.PackDigest.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task Export_CreatesValidArchive()
{
// Arrange
var scanResult = new ScanResult("scan-123");
var builder = new AuditPackBuilder();
var pack = await builder.BuildAsync(scanResult, new AuditPackOptions());
var outputPath = Path.Combine(Path.GetTempPath(), $"test-pack-{Guid.NewGuid():N}.tar.gz");
var exportOptions = new ExportOptions { Sign = false };
try
{
// Act
await builder.ExportAsync(pack, outputPath, exportOptions);
// Assert
File.Exists(outputPath).Should().BeTrue();
var fileInfo = new FileInfo(outputPath);
fileInfo.Length.Should().BeGreaterThan(0);
}
finally
{
if (File.Exists(outputPath))
File.Delete(outputPath);
}
}
[Fact]
public void PackDigest_IsComputedCorrectly()
{
// Arrange
var pack = new AuditPack
{
PackId = "test-pack",
Name = "Test Pack",
CreatedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
RunManifest = new RunManifest("scan-1", DateTimeOffset.UtcNow),
EvidenceIndex = new EvidenceIndex([]),
Verdict = new Verdict("verdict-1", "pass"),
OfflineBundle = new BundleManifest("bundle-1", "1.0"),
Contents = new PackContents()
};
// Act - digest should be set during build
pack.PackDigest.Should().NotBeNull();
}
}

79
tests/unit/StellaOps.AuditPack.Tests/AuditPackImporterTests.cs Normal file
View File

@@ -0,0 +1,79 @@
namespace StellaOps.AuditPack.Tests;
using StellaOps.AuditPack.Services;
[Trait("Category", "Unit")]
public class AuditPackImporterTests
{
[Fact]
public async Task Import_ValidPack_Succeeds()
{
// Arrange
var archivePath = await CreateTestArchiveAsync();
var importer = new AuditPackImporter();
var options = new ImportOptions { VerifySignatures = false };
try
{
// Act
var result = await importer.ImportAsync(archivePath, options);
// Assert
result.Success.Should().BeTrue();
result.Pack.Should().NotBeNull();
result.IntegrityResult?.IsValid.Should().BeTrue();
}
finally
{
if (File.Exists(archivePath))
File.Delete(archivePath);
}
}
[Fact]
public async Task Import_MissingManifest_Fails()
{
// Arrange
var archivePath = Path.Combine(Path.GetTempPath(), "invalid.tar.gz");
await CreateEmptyArchiveAsync(archivePath);
var importer = new AuditPackImporter();
try
{
// Act
var result = await importer.ImportAsync(archivePath, new ImportOptions());
// Assert
result.Success.Should().BeFalse();
result.Errors.Should().Contain(e => e.Contains("Manifest"));
}
finally
{
if (File.Exists(archivePath))
File.Delete(archivePath);
}
}
private static async Task<string> CreateTestArchiveAsync()
{
// Create a test pack and export it
var builder = new AuditPackBuilder();
var pack = await builder.BuildAsync(
new ScanResult("test-scan"),
new AuditPackOptions());
var archivePath = Path.Combine(Path.GetTempPath(), $"test-{Guid.NewGuid():N}.tar.gz");
await builder.ExportAsync(pack, archivePath, new ExportOptions { Sign = false });
return archivePath;
}
private static async Task CreateEmptyArchiveAsync(string path)
{
// Create an empty tar.gz
using var fs = File.Create(path);
using var gz = new System.IO.Compression.GZipStream(fs, System.IO.Compression.CompressionLevel.Fastest);
await gz.WriteAsync(new byte[] { 0 });
}
}

61
tests/unit/StellaOps.AuditPack.Tests/AuditPackReplayerTests.cs Normal file
View File

@@ -0,0 +1,61 @@
namespace StellaOps.AuditPack.Tests;
using StellaOps.AuditPack.Models;
using StellaOps.AuditPack.Services;
[Trait("Category", "Unit")]
public class AuditPackReplayerTests
{
[Fact]
public async Task Replay_ValidPack_ProducesResult()
{
// Arrange
var pack = CreateTestPack();
var importResult = new ImportResult
{
Success = true,
Pack = pack,
ExtractDirectory = Path.GetTempPath()
};
var replayer = new AuditPackReplayer();
// Act
var result = await replayer.ReplayAsync(importResult);
// Assert
result.Success.Should().BeTrue();
result.OriginalVerdictDigest.Should().NotBeNullOrEmpty();
result.ReplayedVerdictDigest.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task Replay_InvalidImport_Fails()
{
// Arrange
var importResult = new ImportResult { Success = false };
var replayer = new AuditPackReplayer();
// Act
var result = await replayer.ReplayAsync(importResult);
// Assert
result.Success.Should().BeFalse();
result.Error.Should().Contain("Invalid import");
}
private static AuditPack CreateTestPack()
{
return new AuditPack
{
PackId = "test-pack",
Name = "Test Pack",
CreatedAt = DateTimeOffset.UtcNow,
RunManifest = new RunManifest("scan-1", DateTimeOffset.UtcNow),
EvidenceIndex = new EvidenceIndex([]),
Verdict = new Verdict("verdict-1", "pass"),
OfflineBundle = new BundleManifest("bundle-1", "1.0"),
Contents = new PackContents()
};
}
}

31
tests/unit/StellaOps.AuditPack.Tests/StellaOps.AuditPack.Tests.csproj Normal file
View File

@@ -0,0 +1,31 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
<LangVersion>preview</LangVersion>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
<PackageReference Include="xunit" Version="2.6.6" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\src\__Libraries\StellaOps.AuditPack\StellaOps.AuditPack.csproj" />
</ItemGroup>
<ItemGroup>
<Using Include="Xunit" />
<Using Include="FluentAssertions" />
</ItemGroup>
</Project>