up

2025-11-24 07:52:25 +02:00
parent 5970f0d9bd
commit 150b3730ef
215 changed files with 8119 additions and 740 deletions
--- a/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/GraphOverlayFactoryTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/GraphOverlayFactoryTests.cs
@@ -0,0 +1,108 @@
+using System;
+using System.Collections.Immutable;
+using System.Text.Json.Nodes;
+using StellaOps.Excititor.Core;
+using StellaOps.Excititor.Core.Observations;
+using StellaOps.Excititor.WebService.Graph;
+using Xunit;
+
+namespace StellaOps.Excititor.WebService.Tests;
+
+public sealed class GraphOverlayFactoryTests
+{
+    [Fact]
+    public void Build_ComputesSummariesAndProvenancePerPurl()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var observations = new[]
+        {
+            CreateObservation(
+                providerId: "redhat",
+                createdAt: now.AddMinutes(-5),
+                purls: new[] { "pkg:rpm/redhat/openssl@1.1.1" },
+                statements: new[]
+                {
+                    new VexObservationStatement(
+                        vulnerabilityId: "CVE-2025-1000",
+                        productKey: "pkg:rpm/redhat/openssl@1.1.1",
+                        status: VexClaimStatus.NotAffected,
+                        lastObserved: now,
+                        justification: VexJustification.ComponentNotPresent,
+                        purl: "pkg:rpm/redhat/openssl@1.1.1")
+                },
+                contentHash: "hash-old"),
+            CreateObservation(
+                providerId: "ubuntu",
+                createdAt: now,
+                purls: new[] { "pkg:rpm/redhat/openssl@1.1.1" },
+                statements: new[]
+                {
+                    new VexObservationStatement(
+                        vulnerabilityId: "CVE-2025-1001",
+                        productKey: "pkg:rpm/redhat/openssl@1.1.1",
+                        status: VexClaimStatus.UnderInvestigation,
+                        lastObserved: now,
+                        justification: null,
+                        purl: "pkg:rpm/redhat/openssl@1.1.1")
+                },
+                contentHash: "hash-new"),
+            CreateObservation(
+                providerId: "oracle",
+                createdAt: now.AddMinutes(-1),
+                purls: new[] { "pkg:rpm/redhat/openssl@1.1.1" },
+                statements: Array.Empty<VexObservationStatement>(),
+                contentHash: "hash-oracle")
+        };
+
+        var overlays = GraphOverlayFactory.Build(
+            orderedPurls: new[] { "pkg:rpm/redhat/openssl@1.1.1" },
+            observations: observations,
+            includeJustifications: true);
+
+        var overlay = Assert.Single(overlays);
+        Assert.Equal("pkg:rpm/redhat/openssl@1.1.1", overlay.Purl);
+        Assert.Equal(0, overlay.Summary.Open);
+        Assert.Equal(1, overlay.Summary.NotAffected);
+        Assert.Equal(1, overlay.Summary.UnderInvestigation);
+        Assert.Equal(1, overlay.Summary.NoStatement);
+        Assert.Equal(now, overlay.LatestModifiedAt);
+        Assert.Equal(new[] { "ComponentNotPresent" }, overlay.Justifications);
+        Assert.Equal("hash-new", overlay.Provenance.LastEvidenceHash);
+        Assert.Equal(new[] { "oracle", "redhat", "ubuntu" }, overlay.Provenance.Sources);
+    }
+
+    private static VexObservation CreateObservation(
+        string providerId,
+        DateTimeOffset createdAt,
+        string[] purls,
+        VexObservationStatement[] statements,
+        string contentHash)
+    {
+        return new VexObservation(
+            observationId: $"obs-{providerId}-{createdAt.ToUnixTimeMilliseconds()}",
+            tenant: "tenant-a",
+            providerId: providerId,
+            streamId: "csaf",
+            upstream: new VexObservationUpstream(
+                upstreamId: Guid.NewGuid().ToString("N"),
+                documentVersion: "1",
+                fetchedAt: createdAt,
+                receivedAt: createdAt,
+                contentHash: contentHash,
+                signature: new VexObservationSignature(present: true, format: "sig", keyId: null, signature: null)),
+            statements: statements.ToImmutableArray(),
+            content: new VexObservationContent(
+                format: "csaf",
+                specVersion: "1",
+                raw: JsonValue.Create("raw")!,
+                metadata: ImmutableDictionary<string, string>.Empty),
+            linkset: new VexObservationLinkset(
+                aliases: Array.Empty<string>(),
+                purls: purls,
+                cpes: Array.Empty<string>(),
+                references: Array.Empty<VexObservationReference>()),
+            createdAt: createdAt,
+            supersedes: ImmutableArray<string>.Empty,
+            attributes: ImmutableDictionary<string, string>.Empty);
+    }
+}
--- a/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj
+++ b/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj
@@ -34,6 +34,7 @@
    <Compile Include="TestAuthentication.cs" />
    <Compile Include="TestServiceOverrides.cs" />
    <Compile Include="TestWebApplicationFactory.cs" />
+    <Compile Include="GraphOverlayFactoryTests.cs" />
    <Compile Include="AttestationVerifyEndpointTests.cs" />
  </ItemGroup>
 </Project>