feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem. - Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB. - Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB. - Developed unit tests for filesystem and MongoDB provenance writers. - Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling. - Implemented `TimelineIngestionService` to validate and persist timeline events with hashing. - Created PostgreSQL schema and migration scripts for timeline indexing. - Added dependency injection support for timeline indexer services. - Developed tests for timeline ingestion and schema validation.
2025-11-30 15:38:14 +02:00
parent 8f54ffa203
commit 17d45a6d30
276 changed files with 8618 additions and 688 deletions
--- a/bench/reachability-benchmark/cases/js/express-guarded/case.yaml
+++ b/bench/reachability-benchmark/cases/js/express-guarded/case.yaml
@@ -0,0 +1,38 @@
+id: "js-express-guarded:004"
+language: js
+project: express-guarded
+version: "1.0.0"
+description: "Admin exec guarded by ALLOW_EXEC flag; unreachable by default"
+entrypoints:
+  - "POST /api/admin/exec"
+sinks:
+  - id: "ExpressGuarded::exec"
+    path: "src/app.js::createServer"
+    kind: "process"
+    location:
+      file: src/app.js
+      line: 16
+    notes: "eval(code) gated by ALLOW_EXEC"
+environment:
+  os_image: "node:20-alpine"
+  runtime:
+    node: "20.11.0"
+  source_date_epoch: 1730000000
+build:
+  command: "./build/build.sh"
+  source_date_epoch: 1730000000
+  outputs:
+    artifact_path: outputs/binary.tar.gz
+    sbom_path: outputs/sbom.cdx.json
+    coverage_path: outputs/coverage.json
+    traces_dir: outputs/traces
+test:
+  command: "./tests/run-tests.sh"
+  expected_coverage:
+    - outputs/coverage.json
+  expected_traces:
+    - outputs/traces/traces.json
+ground_truth:
+  summary: "Guard prevents sink unless ALLOW_EXEC=true"
+  evidence_files:
+    - "../benchmark/truth/js-express-guarded.json"
--- a/bench/reachability-benchmark/cases/js/express-guarded/entrypoints.yaml
+++ b/bench/reachability-benchmark/cases/js/express-guarded/entrypoints.yaml
@@ -0,0 +1,8 @@
+case_id: "js-express-guarded:004"
+entries:
+  http:
+    - id: "POST /api/admin/exec"
+      route: "/api/admin/exec"
+      method: "POST"
+      handler: "createServer.exec"
+      description: "Admin exec blocked unless ALLOW_EXEC=true"
--- a/bench/reachability-benchmark/cases/js/express-guarded/package.json
+++ b/bench/reachability-benchmark/cases/js/express-guarded/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "rb-case-express-guarded",
+  "version": "1.0.0",
+  "description": "Reachability benchmark case: express-like admin exec guarded by env flag",
+  "license": "Apache-2.0",
+  "scripts": {
+    "test": "./tests/run-tests.sh"
+  }
+}
--- a/bench/reachability-benchmark/cases/js/express-guarded/src/app.js
+++ b/bench/reachability-benchmark/cases/js/express-guarded/src/app.js
@@ -0,0 +1,33 @@
+'use strict';
+
+function makeApp() {
+  const routes = {};
+  return {
+    post(path, handler) {
+      routes[`POST ${path}`] = handler;
+    },
+    handle(method, path, req) {
+      const key = `${method} ${path}`;
+      if (routes[key]) return routes[key](req);
+      return { status: 404, body: 'not found' };
+    }
+  };
+}
+
+function createServer() {
+  const app = makeApp();
+  app.post('/api/admin/exec', (req) => {
+    if (req?.env?.ALLOW_EXEC !== 'true') {
+      return { status: 403, body: 'forbidden' };
+    }
+    if (typeof req?.body?.code !== 'string') {
+      return { status: 400, body: 'bad request' };
+    }
+    // eslint-disable-next-line no-eval
+    const result = eval(req.body.code);
+    return { status: 200, body: String(result) };
+  });
+  return app;
+}
+
+module.exports = { createServer };
--- a/bench/reachability-benchmark/cases/js/express-guarded/tests/run-tests.sh
+++ b/bench/reachability-benchmark/cases/js/express-guarded/tests/run-tests.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+cd "$(dirname "$0")"
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1730000000}
+export TZ=UTC
+export LC_ALL=C
+node test_unreachable.js
--- a/bench/reachability-benchmark/cases/js/express-guarded/tests/test_unreachable.js
+++ b/bench/reachability-benchmark/cases/js/express-guarded/tests/test_unreachable.js
@@ -0,0 +1,53 @@
+'use strict';
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const { createServer } = require('../src/app');
+
+const OUT_DIR = path.resolve(__dirname, '../outputs');
+const TRACE_DIR = path.join(OUT_DIR, 'traces');
+const COVERAGE_FILE = path.join(OUT_DIR, 'coverage.json');
+const TRACE_FILE = path.join(TRACE_DIR, 'traces.json');
+
+function ensureDirs() {
+  fs.mkdirSync(OUT_DIR, { recursive: true });
+  fs.mkdirSync(TRACE_DIR, { recursive: true });
+}
+
+function recordTrace(entry, pathNodes) {
+  fs.writeFileSync(
+    TRACE_FILE,
+    JSON.stringify({
+      entry,
+      path: pathNodes,
+      sink: 'ExpressGuarded::exec',
+      notes: 'Guard blocked sink'
+    }, null, 2)
+  );
+}
+
+function recordCoverage(filePath, lines) {
+  fs.writeFileSync(
+    COVERAGE_FILE,
+    JSON.stringify({
+      files: {
+        [filePath]: {
+          lines_covered: lines,
+          lines_total: 50
+        }
+      }
+    }, null, 2)
+  );
+}
+
+(function main() {
+  ensureDirs();
+  const app = createServer();
+  const res = app.handle('POST', '/api/admin/exec', { body: { code: '2+2' }, env: { ALLOW_EXEC: 'false' } });
+  assert.strictEqual(res.status, 403);
+  assert.strictEqual(res.body, 'forbidden');
+
+  recordTrace('POST /api/admin/exec', ['app.js::createServer', 'guard: ALLOW_EXEC!=true']);
+  recordCoverage('src/app.js', [5,6,7,12,13,14,15]);
+})();