Add integration e2e coverage: GitHubApp, advisory pipeline, Rekor, eBPF hardening

- GitHubApp: 11 new tests (health, CRUD lifecycle, update, delete, UI SCM tab) - Advisory pipeline: 16 tests (fixture data verification, source management smoke, initial/incremental sync, cross-source merge, canonical query API, UI catalog) with KEV/GHSA/EPSS fixture data files for deterministic testing - Rekor transparency: 7 tests (container health, submit/get/verify round-trip, log consistency, attestation API) gated behind E2E_REKOR=1 - eBPF agent: 3 edge case tests (unreachable endpoint, coexistence, degraded health) plus mock limitation documentation in test header - Fix UI search race: wait for table rows before counting rowsBefore - Advisory fixture now serves real data (KEV JSON, GHSA list, EPSS CSV) - Runtime host fixture adds degraded health endpoint Suite: 143 passed, 0 failed, 32 skipped in 13.5min (up from 123 tests) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 10:34:04 +03:00
parent a86ef6afb8
commit 2141fea4b6
13 changed files with 1545 additions and 1 deletions
--- a/devops/compose/fixtures/integration-fixtures/advisory/data/epss-scores.csv
+++ b/devops/compose/fixtures/integration-fixtures/advisory/data/epss-scores.csv
@@ -0,0 +1,12 @@
+#model_version:v2026.03.01,score_date:2026-03-30
+cve,epss,percentile
+CVE-2024-0001,0.92,0.99
+CVE-2024-0002,0.78,0.96
+CVE-2024-0003,0.45,0.88
+CVE-2024-0004,0.33,0.82
+CVE-2024-0005,0.12,0.65
+CVE-2024-0010,0.67,0.94
+CVE-2024-0011,0.08,0.52
+CVE-2024-1000,0.02,0.30
+CVE-2024-1001,0.01,0.15
+CVE-2024-1002,0.005,0.08
--- a/devops/compose/fixtures/integration-fixtures/advisory/data/ghsa-list.json
+++ b/devops/compose/fixtures/integration-fixtures/advisory/data/ghsa-list.json
@@ -0,0 +1,124 @@
+[
+  {
+    "ghsa_id": "GHSA-e2e1-test-0001",
+    "cve_id": "CVE-2024-0001",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0001",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0001",
+    "summary": "Apache HTTP Server Path Traversal allows RCE",
+    "description": "A path traversal vulnerability in Apache HTTP Server 2.4.49 through 2.4.50 allows attackers to map URLs to files outside the configured document root via crafted path components.",
+    "severity": "critical",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0001" },
+      { "type": "CVE", "value": "CVE-2024-0001" }
+    ],
+    "aliases": ["CVE-2024-0001"],
+    "published_at": "2026-01-10T00:00:00Z",
+    "updated_at": "2026-03-15T12:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "Maven",
+          "name": "org.apache.httpd:httpd"
+        },
+        "vulnerable_version_range": ">= 2.4.49, <= 2.4.50",
+        "patched_versions": "2.4.51",
+        "vulnerable_functions": []
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+      "score": 9.8
+    },
+    "cwes": [
+      { "cwe_id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory" }
+    ],
+    "credits": [
+      { "login": "security-researcher-1", "type": "reporter" }
+    ],
+    "references": [
+      { "url": "https://httpd.apache.org/security/vulnerabilities_24.html" },
+      { "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0001" }
+    ]
+  },
+  {
+    "ghsa_id": "GHSA-e2e1-test-0002",
+    "cve_id": "CVE-2024-0010",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0002",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0002",
+    "summary": "lodash prototype pollution via merge functions",
+    "description": "Versions of lodash prior to 4.17.21 are vulnerable to prototype pollution via the merge, mergeWith, and defaultsDeep functions.",
+    "severity": "high",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0002" },
+      { "type": "CVE", "value": "CVE-2024-0010" }
+    ],
+    "aliases": ["CVE-2024-0010"],
+    "published_at": "2026-02-01T00:00:00Z",
+    "updated_at": "2026-03-20T08:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "npm",
+          "name": "lodash"
+        },
+        "vulnerable_version_range": "< 4.17.21",
+        "patched_versions": "4.17.21",
+        "vulnerable_functions": ["merge", "mergeWith", "defaultsDeep"]
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
+      "score": 7.4
+    },
+    "cwes": [
+      { "cwe_id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes" }
+    ],
+    "credits": [],
+    "references": [
+      { "url": "https://github.com/lodash/lodash/issues/4744" }
+    ]
+  },
+  {
+    "ghsa_id": "GHSA-e2e1-test-0003",
+    "cve_id": "CVE-2024-0011",
+    "url": "https://github.com/advisories/GHSA-e2e1-test-0003",
+    "html_url": "https://github.com/advisories/GHSA-e2e1-test-0003",
+    "summary": "Express.js open redirect vulnerability",
+    "description": "Express.js versions before 4.19.0 are vulnerable to open redirect when untrusted user input is passed to the res.redirect() function.",
+    "severity": "medium",
+    "identifiers": [
+      { "type": "GHSA", "value": "GHSA-e2e1-test-0003" },
+      { "type": "CVE", "value": "CVE-2024-0011" }
+    ],
+    "aliases": ["CVE-2024-0011"],
+    "published_at": "2026-03-01T00:00:00Z",
+    "updated_at": "2026-03-25T16:00:00Z",
+    "withdrawn_at": null,
+    "vulnerabilities": [
+      {
+        "package": {
+          "ecosystem": "npm",
+          "name": "express"
+        },
+        "vulnerable_version_range": "< 4.19.0",
+        "patched_versions": "4.19.0",
+        "vulnerable_functions": ["redirect"]
+      }
+    ],
+    "cvss": {
+      "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+      "score": 6.1
+    },
+    "cwes": [
+      { "cwe_id": "CWE-601", "name": "URL Redirection to Untrusted Site" }
+    ],
+    "credits": [
+      { "login": "security-researcher-2", "type": "reporter" }
+    ],
+    "references": [
+      { "url": "https://expressjs.com/en/advanced/security-updates.html" }
+    ]
+  }
+]
--- a/devops/compose/fixtures/integration-fixtures/advisory/data/kev-catalog.json
+++ b/devops/compose/fixtures/integration-fixtures/advisory/data/kev-catalog.json
@@ -0,0 +1,73 @@
+{
+  "title": "CISA Known Exploited Vulnerabilities Catalog",
+  "catalogVersion": "2026.04.01",
+  "dateReleased": "2026-04-01T00:00:00.000Z",
+  "count": 5,
+  "vulnerabilities": [
+    {
+      "cveID": "CVE-2024-0001",
+      "vendorProject": "Apache",
+      "product": "HTTP Server",
+      "vulnerabilityName": "Apache HTTP Server Path Traversal",
+      "dateAdded": "2026-01-15",
+      "shortDescription": "Apache HTTP Server contains a path traversal vulnerability that allows remote code execution.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-02-15",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://httpd.apache.org/security/",
+      "cwes": ["CWE-22"]
+    },
+    {
+      "cveID": "CVE-2024-0002",
+      "vendorProject": "Microsoft",
+      "product": "Windows",
+      "vulnerabilityName": "Windows Kernel Privilege Escalation",
+      "dateAdded": "2026-01-20",
+      "shortDescription": "Microsoft Windows kernel contains a privilege escalation vulnerability.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-02-20",
+      "knownRansomwareCampaignUse": "Known",
+      "notes": "https://msrc.microsoft.com/",
+      "cwes": ["CWE-269"]
+    },
+    {
+      "cveID": "CVE-2024-0003",
+      "vendorProject": "Google",
+      "product": "Chrome",
+      "vulnerabilityName": "Chrome V8 Type Confusion",
+      "dateAdded": "2026-02-01",
+      "shortDescription": "Google Chrome V8 engine contains a type confusion vulnerability allowing sandbox escape.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-03-01",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://chromereleases.googleblog.com/",
+      "cwes": ["CWE-843"]
+    },
+    {
+      "cveID": "CVE-2024-0004",
+      "vendorProject": "OpenSSL",
+      "product": "OpenSSL",
+      "vulnerabilityName": "OpenSSL Buffer Overflow",
+      "dateAdded": "2026-02-10",
+      "shortDescription": "OpenSSL contains a buffer overflow vulnerability in X.509 certificate verification.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-03-10",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://www.openssl.org/news/secadv/",
+      "cwes": ["CWE-120"]
+    },
+    {
+      "cveID": "CVE-2024-0005",
+      "vendorProject": "Linux",
+      "product": "Linux Kernel",
+      "vulnerabilityName": "Linux Kernel Use-After-Free",
+      "dateAdded": "2026-03-01",
+      "shortDescription": "Linux kernel contains a use-after-free vulnerability in the netfilter subsystem.",
+      "requiredAction": "Apply updates per vendor instructions.",
+      "dueDate": "2026-04-01",
+      "knownRansomwareCampaignUse": "Unknown",
+      "notes": "https://kernel.org/",
+      "cwes": ["CWE-416"]
+    }
+  ]
+}