Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories

- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
2025-12-16 16:40:19 +02:00
parent 415eff1207
commit 2170a58734
206 changed files with 30547 additions and 534 deletions
--- a/src/Scanner/AGENTS.md
+++ b/src/Scanner/AGENTS.md
@@ -13,6 +13,7 @@
 - `docs/reachability/DELIVERY_GUIDE.md` (sections 5.5–5.9 for native/JS/PHP updates)
 - `docs/reachability/purl-resolved-edges.md`
 - `docs/reachability/patch-oracles.md`
+- `docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md` (for Smart-Diff predicates)
 - Current sprint file (e.g., `docs/implplan/SPRINT_401_reachability_evidence_chain.md`).

 ## Working Directory & Boundaries
@@ -20,6 +21,30 @@
 - Avoid cross-module edits unless sprint explicitly permits; note any cross-module change in sprint tracker.
 - Keep fixtures minimal/deterministic; store under `src/Scanner/__Tests/Fixtures` or `__Benchmarks`.

+## Smart-Diff Contracts (Sprint 3500)
+
+The Scanner module now includes Smart-Diff foundation primitives:
+
+### Libraries
+- `StellaOps.Scanner.SmartDiff` - Core Smart-Diff predicate models and serialization
+- `StellaOps.Scanner.Reachability` - Reachability gate computation with 3-bit class
+
+### Key Types
+- `SmartDiffPredicate` - Attestation predicate for differential scans
+- `ReachabilityGate` - 3-bit class (0-7) indicating entry/sink reachability
+- `SinkCategory` - Taxonomy of sensitive sinks (file, network, crypto, etc.)
+- `SinkRegistry` - Registry of known sinks with category mappings
+
+### Predicate Schema
+- URI: `stellaops.dev/predicates/smart-diff@v1`
+- Schema: `docs/schemas/stellaops-smart-diff.v1.schema.json`
+- DSSE-signed predicates for evidence chain
+
+### Integration Points
+- Integrates with `StellaOps.Policy.Suppression` for pre-filter rules
+- Emits to Attestor module for DSSE envelope wrapping
+- Consumed by Findings Ledger for triage decisions
+
 ## Engineering Rules
 - Target `net10.0`; prefer latest C# preview allowed in repo.
 - Offline-first: no new external network calls; use cached feeds (`/local-nugets`).
@@ -34,6 +59,7 @@
 - Add/extend tests in `src/Scanner/__Tests/**`; golden outputs should be deterministic (sorted keys, stable ordering).
 - Benchmarks under `src/Scanner/__Benchmarks/**`; document input and expected ceilings in comments.
 - Cover multi-RID, trimmed/NativeAOT, self-contained vs framework-dependent cases where applicable.
+- Smart-Diff: Run schema validation tests (`SmartDiffSchemaValidationTests`) for predicate contract changes.

 ## Workflow Expectations
 - Mirror task state in sprint tracker (`TODO → DOING → DONE/BLOCKED`); note blockers with the specific decision needed.