Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly. - Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps. - Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges. - Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges. - Set up project file for the test project with necessary dependencies and configurations. - Include JSON fixture files for testing purposes.
2025-11-04 07:49:39 +02:00
parent f72c5c513a
commit 2eb6852d34
491 changed files with 39445 additions and 3917 deletions
--- a/seed-data/findings-ledger/fixtures/finding-projection.sample.json
+++ b/seed-data/findings-ledger/fixtures/finding-projection.sample.json
@@ -0,0 +1,19 @@
+{
+  "currentEventId": "3ac1f4ef-3c26-4b0d-91d4-6a6d3a5bde10",
+  "cycleHash": "1a61c14efc1aceaed7d2574d2054475b2683a3bfc81103585070ef560b15bd02",
+  "explainRef": "explain://tenant-a/findings/3ac1f4ef",
+  "findingId": "artifact:sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a|pkg:cpe:/o:vendor:product",
+  "labels": {
+    "kev": true,
+    "runtime": "exposed"
+  },
+  "policyVersion": "sha256:5f38c7887d4a4bb887ce89c393c7a2e23e6e708fda310f9f3ff2a2a0b4dffbdf",
+  "severity": 6.7,
+  "status": "triaged",
+  "tenantId": "tenant-a",
+  "updatedAt": "2025-11-03T15:12:05.456Z",
+  "policyRationale": [
+    "explain://tenant-a/findings/3ac1f4ef",
+    "policy://tenant-a/policy-v1/rationale/accepted"
+  ]
+}
--- a/seed-data/findings-ledger/fixtures/ledger-event.sample.json
+++ b/seed-data/findings-ledger/fixtures/ledger-event.sample.json
@@ -0,0 +1,42 @@
+{
+  "event": {
+    "actor": {
+      "id": "user:alice@tenant",
+      "type": "operator"
+    },
+    "artifactId": "sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a",
+    "chainId": "5fa2b970-9da2-4ef4-9a63-463c5d98d3cc",
+    "eventHash": "05332adf4298733a243968c40c7aeb4215dae48c52af9a5316374eacc9b30d45",
+    "finding": {
+      "artifactId": "sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a",
+      "id": "artifact:sha256:3f1e2d9c7b1a0f6534d1b6f998d7a5c3ef9e0ab92f4c1d2e3f5a6b7c8d9e0f1a|pkg:cpe:/o:vendor:product",
+      "vulnId": "CVE-2025-1234"
+    },
+    "id": "3ac1f4ef-3c26-4b0d-91d4-6a6d3a5bde10",
+    "occurredAt": "2025-11-03T15:12:05.123Z",
+    "payload": {
+      "justification": "Ticket SEC-1234 created",
+      "previousStatus": "affected",
+      "status": "triaged",
+      "ticket": {
+        "id": "SEC-1234",
+        "url": "https://tracker.example/sec-1234"
+      },
+      "rationaleRefs": [
+        "explain://tenant-a/findings/3ac1f4ef"
+      ]
+    },
+    "policyVersion": "sha256:5f38c7887d4a4bb887ce89c393c7a2e23e6e708fda310f9f3ff2a2a0b4dffbdf",
+    "previousHash": "0000000000000000000000000000000000000000000000000000000000000000",
+    "recordedAt": "2025-11-03T15:12:06.001Z",
+    "sequence": 42,
+    "sourceRunId": "8f89a703-94cd-4e9d-8a75-2f407c4bee7f",
+    "tenant": "tenant-a",
+    "type": "finding.status_changed"
+  },
+  "hashes": {
+    "eventHash": "05332adf4298733a243968c40c7aeb4215dae48c52af9a5316374eacc9b30d45",
+    "merkleLeafHash": "a2ad094e2e2064a29de8b93710d97645401d7690e920e866eef231790c5200be",
+    "previousHash": "0000000000000000000000000000000000000000000000000000000000000000"
+  }
+}