Add unit tests for SBOM ingestion and transformation
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly.
- Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps.
- Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges.
- Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges.
- Set up project file for the test project with necessary dependencies and configurations.
- Include JSON fixture files for testing purposes.
This commit is contained in:
master
2025-11-04 07:49:39 +02:00
parent f72c5c513a
commit 2eb6852d34
491 changed files with 39445 additions and 3917 deletions

View File

@@ -0,0 +1,205 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;
using FluentAssertions;
using StellaOps.Findings.Ledger.Domain;
using StellaOps.Findings.Ledger.Hashing;
using StellaOps.Findings.Ledger.Infrastructure.Policy;
using StellaOps.Findings.Ledger.Services;
using Xunit;
namespace StellaOps.Findings.Ledger.Tests;
public sealed class LedgerProjectionReducerTests
{
[Fact]
public void Reduce_WhenFindingCreated_InitialisesProjection()
{
var payload = new JsonObject
{
["status"] = "triaged",
["severity"] = 6.5,
["labels"] = new JsonObject
{
["kev"] = true,
["runtime"] = "exposed"
},
["explainRef"] = "explain://tenant-a/finding/123"
};
var record = CreateRecord(LedgerEventConstants.EventFindingCreated, payload);
var evaluation = new PolicyEvaluationResult(
"triaged",
6.5m,
(JsonObject)payload["labels"]!.DeepClone(),
payload["explainRef"]!.GetValue<string>(),
new JsonArray(payload["explainRef"]!.GetValue<string>()));
var result = LedgerProjectionReducer.Reduce(record, current: null, evaluation);
result.Projection.Status.Should().Be("triaged");
result.Projection.Severity.Should().Be(6.5m);
result.Projection.Labels["kev"]!.GetValue<bool>().Should().BeTrue();
result.Projection.Labels["runtime"]!.GetValue<string>().Should().Be("exposed");
result.Projection.ExplainRef.Should().Be("explain://tenant-a/finding/123");
result.Projection.PolicyRationale.Should().ContainSingle()
.Which!.GetValue<string>().Should().Be("explain://tenant-a/finding/123");
result.Projection.CycleHash.Should().NotBeNullOrWhiteSpace();
ProjectionHashing.ComputeCycleHash(result.Projection).Should().Be(result.Projection.CycleHash);
result.History.Status.Should().Be("triaged");
result.History.Severity.Should().Be(6.5m);
result.Action.Should().BeNull();
}
[Fact]
public void Reduce_StatusChange_ProducesHistoryAndAction()
{
var existing = new FindingProjection(
"tenant-a",
"finding-1",
"policy-v1",
"affected",
5.0m,
new JsonObject(),
Guid.NewGuid(),
null,
DateTimeOffset.UtcNow,
string.Empty);
var existingHash = ProjectionHashing.ComputeCycleHash(existing);
existing = existing with { CycleHash = existingHash };
var payload = new JsonObject
{
["status"] = "accepted_risk",
["justification"] = "Approved by CISO"
};
var record = CreateRecord(LedgerEventConstants.EventFindingStatusChanged, payload);
var evaluation = new PolicyEvaluationResult(
"accepted_risk",
existing.Severity,
(JsonObject)existing.Labels.DeepClone(),
null,
new JsonArray());
var result = LedgerProjectionReducer.Reduce(record, existing, evaluation);
result.Projection.Status.Should().Be("accepted_risk");
result.History.Status.Should().Be("accepted_risk");
result.History.Comment.Should().Be("Approved by CISO");
result.Action.Should().NotBeNull();
result.Action!.ActionType.Should().Be("status_change");
result.Action.Payload["justification"]!.GetValue<string>().Should().Be("Approved by CISO");
}
[Fact]
public void Reduce_LabelUpdates_RemoveKeys()
{
var labels = new JsonObject
{
["kev"] = true,
["runtime"] = "exposed"
};
var existing = new FindingProjection(
"tenant-a",
"finding-1",
"policy-v1",
"triaged",
7.1m,
labels,
Guid.NewGuid(),
null,
DateTimeOffset.UtcNow,
string.Empty);
existing = existing with { CycleHash = ProjectionHashing.ComputeCycleHash(existing) };
var payload = new JsonObject
{
["labels"] = new JsonObject
{
["runtime"] = "contained",
["priority"] = "p1"
},
["labelsRemove"] = new JsonArray("kev")
};
var record = CreateRecord(LedgerEventConstants.EventFindingTagUpdated, payload);
var evaluation = new PolicyEvaluationResult(
"triaged",
existing.Severity,
(JsonObject)payload["labels"]!.DeepClone(),
null,
new JsonArray());
var result = LedgerProjectionReducer.Reduce(record, existing, evaluation);
result.Projection.Labels.ContainsKey("kev").Should().BeFalse();
result.Projection.Labels["runtime"]!.GetValue<string>().Should().Be("contained");
result.Projection.Labels["priority"]!.GetValue<string>().Should().Be("p1");
}
private static LedgerEventRecord CreateRecord(string eventType, JsonObject payload)
{
var envelope = new JsonObject
{
["event"] = new JsonObject
{
["id"] = Guid.NewGuid().ToString(),
["type"] = eventType,
["tenant"] = "tenant-a",
["chainId"] = Guid.NewGuid().ToString(),
["sequence"] = 1,
["policyVersion"] = "policy-v1",
["artifactId"] = "artifact-1",
["finding"] = new JsonObject
{
["id"] = "finding-1",
["artifactId"] = "artifact-1",
["vulnId"] = "CVE-2025-0001"
},
["actor"] = new JsonObject
{
["id"] = "user:alice",
["type"] = "operator"
},
["occurredAt"] = "2025-11-03T12:00:00.000Z",
["recordedAt"] = "2025-11-03T12:00:05.000Z",
["payload"] = payload.DeepClone()
}
};
var canonical = LedgerCanonicalJsonSerializer.Canonicalize(envelope);
var canonicalJson = LedgerCanonicalJsonSerializer.Serialize(canonical);
return new LedgerEventRecord(
"tenant-a",
Guid.Parse(canonical["event"]!["chainId"]!.GetValue<string>()),
1,
Guid.Parse(canonical["event"]!["id"]!.GetValue<string>()),
eventType,
canonical["event"]!["policyVersion"]!.GetValue<string>(),
canonical["event"]!["finding"]!["id"]!.GetValue<string>(),
canonical["event"]!["artifactId"]!.GetValue<string>(),
null,
canonical["event"]!["actor"]!["id"]!.GetValue<string>(),
canonical["event"]!["actor"]!["type"]!.GetValue<string>(),
DateTimeOffset.Parse(canonical["event"]!["occurredAt"]!.GetValue<string>()),
DateTimeOffset.Parse(canonical["event"]!["recordedAt"]!.GetValue<string>()),
canonical,
ComputeSha256Hex(canonicalJson),
LedgerEventConstants.EmptyHash,
ComputeSha256Hex("placeholder-1"),
canonicalJson);
}
private static string ComputeSha256Hex(string input)
{
var bytes = Encoding.UTF8.GetBytes(input);
var hashBytes = SHA256.HashData(bytes);
return Convert.ToHexString(hashBytes).ToLowerInvariant();
}
}