Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly. - Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps. - Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges. - Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges. - Set up project file for the test project with necessary dependencies and configurations. - Include JSON fixture files for testing purposes.
2025-11-04 07:49:39 +02:00
parent f72c5c513a
commit 2eb6852d34
491 changed files with 39445 additions and 3917 deletions
--- a/tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/schema-matrix.json
+++ b/tests/Graph/StellaOps.Graph.Indexer.Tests/Fixtures/v1/schema-matrix.json
@@ -0,0 +1,115 @@
+{
+  "version": "v1",
+  "nodes": {
+    "artifact": [
+      "display_name",
+      "artifact_digest",
+      "sbom_digest",
+      "environment",
+      "labels",
+      "origin_registry",
+      "supply_chain_stage"
+    ],
+    "component": [
+      "purl",
+      "version",
+      "ecosystem",
+      "scope",
+      "license_spdx",
+      "usage"
+    ],
+    "file": [
+      "normalized_path",
+      "content_sha256",
+      "language_hint",
+      "size_bytes",
+      "scope"
+    ],
+    "license": [
+      "license_spdx",
+      "name",
+      "classification",
+      "notice_uri"
+    ],
+    "advisory": [
+      "advisory_source",
+      "advisory_id",
+      "severity",
+      "published_at",
+      "content_hash",
+      "linkset_digest"
+    ],
+    "vex_statement": [
+      "status",
+      "statement_id",
+      "justification",
+      "issued_at",
+      "expires_at",
+      "content_hash"
+    ],
+    "policy_version": [
+      "policy_pack_digest",
+      "policy_name",
+      "effective_from",
+      "expires_at",
+      "explain_hash"
+    ],
+    "runtime_context": [
+      "runtime_fingerprint",
+      "collector",
+      "observed_at",
+      "cluster",
+      "namespace",
+      "workload_kind",
+      "runtime_state"
+    ]
+  },
+  "edges": {
+    "CONTAINS": [
+      "detected_by",
+      "layer_digest",
+      "scope",
+      "evidence_digest"
+    ],
+    "DEPENDS_ON": [
+      "dependency_purl",
+      "dependency_version",
+      "relationship",
+      "evidence_digest"
+    ],
+    "DECLARED_IN": [
+      "detected_by",
+      "scope",
+      "evidence_digest"
+    ],
+    "BUILT_FROM": [
+      "build_type",
+      "builder_id",
+      "attestation_digest"
+    ],
+    "AFFECTED_BY": [
+      "evidence_digest",
+      "matched_versions",
+      "cvss",
+      "confidence"
+    ],
+    "VEX_EXEMPTS": [
+      "status",
+      "justification",
+      "impact_statement",
+      "evidence_digest"
+    ],
+    "GOVERNS_WITH": [
+      "verdict",
+      "explain_hash",
+      "policy_rule_id",
+      "evaluation_timestamp"
+    ],
+    "OBSERVED_RUNTIME": [
+      "process_name",
+      "entrypoint_kind",
+      "runtime_evidence_digest",
+      "confidence"
+    ]
+  }
+}