Add unit tests for SBOM ingestion and transformation

- Implement `SbomIngestServiceCollectionExtensionsTests` to verify the SBOM ingestion pipeline exports snapshots correctly. - Create `SbomIngestTransformerTests` to ensure the transformation produces expected nodes and edges, including deduplication of license nodes and normalization of timestamps. - Add `SbomSnapshotExporterTests` to test the export functionality for manifest, adjacency, nodes, and edges. - Introduce `VexOverlayTransformerTests` to validate the transformation of VEX nodes and edges. - Set up project file for the test project with necessary dependencies and configurations. - Include JSON fixture files for testing purposes.
2025-11-04 07:49:39 +02:00
parent f72c5c513a
commit 2eb6852d34
491 changed files with 39445 additions and 3917 deletions
--- a/tests/Graph/StellaOps.Graph.Indexer.Tests/GraphSnapshotBuilderTests.cs
+++ b/tests/Graph/StellaOps.Graph.Indexer.Tests/GraphSnapshotBuilderTests.cs
@@ -0,0 +1,147 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.IO;
+using System.Linq;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using FluentAssertions;
+using StellaOps.Graph.Indexer.Documents;
+using StellaOps.Graph.Indexer.Ingestion.Advisory;
+using StellaOps.Graph.Indexer.Ingestion.Policy;
+using StellaOps.Graph.Indexer.Ingestion.Sbom;
+using StellaOps.Graph.Indexer.Ingestion.Vex;
+using StellaOps.Graph.Indexer.Schema;
+using Xunit;
+
+namespace StellaOps.Graph.Indexer.Tests;
+
+public sealed class GraphSnapshotBuilderTests
+{
+    private static readonly string FixturesRoot =
+        Path.Combine(AppContext.BaseDirectory, "Fixtures", "v1");
+
+    [Fact]
+    public void Build_creates_manifest_and_adjacency_with_lineage()
+    {
+        var sbomSnapshot = Load<SbomSnapshot>("sbom-snapshot.json");
+        var linksetSnapshot = Load<AdvisoryLinksetSnapshot>("concelier-linkset.json");
+        var vexSnapshot = Load<VexOverlaySnapshot>("excititor-vex.json");
+        var policySnapshot = Load<PolicyOverlaySnapshot>("policy-overlay.json");
+
+        var sbomBatch = new SbomIngestTransformer().Transform(sbomSnapshot);
+        var advisoryBatch = new AdvisoryLinksetTransformer().Transform(linksetSnapshot);
+        var vexBatch = new VexOverlayTransformer().Transform(vexSnapshot);
+        var policyBatch = new PolicyOverlayTransformer().Transform(policySnapshot);
+
+        var combinedBatch = MergeBatches(sbomBatch, advisoryBatch, vexBatch, policyBatch);
+
+        var builder = new GraphSnapshotBuilder();
+        var generatedAt = DateTimeOffset.Parse("2025-10-30T12:06:30Z");
+
+        var snapshot = builder.Build(sbomSnapshot, combinedBatch, generatedAt);
+
+        snapshot.Manifest.Tenant.Should().Be("tenant-alpha");
+        snapshot.Manifest.ArtifactDigest.Should().Be("sha256:aaa111");
+        snapshot.Manifest.SbomDigest.Should().Be("sha256:sbom111");
+        snapshot.Manifest.GeneratedAt.Should().Be(generatedAt);
+        snapshot.Manifest.NodeCount.Should().Be(combinedBatch.Nodes.Length);
+        snapshot.Manifest.EdgeCount.Should().Be(combinedBatch.Edges.Length);
+        snapshot.Manifest.Files.Nodes.Should().Be("nodes.jsonl");
+        snapshot.Manifest.Files.Edges.Should().Be("edges.jsonl");
+        snapshot.Manifest.Files.Adjacency.Should().Be("adjacency.json");
+
+        snapshot.Manifest.Lineage.DerivedFromSbomDigests.Should().BeEquivalentTo(new[] { "sha256:sbom-base" }, options => options.WithStrictOrdering());
+        snapshot.Manifest.Lineage.BaseArtifactDigests.Should().BeEquivalentTo(new[] { "sha256:base000" }, options => options.WithStrictOrdering());
+        snapshot.Manifest.Lineage.SourceSnapshotId.Should().BeNull();
+
+        var manifestJson = snapshot.Manifest.ToJson();
+        manifestJson.Should().NotBeNull();
+        manifestJson["hash"]!.GetValue<string>().Should().Be(snapshot.Manifest.Hash);
+
+        var manifestWithoutHash = (JsonObject)manifestJson.DeepClone();
+        manifestWithoutHash.Remove("hash");
+        var expectedManifestHash = GraphIdentity.ComputeDocumentHash(manifestWithoutHash);
+        snapshot.Manifest.Hash.Should().Be(expectedManifestHash);
+
+        var adjacency = snapshot.Adjacency;
+        adjacency.Tenant.Should().Be("tenant-alpha");
+        adjacency.SnapshotId.Should().Be(snapshot.Manifest.SnapshotId);
+        adjacency.GeneratedAt.Should().Be(generatedAt);
+
+        var adjacencyNodes = adjacency.Nodes.ToDictionary(node => node.NodeId, StringComparer.Ordinal);
+        adjacencyNodes.Should().ContainKey("gn:tenant-alpha:artifact:RX033HH7S6JXMY66QM51S89SX76B3JXJHWHPXPPBJCD05BR3GVXG");
+
+        var artifactAdjacency = adjacencyNodes["gn:tenant-alpha:artifact:RX033HH7S6JXMY66QM51S89SX76B3JXJHWHPXPPBJCD05BR3GVXG"];
+        artifactAdjacency.OutgoingEdges.Should().BeEquivalentTo(new[]
+        {
+            "ge:tenant-alpha:BUILT_FROM:HJNKVFSDSA44HRY0XAJ0GBEVPD2S82JFF58BZVRT9QF6HB2EGPJG",
+            "ge:tenant-alpha:CONTAINS:EVA5N7P029VYV9W8Q7XJC0JFTEQYFSAQ6381SNVM3T1G5290XHTG"
+        }, options => options.WithStrictOrdering());
+        artifactAdjacency.IncomingEdges.Should().BeEmpty();
+
+        var componentAdjacency = adjacencyNodes["gn:tenant-alpha:component:BQSZFXSPNGS6M8XEQZ6XX3E7775XZQABM301GFPFXCQSQSA1WHZ0"];
+        componentAdjacency.IncomingEdges.Should().BeEquivalentTo(new[]
+        {
+            "ge:tenant-alpha:CONTAINS:EVA5N7P029VYV9W8Q7XJC0JFTEQYFSAQ6381SNVM3T1G5290XHTG",
+            "ge:tenant-alpha:GOVERNS_WITH:XG3KQTYT8D4NY0BTFXWGBQY6TXR2MRYDWZBQT07T0200NQ72AFG0"
+        });
+        componentAdjacency.OutgoingEdges.Should().BeEquivalentTo(new[]
+        {
+            "ge:tenant-alpha:DEPENDS_ON:FJ7GZ9RHPKPR30XVKECD702QG20PGT3V75DY1GST8AAW9SR8TBB0",
+            "ge:tenant-alpha:DECLARED_IN:T7E8NQEMKXPZ3T1SWT8HXKWAHJVS9QKD87XBKAQAAQ29CDHEA47G",
+            "ge:tenant-alpha:AFFECTED_BY:1V3NRKAR6KMXAWZ89R69G8JAY3HV7DXNB16YY9X25X1TAFW9VGYG",
+            "ge:tenant-alpha:VEX_EXEMPTS:DT0BBCM9S0KJVF61KVR7D2W8DVFTKK03F3TFD4DR9DRS0T5CWZM0"
+        });
+
+        var dependencyComponent = adjacencyNodes["gn:tenant-alpha:component:FZ9EHXFFGPDQAEKAPWZ4JX5X6KYS467PJ5D1Y4T9NFFQG2SG0DV0"];
+        dependencyComponent.IncomingEdges.Should().BeEquivalentTo(new[]
+        {
+            "ge:tenant-alpha:DEPENDS_ON:FJ7GZ9RHPKPR30XVKECD702QG20PGT3V75DY1GST8AAW9SR8TBB0"
+        });
+        dependencyComponent.OutgoingEdges.Should().BeEmpty();
+
+        adjacency.Nodes.Length.Should().Be(combinedBatch.Nodes.Length);
+    }
+
+    private static GraphBuildBatch MergeBatches(params GraphBuildBatch[] batches)
+    {
+        var nodes = new Dictionary<string, JsonObject>(StringComparer.Ordinal);
+        var edges = new Dictionary<string, JsonObject>(StringComparer.Ordinal);
+
+        foreach (var batch in batches)
+        {
+            foreach (var node in batch.Nodes)
+            {
+                nodes[node["id"]!.GetValue<string>()] = node;
+            }
+
+            foreach (var edge in batch.Edges)
+            {
+                edges[edge["id"]!.GetValue<string>()] = edge;
+            }
+        }
+
+        var orderedNodes = nodes.Values
+            .OrderBy(node => node["kind"]!.GetValue<string>(), StringComparer.Ordinal)
+            .ThenBy(node => node["id"]!.GetValue<string>(), StringComparer.Ordinal)
+            .ToImmutableArray();
+
+        var orderedEdges = edges.Values
+            .OrderBy(edge => edge["kind"]!.GetValue<string>(), StringComparer.Ordinal)
+            .ThenBy(edge => edge["id"]!.GetValue<string>(), StringComparer.Ordinal)
+            .ToImmutableArray();
+
+        return new GraphBuildBatch(orderedNodes, orderedEdges);
+    }
+
+    private static T Load<T>(string fixtureFile)
+    {
+        var path = Path.Combine(FixturesRoot, fixtureFile);
+        var json = File.ReadAllText(path);
+        return JsonSerializer.Deserialize<T>(json, new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true
+        })!;
+    }
+}