Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality. - Created `PackRunWorkerOptions` for configuring worker paths and execution persistence. - Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports. - Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events. - Developed `RedisTimelineEventSubscriber` for reading from Redis Streams. - Added `TimelineEnvelopeParser` to normalize incoming event envelopes. - Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping. - Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions
--- a/docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt
+++ b/docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt
@@ -1,3 +1,3 @@
-# placeholder; compute BLAKE3 and SHA256 after schemas stabilize
-sample-cdx17-cbom.json: BLAKE3=<TBD> SHA256=<TBD>
-sample-cdx16.json: BLAKE3=<TBD> SHA256=<TBD>
+# Deterministic hashes for CDX 1.7 CBOM fixture and downgraded 1.6 variant
+sample-cdx17-cbom.json: BLAKE3=27c6de0ccd6adb8149c5521477fba8292aa119fb9e42b521cba6356b2308e761 SHA256=22d8f6f80f02be13f840b74b24b2eea769f108a225152695e1bf8d8a0577e6f6
+sample-cdx16.json: BLAKE3=da5b631a8cca865f929f8fd5d3b35adc512de1754fe2278cb8b415b01c81b3d3 SHA256=3cf6cb04aec97ec05fad0658f54b4ec099644176806f098897a9ba0bf1135cb0
--- a/docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx16.json
+++ b/docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx16.json
@@ -0,0 +1,49 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-01-01T00:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "demo-app",
+      "version": "1.0.0",
+      "purl": "pkg:demo/demo-app@1.0.0",
+      "hashes": [
+        { "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
+      ]
+    },
+    "tools": [
+      { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
+    ]
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "lib-a",
+      "version": "1.2.3",
+      "purl": "pkg:demo/lib-a@1.2.3"
+    },
+    {
+      "type": "library",
+      "name": "lib-b",
+      "version": "2.0.0",
+      "purl": "pkg:demo/lib-b@2.0.0"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-0000-0001",
+      "source": { "name": "NVD" },
+      "ratings": [
+        {
+          "source": { "name": "NVD" },
+          "method": "CVSSv3.1",
+          "score": 7.5,
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ]
+    }
+  ]
+}
--- a/docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json
+++ b/docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json
@@ -10,10 +10,26 @@
      "name": "demo-app",
      "version": "1.0.0",
      "purl": "pkg:demo/demo-app@1.0.0",
-      "hashes": [ { "alg": "SHA-256", "content": "d" } ],
-      "evidence": { "properties": [ { "name": "evidence:source", "value": "fixture" } ] }
+      "hashes": [
+        { "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
+      ],
+      "evidence": {
+        "properties": [
+          { "name": "evidence:source", "value": "fixture" },
+          { "name": "evidence:hash", "value": "blake3:fixture-demo-app" }
+        ]
+      }
    },
-    "tools": [ { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" } ]
+    "properties": [
+      { "name": "source.repo", "value": "https://example.invalid/demo" },
+      { "name": "source.ref", "value": "refs/tags/v1.0.0" },
+      { "name": "build.id", "value": "build-123" },
+      { "name": "build.invocation.hash", "value": "blake3:deadbeef" },
+      { "name": "provenance.dsse", "value": "sha256:2222222222222222222222222222222222222222222222222222222222222222" }
+    ],
+    "tools": [
+      { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
+    ]
  },
  "services": [
    {
@@ -25,16 +41,43 @@
    }
  ],
  "components": [
-    { "type": "library", "name": "lib-a", "version": "1.2.3", "purl": "pkg:demo/lib-a@1.2.3" },
-    { "type": "library", "name": "lib-b", "version": "2.0.0", "purl": "pkg:demo/lib-b@2.0.0" }
+    {
+      "type": "library",
+      "name": "lib-a",
+      "version": "1.2.3",
+      "purl": "pkg:demo/lib-a@1.2.3",
+      "hashes": [ { "alg": "SHA-256", "content": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" } ]
+    },
+    {
+      "type": "library",
+      "name": "lib-b",
+      "version": "2.0.0",
+      "purl": "pkg:demo/lib-b@2.0.0",
+      "hashes": [ { "alg": "SHA-256", "content": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" } ]
+    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-0000-0001",
      "source": { "name": "NVD" },
      "ratings": [
-        { "source": { "name": "NVD" }, "method": "CVSSv4", "score": 8.0, "vector": "CVSS:4.0/AV:N/AC:L" },
-        { "source": { "name": "NVD" }, "method": "CVSSv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
+        {
+          "source": { "name": "NVD" },
+          "method": "CVSSv4",
+          "score": 8.0,
+          "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+        },
+        {
+          "source": { "name": "NVD" },
+          "method": "CVSSv3.1",
+          "score": 7.5,
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "properties": [
+        { "name": "evidence:source", "value": "fixture" },
+        { "name": "evidence:proof-id", "value": "proof-123" },
+        { "name": "evidence:hash", "value": "sha256:3333333333333333333333333333333333333333333333333333333333333333" }
      ]
    }
  ]