Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality. - Created `PackRunWorkerOptions` for configuring worker paths and execution persistence. - Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports. - Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events. - Developed `RedisTimelineEventSubscriber` for reading from Redis Streams. - Added `TimelineEnvelopeParser` to normalize incoming event envelopes. - Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping. - Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions
--- a/docs/modules/scanner/fixtures/competitor-adapters/fixtures/hashes.txt
+++ b/docs/modules/scanner/fixtures/competitor-adapters/fixtures/hashes.txt
@@ -1 +1,4 @@
-# Golden outputs for Syft/Trivy/Clair fixtures; fill after adapter code lands
+# Deterministic hashes for normalized competitor ingest fixtures (BLAKE3, SHA256)
+normalized-syft.json: BLAKE3=aa42c167d19535709a10df73dc39e6a50b8efbbb0ae596d17183ce62676fa85a SHA256=3f8684ff341808dcb92e97dd2c10acca727baaff05182e81a4364bb3dad0eaa7
+normalized-trivy.json: BLAKE3=0da216b49ebcf823d8d4aa3c9c1d2a1dcc579d836ba66bb2ae94dd781e214130 SHA256=c29aa6251d378c2aca1c3c6165e61bd2e16b6fa1227c976417b8a525ad7c1fc1
+normalized-clair.json: BLAKE3=92985f4cbdeecc8a0e585a70e07f17b07abdd866eecacaca9ba1b331f4b3af68 SHA256=bc232cc19885c53e4d801f5c830e3683a4031e42f6421739c4cc221f33f15e01
--- a/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-clair.json
+++ b/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-clair.json
@@ -0,0 +1,25 @@
+{
+  "source": { "tool": "clair", "version": "6.0.0", "hash": "sha256:clair-fixture" },
+  "components": [
+    {
+      "name": "demo-os",
+      "version": "3.1-1",
+      "purl": "pkg:apk/demo-os@3.1-1",
+      "type": "os",
+      "hashes": ["sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"],
+      "licenses": ["BSD-3-Clause"],
+      "evidenceRef": "evidence-003"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-0000-0003",
+      "source": "alpine",
+      "severity": "Low",
+      "cvss": { "score": 3.1, "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" },
+      "fixVersions": ["3.1-2"],
+      "evidenceRef": "evidence-003"
+    }
+  ],
+  "normalized_hash": "blake3:993e43cfe0f22667b5243d4a91d18f53e3efe4f84ee97fc33531629c9ff36418"
+}
--- a/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-syft.json
+++ b/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-syft.json
@@ -0,0 +1,25 @@
+{
+  "source": { "tool": "syft", "version": "1.0.0", "hash": "sha256:syft-fixture" },
+  "components": [
+    {
+      "name": "demo-app",
+      "version": "1.0.0",
+      "purl": "pkg:docker/demo-app@1.0.0",
+      "type": "container",
+      "hashes": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
+      "licenses": ["MIT"],
+      "evidenceRef": "evidence-001"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-0000-0002",
+      "source": "nvd",
+      "severity": "High",
+      "cvss": { "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
+      "fixVersions": ["1.0.1"],
+      "evidenceRef": "evidence-001"
+    }
+  ],
+  "normalized_hash": "blake3:aea5398089eec122fd594027e9b1322b19d87b057bdb2d0925a89cf2c945b980"
+}
--- a/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-trivy.json
+++ b/docs/modules/scanner/fixtures/competitor-adapters/fixtures/normalized-trivy.json
@@ -0,0 +1,25 @@
+{
+  "source": { "tool": "trivy", "version": "0.50.0", "hash": "sha256:trivy-fixture" },
+  "components": [
+    {
+      "name": "demo-lib",
+      "version": "2.0.0",
+      "purl": "pkg:npm/demo-lib@2.0.0",
+      "type": "library",
+      "hashes": ["sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"],
+      "licenses": ["Apache-2.0"],
+      "evidenceRef": "evidence-002"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "GHSA-xxxx-yyyy-zzzz",
+      "source": "ghsa",
+      "severity": "Medium",
+      "cvss": { "score": 5.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" },
+      "fixVersions": ["2.0.1"],
+      "evidenceRef": "evidence-002"
+    }
+  ],
+  "normalized_hash": "blake3:0db368a22f8fe008f03ee8256a5fafe4b16bf8c087ae1c273c6d0090b5cadca7"
+}