up

2025-12-03 00:10:19 +02:00
parent ea1d58a89b
commit 37cba83708
158 changed files with 147438 additions and 867 deletions
--- a/samples/graph/graph-40k/explorer/README.md
+++ b/samples/graph/graph-40k/explorer/README.md
@@ -0,0 +1,34 @@
+# Vulnerability Explorer fixtures (SAMPLES-GRAPH-24-004)
+
+Derives a small, deterministic explorer dataset from the canonical graph-40k fixture.
+
+## Files
+- `vuln-explorer.json` — 5 records covering mixed policy verdicts and reachability (reachable/unreachable alternation).
+- `vuln-explorer.csv` — same data for CSV-driven UI/CLI tests; `evidence` is `;`-separated.
+- `manifest.json` — SHA-256 hashes for both files.
+
+## Source
+- Built from `samples/graph/graph-40k/overlay.ndjson` (policy overlays) using `samples/graph/scripts/build_explorer_fixture.py`.
+- Tenant: `demo-tenant`; snapshot: `graph-40k-policy-overlay-20251122`.
+
+## Determinism
+- Fixed advisory list and order.
+- Overlay rows sorted by `overlay_id`; first 5 overlays selected.
+- No randomness; rerunning `build_explorer_fixture.py` produces identical hashes.
+
+## Verify
+```bash
+python samples/graph/scripts/build_explorer_fixture.py
+python - <<'PY'
+import json,hashlib,Pathlib
+from pathlib import Path
+base=Path("samples/graph/graph-40k/explorer")
+for name in ["vuln-explorer.json","vuln-explorer.csv"]:
+    h=hashlib.sha256((base/name).read_bytes()).hexdigest()
+    print(name, h)
+PY
+```
+
+## Consumption hints
+- UI: seed list/detail views and policy conflict badges (fields: `reachability`, `policy_verdict`, `conflict`).
+- CLI: pipe JSON into explorer tests or convert from CSV as needed.
--- a/samples/graph/graph-40k/explorer/manifest.json
+++ b/samples/graph/graph-40k/explorer/manifest.json
@@ -0,0 +1,15 @@
+{
+  "advisories": [
+    "CVE-2024-0001",
+    "CVE-2024-0002",
+    "CVE-2023-9999",
+    "CVE-2025-1234",
+    "CVE-2022-4242"
+  ],
+  "count": 5,
+  "fixture": "graph-40k",
+  "hashes": {
+    "vuln-explorer.csv": "d116f2451fe82c7895325b1ceda10f024dd5df822131bf5882f5a1b97ea60ea0",
+    "vuln-explorer.json": "d34938dbb6d7de14751c6e49392de27766703425f18ab949861bc1d1147abb01"
+  }
+}
--- a/samples/graph/graph-40k/explorer/vuln-explorer.csv
+++ b/samples/graph/graph-40k/explorer/vuln-explorer.csv
@@ -0,0 +1,6 @@
+component,advisory,advisory_severity,reachability,status,policy_overlay_id,policy_verdict,policy_severity,policy_rule_id,evidence,conflict,snapshot,tenant
+pkg:pypi/demo-15400@1.0.0,CVE-2024-0001,critical,reachable,affected,00f6635f7e16f4249116313369beadeee8836ae6da36dedaec23b38130b92f24,deny,low,RULE-06000,sbom:mock-sbom-v1;overlay:00f6635f7e16f4249116313369beadeee8836ae6da36dedaec23b38130b92f24,policy_deny_vs_scanner_affected,graph-40k-policy-overlay-20251122,demo-tenant
+pkg:pypi/demo-6040@1.0.0,CVE-2024-0002,high,unreachable,not_affected,065090e3b6aa2f247cfd6844c5d00dda582516b606f068adbe497ac84fb71f99,defer,critical,RULE-35600,sbom:mock-sbom-v1;overlay:065090e3b6aa2f247cfd6844c5d00dda582516b606f068adbe497ac84fb71f99,,graph-40k-policy-overlay-20251122,demo-tenant
+pkg:pypi/demo-14320@1.0.0,CVE-2023-9999,medium,reachable,affected,06a3cb2fef361ef22f596d1cb2a9dba7da6cf4316b43892f3aa1041b55fdf457,deny,none,RULE-04800,sbom:mock-sbom-v1;overlay:06a3cb2fef361ef22f596d1cb2a9dba7da6cf4316b43892f3aa1041b55fdf457,policy_deny_vs_scanner_affected,graph-40k-policy-overlay-20251122,demo-tenant
+pkg:pypi/demo-4961@1.0.1,CVE-2025-1234,low,unreachable,not_affected,076cf3660de3a883d6a148a1850347300bd368e8177491b3c8a880e1f000bda6,defer,high,RULE-34400,sbom:mock-sbom-v1;overlay:076cf3660de3a883d6a148a1850347300bd368e8177491b3c8a880e1f000bda6,,graph-40k-policy-overlay-20251122,demo-tenant
+pkg:pypi/demo-6761@1.0.1,CVE-2022-4242,none,reachable,affected,08471f5759128be339110c0a72cf3cc6de36da9f5315a148f9e41602af808546,deny,none,RULE-36400,sbom:mock-sbom-v1;overlay:08471f5759128be339110c0a72cf3cc6de36da9f5315a148f9e41602af808546,policy_deny_vs_scanner_affected,graph-40k-policy-overlay-20251122,demo-tenant
--- a/samples/graph/graph-40k/explorer/vuln-explorer.json
+++ b/samples/graph/graph-40k/explorer/vuln-explorer.json
@@ -0,0 +1,92 @@
+[
+  {
+    "advisory": "CVE-2024-0001",
+    "advisory_severity": "critical",
+    "component": "pkg:pypi/demo-15400@1.0.0",
+    "conflict": "policy_deny_vs_scanner_affected",
+    "evidence": [
+      "sbom:mock-sbom-v1",
+      "overlay:00f6635f7e16f4249116313369beadeee8836ae6da36dedaec23b38130b92f24"
+    ],
+    "policy_overlay_id": "00f6635f7e16f4249116313369beadeee8836ae6da36dedaec23b38130b92f24",
+    "policy_rule_id": "RULE-06000",
+    "policy_severity": "low",
+    "policy_verdict": "deny",
+    "reachability": "reachable",
+    "snapshot": "graph-40k-policy-overlay-20251122",
+    "status": "affected",
+    "tenant": "demo-tenant"
+  },
+  {
+    "advisory": "CVE-2024-0002",
+    "advisory_severity": "high",
+    "component": "pkg:pypi/demo-6040@1.0.0",
+    "conflict": "",
+    "evidence": [
+      "sbom:mock-sbom-v1",
+      "overlay:065090e3b6aa2f247cfd6844c5d00dda582516b606f068adbe497ac84fb71f99"
+    ],
+    "policy_overlay_id": "065090e3b6aa2f247cfd6844c5d00dda582516b606f068adbe497ac84fb71f99",
+    "policy_rule_id": "RULE-35600",
+    "policy_severity": "critical",
+    "policy_verdict": "defer",
+    "reachability": "unreachable",
+    "snapshot": "graph-40k-policy-overlay-20251122",
+    "status": "not_affected",
+    "tenant": "demo-tenant"
+  },
+  {
+    "advisory": "CVE-2023-9999",
+    "advisory_severity": "medium",
+    "component": "pkg:pypi/demo-14320@1.0.0",
+    "conflict": "policy_deny_vs_scanner_affected",
+    "evidence": [
+      "sbom:mock-sbom-v1",
+      "overlay:06a3cb2fef361ef22f596d1cb2a9dba7da6cf4316b43892f3aa1041b55fdf457"
+    ],
+    "policy_overlay_id": "06a3cb2fef361ef22f596d1cb2a9dba7da6cf4316b43892f3aa1041b55fdf457",
+    "policy_rule_id": "RULE-04800",
+    "policy_severity": "none",
+    "policy_verdict": "deny",
+    "reachability": "reachable",
+    "snapshot": "graph-40k-policy-overlay-20251122",
+    "status": "affected",
+    "tenant": "demo-tenant"
+  },
+  {
+    "advisory": "CVE-2025-1234",
+    "advisory_severity": "low",
+    "component": "pkg:pypi/demo-4961@1.0.1",
+    "conflict": "",
+    "evidence": [
+      "sbom:mock-sbom-v1",
+      "overlay:076cf3660de3a883d6a148a1850347300bd368e8177491b3c8a880e1f000bda6"
+    ],
+    "policy_overlay_id": "076cf3660de3a883d6a148a1850347300bd368e8177491b3c8a880e1f000bda6",
+    "policy_rule_id": "RULE-34400",
+    "policy_severity": "high",
+    "policy_verdict": "defer",
+    "reachability": "unreachable",
+    "snapshot": "graph-40k-policy-overlay-20251122",
+    "status": "not_affected",
+    "tenant": "demo-tenant"
+  },
+  {
+    "advisory": "CVE-2022-4242",
+    "advisory_severity": "none",
+    "component": "pkg:pypi/demo-6761@1.0.1",
+    "conflict": "policy_deny_vs_scanner_affected",
+    "evidence": [
+      "sbom:mock-sbom-v1",
+      "overlay:08471f5759128be339110c0a72cf3cc6de36da9f5315a148f9e41602af808546"
+    ],
+    "policy_overlay_id": "08471f5759128be339110c0a72cf3cc6de36da9f5315a148f9e41602af808546",
+    "policy_rule_id": "RULE-36400",
+    "policy_severity": "none",
+    "policy_verdict": "deny",
+    "reachability": "reachable",
+    "snapshot": "graph-40k-policy-overlay-20251122",
+    "status": "affected",
+    "tenant": "demo-tenant"
+  }
+]