Add unit and integration tests for VexCandidateEmitter and SmartDiff repositories
- Implemented comprehensive unit tests for VexCandidateEmitter to validate candidate emission logic based on various scenarios including absent and present APIs, confidence thresholds, and rate limiting. - Added integration tests for SmartDiff PostgreSQL repositories, covering snapshot storage and retrieval, candidate storage, and material risk change handling. - Ensured tests validate correct behavior for storing, retrieving, and querying snapshots and candidates, including edge cases and expected outcomes.
This commit is contained in:
master
@@ -30,20 +30,20 @@ why the system leans *monolith‑plus‑plug‑ins*, and where extension points
|
||||
|
||||
```mermaid
|
||||
graph TD
|
||||
A(API Gateway)
|
||||
B1(Scanner Core<br/>.NET latest LTS)
|
||||
B2(Concelier service\n(vuln ingest/merge/export))
|
||||
B3(Policy Engine OPA)
|
||||
C1(Redis 7)
|
||||
C2(MongoDB 7)
|
||||
D(UI SPA<br/>Angular latest version)
|
||||
A(API Gateway)
|
||||
B1(Scanner Core<br/>.NET latest LTS)
|
||||
B2(Concelier service\n(vuln ingest/merge/export))
|
||||
B3(Policy Engine OPA)
|
||||
C1(Redis 7)
|
||||
C2(PostgreSQL 16)
|
||||
D(UI SPA<br/>Angular latest version)
|
||||
A -->|gRPC| B1
|
||||
B1 -->|async| B2
|
||||
B1 -->|OPA| B3
|
||||
B1 --> C1
|
||||
B1 --> C2
|
||||
A -->|REST/WS| D
|
||||
````
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
@@ -53,10 +53,10 @@ graph TD
|
||||
| ---------------------------- | --------------------- | ---------------------------------------------------- |
|
||||
| **API Gateway** | ASP.NET Minimal API | Auth (JWT), quotas, request routing |
|
||||
| **Scanner Core** | C# 12, Polly | Layer diffing, SBOM generation, vuln correlation |
|
||||
| **Concelier (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical MongoDB store and drive JSON / Trivy DB exports |
|
||||
| **Policy Engine** | OPA (Rego) | admission decisions, custom org rules |
|
||||
| **Concelier (vulnerability ingest/merge/export service)** | C# source-gen workers | Consolidate NVD + regional CVE feeds into the canonical PostgreSQL store and drive JSON / Trivy DB exports |
|
||||
| **Policy Engine** | OPA (Rego) | admission decisions, custom org rules |
|
||||
| **Redis 7** | Key‑DB compatible | LRU cache, quota counters |
|
||||
| **MongoDB 7** | WiredTiger | SBOM & findings storage |
|
||||
| **PostgreSQL 16** | JSONB storage | SBOM & findings storage |
|
||||
| **Angular {{ angular }} UI** | RxJS, Tailwind | Dashboard, reports, admin UX |
|
||||
|
||||
---
|
||||
@@ -87,8 +87,8 @@ Hot‑plugging is deferred until after v 1.0 for security review.
|
||||
* If miss → pulls layers, generates SBOM.
|
||||
* Executes plug‑ins (mutators, additional scanners).
|
||||
4. **Policy Engine** evaluates `scanResult` document.
|
||||
5. **Findings** stored in MongoDB; WebSocket event notifies UI.
|
||||
6. **ResultSink plug‑ins** export to Slack, Splunk, JSON file, etc.
|
||||
5. **Findings** stored in PostgreSQL; WebSocket event notifies UI.
|
||||
6. **ResultSink plug‑ins** export to Slack, Splunk, JSON file, etc.
|
||||
|
||||
---
|
||||
|
||||
@@ -121,7 +121,7 @@ Hot‑plugging is deferred until after v 1.0 for security review.
|
||||
Although the default deployment is a single container, each sub‑service can be
|
||||
extracted:
|
||||
|
||||
* Concelier → standalone cron pod.
|
||||
* Concelier → standalone cron pod.
|
||||
* Policy Engine → side‑car (OPA) with gRPC contract.
|
||||
* ResultSink → queue worker (RabbitMQ or Azure Service Bus).
|
||||
|
||||
|
||||
Reference in New Issue
Block a user