update evidence bundle to include new evidence types and implement ProofSpine integration

2025-12-15 09:15:30 +02:00
parent 8c8f0c632d
commit 505fe7a885
49 changed files with 4756 additions and 551 deletions
--- a/src/Policy/__Tests/StellaOps.Policy.Tests/Suppression/SuppressionRuleEvaluatorTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Suppression/SuppressionRuleEvaluatorTests.cs
@@ -0,0 +1,145 @@
+using StellaOps.Policy.Suppression;
+using Xunit;
+
+namespace StellaOps.Policy.Tests.Suppression;
+
+public sealed class SuppressionRuleEvaluatorTests
+{
+    [Fact]
+    public void Evaluate_Suppresses_WhenAllConditionsPass()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: false,
+            VexStatus: VexStatus.NotAffected,
+            Kev: false));
+
+        Assert.True(result.Suppressed);
+        Assert.All(result.Conditions, condition => Assert.True(condition.Passed, condition.ConditionName));
+        Assert.Equal("All 4 suppression conditions met", result.Reason);
+    }
+
+    [Fact]
+    public void Evaluate_DoesNotSuppress_WhenReachableIsTrue()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: true,
+            VexStatus: VexStatus.NotAffected,
+            Kev: false));
+
+        Assert.False(result.Suppressed);
+        Assert.Contains("unreachable", result.Reason, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Evaluate_DoesNotSuppress_WhenReachableIsUnknown()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: null,
+            VexStatus: VexStatus.NotAffected,
+            Kev: false));
+
+        Assert.False(result.Suppressed);
+        Assert.Contains("unreachable", result.Reason, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Evaluate_DoesNotSuppress_WhenVexIsNotNotAffected()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: false,
+            VexStatus: VexStatus.Affected,
+            Kev: false));
+
+        Assert.False(result.Suppressed);
+        Assert.Contains("vex_not_affected", result.Reason, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Evaluate_DoesNotSuppress_WhenKev()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: false,
+            VexStatus: VexStatus.NotAffected,
+            Kev: true));
+
+        Assert.False(result.Suppressed);
+        Assert.Contains("not_kev", result.Reason, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void Evaluate_DoesNotSuppress_WhenOverrideActive()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider(new[] { key }));
+
+        var result = evaluator.Evaluate(new SuppressionInput(
+            FindingKey: key,
+            Reachable: false,
+            VexStatus: VexStatus.NotAffected,
+            Kev: false));
+
+        Assert.False(result.Suppressed);
+        Assert.Contains("no_override", result.Reason, StringComparison.Ordinal);
+    }
+
+    [Fact]
+    public void EvaluatePatchChurn_Suppresses_WhenVersionChangesButNoMaterialChange()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.EvaluatePatchChurn(new PatchChurnInput(
+            FindingKey: key,
+            VersionChanged: true,
+            WasInAffectedRange: false,
+            IsInAffectedRange: false,
+            Kev: false,
+            PolicyFlipped: false));
+
+        Assert.True(result.Suppressed);
+        Assert.Equal("Patch churn - no material change", result.Reason);
+    }
+
+    [Fact]
+    public void EvaluatePatchChurn_DoesNotSuppress_WhenInAffectedRange()
+    {
+        var key = CreateFindingKey();
+        var evaluator = new SuppressionRuleEvaluator(new InMemorySuppressionOverrideProvider());
+
+        var result = evaluator.EvaluatePatchChurn(new PatchChurnInput(
+            FindingKey: key,
+            VersionChanged: true,
+            WasInAffectedRange: false,
+            IsInAffectedRange: true,
+            Kev: false,
+            PolicyFlipped: false));
+
+        Assert.False(result.Suppressed);
+    }
+
+    private static FindingKey CreateFindingKey() => new(
+        ComponentPurl: "pkg:nuget/Example.Component@1.0.0",
+        ComponentVersion: "1.0.0",
+        CveId: "CVE-2025-0001");
+}
+