feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/src/Policy/__Tests/StellaOps.Policy.Tests/Deltas/DeltaVerdictTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Tests/Deltas/DeltaVerdictTests.cs
@@ -0,0 +1,152 @@
+using FluentAssertions;
+using StellaOps.Policy.Deltas;
+using Xunit;
+
+namespace StellaOps.Policy.Tests.Deltas;
+
+public sealed class DeltaVerdictTests
+{
+    [Fact]
+    public void Build_WithNoDrivers_ReturnsPass()
+    {
+        var verdict = new DeltaVerdictBuilder()
+            .Build("delta:sha256:test");
+
+        verdict.Status.Should().Be(DeltaVerdictStatus.Pass);
+        verdict.Explanation.Should().Contain("No blocking");
+    }
+
+    [Fact]
+    public void Build_WithWarningDriver_ReturnsWarn()
+    {
+        var driver = new DeltaDriver
+        {
+            Type = "new-package",
+            Severity = DeltaDriverSeverity.Low,
+            Description = "New package added"
+        };
+
+        var verdict = new DeltaVerdictBuilder()
+            .AddWarningDriver(driver)
+            .Build("delta:sha256:test");
+
+        verdict.Status.Should().Be(DeltaVerdictStatus.Warn);
+        verdict.WarningDrivers.Should().HaveCount(1);
+    }
+
+    [Fact]
+    public void Build_WithBlockingDriver_ReturnsFail()
+    {
+        var driver = new DeltaDriver
+        {
+            Type = "new-reachable-cve",
+            Severity = DeltaDriverSeverity.Critical,
+            Description = "Critical CVE is now reachable",
+            CveId = "CVE-2024-001"
+        };
+
+        var verdict = new DeltaVerdictBuilder()
+            .AddBlockingDriver(driver)
+            .Build("delta:sha256:test");
+
+        verdict.Status.Should().Be(DeltaVerdictStatus.Fail);
+        verdict.BlockingDrivers.Should().HaveCount(1);
+        verdict.RecommendedGate.Should().Be(DeltaGateLevel.G4);
+    }
+
+    [Fact]
+    public void Build_WithBlockingDriverAndException_ReturnsPassWithExceptions()
+    {
+        var driver = new DeltaDriver
+        {
+            Type = "new-reachable-cve",
+            Severity = DeltaDriverSeverity.Critical,
+            Description = "Critical CVE is now reachable",
+            CveId = "CVE-2024-001"
+        };
+
+        var verdict = new DeltaVerdictBuilder()
+            .AddBlockingDriver(driver)
+            .AddException("exception-123")
+            .Build("delta:sha256:test");
+
+        verdict.Status.Should().Be(DeltaVerdictStatus.PassWithExceptions);
+        verdict.AppliedExceptions.Should().Contain("exception-123");
+    }
+
+    [Fact]
+    public void Build_CriticalDriver_EscalatesToG4()
+    {
+        var driver = new DeltaDriver
+        {
+            Type = "critical-issue",
+            Severity = DeltaDriverSeverity.Critical,
+            Description = "Critical issue"
+        };
+
+        var verdict = new DeltaVerdictBuilder()
+            .AddBlockingDriver(driver)
+            .Build("delta:sha256:test");
+
+        verdict.RecommendedGate.Should().Be(DeltaGateLevel.G4);
+    }
+
+    [Fact]
+    public void Build_HighDriver_EscalatesToG3()
+    {
+        var driver = new DeltaDriver
+        {
+            Type = "high-issue",
+            Severity = DeltaDriverSeverity.High,
+            Description = "High severity issue"
+        };
+
+        var verdict = new DeltaVerdictBuilder()
+            .AddBlockingDriver(driver)
+            .Build("delta:sha256:test");
+
+        verdict.RecommendedGate.Should().Be(DeltaGateLevel.G3);
+    }
+
+    [Fact]
+    public void Build_WithRiskPoints_SetsCorrectValue()
+    {
+        var verdict = new DeltaVerdictBuilder()
+            .WithRiskPoints(25)
+            .Build("delta:sha256:test");
+
+        verdict.RiskPoints.Should().Be(25);
+    }
+
+    [Fact]
+    public void Build_WithRecommendations_IncludesAll()
+    {
+        var verdict = new DeltaVerdictBuilder()
+            .AddRecommendation("Review CVE-2024-001")
+            .AddRecommendation("Update dependency")
+            .Build("delta:sha256:test");
+
+        verdict.Recommendations.Should().HaveCount(2);
+        verdict.Recommendations.Should().Contain("Review CVE-2024-001");
+    }
+
+    [Fact]
+    public void Build_WithCustomExplanation_UsesProvided()
+    {
+        var verdict = new DeltaVerdictBuilder()
+            .WithExplanation("Custom explanation")
+            .Build("delta:sha256:test");
+
+        verdict.Explanation.Should().Be("Custom explanation");
+    }
+
+    [Fact]
+    public void Build_GeneratesUniqueVerdictId()
+    {
+        var verdict1 = new DeltaVerdictBuilder().Build("delta:sha256:test");
+        var verdict2 = new DeltaVerdictBuilder().Build("delta:sha256:test");
+
+        verdict1.VerdictId.Should().StartWith("dv:");
+        verdict1.VerdictId.Should().NotBe(verdict2.VerdictId);
+    }
+}