Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
--- a/docs/19_TEST_SUITE_OVERVIEW.md
+++ b/docs/19_TEST_SUITE_OVERVIEW.md
@@ -57,7 +57,62 @@ The script spins up MongoDB/Redis via Testcontainers and requires:
 * Docker ≥ 25
 * Node 20 (for Jest/Playwright)

---
+#### Mongo2Go / OpenSSL shim
+
+Multiple suites (Concelier connectors, Excititor worker/WebService, Scheduler)
+fall back to [Mongo2Go](https://github.com/Mongo2Go/Mongo2Go) when a developer
+does not have a local `mongod` listening on `127.0.0.1:27017`.  Modern distros
+ship OpenSSL 3 by default, so you **must** expose the legacy OpenSSL 1.1
+libraries that the embedded `mongod` requires:
+
+1. From the repo root, export the provided binaries before running any tests:
+
+   ```bash
+   export LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64:${LD_LIBRARY_PATH:-}"
+   ```
+
+2. (Optional) If you only need the shim for a single command, prefix it:
+
+   ```bash
+   LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64" \
+     dotnet test src/Concelier/StellaOps.Concelier.sln --nologo
+   ```
+
+3. CI runners or dev containers should either copy
+   `tests/native/openssl-1.1/linux-x64/libcrypto.so.1.1` and `libssl.so.1.1`
+   into a directory that is already on the default library path, or export the
+   `LD_LIBRARY_PATH` value shown above before invoking `dotnet test`.
+
+The shim lives under `tests/native/openssl-1.1/README.md` with upstream source
+and licensing details.  When the system already has OpenSSL 1.1 installed you
+can skip this step.
+
+#### Local Mongo helper
+
+Some suites (Concelier WebService/Core, Exporter JSON) need a full
+`mongod` instance when you want to debug outside of Mongo2Go (for example to
+inspect data with `mongosh` or pin a specific server version).  A thin wrapper
+is available under `tools/mongodb/local-mongo.sh`:
+
+```bash
+# download (cached under .cache/mongodb-local) and start a local replica set
+tools/mongodb/local-mongo.sh start
+
+# reuse an existing data set
+tools/mongodb/local-mongo.sh restart
+
+# stop / clean
+tools/mongodb/local-mongo.sh stop
+tools/mongodb/local-mongo.sh clean
+```
+
+By default the script downloads MongoDB 6.0.16 for Ubuntu 22.04, binds to
+`127.0.0.1:27017`, and initialises a single-node replica set called `rs0`.  The
+current URI is printed on start, e.g.
+`mongodb://127.0.0.1:27017/?replicaSet=rs0`, and you can export it before
+running `dotnet test` if a suite supports overriding its connection string.
+
+--- 

 ### Concelier OSV↔GHSA parity fixtures

@@ -106,4 +161,3 @@ flowchart LR
 ---

 *Last updated {{ "now" | date: "%Y‑%m‑%d" }}*
-