Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
@@ -18,14 +18,35 @@
- Build linksets from conflicting advisory observations (e.g., differing severity or status flags).
- Confirm conflict markers propagate to `AdvisoryLinkset` outputs and associated metrics/log records.
- Capture deterministic ordering of conflict explanations for evidence exports.
- Coverage landed via `AdvisoryObservationFactoryTests.Create_PreservesRawReferencesForConflictAudits` (raw linkset + attribute parity) and `AdvisoryEventLogTests.AppendAsync_SortsConflictStatementIds` (canonical conflict JSON + stable hashes).
3. **Evidence/export parity**
- Re-run observation/linkset pipelines against identical fixtures and assert resulting evidence manifests hash-identically.
- Track monotonic `supersedes` chains and ensure canonical link records include `PRIMARY` schemes.
- `JsonExportSnapshotBuilderTests.WriteAsync_DifferentInputOrderProducesSameDigest` now proves export bundles remain byte-identical regardless of advisory enumeration order; digest sampling extends `ProducesIdenticalBytesAcrossRuns`.
## Mongo2Go/OpenSSL toolchain
Concelier solution tests (and most connector suites) depend on Mongo2Go’s embedded `mongod`, which is linked against OpenSSL 1.1. The repo already ships the required libraries in `tests/native/openssl-1.1/linux-x64/{libcrypto.so.1.1,libssl.so.1.1}`; use them instead of installing global packages so offline runners stay deterministic.
1. Add the shim to your shell before executing any Mongo-backed suite:
```bash
export LD_LIBRARY_PATH="$(git rev-parse --show-toplevel)/tests/native/openssl-1.1/linux-x64:${LD_LIBRARY_PATH:-}"
```
2. For single commands you can prefix the invocation (handy for CI copy/paste):
```bash
LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64" \
dotnet test src/Concelier/StellaOps.Concelier.sln --nologo
```
3. The shim’s provenance and troubleshooting notes live in `tests/native/openssl-1.1/README.md`; reference it when mirroring the toolchain into air-gapped runners.
## Migration Steps
- [ ] Retire `StellaOps.Concelier.Merge.Tests` determinism suites once observation/linkset equivalents land.
- [ ] Introduce new regression fixtures under `StellaOps.Concelier.Core.Tests` (shared via `StellaOps.Concelier.Testing`).
- [x] Retire `StellaOps.Concelier.Merge.Tests` determinism suites once observation/linkset equivalents land.
- [x] Introduce new regression fixtures under `StellaOps.Concelier.Core.Tests` (shared via `StellaOps.Concelier.Testing`).
- [ ] Wire test helpers to Mongo in-memory harness for end-to-end parity runs.
- [ ] Update documentation (`docs/migration/no-merge.md`) with validation checklist once new tests are green.
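Review bot: the one-shot invocation in step 2, `LD_LIBRARY_PATH="$(pwd)/tests/native/openssl-1.1/linux-x64" \`, only resolves when the command is typed at the repository root, whereas step 1 anchors the path with `$(git rev-parse --show-toplevel)`; a CI copy/paste run from a subdirectory gets a non-existent directory on the search path and `mongod` silently falls back to whatever `libssl`/`libcrypto` the host provides, which is exactly the non-determinism the section says it wants to avoid. Use the `git rev-parse --show-toplevel` form in both snippets. Two related points in the same hunk: prepending to `LD_LIBRARY_PATH` with `export` (step 1) applies to every dynamically linked process started from that shell, not only the embedded `mongod`, so the scoped per-command prefix in step 2 is the safer default and the text should say so; and the paragraph states that the repo "already ships" `libcrypto.so.1.1` and `libssl.so.1.1` but records neither the exact 1.1.x build nor a digest for them, so the `tests/native/openssl-1.1/README.md` it points to for air-gapped mirroring should carry the version and checksums to verify against (OpenSSL 1.1.1 is past its upstream end of life, so the vendored copy will not receive fixes and needs to be pinned deliberately).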