Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/__Libraries/__Tests/StellaOps.Cryptography.Tests/CryptoProviderRegistryTests.cs

@@ -59,6 +59,22 @@ public class CryptoProviderRegistryTests
         Assert.Equal("key-a", fallbackResolution.Signer.KeyId);
     }
 
+    [Fact]
+    public void RegistryOptions_UsesActiveProfileOrder()
+    {
+        var options = new StellaOps.Cryptography.DependencyInjection.CryptoProviderRegistryOptions();
+        options.PreferredProviders.Add("default");
+        options.ActiveProfile = "ru-offline";
+        options.Profiles["ru-offline"] = new StellaOps.Cryptography.DependencyInjection.CryptoProviderProfileOptions
+        {
+            PreferredProviders = { "ru.cryptopro.csp", "ru.pkcs11" }
+        };
+
+        var resolved = options.ResolvePreferredProviders();
+
+        Assert.Equal(new[] { "ru.cryptopro.csp", "ru.pkcs11" }, resolved);
+    }
+
     private sealed class FakeCryptoProvider : ICryptoProvider
     {
         private readonly Dictionary<string, FakeSigner> signers = new(StringComparer.Ordinal);

src/__Libraries/__Tests/StellaOps.Cryptography.Tests/DefaultCryptoHashTests.cs

@@ -0,0 +1,73 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading.Tasks;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Digests;
+using StellaOps.Cryptography;
+using Xunit;
+
+namespace StellaOps.Cryptography.Tests;
+
+public sealed class DefaultCryptoHashTests
+{
+    private static readonly byte[] Sample = Encoding.UTF8.GetBytes("The quick brown fox jumps over the lazy dog");
+
+    [Fact]
+    public void ComputeHash_Sha256_MatchesBcl()
+    {
+        var hash = CryptoHashFactory.CreateDefault();
+        var expected = SHA256.HashData(Sample);
+        var actual = hash.ComputeHash(Sample, HashAlgorithms.Sha256);
+        Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
+    }
+
+    [Fact]
+    public void ComputeHash_Sha512_MatchesBcl()
+    {
+        var hash = CryptoHashFactory.CreateDefault();
+        var expected = SHA512.HashData(Sample);
+        var actual = hash.ComputeHash(Sample, HashAlgorithms.Sha512);
+        Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
+    }
+
+    [Fact]
+    public void ComputeHash_Gost256_MatchesBouncyCastle()
+    {
+        var hash = CryptoHashFactory.CreateDefault();
+        var expected = ComputeGostDigest(use256: true);
+        var actual = hash.ComputeHash(Sample, HashAlgorithms.Gost3411_2012_256);
+        Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
+    }
+
+    [Fact]
+    public void ComputeHash_Gost512_MatchesBouncyCastle()
+    {
+        var hash = CryptoHashFactory.CreateDefault();
+        var expected = ComputeGostDigest(use256: false);
+        var actual = hash.ComputeHash(Sample, HashAlgorithms.Gost3411_2012_512);
+        Assert.Equal(Convert.ToHexString(expected).ToLowerInvariant(), Convert.ToHexString(actual).ToLowerInvariant());
+    }
+
+    [Fact]
+    public async Task ComputeHashAsync_Stream_MatchesBuffer()
+    {
+        var hash = CryptoHashFactory.CreateDefault();
+        await using var stream = new MemoryStream(Sample);
+        var streamDigest = await hash.ComputeHashAsync(stream, HashAlgorithms.Sha256);
+        var bufferDigest = hash.ComputeHash(Sample, HashAlgorithms.Sha256);
+        Assert.Equal(Convert.ToHexString(bufferDigest), Convert.ToHexString(streamDigest));
+    }
+
+    private static byte[] ComputeGostDigest(bool use256)
+    {
+        Org.BouncyCastle.Crypto.IDigest digest = use256
+            ? new Gost3411_2012_256Digest()
+            : new Gost3411_2012_512Digest();
+        digest.BlockUpdate(Sample, 0, Sample.Length);
+        var output = new byte[digest.GetDigestSize()];
+        digest.DoFinal(output, 0);
+        return output;
+    }
+}