Add tests for SBOM generation determinism across multiple formats

- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
2025-12-23 18:56:12 +02:00
parent 7ac70ece71
commit 5590a99a1a
381 changed files with 21071 additions and 14678 deletions
--- a/docs/_archive/vuln/explorer-cli.md
+++ b/docs/_archive/vuln/explorer-cli.md
@@ -0,0 +1,39 @@
+# Vuln Explorer CLI (Md.XI draft)
+
+> Status: DRAFT — depends on explorer API/console assets and GRAP0101 schema. Do not publish until samples are hashed and prerequisites land.
+
+## Scope
+- Command reference for Explorer-related CLI verbs (list/view/actions/reports/exports/VEX decisions).
+- Examples must be deterministic and offline-friendly (fixed fixtures, no live endpoints).
+
+## Prerequisites
+- GRAP0101 contract for finalized field names and filters.
+- CLI sample payloads (requested with console assets; due 2025-12-09).
+- API schema from `docs/vuln/explorer-api.md` once finalized.
+
+## Commands (outline)
+- `stella findings list` — filters, pagination, sorting, `--fields`, `--reachability`, `--vex-status`.
+- `stella findings view <id>` — includes history, actions, explain bundle refs.
+- `stella findings action <id> --assign/--comment/--status/--remediate/--ticket` — DSSE signing optional.
+- `stella findings report create` — outputs manifest path and DSSE envelope.
+- `stella findings export offline` — deterministic bundle with hashes (aligns with Offline Kit).
+- `stella vex decisions` — create/update/list VEX decisions.
+
+## Determinism & Offline
+- Record all sample command outputs (stdout/stderr) with hashes in `docs/assets/vuln-explorer/SHA256SUMS`.
+- Use fixed fixture IDs, ordered output, and `--format json` where applicable.
+
+### Fixtures to Capture (once CLI samples arrive)
+- `assets/vuln-explorer/cli-findings-list.json` (list with filters)
+- `assets/vuln-explorer/cli-findings-view.json` (detail view)
+- `assets/vuln-explorer/cli-action.json` (assign/comment/status change)
+- `assets/vuln-explorer/cli-report-create.json` (report creation output)
+- `assets/vuln-explorer/cli-export-offline.json` (bundle manifest snippet)
+- `assets/vuln-explorer/cli-vex-decision.json` (decision create/list)
+
+## Open Items
+- Insert real examples and exit codes once assets arrive.
+- Confirm DSSE flag names and default signing key selection.
+- Add CI snippets for GitLab/GitHub once policy overlays provided.
+
+_Last updated: 2025-12-05 (UTC)_