up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,96 +1,96 @@
|
||||
using System;
|
||||
using StellaOps.Concelier.Merge.Services;
|
||||
using StellaOps.Concelier.Models;
|
||||
|
||||
namespace StellaOps.Concelier.Merge.Tests;
|
||||
|
||||
public sealed class AffectedPackagePrecedenceResolverTests
|
||||
{
|
||||
[Fact]
|
||||
public void Merge_PrefersRedHatOverNvdForSameCpe()
|
||||
{
|
||||
var redHat = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*",
|
||||
platform: "RHEL 9",
|
||||
versionRanges: Array.Empty<AffectedVersionRange>(),
|
||||
statuses: new[]
|
||||
{
|
||||
new AffectedPackageStatus(
|
||||
status: "known_affected",
|
||||
provenance: new AdvisoryProvenance("redhat", "oval", "RHEL-9", DateTimeOffset.Parse("2025-10-01T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("redhat", "oval", "RHEL-9", DateTimeOffset.Parse("2025-10-01T00:00:00Z"))
|
||||
});
|
||||
|
||||
var nvd = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*",
|
||||
platform: "RHEL 9",
|
||||
versionRanges: new[]
|
||||
{
|
||||
new AffectedVersionRange(
|
||||
rangeKind: "cpe",
|
||||
introducedVersion: null,
|
||||
fixedVersion: null,
|
||||
lastAffectedVersion: null,
|
||||
rangeExpression: "<=9.0",
|
||||
provenance: new AdvisoryProvenance("nvd", "cpe_match", "RHEL-9", DateTimeOffset.Parse("2025-09-30T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("nvd", "cpe_match", "RHEL-9", DateTimeOffset.Parse("2025-09-30T00:00:00Z"))
|
||||
});
|
||||
|
||||
var resolver = new AffectedPackagePrecedenceResolver();
|
||||
var result = resolver.Merge(new[] { nvd, redHat });
|
||||
|
||||
var package = Assert.Single(result.Packages);
|
||||
Assert.Equal("cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*", package.Identifier);
|
||||
Assert.Empty(package.VersionRanges); // NVD range overridden
|
||||
Assert.Contains(package.Statuses, status => status.Status == "known_affected");
|
||||
Assert.Contains(package.Provenance, provenance => provenance.Source == "redhat");
|
||||
Assert.Contains(package.Provenance, provenance => provenance.Source == "nvd");
|
||||
|
||||
var rangeOverride = Assert.Single(result.Overrides);
|
||||
Assert.Equal("cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*", rangeOverride.Identifier);
|
||||
Assert.Equal(0, rangeOverride.PrimaryRank);
|
||||
Assert.True(rangeOverride.SuppressedRank >= rangeOverride.PrimaryRank);
|
||||
Assert.Equal(0, rangeOverride.PrimaryRangeCount);
|
||||
Assert.Equal(1, rangeOverride.SuppressedRangeCount);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Merge_KeepsNvdWhenNoHigherPrecedence()
|
||||
{
|
||||
var nvd = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*",
|
||||
platform: null,
|
||||
versionRanges: new[]
|
||||
{
|
||||
new AffectedVersionRange(
|
||||
rangeKind: "semver",
|
||||
introducedVersion: null,
|
||||
fixedVersion: "1.0.1",
|
||||
lastAffectedVersion: null,
|
||||
rangeExpression: "<1.0.1",
|
||||
provenance: new AdvisoryProvenance("nvd", "cpe_match", "product", DateTimeOffset.Parse("2025-09-01T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("nvd", "cpe_match", "product", DateTimeOffset.Parse("2025-09-01T00:00:00Z"))
|
||||
});
|
||||
|
||||
var resolver = new AffectedPackagePrecedenceResolver();
|
||||
var result = resolver.Merge(new[] { nvd });
|
||||
|
||||
var package = Assert.Single(result.Packages);
|
||||
Assert.Equal(nvd.Identifier, package.Identifier);
|
||||
Assert.Equal(nvd.VersionRanges.Single().RangeExpression, package.VersionRanges.Single().RangeExpression);
|
||||
Assert.Equal("nvd", package.Provenance.Single().Source);
|
||||
Assert.Empty(result.Overrides);
|
||||
}
|
||||
}
|
||||
using System;
|
||||
using StellaOps.Concelier.Merge.Services;
|
||||
using StellaOps.Concelier.Models;
|
||||
|
||||
namespace StellaOps.Concelier.Merge.Tests;
|
||||
|
||||
public sealed class AffectedPackagePrecedenceResolverTests
|
||||
{
|
||||
[Fact]
|
||||
public void Merge_PrefersRedHatOverNvdForSameCpe()
|
||||
{
|
||||
var redHat = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*",
|
||||
platform: "RHEL 9",
|
||||
versionRanges: Array.Empty<AffectedVersionRange>(),
|
||||
statuses: new[]
|
||||
{
|
||||
new AffectedPackageStatus(
|
||||
status: "known_affected",
|
||||
provenance: new AdvisoryProvenance("redhat", "oval", "RHEL-9", DateTimeOffset.Parse("2025-10-01T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("redhat", "oval", "RHEL-9", DateTimeOffset.Parse("2025-10-01T00:00:00Z"))
|
||||
});
|
||||
|
||||
var nvd = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*",
|
||||
platform: "RHEL 9",
|
||||
versionRanges: new[]
|
||||
{
|
||||
new AffectedVersionRange(
|
||||
rangeKind: "cpe",
|
||||
introducedVersion: null,
|
||||
fixedVersion: null,
|
||||
lastAffectedVersion: null,
|
||||
rangeExpression: "<=9.0",
|
||||
provenance: new AdvisoryProvenance("nvd", "cpe_match", "RHEL-9", DateTimeOffset.Parse("2025-09-30T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("nvd", "cpe_match", "RHEL-9", DateTimeOffset.Parse("2025-09-30T00:00:00Z"))
|
||||
});
|
||||
|
||||
var resolver = new AffectedPackagePrecedenceResolver();
|
||||
var result = resolver.Merge(new[] { nvd, redHat });
|
||||
|
||||
var package = Assert.Single(result.Packages);
|
||||
Assert.Equal("cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*", package.Identifier);
|
||||
Assert.Empty(package.VersionRanges); // NVD range overridden
|
||||
Assert.Contains(package.Statuses, status => status.Status == "known_affected");
|
||||
Assert.Contains(package.Provenance, provenance => provenance.Source == "redhat");
|
||||
Assert.Contains(package.Provenance, provenance => provenance.Source == "nvd");
|
||||
|
||||
var rangeOverride = Assert.Single(result.Overrides);
|
||||
Assert.Equal("cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*", rangeOverride.Identifier);
|
||||
Assert.Equal(0, rangeOverride.PrimaryRank);
|
||||
Assert.True(rangeOverride.SuppressedRank >= rangeOverride.PrimaryRank);
|
||||
Assert.Equal(0, rangeOverride.PrimaryRangeCount);
|
||||
Assert.Equal(1, rangeOverride.SuppressedRangeCount);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Merge_KeepsNvdWhenNoHigherPrecedence()
|
||||
{
|
||||
var nvd = new AffectedPackage(
|
||||
type: AffectedPackageTypes.Cpe,
|
||||
identifier: "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*",
|
||||
platform: null,
|
||||
versionRanges: new[]
|
||||
{
|
||||
new AffectedVersionRange(
|
||||
rangeKind: "semver",
|
||||
introducedVersion: null,
|
||||
fixedVersion: "1.0.1",
|
||||
lastAffectedVersion: null,
|
||||
rangeExpression: "<1.0.1",
|
||||
provenance: new AdvisoryProvenance("nvd", "cpe_match", "product", DateTimeOffset.Parse("2025-09-01T00:00:00Z")))
|
||||
},
|
||||
provenance: new[]
|
||||
{
|
||||
new AdvisoryProvenance("nvd", "cpe_match", "product", DateTimeOffset.Parse("2025-09-01T00:00:00Z"))
|
||||
});
|
||||
|
||||
var resolver = new AffectedPackagePrecedenceResolver();
|
||||
var result = resolver.Merge(new[] { nvd });
|
||||
|
||||
var package = Assert.Single(result.Packages);
|
||||
Assert.Equal(nvd.Identifier, package.Identifier);
|
||||
Assert.Equal(nvd.VersionRanges.Single().RangeExpression, package.VersionRanges.Single().RangeExpression);
|
||||
Assert.Equal("nvd", package.Provenance.Single().Source);
|
||||
Assert.Empty(result.Overrides);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user