Add unit tests for AST parsing and security sink detection

- Created `StellaOps.AuditPack.Tests.csproj` for unit testing the AuditPack library.
- Implemented comprehensive unit tests in `index.test.js` for AST parsing, covering various JavaScript and TypeScript constructs including functions, classes, decorators, and JSX.
- Added `sink-detect.test.js` to test security sink detection patterns, validating detection of command injection, SQL injection, file write, deserialization, SSRF, NoSQL injection, and more.
- Included tests for taint source detection in various contexts such as Express, Koa, and AWS Lambda.
This commit is contained in:
StellaOps Bot
2025-12-23 09:23:42 +02:00
parent 7e384ab610
commit 56e2dc01ee
96 changed files with 8555 additions and 1455 deletions


@@ -20,8 +20,9 @@ internal static partial class CommandHandlers
/// <summary>
/// Handler for `drift compare` command.
/// SPRINT_3600_0005_0001 GATE-006: Returns exit codes for CI/CD integration.
/// </summary>
internal static async Task HandleDriftCompareAsync(
internal static async Task<int> HandleDriftCompareAsync(
IServiceProvider services,
string baseId,
string? headId,
@@ -74,12 +75,16 @@ internal static partial class CommandHandlers
WriteTableOutput(console, driftResult, onlyIncreases, minSeverity);
break;
}
// GATE-006: Return appropriate exit code based on drift analysis
return ComputeDriftExitCode(driftResult);
}
/// <summary>
/// Handler for `drift show` command.
/// SPRINT_3600_0005_0001 GATE-006: Returns exit codes for CI/CD integration.
/// </summary>
internal static async Task HandleDriftShowAsync(
internal static async Task<int> HandleDriftShowAsync(
IServiceProvider services,
string id,
string output,
@@ -127,6 +132,46 @@ internal static partial class CommandHandlers
WriteTableOutput(console, driftResult, false, "info");
break;
}
// GATE-006: Return appropriate exit code based on drift analysis
return ComputeDriftExitCode(driftResult);
}
/// <summary>
/// SPRINT_3600_0005_0001 GATE-006: Compute exit code based on drift result.
/// Exit codes follow DriftExitCodes conventions for CI/CD integration.
/// </summary>
private static int ComputeDriftExitCode(DriftResultDto driftResult)
{
// Check for KEV reachable (highest priority)
if (driftResult.DriftedSinks.Any(s => s.IsKev && s.IsRiskIncrease))
{
return DriftExitCodes.KevReachable;
}
// Check for affected vulnerabilities now reachable
if (driftResult.DriftedSinks.Any(s =>
s.IsRiskIncrease &&
s.Severity is "critical" or "high" &&
s.VexStatus is "affected" or "under_investigation"))
{
return DriftExitCodes.AffectedReachable;
}
// Check for hardening (decreased reachability)
if (driftResult.Summary.DecreasedReachability > 0 && driftResult.Summary.IncreasedReachability == 0)
{
return DriftExitCodes.SuccessHardening;
}
// Check for informational drift (new paths but not to affected sinks)
if (driftResult.Summary.IncreasedReachability > 0)
{
return DriftExitCodes.SuccessWithInfoDrift;
}
// No material changes
return DriftExitCodes.Success;
}
// Task: UI-020 - Table output using Spectre.Console
@@ -316,5 +361,16 @@ internal static partial class CommandHandlers
public string CurrentBucket { get; init; } = string.Empty;
public bool IsRiskIncrease { get; init; }
public int RiskDelta { get; init; }
// SPRINT_3600_0005_0001 GATE-006: Additional fields for exit code computation
/// <summary>
/// Whether this sink is a Known Exploited Vulnerability (CISA KEV list).
/// </summary>
public bool IsKev { get; init; }
/// <summary>
/// VEX status for this vulnerability: affected, not_affected, under_investigation, fixed.
/// </summary>
public string? VexStatus { get; init; }
}
}
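Review bot: In `ComputeDriftExitCode` the `AffectedReachable` branch only fires when `VexStatus` is exactly `"affected"` or `"under_investigation"`, so a drifted critical/high sink whose `VexStatus` is still `null` (the default of the new nullable property added in the last hunk) falls through to `SuccessWithInfoDrift` or `Success`; for a CI/CD gate that is fail-open whenever VEX data is missing. Unless the producer is known to always populate the field, consider treating the untriaged case as reachable-affected, e.g. `s.VexStatus is null or "affected" or "under_investigation"))`, or state the fail-open choice in the method's summary so operators know a missing VEX feed weakens the gate. The `Severity` and `VexStatus` constant patterns are also ordinal, case-sensitive matches; if upstream can emit `"Critical"`/`"High"`, normalize before comparing or document the expected casing on the `VexStatus` property. The enclosing `CommandHandlers` class starts outside the shown hunks, and the callers that must consume the new `Task<int>` return values are not visible here.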