Add unit tests for AST parsing and security sink detection

- Created `StellaOps.AuditPack.Tests.csproj` for unit testing the AuditPack library.
- Implemented comprehensive unit tests in `index.test.js` for AST parsing, covering various JavaScript and TypeScript constructs including functions, classes, decorators, and JSX.
- Added `sink-detect.test.js` to test security sink detection patterns, validating command injection, SQL injection, file write, deserialization, SSRF, NoSQL injection, and more.
- Included tests for taint source detection in various contexts such as Express, Koa, and AWS Lambda.
StellaOps Bot
2025-12-23 09:23:42 +02:00
parent 7e384ab610
commit 56e2dc01ee
96 changed files with 8555 additions and 1455 deletions


@@ -20,10 +20,10 @@ public sealed class CycloneDxComposer
{
private static readonly Guid SerialNamespace = new("0d3a422b-6e1b-4d9b-9c35-654b706c97e8");
private const string InventoryMediaTypeJson = "application/vnd.cyclonedx+json; version=1.6";
private const string UsageMediaTypeJson = "application/vnd.cyclonedx+json; version=1.6; view=usage";
private const string InventoryMediaTypeProtobuf = "application/vnd.cyclonedx+protobuf; version=1.6";
private const string UsageMediaTypeProtobuf = "application/vnd.cyclonedx+protobuf; version=1.6; view=usage";
private const string InventoryMediaTypeJson = CycloneDx17Extensions.MediaTypes.InventoryJson;
private const string UsageMediaTypeJson = CycloneDx17Extensions.MediaTypes.UsageJson;
private const string InventoryMediaTypeProtobuf = CycloneDx17Extensions.MediaTypes.InventoryProtobuf;
private const string UsageMediaTypeProtobuf = CycloneDx17Extensions.MediaTypes.UsageProtobuf;
public SbomCompositionResult Compose(SbomCompositionRequest request)
{
@@ -101,7 +101,9 @@ public sealed class CycloneDxComposer
string protobufMediaType)
{
var bom = BuildBom(request, graph, view, components, generatedAt);
var json = JsonSerializer.Serialize(bom);
var json16 = JsonSerializer.Serialize(bom);
// Upgrade serialized JSON from 1.6 to 1.7 (CycloneDX.Core doesn't support v1_7 natively yet)
var json = CycloneDx17Extensions.UpgradeJsonTo17(json16);
var jsonBytes = Encoding.UTF8.GetBytes(json);
var protobufBytes = ProtoSerializer.Serialize(bom);
@@ -169,6 +171,7 @@ public sealed class CycloneDxComposer
ImmutableArray<AggregatedComponent> components,
DateTimeOffset generatedAt)
{
// Use v1_6 for serialization; output is upgraded to 1.7 via CycloneDx17Extensions
var bom = new Bom
{
SpecVersion = SpecificationVersion.v1_6,
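Review bot: The protobuf output in the second hunk (`var protobufBytes = ProtoSerializer.Serialize(bom);`) is still produced from a `Bom` whose `SpecVersion` is `SpecificationVersion.v1_6` (third hunk), while only the JSON path goes through `CycloneDx17Extensions.UpgradeJsonTo17`; if `CycloneDx17Extensions.MediaTypes.InventoryProtobuf` / `UsageProtobuf` (first hunk) declare version 1.7, the protobuf bytes will be labelled as 1.7 but carry a 1.6 spec version, and a consumer that validates the payload against its declared media type may reject it or silently accept a mislabelled SBOM. Either apply an equivalent upgrade to the protobuf bytes or keep the protobuf media type at 1.6 until the library serializes v1_7 natively, and narrow the new comment on the third hunk to what actually happens, e.g. `// Use v1_6 for serialization; only the JSON output is upgraded to 1.7 via CycloneDx17Extensions (protobuf still emits 1.6)`. The method containing the second hunk starts and ends outside the hunk, so whether the protobuf media type is adjusted elsewhere cannot be confirmed from here.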