Add call graph fixtures for various languages and scenarios

- Introduced `all-edge-reasons.json` to test edge resolution reasons in .NET. - Added `all-visibility-levels.json` to validate method visibility levels in .NET. - Created `dotnet-aspnetcore-minimal.json` for a minimal ASP.NET Core application. - Included `go-gin-api.json` for a Go Gin API application structure. - Added `java-spring-boot.json` for the Spring PetClinic application in Java. - Introduced `legacy-no-schema.json` for legacy application structure without schema. - Created `node-express-api.json` for an Express.js API application structure.
2025-12-16 10:44:24 +02:00
parent 4391f35d8a
commit 5a480a3c2a
223 changed files with 19367 additions and 727 deletions
--- a/src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs
+++ b/src/AirGap/StellaOps.AirGap.Importer/Validation/DsseVerifier.cs
@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using System.Text;
+using Microsoft.Extensions.Logging;
 using StellaOps.AirGap.Importer.Contracts;

 namespace StellaOps.AirGap.Importer.Validation;
@@ -13,13 +14,24 @@ public sealed class DsseVerifier
 {
    private const string PaePrefix = "DSSEv1";

-    public BundleValidationResult Verify(DsseEnvelope envelope, TrustRootConfig trustRoots)
+    public BundleValidationResult Verify(DsseEnvelope envelope, TrustRootConfig trustRoots, ILogger? logger = null)
    {
        if (trustRoots.TrustedKeyFingerprints.Count == 0 || trustRoots.PublicKeys.Count == 0)
        {
+            logger?.LogWarning(
+                "offlinekit.dsse.verify failed reason_code={reason_code} trusted_fingerprints={trusted_fingerprints} public_keys={public_keys}",
+                "TRUST_ROOTS_REQUIRED",
+                trustRoots.TrustedKeyFingerprints.Count,
+                trustRoots.PublicKeys.Count);
            return BundleValidationResult.Failure("trust-roots-required");
        }

+        logger?.LogDebug(
+            "offlinekit.dsse.verify start payload_type={payload_type} signatures={signatures} public_keys={public_keys}",
+            envelope.PayloadType,
+            envelope.Signatures.Count,
+            trustRoots.PublicKeys.Count);
+
        foreach (var signature in envelope.Signatures)
        {
            if (!trustRoots.PublicKeys.TryGetValue(signature.KeyId, out var keyBytes))
@@ -36,10 +48,20 @@ public sealed class DsseVerifier
            var pae = BuildPreAuthEncoding(envelope.PayloadType, envelope.Payload);
            if (TryVerifyRsaPss(keyBytes, pae, signature.Signature))
            {
+                logger?.LogInformation(
+                    "offlinekit.dsse.verify succeeded key_id={key_id} fingerprint={fingerprint} payload_type={payload_type}",
+                    signature.KeyId,
+                    fingerprint,
+                    envelope.PayloadType);
                return BundleValidationResult.Success("dsse-signature-verified");
            }
        }

+        logger?.LogWarning(
+            "offlinekit.dsse.verify failed reason_code={reason_code} signatures={signatures} public_keys={public_keys}",
+            "DSSE_SIGNATURE_INVALID",
+            envelope.Signatures.Count,
+            trustRoots.PublicKeys.Count);
        return BundleValidationResult.Failure("dsse-signature-untrusted-or-invalid");
    }