audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Emit.Tests/Composition/SpdxComposerTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Emit.Tests/Composition/SpdxComposerTests.cs
@@ -5,6 +5,7 @@ using System.Linq;
 using System.Text.Json;
 using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.Emit.Composition;
+using StellaOps.Scanner.Emit.Spdx;
 using Xunit;

 namespace StellaOps.Scanner.Emit.Tests.Composition;
@@ -70,6 +71,86 @@ public sealed class SpdxComposerTests
        Assert.Equal(first.JsonSha256, second.JsonSha256);
    }

+    [Fact]
+    [Trait("Category", "Unit")]
+    public void Compose_LiteProfile_OmitsLicenseInfo()
+    {
+        var request = BuildRequest();
+        var composer = new SpdxComposer();
+
+        var result = composer.Compose(request, new SpdxCompositionOptions
+        {
+            ProfileType = Spdx3ProfileType.Lite
+        });
+
+        using var document = JsonDocument.Parse(result.JsonBytes);
+        var graph = document.RootElement.GetProperty("@graph").EnumerateArray().ToArray();
+
+        var packages = graph
+            .Where(node => node.GetProperty("type").GetString() == "software_Package")
+            .ToArray();
+
+        // Lite profile should not include license expression (used for declaredLicense)
+        foreach (var package in packages)
+        {
+            Assert.False(
+                package.TryGetProperty("simplelicensing_licenseExpression", out _),
+                "Lite profile should not include license information");
+        }
+    }
+
+    [Fact]
+    [Trait("Category", "Unit")]
+    public void Compose_LiteProfile_IncludesLiteInConformance()
+    {
+        var request = BuildRequest();
+        var composer = new SpdxComposer();
+
+        var result = composer.Compose(request, new SpdxCompositionOptions
+        {
+            ProfileType = Spdx3ProfileType.Lite
+        });
+
+        using var document = JsonDocument.Parse(result.JsonBytes);
+        var graph = document.RootElement.GetProperty("@graph").EnumerateArray().ToArray();
+
+        var docNode = graph.Single(node => node.GetProperty("type").GetString() == "SpdxDocument");
+        var conformance = docNode.GetProperty("profileConformance")
+            .EnumerateArray()
+            .Select(p => p.GetString())
+            .ToArray();
+
+        Assert.Contains("lite", conformance);
+        Assert.Contains("core", conformance);
+        Assert.Contains("software", conformance);
+    }
+
+    [Fact]
+    [Trait("Category", "Unit")]
+    public void Compose_SoftwareProfile_IncludesLicenseInfo()
+    {
+        var request = BuildRequest();
+        var composer = new SpdxComposer();
+
+        var result = composer.Compose(request, new SpdxCompositionOptions
+        {
+            ProfileType = Spdx3ProfileType.Software
+        });
+
+        using var document = JsonDocument.Parse(result.JsonBytes);
+        var graph = document.RootElement.GetProperty("@graph").EnumerateArray().ToArray();
+
+        var packages = graph
+            .Where(node => node.GetProperty("type").GetString() == "software_Package")
+            .ToArray();
+
+        // Software profile should include license expression where available
+        var componentA = packages.Single(p => p.GetProperty("name").GetString() == "component-a");
+        Assert.True(
+            componentA.TryGetProperty("simplelicensing_licenseExpression", out _),
+            "Software profile should include license information");
+    }
+
    private static SbomCompositionRequest BuildRequest()
    {
        var fragments = new[]