
This commit is contained in:
StellaOps Bot
2025-12-13 09:37:15 +02:00
parent e00f6365da
commit 6e45066e37
349 changed files with 17160 additions and 1867 deletions


@@ -125,6 +125,107 @@ public sealed class NodeDeterminismTests : IDisposable
#endregion
[Fact]
public async Task LockOnlyProject_EmitsDeclaredOnlyComponents_WithoutRangeAsPurl()
{
WriteFile("package.json", JsonSerializer.Serialize(new
{
name = "root",
version = "1.0.0",
dependencies = new Dictionary<string, string>
{
["express"] = "^4.18.2",
["left-pad"] = "^1.3.0"
}
}));
WriteFile("package-lock.json", JsonSerializer.Serialize(new
{
name = "root",
version = "1.0.0",
lockfileVersion = 3,
packages = new Dictionary<string, object>
{
[""] = new
{
name = "root",
version = "1.0.0"
},
["node_modules/express"] = new
{
version = "4.18.2",
resolved = "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
integrity = "sha512-deadbeef"
}
}
}));
var json = await RunAnalyzerAsync();
using var document = JsonDocument.Parse(json);
var components = document.RootElement.EnumerateArray().ToArray();
var express = components.Single(static element =>
element.TryGetProperty("purl", out var purl)
&& purl.ValueKind == JsonValueKind.String
&& purl.GetString() == "pkg:npm/express@4.18.2");
var expressMeta = express.GetProperty("metadata");
Assert.Equal("true", expressMeta.GetProperty("declaredOnly").GetString());
Assert.Equal("package-lock.json", expressMeta.GetProperty("declared.source").GetString());
Assert.Equal("package-lock.json:node_modules/express", expressMeta.GetProperty("declared.locator").GetString());
Assert.Equal("^4.18.2", expressMeta.GetProperty("declared.versionSpec").GetString());
Assert.Equal("4.18.2", expressMeta.GetProperty("declared.resolvedVersion").GetString());
var leftPad = components.Single(static element =>
element.GetProperty("name").GetString() == "left-pad");
Assert.False(leftPad.TryGetProperty("purl", out _));
Assert.StartsWith("explicit::node::npm::left-pad::sha256:", leftPad.GetProperty("componentKey").GetString(), StringComparison.Ordinal);
var leftPadMeta = leftPad.GetProperty("metadata");
Assert.Equal("true", leftPadMeta.GetProperty("declaredOnly").GetString());
Assert.Equal("package.json", leftPadMeta.GetProperty("declared.source").GetString());
Assert.Equal("^1.3.0", leftPadMeta.GetProperty("declared.versionSpec").GetString());
}
[Fact]
public async Task PnpmLock_IntegrityMissing_EmitsDeclaredOnlyMetadata()
{
WriteFile("package.json", JsonSerializer.Serialize(new
{
name = "root",
version = "1.0.0",
dependencies = new Dictionary<string, string>
{
["local-file"] = "file:../local-file-1.0.0.tgz"
}
}));
var pnpmLock = "lockfileVersion: '6.0'\n" +
"packages:\n" +
" /local-file/1.0.0:\n" +
" resolution: {tarball: file:../local-file-1.0.0.tgz}\n";
WriteFile("pnpm-lock.yaml", pnpmLock);
var json = await RunAnalyzerAsync();
using var document = JsonDocument.Parse(json);
var components = document.RootElement.EnumerateArray().ToArray();
var localFile = components.Single(static element =>
element.TryGetProperty("purl", out var purl)
&& purl.ValueKind == JsonValueKind.String
&& purl.GetString() == "pkg:npm/local-file@1.0.0");
var meta = localFile.GetProperty("metadata");
Assert.Equal("true", meta.GetProperty("declaredOnly").GetString());
Assert.Equal("pnpm-lock.yaml", meta.GetProperty("declared.source").GetString());
Assert.Equal("pnpm-lock.yaml:local-file/1.0.0", meta.GetProperty("declared.locator").GetString());
Assert.Equal("file:../local-file-1.0.0.tgz", meta.GetProperty("declared.versionSpec").GetString());
Assert.Equal("1.0.0", meta.GetProperty("declared.resolvedVersion").GetString());
Assert.Equal("true", meta.GetProperty("lockIntegrityMissing").GetString());
Assert.Equal("file", meta.GetProperty("lockIntegrityMissingReason").GetString());
}
#region Entrypoint Ordering
[Fact]