up
StellaOps Bot
2025-12-13 09:37:15 +02:00
parent e00f6365da
commit 6e45066e37
349 changed files with 17160 additions and 1867 deletions


@@ -38,6 +38,34 @@ public sealed class NodeLockDataTests : IDisposable
Assert.Empty(result.DeclaredPackages);
}
[Fact]
public async Task LoadAsync_EmptyRootPath_DoesNotThrow_WhenCurrentDirectoryHasPackageJson()
{
var originalDirectory = Environment.CurrentDirectory;
var tempDirectory = Path.Combine(Path.GetTempPath(), "node-lock-tests-cwd-" + Guid.NewGuid().ToString("N")[..8]);
Directory.CreateDirectory(tempDirectory);
try
{
await File.WriteAllTextAsync(Path.Combine(tempDirectory, "package.json"), """
{
"name": "fixture",
"version": "0.0.0"
}
""");
Environment.CurrentDirectory = tempDirectory;
var result = await NodeLockData.LoadAsync(string.Empty, CancellationToken.None);
Assert.Empty(result.DeclaredPackages);
}
finally
{
Environment.CurrentDirectory = originalDirectory;
Directory.Delete(tempDirectory, recursive: true);
}
}
[Fact]
public async Task LoadAsync_OnlyPackageJson_CreatesDeclaredOnlyEntries()
{
@@ -232,7 +260,6 @@ public sealed class NodeLockDataTests : IDisposable
[Fact]
public async Task LoadPackageLockJson_V3Format_NestedNodeModules()
{
// Note: Nested node_modules require explicit name property for correct extraction
await File.WriteAllTextAsync(Path.Combine(_tempDir, "package-lock.json"), """
{
"lockfileVersion": 3,
@@ -241,7 +268,6 @@ public sealed class NodeLockDataTests : IDisposable
"version": "1.0.0"
},
"node_modules/parent/node_modules/child": {
"name": "child",
"version": "2.0.0"
}
}
@@ -253,6 +279,38 @@ public sealed class NodeLockDataTests : IDisposable
Assert.Equal(2, result.DeclaredPackages.Count);
Assert.Contains(result.DeclaredPackages, e => e.Name == "parent");
Assert.Contains(result.DeclaredPackages, e => e.Name == "child");
Assert.True(result.TryGet("node_modules/parent/node_modules/child", "child", "2.0.0", out var entry));
Assert.NotNull(entry);
Assert.Equal("2.0.0", entry!.Version);
}
[Fact]
public async Task LoadPackageLockJson_V3Format_NestedNodeModules_ScopedChild()
{
await File.WriteAllTextAsync(Path.Combine(_tempDir, "package-lock.json"), """
{
"lockfileVersion": 3,
"packages": {
"node_modules/parent": {
"version": "1.0.0"
},
"node_modules/parent/node_modules/@types/node": {
"version": "20.10.0"
}
}
}
""");
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Equal(2, result.DeclaredPackages.Count);
Assert.Contains(result.DeclaredPackages, e => e.Name == "parent");
Assert.Contains(result.DeclaredPackages, e => e.Name == "@types/node");
Assert.True(result.TryGet("node_modules/parent/node_modules/@types/node", "@types/node", "20.10.0", out var entry));
Assert.NotNull(entry);
Assert.Equal("20.10.0", entry!.Version);
}
[Fact]
@@ -495,6 +553,35 @@ valid@^2.0.0:
Assert.Contains(result.DeclaredPackages, e => e.Name == "valid");
}
[Fact]
public async Task LoadYarnLock_BerryFormat_ParsesResolutionChecksum_AndSkipsMetadata()
{
await File.WriteAllTextAsync(Path.Combine(_tempDir, "yarn.lock"), """
__metadata:
version: 6
"lodash@npm:^4.17.21":
version: 4.17.21
resolution: "lodash@npm:4.17.21"
checksum: 10c0deadbeef
""");
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Single(result.DeclaredPackages);
Assert.DoesNotContain(result.DeclaredPackages, e => e.Name == "__metadata");
var entry = result.DeclaredPackages.Single();
Assert.Equal("lodash", entry.Name);
Assert.Equal("4.17.21", entry.Version);
Assert.Equal("lodash@npm:4.17.21", entry.Resolved);
Assert.Equal("checksum:10c0deadbeef", entry.Integrity);
Assert.True(result.TryGet("", "lodash", "4.17.21", out var byVersion));
Assert.NotNull(byVersion);
Assert.Equal("lodash@npm:^4.17.21", byVersion!.Locator);
}
#endregion
#region pnpm-lock.yaml Parsing Tests
@@ -557,6 +644,24 @@ valid@^2.0.0:
Assert.Equal("4.18.2", result.DeclaredPackages.First().Version);
}
[Fact]
public async Task LoadPnpmLock_WhenVersionLineMissing_UsesVersionFromKey()
{
var content = "lockfileVersion: '6.0'\n" +
"packages:\n" +
" /express/4.18.2:\n" +
" resolution: {integrity: sha512-xyz}\n";
await File.WriteAllTextAsync(Path.Combine(_tempDir, "pnpm-lock.yaml"), content);
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Single(result.DeclaredPackages);
var entry = result.DeclaredPackages.Single();
Assert.Equal("express", entry.Name);
Assert.Equal("4.18.2", entry.Version);
Assert.Equal("sha512-xyz", entry.Integrity);
}
[Fact]
public async Task LoadPnpmLock_ExtractsTarball()
{
@@ -573,6 +678,43 @@ valid@^2.0.0:
Assert.Contains("lodash-4.17.21.tgz", result.DeclaredPackages.First().Resolved);
}
[Fact]
public async Task LoadPnpmLock_IntegrityMissingReason_File()
{
var content = "lockfileVersion: '6.0'\n" +
"packages:\n" +
" /local-file/1.0.0:\n" +
" resolution: {tarball: file:../local-file-1.0.0.tgz}\n";
await File.WriteAllTextAsync(Path.Combine(_tempDir, "pnpm-lock.yaml"), content);
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Single(result.DeclaredPackages);
var entry = result.DeclaredPackages.Single();
Assert.Equal("local-file", entry.Name);
Assert.True(entry.IntegrityMissing);
Assert.Equal("file", entry.IntegrityMissingReason);
Assert.StartsWith("file:", entry.Resolved, StringComparison.Ordinal);
}
[Fact]
public async Task LoadPnpmLock_SnapshotsSection_IsParsed()
{
var content = "lockfileVersion: '9.0'\n" +
"snapshots:\n" +
" /snap-only/1.0.0:\n" +
" resolution: {integrity: sha512-snap}\n";
await File.WriteAllTextAsync(Path.Combine(_tempDir, "pnpm-lock.yaml"), content);
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Single(result.DeclaredPackages);
var entry = result.DeclaredPackages.Single();
Assert.Equal("snap-only", entry.Name);
Assert.Equal("1.0.0", entry.Version);
Assert.Equal("sha512-snap", entry.Integrity);
}
[Fact]
public async Task LoadPnpmLock_SeparateIntegrityLine()
{
@@ -590,7 +732,7 @@ valid@^2.0.0:
}
[Fact]
public async Task LoadPnpmLock_SkipsPackagesWithoutIntegrity()
public async Task LoadPnpmLock_PackagesWithoutIntegrity_AreKeptAndMarked()
{
var content = "lockfileVersion: '6.0'\n" +
"packages:\n" +
@@ -603,8 +745,19 @@ valid@^2.0.0:
var result = await NodeLockData.LoadAsync(_tempDir, CancellationToken.None);
Assert.Single(result.DeclaredPackages);
Assert.Equal("has-integrity", result.DeclaredPackages.First().Name);
Assert.Equal(2, result.DeclaredPackages.Count);
var noIntegrity = result.DeclaredPackages.Single(e => e.Name == "no-integrity");
Assert.Equal("1.0.0", noIntegrity.Version);
Assert.Null(noIntegrity.Integrity);
Assert.True(noIntegrity.IntegrityMissing);
Assert.Equal("missing", noIntegrity.IntegrityMissingReason);
var hasIntegrity = result.DeclaredPackages.Single(e => e.Name == "has-integrity");
Assert.Equal("2.0.0", hasIntegrity.Version);
Assert.Equal("sha512-valid", hasIntegrity.Integrity);
Assert.False(hasIntegrity.IntegrityMissing);
Assert.Null(hasIntegrity.IntegrityMissingReason);
}
[Fact]
@@ -863,6 +1016,12 @@ valid@^2.0.0:
Assert.True(result.TryGet("", "lodash", out var byNameEntry));
Assert.Equal("4.0.0", byNameEntry!.Version);
Assert.True(result.TryGet("", "lodash", "4.17.21", out var byVersionEntry));
Assert.Equal("4.17.21", byVersionEntry!.Version);
Assert.True(result.TryGet("", "lodash", "4.0.0", out var byVersionEntry2));
Assert.Equal("4.0.0", byVersionEntry2!.Version);
// For TryGet lookups by path, package-lock.json entry is found
Assert.True(result.TryGet("node_modules/lodash", "", out var byPathEntry));
Assert.Equal("4.17.21", byPathEntry!.Version);
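Review bot: In the first hunk (`@@ -38,6 +38,34 @@`), `LoadAsync_EmptyRootPath_DoesNotThrow_WhenCurrentDirectoryHasPackageJson` cannot tell whether an empty root path falls back to the process working directory, because the fixture `package.json` declares no dependencies and `Assert.Empty(result.DeclaredPackages)` passes whether that file is read or ignored. For a lockfile scanner the difference matters, since reading manifests from outside the requested root would attribute packages to the wrong scan target. If the intent is that an empty root never resolves to the CWD, add a dependency to the fixture, e.g. `"dependencies": { "fixture-dep": "1.0.0" }` (constructed sample), so the existing assertion actually pins that behaviour. The test also assigns `Environment.CurrentDirectory`, which is process-wide, so it can interfere with tests in other classes that run in parallel; putting this class in a non-parallelised xUnit collection would contain that.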