sprints work

2026-01-10 11:15:28 +02:00
parent a21d3dbc1f
commit 701eb6b21c
71 changed files with 10854 additions and 136 deletions
--- a/src/Policy/__Tests/StellaOps.Policy.Engine.Tests/ReachabilityFacts/ReachabilityCoreBridgeTests.cs
+++ b/src/Policy/__Tests/StellaOps.Policy.Engine.Tests/ReachabilityFacts/ReachabilityCoreBridgeTests.cs
@@ -0,0 +1,314 @@
+// <copyright file="ReachabilityCoreBridgeTests.cs" company="StellaOps">
+// Copyright (c) StellaOps. Licensed under the AGPL-3.0-or-later.
+// </copyright>
+
+using System.Collections.Immutable;
+using FluentAssertions;
+using StellaOps.Policy.Engine.ReachabilityFacts;
+using StellaOps.Reachability.Core;
+using Xunit;
+
+namespace StellaOps.Policy.Engine.Tests.ReachabilityFacts;
+
+/// <summary>
+/// Tests for <see cref="ReachabilityCoreBridge"/>.
+/// </summary>
+[Trait("Category", "Unit")]
+public class ReachabilityCoreBridgeTests
+{
+    private readonly DateTimeOffset _now = new(2026, 1, 9, 12, 0, 0, TimeSpan.Zero);
+
+    [Fact]
+    public void ToReachabilityFact_MapsConfirmedReachableToReachable()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.ConfirmedReachable, 0.95);
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-2024-1234");
+
+        // Assert
+        fact.State.Should().Be(ReachabilityState.Reachable);
+        fact.Confidence.Should().Be(0.95m);
+        fact.Score.Should().Be(1.0m);
+        fact.TenantId.Should().Be("tenant1");
+        fact.AdvisoryId.Should().Be("CVE-2024-1234");
+    }
+
+    [Fact]
+    public void ToReachabilityFact_MapsStaticUnreachableToUnreachable()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.StaticUnreachable, 0.8);
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-2024-5678");
+
+        // Assert
+        fact.State.Should().Be(ReachabilityState.Unreachable);
+        fact.Score.Should().Be(0.1m);
+    }
+
+    [Fact]
+    public void ToReachabilityFact_MapsContestedToUnderInvestigation()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.Contested, 0.5);
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-2024-9999");
+
+        // Assert
+        fact.State.Should().Be(ReachabilityState.UnderInvestigation);
+        fact.Score.Should().Be(0.5m);
+    }
+
+    [Theory]
+    [InlineData(LatticeState.ConfirmedReachable, "critical")]
+    [InlineData(LatticeState.RuntimeObserved, "critical")]
+    [InlineData(LatticeState.StaticReachable, "high")]
+    [InlineData(LatticeState.Contested, "medium")]
+    [InlineData(LatticeState.Unknown, "medium")]
+    [InlineData(LatticeState.RuntimeUnobserved, "low")]
+    [InlineData(LatticeState.StaticUnreachable, "informational")]
+    [InlineData(LatticeState.ConfirmedUnreachable, "informational")]
+    public void MapToBucket_ReturnsCorrectBucket(LatticeState state, string expectedBucket)
+    {
+        // Act
+        var bucket = ReachabilityCoreBridge.MapToBucket(state);
+
+        // Assert
+        bucket.Should().Be(expectedBucket);
+    }
+
+    [Theory]
+    [InlineData(LatticeState.Unknown, "U")]
+    [InlineData(LatticeState.StaticReachable, "SR")]
+    [InlineData(LatticeState.StaticUnreachable, "SU")]
+    [InlineData(LatticeState.RuntimeObserved, "RO")]
+    [InlineData(LatticeState.RuntimeUnobserved, "RU")]
+    [InlineData(LatticeState.ConfirmedReachable, "CR")]
+    [InlineData(LatticeState.ConfirmedUnreachable, "CU")]
+    [InlineData(LatticeState.Contested, "X")]
+    public void MapLatticeStateToString_ReturnsCorrectCode(LatticeState state, string expectedCode)
+    {
+        // Act
+        var code = ReachabilityCoreBridge.MapLatticeStateToString(state);
+
+        // Assert
+        code.Should().Be(expectedCode);
+    }
+
+    [Theory]
+    [InlineData("U", LatticeState.Unknown)]
+    [InlineData("SR", LatticeState.StaticReachable)]
+    [InlineData("SU", LatticeState.StaticUnreachable)]
+    [InlineData("RO", LatticeState.RuntimeObserved)]
+    [InlineData("RU", LatticeState.RuntimeUnobserved)]
+    [InlineData("CR", LatticeState.ConfirmedReachable)]
+    [InlineData("CU", LatticeState.ConfirmedUnreachable)]
+    [InlineData("X", LatticeState.Contested)]
+    [InlineData(null, LatticeState.Unknown)]
+    [InlineData("invalid", LatticeState.Unknown)]
+    public void ParseLatticeState_ReturnsCorrectState(string? code, LatticeState expectedState)
+    {
+        // Act
+        var state = ReachabilityCoreBridge.ParseLatticeState(code);
+
+        // Assert
+        state.Should().Be(expectedState);
+    }
+
+    [Fact]
+    public void ToReachabilityFact_WithStaticResult_SetsMethodToStatic()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.StaticReachable, 0.75);
+        result = result with
+        {
+            StaticResult = new StaticReachabilityResult
+            {
+                Symbol = result.Symbol,
+                ArtifactDigest = result.ArtifactDigest,
+                IsReachable = true,
+                AnalyzedAt = _now
+            }
+        };
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-TEST");
+
+        // Assert
+        fact.Method.Should().Be(AnalysisMethod.Static);
+        fact.HasRuntimeEvidence.Should().BeFalse();
+    }
+
+    [Fact]
+    public void ToReachabilityFact_WithRuntimeResult_SetsMethodToDynamic()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.RuntimeObserved, 0.9);
+        result = result with
+        {
+            RuntimeResult = new RuntimeReachabilityResult
+            {
+                Symbol = result.Symbol,
+                ArtifactDigest = result.ArtifactDigest,
+                WasObserved = true,
+                ObservationWindow = TimeSpan.FromDays(7),
+                WindowStart = _now.AddDays(-7),
+                WindowEnd = _now
+            }
+        };
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-TEST");
+
+        // Assert
+        fact.Method.Should().Be(AnalysisMethod.Dynamic);
+        fact.HasRuntimeEvidence.Should().BeTrue();
+    }
+
+    [Fact]
+    public void ToReachabilityFact_WithBothResults_SetsMethodToHybrid()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.ConfirmedReachable, 0.95);
+        result = result with
+        {
+            StaticResult = new StaticReachabilityResult
+            {
+                Symbol = result.Symbol,
+                ArtifactDigest = result.ArtifactDigest,
+                IsReachable = true,
+                AnalyzedAt = _now
+            },
+            RuntimeResult = new RuntimeReachabilityResult
+            {
+                Symbol = result.Symbol,
+                ArtifactDigest = result.ArtifactDigest,
+                WasObserved = true,
+                ObservationWindow = TimeSpan.FromDays(7),
+                WindowStart = _now.AddDays(-7),
+                WindowEnd = _now
+            }
+        };
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-TEST");
+
+        // Assert
+        fact.Method.Should().Be(AnalysisMethod.Hybrid);
+        fact.HasRuntimeEvidence.Should().BeTrue();
+    }
+
+    [Theory]
+    [InlineData(LatticeState.ConfirmedUnreachable, "not_affected")]
+    [InlineData(LatticeState.StaticUnreachable, "not_affected")]
+    [InlineData(LatticeState.ConfirmedReachable, "affected")]
+    [InlineData(LatticeState.RuntimeObserved, "affected")]
+    [InlineData(LatticeState.StaticReachable, "under_investigation")]
+    [InlineData(LatticeState.Contested, "under_investigation")]
+    public void MapToVexStatus_ReturnsCorrectStatus(LatticeState state, string expectedStatus)
+    {
+        // Arrange
+        var result = CreateHybridResult(state, 0.8);
+
+        // Act
+        var status = ReachabilityCoreBridge.MapToVexStatus(result);
+
+        // Assert
+        status.Should().Be(expectedStatus);
+    }
+
+    [Fact]
+    public void MapToVexJustification_WhenUnreachable_ReturnsJustification()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.ConfirmedUnreachable, 0.9);
+
+        // Act
+        var justification = ReachabilityCoreBridge.MapToVexJustification(result);
+
+        // Assert
+        justification.Should().Be("vulnerable_code_not_in_execute_path");
+    }
+
+    [Fact]
+    public void MapToVexJustification_WhenReachable_ReturnsNull()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.ConfirmedReachable, 0.9);
+
+        // Act
+        var justification = ReachabilityCoreBridge.MapToVexJustification(result);
+
+        // Assert
+        justification.Should().BeNull();
+    }
+
+    [Fact]
+    public void ToReachabilityFact_IncludesMetadata()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.StaticReachable, 0.75);
+
+        // Act
+        var fact = ReachabilityCoreBridge.ToReachabilityFact(result, "tenant1", "CVE-TEST");
+
+        // Assert
+        fact.Metadata.Should().NotBeNull();
+        fact.Metadata!["lattice_state"].Should().Be("SR");
+        fact.Metadata!["symbol_canonical_id"].Should().Be(result.Symbol.CanonicalId);
+    }
+
+    [Fact]
+    public void ToReachabilityFact_NullResultThrows()
+    {
+        // Act
+        var act = () => ReachabilityCoreBridge.ToReachabilityFact(null!, "tenant1", "CVE-TEST");
+
+        // Assert
+        act.Should().Throw<ArgumentNullException>();
+    }
+
+    [Fact]
+    public void ToReachabilityFact_EmptyTenantIdThrows()
+    {
+        // Arrange
+        var result = CreateHybridResult(LatticeState.Unknown, 0.5);
+
+        // Act
+        var act = () => ReachabilityCoreBridge.ToReachabilityFact(result, "", "CVE-TEST");
+
+        // Assert
+        act.Should().Throw<ArgumentException>();
+    }
+
+    private HybridReachabilityResult CreateHybridResult(LatticeState state, double confidence)
+    {
+        var symbol = new SymbolRef
+        {
+            Purl = "pkg:npm/lodash@4.17.21",
+            Namespace = "lodash",
+            Type = "_",
+            Method = "template",
+            Signature = "(string)"
+        };
+
+        return new HybridReachabilityResult
+        {
+            Symbol = symbol,
+            ArtifactDigest = "sha256:abc123",
+            LatticeState = state,
+            Confidence = confidence,
+            Verdict = VerdictRecommendation.UnderInvestigation(),
+            Evidence = new EvidenceBundle
+            {
+                Uris = ["stellaops://evidence/test"],
+                CollectedAt = _now
+            },
+            ComputedAt = _now
+        };
+    }
+}