Add inline DSSE provenance documentation and Mongo schema

- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events. - Defined the Mongo schema for event patches, including key fields for provenance and trust verification. - Documented the write path for ingesting provenance metadata and backfilling historical events. - Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata. - Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases. - Outlined policy gates for managing VEX decisions based on provenance verification. - Included UI nudges for displaying provenance information and implementation tasks for future enhancements. --- Implement reachability lattice and scoring model - Developed a comprehensive document detailing the reachability lattice and scoring model. - Defined core types for reachability states, evidence, and mitigations with corresponding C# models. - Established a scoring policy with base score contributions from various evidence classes. - Mapped reachability states to VEX gates and provided a clear overview of evidence sources. - Documented the event graph schema for persisting reachability data in MongoDB. - Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks. --- Introduce uncertainty states and entropy scoring - Created a draft document for tracking uncertainty states and their impact on risk scoring. - Defined core uncertainty states with associated entropy values and evidence requirements. - Established a schema for storing uncertainty states alongside findings. - Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments. - Provided policy guidelines for handling uncertainty in decision-making processes. - Outlined UI guidelines for displaying uncertainty information and suggested remediation actions. --- Add Ruby package inventory management - Implemented Ruby package inventory management with corresponding data models and storage mechanisms. - Created C# records for Ruby package inventory, artifacts, provenance, and runtime details. - Developed a repository for managing Ruby package inventory documents in MongoDB. - Implemented a service for storing and retrieving Ruby package inventories. - Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
2025-11-13 00:20:33 +02:00
parent 86be324fc0
commit 7040984215
41 changed files with 1955 additions and 76 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/RubyPackageInventoryStoreTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/RubyPackageInventoryStoreTests.cs
@@ -0,0 +1,121 @@
+using System.Collections.Generic;
+using Microsoft.Extensions.Options;
+using MongoDB.Driver;
+using StellaOps.Scanner.Core.Contracts;
+using StellaOps.Scanner.Storage;
+using StellaOps.Scanner.Storage.Mongo;
+using StellaOps.Scanner.Storage.Repositories;
+using StellaOps.Scanner.Storage.Services;
+using StellaOps.Scanner.Storage.Catalog;
+using Xunit;
+
+namespace StellaOps.Scanner.Storage.Tests;
+
+public sealed class RubyPackageInventoryStoreTests : IClassFixture<ScannerMongoFixture>
+{
+    private readonly ScannerMongoFixture _fixture;
+
+    public RubyPackageInventoryStoreTests(ScannerMongoFixture fixture)
+    {
+        _fixture = fixture;
+    }
+
+    [Fact]
+    public async Task StoreAsync_ThrowsWhenInventoryNull()
+    {
+        var store = CreateStore();
+        await Assert.ThrowsAsync<ArgumentNullException>(async () =>
+        {
+            RubyPackageInventory? inventory = null;
+            await store.StoreAsync(inventory!, CancellationToken.None);
+        });
+    }
+
+    [Fact]
+    public async Task GetAsync_ReturnsNullWhenMissing()
+    {
+        await ClearCollectionAsync();
+        var store = CreateStore();
+
+        var inventory = await store.GetAsync("scan-missing", CancellationToken.None);
+
+        Assert.Null(inventory);
+    }
+
+    [Fact]
+    public async Task StoreAsync_RoundTripsInventory()
+    {
+        await ClearCollectionAsync();
+        var store = CreateStore();
+
+        var scanId = $"scan-{Guid.NewGuid():n}";
+        var generatedAt = new DateTimeOffset(2025, 11, 12, 16, 10, 0, TimeSpan.Zero);
+
+        var packages = new[]
+        {
+            new RubyPackageArtifact(
+                Id: "purl::pkg:gem/rack@3.1.2",
+                Name: "rack",
+                Version: "3.1.2",
+                Source: "rubygems",
+                Platform: "ruby",
+                Groups: new[] {"default"},
+                DeclaredOnly: true,
+                RuntimeUsed: true,
+                Provenance: new RubyPackageProvenance("rubygems", "Gemfile.lock", "Gemfile.lock"),
+                Runtime: new RubyPackageRuntime(
+                    new[] { "config.ru" },
+                    new[] { "config.ru" },
+                    new[] { "require-static" }),
+                Metadata: new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
+                {
+                    ["source"] = "rubygems",
+                    ["lockfile"] = "Gemfile.lock",
+                    ["groups"] = "default"
+                })
+        };
+
+        var inventory = new RubyPackageInventory(scanId, "sha256:image", generatedAt, packages);
+
+        await store.StoreAsync(inventory, CancellationToken.None);
+
+        var stored = await store.GetAsync(scanId, CancellationToken.None);
+
+        Assert.NotNull(stored);
+        Assert.Equal(scanId, stored!.ScanId);
+        Assert.Equal("sha256:image", stored.ImageDigest);
+        Assert.Equal(generatedAt, stored.GeneratedAtUtc);
+        Assert.Single(stored.Packages);
+        Assert.Equal("rack", stored.Packages[0].Name);
+        Assert.Equal("rubygems", stored.Packages[0].Source);
+    }
+
+    private async Task ClearCollectionAsync()
+    {
+        var provider = CreateProvider();
+        await provider.RubyPackages.DeleteManyAsync(Builders<RubyPackageInventoryDocument>.Filter.Empty);
+    }
+
+    private RubyPackageInventoryStore CreateStore()
+    {
+        var provider = CreateProvider();
+        var repository = new RubyPackageInventoryRepository(provider);
+        return new RubyPackageInventoryStore(repository);
+    }
+
+    private MongoCollectionProvider CreateProvider()
+    {
+        var options = Options.Create(new ScannerStorageOptions
+        {
+            Mongo = new MongoOptions
+            {
+                ConnectionString = _fixture.Runner.ConnectionString,
+                DatabaseName = _fixture.Database.DatabaseNamespace.DatabaseName,
+                UseMajorityReadConcern = false,
+                UseMajorityWriteConcern = false
+            }
+        });
+
+        return new MongoCollectionProvider(_fixture.Database, options);
+    }
+}