Add inline DSSE provenance documentation and Mongo schema

- Introduced a new document outlining the inline DSSE provenance for SBOM, VEX, scan, and derived events. - Defined the Mongo schema for event patches, including key fields for provenance and trust verification. - Documented the write path for ingesting provenance metadata and backfilling historical events. - Created CI/CD snippets for uploading DSSE attestations and generating provenance metadata. - Established Mongo indexes for efficient provenance queries and provided query recipes for various use cases. - Outlined policy gates for managing VEX decisions based on provenance verification. - Included UI nudges for displaying provenance information and implementation tasks for future enhancements. --- Implement reachability lattice and scoring model - Developed a comprehensive document detailing the reachability lattice and scoring model. - Defined core types for reachability states, evidence, and mitigations with corresponding C# models. - Established a scoring policy with base score contributions from various evidence classes. - Mapped reachability states to VEX gates and provided a clear overview of evidence sources. - Documented the event graph schema for persisting reachability data in MongoDB. - Outlined the integration of runtime probes for evidence collection and defined a roadmap for future tasks. --- Introduce uncertainty states and entropy scoring - Created a draft document for tracking uncertainty states and their impact on risk scoring. - Defined core uncertainty states with associated entropy values and evidence requirements. - Established a schema for storing uncertainty states alongside findings. - Documented the risk score calculation incorporating uncertainty and its effect on final risk assessments. - Provided policy guidelines for handling uncertainty in decision-making processes. - Outlined UI guidelines for displaying uncertainty information and suggested remediation actions. --- Add Ruby package inventory management - Implemented Ruby package inventory management with corresponding data models and storage mechanisms. - Created C# records for Ruby package inventory, artifacts, provenance, and runtime details. - Developed a repository for managing Ruby package inventory documents in MongoDB. - Implemented a service for storing and retrieving Ruby package inventories. - Added unit tests for the Ruby package inventory store to ensure functionality and data integrity.
2025-11-13 00:20:33 +02:00
parent 86be324fc0
commit 7040984215
41 changed files with 1955 additions and 76 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs
@@ -13,6 +13,7 @@ using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.EntryTrace;
 using StellaOps.Scanner.EntryTrace.Serialization;
 using StellaOps.Scanner.Storage.Catalog;
@@ -365,6 +366,66 @@ public sealed class ScansEndpointsTests
        Assert.Equal(ndjson, payload.Ndjson);
    }

+    [Fact]
+    public async Task RubyPackagesEndpointReturnsNotFoundWhenMissing()
+    {
+        using var factory = new ScannerApplicationFactory();
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync("/api/v1/scans/scan-ruby-missing/ruby-packages");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task RubyPackagesEndpointReturnsInventory()
+    {
+        const string scanId = "scan-ruby-existing";
+        const string digest = "sha256:feedfacefeedfacefeedfacefeedfacefeedfacefeedfacefeedfacefeedface";
+        var generatedAt = DateTime.UtcNow.AddMinutes(-10);
+
+        using var factory = new ScannerApplicationFactory();
+
+        using (var scope = factory.Services.CreateScope())
+        {
+            var repository = scope.ServiceProvider.GetRequiredService<RubyPackageInventoryRepository>();
+            var document = new RubyPackageInventoryDocument
+            {
+                ScanId = scanId,
+                ImageDigest = digest,
+                GeneratedAtUtc = generatedAt,
+                Packages = new List<RubyPackageDocument>
+                {
+                    new()
+                    {
+                        Id = "pkg:gem/rack@3.1.0",
+                        Name = "rack",
+                        Version = "3.1.0",
+                        Source = "rubygems",
+                        Platform = "ruby",
+                        Groups = new List<string> { "default" },
+                        RuntimeUsed = true,
+                        Provenance = new RubyPackageProvenance("rubygems", "Gemfile.lock", "Gemfile.lock")
+                    }
+                }
+            };
+
+            await repository.UpsertAsync(document, CancellationToken.None).ConfigureAwait(false);
+        }
+
+        using var client = factory.CreateClient();
+        var response = await client.GetAsync($"/api/v1/scans/{scanId}/ruby-packages");
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var payload = await response.Content.ReadFromJsonAsync<RubyPackagesResponse>();
+        Assert.NotNull(payload);
+        Assert.Equal(scanId, payload!.ScanId);
+        Assert.Equal(digest, payload.ImageDigest);
+        Assert.Single(payload.Packages);
+        Assert.Equal("rack", payload.Packages[0].Name);
+        Assert.Equal("rubygems", payload.Packages[0].Source);
+    }
+
    private sealed class RecordingCoordinator : IScanCoordinator
    {
        private readonly IHttpContextAccessor accessor;