tests fixes and sprints work

2026-01-22 19:08:46 +02:00
parent c32fff8f86
commit 726d70dc7f
881 changed files with 134434 additions and 6228 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.BuildProvenance.Tests/BuildConfigVerifierTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.BuildProvenance.Tests/BuildConfigVerifierTests.cs
@@ -0,0 +1,59 @@
+using StellaOps.Scanner.BuildProvenance.Analyzers;
+using StellaOps.Scanner.BuildProvenance.Models;
+using StellaOps.Scanner.BuildProvenance.Policy;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Scanner.BuildProvenance.Tests;
+
+public sealed class BuildConfigVerifierTests
+{
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void Verify_FlagsDigestMismatch()
+    {
+        var tempPath = Path.GetTempFileName();
+        File.WriteAllText(tempPath, "build-config");
+
+        var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
+        {
+            builder.WithConfig(tempPath, "sha256:deadbeef");
+        });
+
+        var sbom = TestSbomFactory.CreateSbom(buildInfo);
+        var chainBuilder = new BuildProvenanceChainBuilder();
+        var chain = chainBuilder.Build(sbom);
+
+        var policy = BuildProvenancePolicyDefaults.Default with
+        {
+            BuildRequirements = BuildProvenancePolicyDefaults.Default.BuildRequirements with
+            {
+                RequireConfigDigest = true
+            }
+        };
+
+        var verifier = new BuildConfigVerifier();
+        var findings = verifier.Verify(sbom, chain, policy).ToList();
+
+        Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.OutputMismatch);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void Verify_FlagsSensitiveEnvironmentVariables()
+    {
+        var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
+        {
+            builder.WithEnvironment("API_TOKEN", "secret");
+        });
+
+        var sbom = TestSbomFactory.CreateSbom(buildInfo);
+        var chain = new BuildProvenanceChainBuilder().Build(sbom);
+        var policy = BuildProvenancePolicyDefaults.Default;
+
+        var verifier = new BuildConfigVerifier();
+        var findings = verifier.Verify(sbom, chain, policy).ToList();
+
+        Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.EnvironmentVariableLeak);
+    }
+}