Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00
parent 2b7b88ca77
commit 799f787de2
712 changed files with 49449 additions and 6124 deletions
--- a/samples/TASKS.md
+++ b/samples/TASKS.md
@@ -9,15 +9,13 @@

 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
-| SAMPLES-POLICY-20-001 | TODO | Samples Guild, Policy Guild | POLICY-ENGINE-20-002, DOCS-POLICY-20-011 | Create sample policies (`baseline.pol`, `serverless.pol`, `internal-only.pol`) with annotated SBOM/advisory fixtures. | Samples stored under `samples/policy/`; README documents usage; tests validate deterministic outputs. |
-| SAMPLES-POLICY-20-002 | TODO | Samples Guild, UI Guild | UI-POLICY-20-002 | Produce simulation diff fixtures (before/after JSON) for UI/CLI tests. | Fixtures committed with schema validation; referenced by UI+CLI tests; docs cross-link. |
+| SAMPLES-POLICY-20-001 | DONE (2025-10-26) | Samples Guild, Policy Guild | POLICY-ENGINE-20-002, DOCS-POLICY-20-011 | Create sample policies (`baseline.pol`, `serverless.pol`, `internal-only.pol`) with annotated SBOM/advisory fixtures. | Samples stored under `samples/policy/`; README documents usage; tests validate deterministic outputs. |
+| SAMPLES-POLICY-20-002 | DONE (2025-10-26) | Samples Guild, UI Guild | UI-POLICY-20-002 | Produce simulation diff fixtures (before/after JSON) for UI/CLI tests. | Fixtures committed with schema validation; referenced by UI+CLI tests; docs cross-link. |

 ## Graph Explorer v1

 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
-| SAMPLES-GRAPH-21-001 | TODO | Samples Guild, Cartographer Guild | CARTO-GRAPH-21-003 | Produce small/medium SBOM graph fixtures (JSON, GraphML, layout tiles) for automated tests and docs. | Fixtures stored under `samples/graph/`; validated by Cartographer + UI tests; README documents usage. |
-| SAMPLES-GRAPH-21-002 | TODO | Samples Guild, UI Guild | UI-GRAPH-21-005 | Capture golden Graph Explorer screenshots (baseline/diff) and path exports for visual regression + documentation. | Screenshots exported; stored with metadata; referenced in docs; tests consume assets. |

 ## Link-Not-Merge v1

--- a/samples/api/scheduler/graph-build-job.json
+++ b/samples/api/scheduler/graph-build-job.json
@@ -0,0 +1,19 @@
+{
+  "schemaVersion": "scheduler.graph-build-job@1",
+  "id": "gbj_20251026a",
+  "tenantId": "tenant-alpha",
+  "sbomId": "sbom_20251026",
+  "sbomVersionId": "sbom_ver_20251026",
+  "sbomDigest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+  "graphSnapshotId": "graph_snap_20251026",
+  "status": "running",
+  "trigger": "sbom-version",
+  "attempts": 1,
+  "cartographerJobId": "carto_job_42",
+  "correlationId": "evt_svc_987",
+  "createdAt": "2025-10-26T12:00:00+00:00",
+  "startedAt": "2025-10-26T12:00:05+00:00",
+  "metadata": {
+    "sbomEventId": "sbom_evt_20251026"
+  }
+}
--- a/samples/api/scheduler/graph-overlay-job.json
+++ b/samples/api/scheduler/graph-overlay-job.json
@@ -0,0 +1,21 @@
+{
+  "schemaVersion": "scheduler.graph-overlay-job@1",
+  "id": "goj_20251026a",
+  "tenantId": "tenant-alpha",
+  "graphSnapshotId": "graph_snap_20251026",
+  "buildJobId": "gbj_20251026a",
+  "overlayKind": "policy",
+  "overlayKey": "policy@2025-10-01",
+  "subjects": [
+    "artifact:service-api",
+    "artifact:service-worker"
+  ],
+  "status": "queued",
+  "trigger": "policy",
+  "attempts": 0,
+  "correlationId": "policy_run_321",
+  "createdAt": "2025-10-26T12:05:00+00:00",
+  "metadata": {
+    "policyRunId": "policy_run_321"
+  }
+}
--- a/samples/api/scheduler/policy-diff-summary.json
+++ b/samples/api/scheduler/policy-diff-summary.json
@@ -0,0 +1,31 @@
+{
+  "schemaVersion": "scheduler.policy-diff-summary@1",
+  "added": 12,
+  "removed": 8,
+  "unchanged": 657,
+  "bySeverity": {
+    "critical": {
+      "up": 1
+    },
+    "high": {
+      "up": 3,
+      "down": 4
+    },
+    "medium": {
+      "up": 2,
+      "down": 1
+    }
+  },
+  "ruleHits": [
+    {
+      "ruleId": "rule-block-critical",
+      "ruleName": "Block Critical Findings",
+      "up": 1
+    },
+    {
+      "ruleId": "rule-quiet-low",
+      "ruleName": "Quiet Low Risk",
+      "down": 2
+    }
+  ]
+}
--- a/samples/api/scheduler/policy-explain-trace.json
+++ b/samples/api/scheduler/policy-explain-trace.json
@@ -0,0 +1,83 @@
+{
+  "schemaVersion": "scheduler.policy-explain-trace@1",
+  "findingId": "finding:sbom:S-42/pkg:npm/lodash@4.17.21",
+  "policyId": "P-7",
+  "policyVersion": 4,
+  "tenantId": "default",
+  "runId": "run:P-7:2025-10-26:auto",
+  "evaluatedAt": "2025-10-26T14:06:01+00:00",
+  "verdict": {
+    "status": "blocked",
+    "severity": "critical",
+    "score": 19.5,
+    "rationale": "Matches rule-block-critical"
+  },
+  "ruleChain": [
+    {
+      "ruleId": "rule-allow-known",
+      "ruleName": "Allow Known Vendors",
+      "action": "allow",
+      "decision": "skipped",
+      "condition": "when vendor == \"trusted\""
+    },
+    {
+      "ruleId": "rule-block-critical",
+      "ruleName": "Block Critical Findings",
+      "action": "block",
+      "decision": "matched",
+      "score": 19.5,
+      "condition": "when severity >= Critical"
+    }
+  ],
+  "evidence": [
+    {
+      "type": "advisory",
+      "reference": "CVE-2025-12345",
+      "source": "nvd",
+      "status": "affected",
+      "weight": 1,
+      "justification": "Vendor advisory",
+      "metadata": {}
+    },
+    {
+      "type": "vex",
+      "reference": "vex:ghsa-2025-0001",
+      "source": "vendor",
+      "status": "not_affected",
+      "weight": 0.5,
+      "justification": "Runtime unreachable",
+      "metadata": {
+        "justificationid": "csaf:justification/123"
+      }
+    }
+  ],
+  "vexImpacts": [
+    {
+      "statementId": "vex:ghsa-2025-0001",
+      "provider": "vendor",
+      "status": "not_affected",
+      "accepted": true,
+      "justification": "Runtime unreachable",
+      "confidence": "medium"
+    }
+  ],
+  "history": [
+    {
+      "status": "blocked",
+      "occurredAt": "2025-10-26T14:06:01+00:00",
+      "actor": "policy-engine",
+      "note": "Initial evaluation"
+    },
+    {
+      "status": "blocked",
+      "occurredAt": "2025-10-26T14:16:01+00:00",
+      "actor": "policy-engine",
+      "note": "Replay verification"
+    }
+  ],
+  "metadata": {
+    "componentpurl": "pkg:npm/lodash@4.17.21",
+    "sbomid": "sbom:S-42",
+    "traceid": "01HE0BJX5S4T9YCN6ZT0"
+  }
+}
--- a/samples/api/scheduler/policy-run-request.json
+++ b/samples/api/scheduler/policy-run-request.json
@@ -0,0 +1,29 @@
+{
+  "schemaVersion": "scheduler.policy-run-request@1",
+  "tenantId": "default",
+  "policyId": "P-7",
+  "policyVersion": 4,
+  "mode": "incremental",
+  "priority": "normal",
+  "runId": "run:P-7:2025-10-26:auto",
+  "queuedAt": "2025-10-26T14:05:00+00:00",
+  "requestedBy": "user:cli",
+  "correlationId": "req-20251026T140500Z",
+  "metadata": {
+    "source": "stella policy run",
+    "trigger": "cli"
+  },
+  "inputs": {
+    "sbomSet": [
+      "sbom:S-318",
+      "sbom:S-42"
+    ],
+    "advisoryCursor": "2025-10-26T13:59:00+00:00",
+    "vexCursor": "2025-10-26T13:58:30+00:00",
+    "environment": {
+      "exposure": "internet",
+      "sealed": false
+    },
+    "captureExplain": true
+  }
+}
--- a/samples/api/scheduler/policy-run-status.json
+++ b/samples/api/scheduler/policy-run-status.json
@@ -0,0 +1,41 @@
+{
+  "schemaVersion": "scheduler.policy-run-status@1",
+  "runId": "run:P-7:2025-10-26:auto",
+  "tenantId": "default",
+  "policyId": "P-7",
+  "policyVersion": 4,
+  "mode": "incremental",
+  "status": "succeeded",
+  "priority": "normal",
+  "queuedAt": "2025-10-26T14:05:00+00:00",
+  "startedAt": "2025-10-26T14:05:11+00:00",
+  "finishedAt": "2025-10-26T14:06:01+00:00",
+  "determinismHash": "sha256:e3c2b2f3b1aa4567890abcdef1234567890abcdef1234567890abcdef123456",
+  "traceId": "01HE0BJX5S4T9YCN6ZT0",
+  "explainUri": "blob://policy/P-7/runs/2025-10-26T14-06-01Z.json",
+  "metadata": {
+    "orchestrator": "scheduler",
+    "sbombatchhash": "sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
+  },
+  "stats": {
+    "components": 1742,
+    "rulesFired": 68023,
+    "findingsWritten": 4321,
+    "vexOverrides": 210,
+    "quieted": 12,
+    "durationSeconds": 50.8
+  },
+  "inputs": {
+    "sbomSet": [
+      "sbom:S-318",
+      "sbom:S-42"
+    ],
+    "advisoryCursor": "2025-10-26T13:59:00+00:00",
+    "vexCursor": "2025-10-26T13:58:30+00:00",
+    "environment": {
+      "exposure": "internet",
+      "sealed": false
+    },
+    "captureExplain": true
+  }
+}
--- a/samples/api/scheduler/run-summary.json
+++ b/samples/api/scheduler/run-summary.json
@@ -0,0 +1,101 @@
+{
+  "tenantId": "tenant-alpha",
+  "scheduleId": "sch_20251018a",
+  "updatedAt": "2025-10-18T22:10:10Z",
+  "lastRun": {
+    "runId": "run_20251018_0001",
+    "trigger": "feedser",
+    "state": "completed",
+    "createdAt": "2025-10-18T22:03:14Z",
+    "startedAt": "2025-10-18T22:03:20Z",
+    "finishedAt": "2025-10-18T22:08:45Z",
+    "stats": {
+      "candidates": 1280,
+      "deduped": 910,
+      "queued": 0,
+      "completed": 910,
+      "deltas": 42,
+      "newCriticals": 7,
+      "newHigh": 11,
+      "newMedium": 18,
+      "newLow": 6
+    },
+    "error": null
+  },
+  "recent": [
+    {
+      "runId": "run_20251018_0001",
+      "trigger": "feedser",
+      "state": "completed",
+      "createdAt": "2025-10-18T22:03:14Z",
+      "startedAt": "2025-10-18T22:03:20Z",
+      "finishedAt": "2025-10-18T22:08:45Z",
+      "stats": {
+        "candidates": 1280,
+        "deduped": 910,
+        "queued": 0,
+        "completed": 910,
+        "deltas": 42,
+        "newCriticals": 7,
+        "newHigh": 11,
+        "newMedium": 18,
+        "newLow": 6
+      },
+      "error": null
+    },
+    {
+      "runId": "run_20251017_0003",
+      "trigger": "cron",
+      "state": "error",
+      "createdAt": "2025-10-17T22:01:02Z",
+      "startedAt": "2025-10-17T22:01:08Z",
+      "finishedAt": "2025-10-17T22:04:11Z",
+      "stats": {
+        "candidates": 1040,
+        "deduped": 812,
+        "queued": 0,
+        "completed": 640,
+        "deltas": 18,
+        "newCriticals": 2,
+        "newHigh": 4,
+        "newMedium": 7,
+        "newLow": 3
+      },
+      "error": "scanner timeout"
+    },
+    {
+      "runId": "run_20251016_0007",
+      "trigger": "manual",
+      "state": "cancelled",
+      "createdAt": "2025-10-16T20:00:00Z",
+      "startedAt": "2025-10-16T20:00:04Z",
+      "finishedAt": null,
+      "stats": {
+        "candidates": 820,
+        "deduped": 640,
+        "queued": 0,
+        "completed": 0,
+        "deltas": 0,
+        "newCriticals": 0,
+        "newHigh": 0,
+        "newMedium": 0,
+        "newLow": 0
+      },
+      "error": null
+    }
+  ],
+  "counters": {
+    "total": 3,
+    "planning": 0,
+    "queued": 0,
+    "running": 0,
+    "completed": 1,
+    "error": 1,
+    "cancelled": 1,
+    "totalDeltas": 60,
+    "totalNewCriticals": 9,
+    "totalNewHigh": 15,
+    "totalNewMedium": 25,
+    "totalNewLow": 9
+  }
+}
--- a/samples/policy/README.md
+++ b/samples/policy/README.md
@@ -0,0 +1,25 @@
+# Policy Samples
+
+Curated fixtures used by CI smoke/determinism checks and example documentation.
+
+| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
+|----------|--------|----------|---------------|---------------------|
+| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
+| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
+| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
+
+Run the simulation harness locally:
+
+```bash
+dotnet run \
+  --project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
+  -- \
+  --scenario-root samples/policy/simulations \
+  --output out/policy-simulations
+```
+
+Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
+
+---
+
+*Last updated: 2025-10-26.*
--- a/samples/policy/baseline/diffs.json
+++ b/samples/policy/baseline/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "status": "Blocked",
+    "rule": "block_critical"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "status": "Warned",
+    "rule": "alert_warn_eol_runtime"
+  }
+]
--- a/samples/policy/baseline/findings.json
+++ b/samples/policy/baseline/findings.json
@@ -0,0 +1,14 @@
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "severity": "Critical",
+    "source": "NVD",
+    "environment": "internet"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "severity": "Low",
+    "source": "NVD",
+    "tags": ["runtime:eol"]
+  }
+]
--- a/samples/policy/internal-only/diffs.json
+++ b/samples/policy/internal-only/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  }
+]
--- a/samples/policy/internal-only/findings.json
+++ b/samples/policy/internal-only/findings.json
@@ -0,0 +1,15 @@
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "severity": "Medium",
+    "source": "GHSA",
+    "environment": "internal"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "severity": "High",
+    "source": "NVD",
+    "tags": ["kev"],
+    "environment": "internal"
+  }
+]
--- a/samples/policy/serverless/diffs.json
+++ b/samples/policy/serverless/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "status": "Blocked",
+    "rule": "block_any_high"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "status": "Blocked",
+    "rule": "forbid_unpinned_base"
+  }
+]
--- a/samples/policy/serverless/findings.json
+++ b/samples/policy/serverless/findings.json
@@ -0,0 +1,15 @@
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "severity": "High",
+    "source": "NVD",
+    "environment": "serverless"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "severity": "Medium",
+    "source": "NVD",
+    "tags": ["image:latest-tag"],
+    "environment": "serverless"
+  }
+]
--- a/samples/policy/simulations/baseline/diff.json
+++ b/samples/policy/simulations/baseline/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "baseline",
+    "policyDigest": "sha256:simulation-baseline",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_critical",
+      "notes": "Critical severity must be remediated before deploy."
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Warned",
+      "rule": "alert_warn_eol_runtime",
+      "notes": "Runtime marked as EOL; upgrade recommended."
+    }
+  ]
+}
--- a/samples/policy/simulations/baseline/scenario.json
+++ b/samples/policy/simulations/baseline/scenario.json
@@ -0,0 +1,21 @@
+{
+  "name": "baseline",
+  "policyPath": "docs/examples/policies/baseline.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "severity": "Critical",
+      "source": "NVD"
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "severity": "Low",
+      "source": "NVD",
+      "tags": ["runtime:eol"]
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
+    { "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
+  ]
+}
--- a/samples/policy/simulations/internal-only/diff.json
+++ b/samples/policy/simulations/internal-only/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "internal-only",
+    "policyDigest": "sha256:simulation-internal-only",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    }
+  ]
+}
--- a/samples/policy/simulations/internal-only/scenario.json
+++ b/samples/policy/simulations/internal-only/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "internal-only",
+  "policyPath": "docs/examples/policies/internal-only.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "severity": "Medium",
+      "source": "GHSA",
+      "environment": "internal"
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "severity": "High",
+      "source": "NVD",
+      "tags": ["kev"],
+      "environment": "internal"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
+    { "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
+  ]
+}
--- a/samples/policy/simulations/serverless/diff.json
+++ b/samples/policy/simulations/serverless/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "serverless",
+    "policyDigest": "sha256:simulation-serverless",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_any_high",
+      "notes": "Serverless workloads block High+ severities."
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "forbid_unpinned_base",
+      "notes": "Base image must be pinned (no :latest)."
+    }
+  ]
+}
--- a/samples/policy/simulations/serverless/scenario.json
+++ b/samples/policy/simulations/serverless/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "serverless",
+  "policyPath": "docs/examples/policies/serverless.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "severity": "High",
+      "source": "NVD",
+      "environment": "serverless"
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "severity": "Medium",
+      "source": "NVD",
+      "tags": ["image:latest-tag"],
+      "environment": "serverless"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
+    { "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
+  ]
+}