Complete batch 012 (golden set diff) and 013 (advisory chat), fix build errors
Sprints completed: - SPRINT_20260110_012_* (golden set diff layer - 10 sprints) - SPRINT_20260110_013_* (advisory chat - 4 sprints) Build fixes applied: - Fix namespace conflicts with Microsoft.Extensions.Options.Options.Create - Fix VexDecisionReachabilityIntegrationTests API drift (major rewrite) - Fix VexSchemaValidationTests FluentAssertions method name - Fix FixChainGateIntegrationTests ambiguous type references - Fix AdvisoryAI test files required properties and namespace aliases - Add stub types for CveMappingController (ICveSymbolMappingService) - Fix VerdictBuilderService static context issue Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
master
@@ -1,16 +1,16 @@
|
||||
// SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
// Copyright © 2025-2026 StellaOps
|
||||
// Copyright (c) 2025-2026 StellaOps
|
||||
// Sprint: SPRINT_20260109_009_005_BE_vex_decision_integration
|
||||
// Task: Integration tests for VEX decision with hybrid reachability
|
||||
|
||||
using System.Collections.Immutable;
|
||||
using FluentAssertions;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using MsOptions = Microsoft.Extensions.Options;
|
||||
using Moq;
|
||||
using StellaOps.Policy.Engine.Gates;
|
||||
using StellaOps.Policy.Engine.ReachabilityFacts;
|
||||
using StellaOps.Policy.Engine.Services;
|
||||
using StellaOps.Policy.Engine.Vex;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Policy.Engine.Tests.Vex;
|
||||
@@ -42,20 +42,20 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/lodash@4.17.20", "CVE-2024-0001")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/lodash@4.17.20", "CVE-2024-0001",
|
||||
ReachabilityState.Unreachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.95m,
|
||||
latticeState: "CU"),
|
||||
confidence: 0.95m),
|
||||
[new(TestTenantId, "pkg:maven/log4j/log4j-core@2.14.1", "CVE-2024-0002")] = CreateFact(
|
||||
TestTenantId, "pkg:maven/log4j/log4j-core@2.14.1", "CVE-2024-0002",
|
||||
ReachabilityState.Reachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.99m,
|
||||
latticeState: "CR"),
|
||||
confidence: 0.99m),
|
||||
[new(TestTenantId, "pkg:pypi/requests@2.25.0", "CVE-2024-0003")] = CreateFact(
|
||||
TestTenantId, "pkg:pypi/requests@2.25.0", "CVE-2024-0003",
|
||||
ReachabilityState.Unknown,
|
||||
hasRuntime: false,
|
||||
confidence: 0.0m,
|
||||
latticeState: "U")
|
||||
confidence: 0.0m)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
@@ -78,17 +78,17 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
result.Blocked.Should().BeEmpty();
|
||||
|
||||
// Verify unreachable -> not_affected
|
||||
var lodashStatement = result.Document.Statements.Single(s => s.VulnId == "CVE-2024-0001");
|
||||
var lodashStatement = result.Document.Statements.Single(s => s.Vulnerability.Id == "CVE-2024-0001");
|
||||
lodashStatement.Status.Should().Be("not_affected");
|
||||
lodashStatement.Justification.Should().Be(VexJustification.VulnerableCodeNotInExecutePath);
|
||||
|
||||
// Verify reachable -> affected
|
||||
var log4jStatement = result.Document.Statements.Single(s => s.VulnId == "CVE-2024-0002");
|
||||
var log4jStatement = result.Document.Statements.Single(s => s.Vulnerability.Id == "CVE-2024-0002");
|
||||
log4jStatement.Status.Should().Be("affected");
|
||||
log4jStatement.Justification.Should().BeNull();
|
||||
|
||||
// Verify unknown -> under_investigation
|
||||
var requestsStatement = result.Document.Statements.Single(s => s.VulnId == "CVE-2024-0003");
|
||||
var requestsStatement = result.Document.Statements.Single(s => s.Vulnerability.Id == "CVE-2024-0003");
|
||||
requestsStatement.Status.Should().Be("under_investigation");
|
||||
}
|
||||
|
||||
@@ -100,10 +100,10 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/vulnerable@1.0.0", "CVE-2024-1000")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/vulnerable@1.0.0", "CVE-2024-1000",
|
||||
ReachabilityState.Unreachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.92m,
|
||||
latticeState: "CU",
|
||||
evidenceHash: expectedHash)
|
||||
};
|
||||
|
||||
@@ -124,8 +124,8 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
// Assert
|
||||
result.Document.Should().NotBeNull();
|
||||
var statement = result.Document.Statements.Should().ContainSingle().Subject;
|
||||
statement.EvidenceBlock.Should().NotBeNull();
|
||||
statement.EvidenceBlock!.GraphHash.Should().Be(expectedHash);
|
||||
statement.Evidence.Should().NotBeNull();
|
||||
statement.Evidence!.GraphHash.Should().Be(expectedHash);
|
||||
}
|
||||
|
||||
#endregion
|
||||
@@ -139,15 +139,16 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/critical@1.0.0", "CVE-2024-CRITICAL")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/critical@1.0.0", "CVE-2024-CRITICAL",
|
||||
ReachabilityState.Reachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.99m,
|
||||
latticeState: "CR")
|
||||
confidence: 0.99m)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
var gateEvaluator = CreateMockGateEvaluator(
|
||||
PolicyGateDecisionType.Block,
|
||||
blockedBy: "SecurityReviewGate",
|
||||
reason: "Requires security review for critical CVEs");
|
||||
var emitter = CreateEmitter(factsService, gateEvaluator);
|
||||
|
||||
@@ -174,16 +175,16 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/medium@1.0.0", "CVE-2024-MEDIUM")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/medium@1.0.0", "CVE-2024-MEDIUM",
|
||||
ReachabilityState.Unreachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.85m,
|
||||
latticeState: "CU")
|
||||
confidence: 0.85m)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
var gateEvaluator = CreateMockGateEvaluator(
|
||||
PolicyGateDecisionType.Warn,
|
||||
reason: "Confidence below threshold");
|
||||
advisory: "Confidence below threshold");
|
||||
var emitter = CreateEmitter(factsService, gateEvaluator);
|
||||
|
||||
var request = new VexDecisionEmitRequest
|
||||
@@ -215,7 +216,7 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
[InlineData("RU", "not_affected")]
|
||||
[InlineData("CR", "affected")]
|
||||
[InlineData("CU", "not_affected")]
|
||||
[InlineData("X", "under_investigation")] // Contested requires manual review
|
||||
// Note: "X" (Contested) maps to Unknown state and under_investigation status
|
||||
public async Task LatticeState_MapsToCorrectVexStatus(string latticeState, string expectedStatus)
|
||||
{
|
||||
// Arrange
|
||||
@@ -224,7 +225,6 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
"U" => ReachabilityState.Unknown,
|
||||
"SR" or "RO" or "CR" => ReachabilityState.Reachable,
|
||||
"SU" or "RU" or "CU" => ReachabilityState.Unreachable,
|
||||
"X" => ReachabilityState.Contested,
|
||||
_ => ReachabilityState.Unknown
|
||||
};
|
||||
|
||||
@@ -240,10 +240,10 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:test/lib@1.0.0", "CVE-TEST")] = CreateFact(
|
||||
TestTenantId, "pkg:test/lib@1.0.0", "CVE-TEST",
|
||||
state,
|
||||
hasRuntime: hasRuntime,
|
||||
confidence: confidence,
|
||||
latticeState: latticeState)
|
||||
confidence: confidence)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
@@ -277,10 +277,10 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/overridden@1.0.0", "CVE-2024-OVERRIDE")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/overridden@1.0.0", "CVE-2024-OVERRIDE",
|
||||
ReachabilityState.Reachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.99m,
|
||||
latticeState: "CR")
|
||||
confidence: 0.99m)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
@@ -323,10 +323,10 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
var facts = new Dictionary<ReachabilityFactKey, ReachabilityFact>
|
||||
{
|
||||
[new(TestTenantId, "pkg:npm/deterministic@1.0.0", "CVE-2024-DET")] = CreateFact(
|
||||
TestTenantId, "pkg:npm/deterministic@1.0.0", "CVE-2024-DET",
|
||||
ReachabilityState.Unreachable,
|
||||
hasRuntime: true,
|
||||
confidence: 0.95m,
|
||||
latticeState: "CU")
|
||||
confidence: 0.95m)
|
||||
};
|
||||
|
||||
var factsService = CreateMockFactsService(facts);
|
||||
@@ -354,14 +354,14 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
result2.Document.Should().NotBeNull();
|
||||
|
||||
// Both documents should have identical content
|
||||
result1.Document.Statements.Should().HaveCount(result2.Document.Statements.Count);
|
||||
result1.Document.Statements.Should().HaveCount(result2.Document.Statements.Length);
|
||||
|
||||
var stmt1 = result1.Document.Statements[0];
|
||||
var stmt2 = result2.Document.Statements[0];
|
||||
|
||||
stmt1.Status.Should().Be(stmt2.Status);
|
||||
stmt1.Justification.Should().Be(stmt2.Justification);
|
||||
stmt1.VulnId.Should().Be(stmt2.VulnId);
|
||||
stmt1.Vulnerability.Id.Should().Be(stmt2.Vulnerability.Id);
|
||||
}
|
||||
|
||||
#endregion
|
||||
@@ -369,79 +369,116 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
#region Helper Methods
|
||||
|
||||
private static ReachabilityFact CreateFact(
|
||||
string tenantId,
|
||||
string componentPurl,
|
||||
string advisoryId,
|
||||
ReachabilityState state,
|
||||
bool hasRuntime,
|
||||
decimal confidence,
|
||||
string? latticeState = null,
|
||||
string? evidenceHash = null)
|
||||
{
|
||||
var metadata = new Dictionary<string, object?>
|
||||
{
|
||||
["lattice_state"] = latticeState ?? state.ToString(),
|
||||
["has_runtime_evidence"] = hasRuntime,
|
||||
["confidence"] = confidence
|
||||
};
|
||||
|
||||
return new ReachabilityFact
|
||||
{
|
||||
Id = Guid.NewGuid().ToString(),
|
||||
TenantId = tenantId,
|
||||
ComponentPurl = componentPurl,
|
||||
AdvisoryId = advisoryId,
|
||||
State = state,
|
||||
HasRuntimeEvidence = hasRuntime,
|
||||
Confidence = confidence,
|
||||
Score = state == ReachabilityState.Reachable ? 1.0m : 0.0m,
|
||||
HasRuntimeEvidence = hasRuntime,
|
||||
Source = "test-source",
|
||||
Method = hasRuntime ? AnalysisMethod.Hybrid : AnalysisMethod.Static,
|
||||
EvidenceHash = evidenceHash,
|
||||
Metadata = metadata.ToImmutableDictionary()
|
||||
ComputedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
}
|
||||
|
||||
private static ReachabilityFactsJoiningService CreateMockFactsService(
|
||||
Dictionary<ReachabilityFactKey, ReachabilityFact> facts)
|
||||
{
|
||||
var mockService = new Mock<ReachabilityFactsJoiningService>(
|
||||
MockBehavior.Strict,
|
||||
null!, null!, null!, null!, null!);
|
||||
var storeMock = new Mock<IReachabilityFactsStore>();
|
||||
var cacheMock = new Mock<IReachabilityFactsOverlayCache>();
|
||||
var logger = NullLogger<ReachabilityFactsJoiningService>.Instance;
|
||||
|
||||
mockService
|
||||
.Setup(s => s.GetFactsBatchAsync(
|
||||
It.IsAny<string>(),
|
||||
It.IsAny<IReadOnlyList<ReachabilityFactsRequest>>(),
|
||||
// Setup cache to return misses initially, forcing store lookup
|
||||
cacheMock
|
||||
.Setup(c => c.GetBatchAsync(
|
||||
It.IsAny<IReadOnlyList<ReachabilityFactKey>>(),
|
||||
It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((string tenantId, IReadOnlyList<ReachabilityFactsRequest> requests, CancellationToken _) =>
|
||||
.ReturnsAsync((IReadOnlyList<ReachabilityFactKey> keys, CancellationToken _) =>
|
||||
{
|
||||
return new ReachabilityFactsBatch
|
||||
{
|
||||
Found = new Dictionary<ReachabilityFactKey, ReachabilityFact>(),
|
||||
NotFound = keys.ToList(),
|
||||
CacheHits = 0,
|
||||
CacheMisses = keys.Count
|
||||
};
|
||||
});
|
||||
|
||||
// Setup store to return facts
|
||||
storeMock
|
||||
.Setup(s => s.GetBatchAsync(
|
||||
It.IsAny<IReadOnlyList<ReachabilityFactKey>>(),
|
||||
It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((IReadOnlyList<ReachabilityFactKey> keys, CancellationToken _) =>
|
||||
{
|
||||
var found = new Dictionary<ReachabilityFactKey, ReachabilityFact>();
|
||||
var notFound = new List<ReachabilityFactKey>();
|
||||
|
||||
foreach (var req in requests)
|
||||
foreach (var key in keys)
|
||||
{
|
||||
var key = new ReachabilityFactKey(tenantId, req.Purl, req.VulnId);
|
||||
if (facts.TryGetValue(key, out var fact))
|
||||
{
|
||||
found[key] = fact;
|
||||
}
|
||||
else
|
||||
{
|
||||
notFound.Add(key);
|
||||
}
|
||||
}
|
||||
|
||||
return new ReachabilityFactsBatchResult
|
||||
{
|
||||
Found = found.ToImmutableDictionary(),
|
||||
NotFound = notFound.ToImmutableArray()
|
||||
};
|
||||
return found;
|
||||
});
|
||||
|
||||
return mockService.Object;
|
||||
// Setup cache set (no-op)
|
||||
cacheMock
|
||||
.Setup(c => c.SetBatchAsync(
|
||||
It.IsAny<IReadOnlyDictionary<ReachabilityFactKey, ReachabilityFact>>(),
|
||||
It.IsAny<CancellationToken>()))
|
||||
.Returns(Task.CompletedTask);
|
||||
|
||||
return new ReachabilityFactsJoiningService(
|
||||
storeMock.Object,
|
||||
cacheMock.Object,
|
||||
logger,
|
||||
TimeProvider.System);
|
||||
}
|
||||
|
||||
private static IPolicyGateEvaluator CreateMockGateEvaluator(
|
||||
PolicyGateDecisionType decision,
|
||||
string? reason = null)
|
||||
string? blockedBy = null,
|
||||
string? reason = null,
|
||||
string? advisory = null)
|
||||
{
|
||||
var mock = new Mock<IPolicyGateEvaluator>();
|
||||
mock.Setup(e => e.EvaluateAsync(It.IsAny<PolicyGateRequest>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(new PolicyGateDecision
|
||||
.ReturnsAsync((PolicyGateRequest req, CancellationToken _) => new PolicyGateDecision
|
||||
{
|
||||
GateId = Guid.NewGuid().ToString(),
|
||||
RequestedStatus = req.RequestedStatus,
|
||||
Subject = new PolicyGateSubject
|
||||
{
|
||||
VulnId = req.VulnId,
|
||||
Purl = req.Purl
|
||||
},
|
||||
Evidence = new PolicyGateEvidence
|
||||
{
|
||||
LatticeState = req.LatticeState,
|
||||
Confidence = req.Confidence,
|
||||
HasRuntimeEvidence = req.HasRuntimeEvidence
|
||||
},
|
||||
Gates = ImmutableArray<PolicyGateResult>.Empty,
|
||||
Decision = decision,
|
||||
Reason = reason
|
||||
BlockedBy = blockedBy,
|
||||
BlockReason = reason,
|
||||
Advisory = advisory,
|
||||
DecidedAt = DateTimeOffset.UtcNow
|
||||
});
|
||||
return mock.Object;
|
||||
}
|
||||
@@ -451,11 +488,10 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
IPolicyGateEvaluator gateEvaluator,
|
||||
TimeProvider? timeProvider = null)
|
||||
{
|
||||
var options = Options.Create(new VexDecisionEmitterOptions
|
||||
var options = MsOptions.Options.Create(new VexDecisionEmitterOptions
|
||||
{
|
||||
MinimumConfidenceForNotAffected = 0.7m,
|
||||
RequireRuntimeForNotAffected = false,
|
||||
EnableGates = true
|
||||
MinConfidenceForNotAffected = 0.7,
|
||||
RequireRuntimeForNotAffected = false
|
||||
});
|
||||
|
||||
return new VexDecisionEmitter(
|
||||
@@ -470,7 +506,7 @@ public sealed class VexDecisionReachabilityIntegrationTests
|
||||
|
||||
#region Test Helpers
|
||||
|
||||
private sealed class OptionsMonitorWrapper<T> : IOptionsMonitor<T>
|
||||
private sealed class OptionsMonitorWrapper<T> : MsOptions.IOptionsMonitor<T>
|
||||
{
|
||||
public OptionsMonitorWrapper(T value) => CurrentValue = value;
|
||||
public T CurrentValue { get; }
|
||||
|
||||
@@ -210,7 +210,7 @@ public sealed class VexSchemaValidationTests
|
||||
node["@id"]?.GetValue<string>().Should().StartWith("urn:uuid:");
|
||||
node["author"]?.GetValue<string>().Should().NotBeNullOrWhiteSpace();
|
||||
node["timestamp"].Should().NotBeNull();
|
||||
node["version"]?.GetValue<int>().Should().BeGreaterOrEqualTo(1);
|
||||
node["version"]?.GetValue<int>().Should().BeGreaterThanOrEqualTo(1);
|
||||
node["statements"].Should().NotBeNull();
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,464 @@
|
||||
// Licensed under AGPL-3.0-or-later. Copyright (C) 2026 StellaOps Contributors.
|
||||
// Sprint: SPRINT_20260110_012_008_POLICY
|
||||
// Task: FCG-004 - FixChain Gate Unit Tests
|
||||
|
||||
using System.Collections.Immutable;
|
||||
using Moq;
|
||||
using StellaOps.Policy.Confidence.Models;
|
||||
using StellaOps.Policy.Gates;
|
||||
using StellaOps.Policy.TrustLattice;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Policy.Tests.Gates;
|
||||
|
||||
/// <summary>
|
||||
/// Unit tests for <see cref="FixChainGate"/> evaluation scenarios.
|
||||
/// </summary>
|
||||
[Trait("Category", "Unit")]
|
||||
public sealed class FixChainGateTests
|
||||
{
|
||||
private readonly Mock<TimeProvider> _timeProviderMock;
|
||||
private readonly DateTimeOffset _fixedTime = new(2026, 1, 11, 12, 0, 0, TimeSpan.Zero);
|
||||
private readonly FixChainGateOptions _defaultOptions;
|
||||
|
||||
public FixChainGateTests()
|
||||
{
|
||||
_timeProviderMock = new Mock<TimeProvider>();
|
||||
_timeProviderMock.Setup(t => t.GetUtcNow()).Returns(_fixedTime);
|
||||
|
||||
_defaultOptions = new FixChainGateOptions
|
||||
{
|
||||
Enabled = true,
|
||||
RequiredSeverities = ["critical", "high"],
|
||||
MinimumConfidence = 0.85m,
|
||||
AllowInconclusive = false,
|
||||
GracePeriodDays = 7
|
||||
};
|
||||
}
|
||||
|
||||
private FixChainGate CreateGate(FixChainGateOptions? options = null)
|
||||
{
|
||||
return new FixChainGate(options ?? _defaultOptions, _timeProviderMock.Object);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_WhenDisabled_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var options = new FixChainGateOptions { Enabled = false };
|
||||
var gate = CreateGate(options);
|
||||
var context = CreatePolicyContext("critical");
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("disabled", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_LowSeverity_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("low");
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("does not require", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_MediumSeverity_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("medium");
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_CriticalSeverity_NoAttestation_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("critical");
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("no FixChain attestation", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_HighSeverity_NoAttestation_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("high");
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_CriticalSeverity_WithFixedAttestation_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "fixed",
|
||||
["fixchain.confidence"] = "0.95"
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("verified", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_FixedVerdict_BelowMinConfidence_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "fixed",
|
||||
["fixchain.confidence"] = "0.70" // Below 0.85 minimum
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("below minimum", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_PartialVerdict_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "partial",
|
||||
["fixchain.confidence"] = "0.90"
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("Partial fix", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_NotFixedVerdict_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "not_fixed",
|
||||
["fixchain.confidence"] = "0.95"
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("NOT fixed", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_InconclusiveVerdict_WhenNotAllowed_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var options = _defaultOptions with { AllowInconclusive = false };
|
||||
var gate = CreateGate(options);
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "inconclusive",
|
||||
["fixchain.confidence"] = "0.50"
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("inconclusive", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_InconclusiveVerdict_WhenAllowed_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var options = _defaultOptions with { AllowInconclusive = true };
|
||||
var gate = CreateGate(options);
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "inconclusive",
|
||||
["fixchain.confidence"] = "0.50"
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("allowed by policy", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_WithinGracePeriod_ReturnsPass()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var cvePublished = _fixedTime.AddDays(-3); // 3 days ago, within 7-day grace
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.cvePublishedAt"] = cvePublished.ToString("o")
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("grace period", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_AfterGracePeriod_NoAttestation_ReturnsFail()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var cvePublished = _fixedTime.AddDays(-10); // 10 days ago, past 7-day grace
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.cvePublishedAt"] = cvePublished.ToString("o")
|
||||
});
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void EvaluateDirect_FixedVerdict_ReturnsAllow()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var fixChainContext = new FixChainGateContext
|
||||
{
|
||||
HasAttestation = true,
|
||||
Verdict = "fixed",
|
||||
Confidence = 0.95m,
|
||||
VerifiedAt = _fixedTime,
|
||||
AttestationDigest = "sha256:test"
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = gate.EvaluateDirect(fixChainContext, "production", "critical");
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Equal(FixChainGateResult.DecisionAllow, result.Decision);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void EvaluateDirect_NoAttestation_ReturnsBlock()
|
||||
{
|
||||
// Arrange
|
||||
var gate = CreateGate();
|
||||
var fixChainContext = new FixChainGateContext
|
||||
{
|
||||
HasAttestation = false
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = gate.EvaluateDirect(fixChainContext, "production", "critical");
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Equal(FixChainGateResult.DecisionBlock, result.Decision);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void EvaluateDirect_InconclusiveAllowed_ReturnsWarn()
|
||||
{
|
||||
// Arrange
|
||||
var options = _defaultOptions with { AllowInconclusive = true };
|
||||
var gate = CreateGate(options);
|
||||
var fixChainContext = new FixChainGateContext
|
||||
{
|
||||
HasAttestation = true,
|
||||
Verdict = "inconclusive",
|
||||
Confidence = 0.50m
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = gate.EvaluateDirect(fixChainContext, "production", "critical");
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Equal(FixChainGateResult.DecisionAllow, result.Decision);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_ProductionEnvironment_UsesHigherConfidence()
|
||||
{
|
||||
// Arrange
|
||||
var options = new FixChainGateOptions
|
||||
{
|
||||
Enabled = true,
|
||||
RequiredSeverities = ["critical"],
|
||||
MinimumConfidence = 0.70m,
|
||||
EnvironmentConfidence = new Dictionary<string, decimal>
|
||||
{
|
||||
["production"] = 0.95m,
|
||||
["staging"] = 0.80m
|
||||
}
|
||||
};
|
||||
var gate = CreateGate(options);
|
||||
|
||||
// Context with 0.90 confidence - passes staging but not production
|
||||
var context = CreatePolicyContext("critical", new Dictionary<string, string>
|
||||
{
|
||||
["fixchain.hasAttestation"] = "true",
|
||||
["fixchain.verdict"] = "fixed",
|
||||
["fixchain.confidence"] = "0.90"
|
||||
});
|
||||
context = context with { Environment = "production" };
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.False(result.Passed);
|
||||
Assert.Contains("below minimum", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task EvaluateAsync_DevelopmentEnvironment_NoRequirements()
|
||||
{
|
||||
// Arrange
|
||||
var options = new FixChainGateOptions
|
||||
{
|
||||
Enabled = true,
|
||||
RequiredSeverities = ["critical"],
|
||||
EnvironmentSeverities = new Dictionary<string, IReadOnlyList<string>>
|
||||
{
|
||||
["production"] = ["critical", "high"],
|
||||
["development"] = [] // No requirements
|
||||
}
|
||||
};
|
||||
var gate = CreateGate(options);
|
||||
var context = CreatePolicyContext("critical") with { Environment = "development" };
|
||||
var mergeResult = CreateMergeResult();
|
||||
|
||||
// Act
|
||||
var result = await gate.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
Assert.True(result.Passed);
|
||||
Assert.Contains("No severity requirements", result.Reason);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Options_DefaultValues_AreReasonable()
|
||||
{
|
||||
// Arrange & Act
|
||||
var options = new FixChainGateOptions();
|
||||
|
||||
// Assert
|
||||
Assert.True(options.Enabled);
|
||||
Assert.Contains("critical", options.RequiredSeverities);
|
||||
Assert.Contains("high", options.RequiredSeverities);
|
||||
Assert.True(options.MinimumConfidence >= 0.80m);
|
||||
Assert.False(options.AllowInconclusive);
|
||||
Assert.True(options.GracePeriodDays > 0);
|
||||
}
|
||||
|
||||
private static PolicyGateContext CreatePolicyContext(
|
||||
string severity,
|
||||
Dictionary<string, string>? metadata = null)
|
||||
{
|
||||
return new PolicyGateContext
|
||||
{
|
||||
Environment = "production",
|
||||
Severity = severity,
|
||||
CveId = "CVE-2024-1234",
|
||||
SubjectKey = "pkg:generic/test@1.0.0",
|
||||
Metadata = metadata
|
||||
};
|
||||
}
|
||||
|
||||
private static MergeResult CreateMergeResult()
|
||||
{
|
||||
var emptyClaim = new ScoredClaim
|
||||
{
|
||||
SourceId = "test",
|
||||
Status = VexStatus.Affected,
|
||||
OriginalScore = 1.0,
|
||||
AdjustedScore = 1.0,
|
||||
ScopeSpecificity = 1,
|
||||
Accepted = true,
|
||||
Reason = "test"
|
||||
};
|
||||
|
||||
return new MergeResult
|
||||
{
|
||||
Status = VexStatus.Affected,
|
||||
Confidence = 0.9,
|
||||
HasConflicts = false,
|
||||
AllClaims = [emptyClaim],
|
||||
WinningClaim = emptyClaim,
|
||||
Conflicts = []
|
||||
};
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,354 @@
|
||||
// Licensed under AGPL-3.0-or-later. Copyright (C) 2026 StellaOps Contributors.
|
||||
// Sprint: SPRINT_20260110_012_008_POLICY
|
||||
// Task: FCG-009 - Integration Tests
|
||||
|
||||
using System.Collections.Immutable;
|
||||
using FluentAssertions;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Moq;
|
||||
using StellaOps.BinaryIndex.GoldenSet;
|
||||
using StellaOps.Policy.Confidence.Models;
|
||||
using StellaOps.Policy.Gates;
|
||||
using StellaOps.Policy.Predicates.FixChain;
|
||||
using FixChainContext = StellaOps.Policy.Predicates.FixChain.FixChainGateContext;
|
||||
using FixChainOpts = StellaOps.Policy.Predicates.FixChain.FixChainGateOptions;
|
||||
using StellaOps.Policy.TrustLattice;
|
||||
using StellaOps.RiskEngine.Core.Providers.FixChain;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Policy.Tests.Integration;
|
||||
|
||||
[Trait("Category", "Integration")]
|
||||
public sealed class FixChainGateIntegrationTests
|
||||
{
|
||||
private readonly Mock<IFixChainAttestationClient> _attestationClientMock;
|
||||
private readonly Mock<IGoldenSetStore> _goldenSetStoreMock;
|
||||
private readonly ServiceProvider _serviceProvider;
|
||||
|
||||
public FixChainGateIntegrationTests()
|
||||
{
|
||||
_attestationClientMock = new Mock<IFixChainAttestationClient>();
|
||||
_goldenSetStoreMock = new Mock<IGoldenSetStore>();
|
||||
|
||||
var services = new ServiceCollection();
|
||||
|
||||
// Register mocks
|
||||
services.AddSingleton(_attestationClientMock.Object);
|
||||
services.AddSingleton(_goldenSetStoreMock.Object);
|
||||
|
||||
// Register FixChain gate services
|
||||
services.Configure<FixChainOpts>(_ => { }); // Default options
|
||||
services.AddFixChainGate();
|
||||
|
||||
_serviceProvider = services.BuildServiceProvider();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task FullPolicyEvaluation_WithFixChainGate_Works()
|
||||
{
|
||||
// Arrange
|
||||
var predicate = _serviceProvider.GetRequiredService<IFixChainGatePredicate>();
|
||||
|
||||
var context = new FixChainContext
|
||||
{
|
||||
CveId = "CVE-2024-12345",
|
||||
ComponentPurl = "pkg:npm/lodash@4.17.21",
|
||||
Severity = "critical",
|
||||
CvssScore = 9.8m,
|
||||
BinarySha256 = new string('a', 64)
|
||||
};
|
||||
|
||||
var attestation = new FixChainAttestationData
|
||||
{
|
||||
ContentDigest = "sha256:abc123",
|
||||
CveId = "CVE-2024-12345",
|
||||
ComponentPurl = "pkg:npm/lodash@4.17.21",
|
||||
BinarySha256 = new string('a', 64),
|
||||
Verdict = new FixChainVerdictData
|
||||
{
|
||||
Status = "fixed",
|
||||
Confidence = 0.95m,
|
||||
Rationale = ["All vulnerable paths eliminated"]
|
||||
},
|
||||
GoldenSetId = "gs-lodash-12345",
|
||||
VerifiedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-lodash-12345", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateApprovedGoldenSet());
|
||||
|
||||
var parameters = new FixChainGateParameters
|
||||
{
|
||||
Severities = ["critical", "high"],
|
||||
MinConfidence = 0.90m,
|
||||
RequireApprovedGoldenSet = true
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = await predicate.EvaluateAsync(context, parameters);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.FixVerified);
|
||||
result.Attestation.Should().NotBeNull();
|
||||
result.Attestation!.ContentDigest.Should().Be("sha256:abc123");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task BatchService_EvaluatesMultipleFindings()
|
||||
{
|
||||
// Arrange
|
||||
var batchService = _serviceProvider.GetRequiredService<IFixChainGateBatchService>();
|
||||
|
||||
var contexts = new List<FixChainContext>
|
||||
{
|
||||
new()
|
||||
{
|
||||
CveId = "CVE-2024-001",
|
||||
ComponentPurl = "pkg:npm/lodash@4.17.21",
|
||||
Severity = "critical",
|
||||
CvssScore = 9.8m
|
||||
},
|
||||
new()
|
||||
{
|
||||
CveId = "CVE-2024-002",
|
||||
ComponentPurl = "pkg:npm/axios@0.21.0",
|
||||
Severity = "high",
|
||||
CvssScore = 7.5m
|
||||
},
|
||||
new()
|
||||
{
|
||||
CveId = "CVE-2024-003",
|
||||
ComponentPurl = "pkg:npm/moment@2.29.0",
|
||||
Severity = "low",
|
||||
CvssScore = 3.0m
|
||||
}
|
||||
};
|
||||
|
||||
// First CVE has attestation
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync("CVE-2024-001", It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateAttestation("CVE-2024-001", "fixed", 0.95m));
|
||||
|
||||
// Second CVE has no attestation
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync("CVE-2024-002", It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
// Third CVE doesn't need one (low severity)
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync("CVE-2024-003", It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateApprovedGoldenSet());
|
||||
|
||||
var parameters = new FixChainGateParameters
|
||||
{
|
||||
Severities = ["critical", "high"],
|
||||
MinConfidence = 0.90m,
|
||||
RequireApprovedGoldenSet = true
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = await batchService.EvaluateBatchAsync(contexts, parameters);
|
||||
|
||||
// Assert
|
||||
result.Results.Should().HaveCount(3);
|
||||
result.AllPassed.Should().BeFalse(); // CVE-2024-002 should block
|
||||
|
||||
result.Results["CVE-2024-001"].Passed.Should().BeTrue();
|
||||
result.Results["CVE-2024-002"].Passed.Should().BeFalse();
|
||||
result.Results["CVE-2024-003"].Passed.Should().BeTrue(); // Low severity exempt
|
||||
|
||||
result.BlockingResults.Should().HaveCount(1);
|
||||
result.AggregatedRecommendations.Should().NotBeEmpty();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GateAdapter_IntegratesWithPolicyGateRegistry()
|
||||
{
|
||||
// Arrange
|
||||
var registry = new PolicyGateRegistry(_serviceProvider);
|
||||
registry.RegisterFixChainGate();
|
||||
|
||||
// Setup attestation for the CVE
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateAttestation("CVE-2024-TEST", "fixed", 0.95m));
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateApprovedGoldenSet());
|
||||
|
||||
var mergeResult = new MergeResult
|
||||
{
|
||||
Status = VexStatus.Affected,
|
||||
Confidence = 0.9,
|
||||
HasConflicts = false,
|
||||
AllClaims = ImmutableArray<ScoredClaim>.Empty,
|
||||
WinningClaim = new ScoredClaim
|
||||
{
|
||||
SourceId = "test",
|
||||
Status = VexStatus.Affected,
|
||||
OriginalScore = 0.9,
|
||||
AdjustedScore = 0.9,
|
||||
ScopeSpecificity = 1,
|
||||
Accepted = true,
|
||||
Reason = "Test claim"
|
||||
},
|
||||
Conflicts = ImmutableArray<ConflictRecord>.Empty
|
||||
};
|
||||
|
||||
var context = new PolicyGateContext
|
||||
{
|
||||
CveId = "CVE-2024-TEST",
|
||||
SubjectKey = "pkg:npm/test@1.0.0",
|
||||
Severity = "critical",
|
||||
Environment = "production"
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = await registry.EvaluateAsync(mergeResult, context);
|
||||
|
||||
// Assert
|
||||
result.Results.Should().HaveCount(1);
|
||||
result.Results[0].GateName.Should().Be(nameof(FixChainGateAdapter));
|
||||
result.Results[0].Passed.Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Notifier_SendsNotificationsOnBlock()
|
||||
{
|
||||
// Arrange
|
||||
var channelMock = new Mock<INotificationChannel>();
|
||||
var notifier = new FixChainGateNotifier(
|
||||
NullLogger<FixChainGateNotifier>.Instance,
|
||||
[channelMock.Object]);
|
||||
|
||||
var notification = new GateBlockedNotification
|
||||
{
|
||||
CveId = "CVE-2024-12345",
|
||||
Component = "pkg:npm/lodash@4.17.21",
|
||||
Severity = "critical",
|
||||
Reason = "No FixChain attestation found",
|
||||
Outcome = FixChainGateOutcome.AttestationRequired,
|
||||
Recommendations = ["Create golden set"],
|
||||
CliCommands = ["stella scanner golden init --cve CVE-2024-12345"],
|
||||
PolicyName = "release-gates",
|
||||
BlockedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
|
||||
// Act
|
||||
await notifier.NotifyGateBlockedAsync(notification);
|
||||
|
||||
// Assert
|
||||
channelMock.Verify(
|
||||
x => x.SendAsync(
|
||||
"fixchain_gate_blocked",
|
||||
It.IsAny<NotificationMessage>(),
|
||||
NotificationSeverity.Error,
|
||||
It.IsAny<CancellationToken>()),
|
||||
Times.Once);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task ServiceRegistration_ResolvesAllServices()
|
||||
{
|
||||
// Assert all services are resolvable
|
||||
var predicate = _serviceProvider.GetService<IFixChainGatePredicate>();
|
||||
predicate.Should().NotBeNull();
|
||||
|
||||
var batchService = _serviceProvider.GetService<IFixChainGateBatchService>();
|
||||
batchService.Should().NotBeNull();
|
||||
|
||||
var adapter = _serviceProvider.GetService<FixChainGateAdapter>();
|
||||
adapter.Should().NotBeNull();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GracePeriod_AllowsRecentCVEs()
|
||||
{
|
||||
// Arrange
|
||||
var predicate = _serviceProvider.GetRequiredService<IFixChainGatePredicate>();
|
||||
|
||||
var context = new FixChainContext
|
||||
{
|
||||
CveId = "CVE-2024-NEW",
|
||||
ComponentPurl = "pkg:npm/new-package@1.0.0",
|
||||
Severity = "critical",
|
||||
CvssScore = 9.8m,
|
||||
CvePublishedAt = DateTimeOffset.UtcNow.AddDays(-3) // 3 days ago
|
||||
};
|
||||
|
||||
var parameters = new FixChainGateParameters
|
||||
{
|
||||
Severities = ["critical"],
|
||||
GracePeriodDays = 7 // 7 day grace period
|
||||
};
|
||||
|
||||
// Act
|
||||
var result = await predicate.EvaluateAsync(context, parameters);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.GracePeriod);
|
||||
}
|
||||
|
||||
#region Helpers
|
||||
|
||||
private static FixChainAttestationData CreateAttestation(
|
||||
string cveId,
|
||||
string status,
|
||||
decimal confidence)
|
||||
{
|
||||
return new FixChainAttestationData
|
||||
{
|
||||
ContentDigest = $"sha256:{cveId}",
|
||||
CveId = cveId,
|
||||
ComponentPurl = "pkg:npm/test@1.0.0",
|
||||
BinarySha256 = new string('a', 64),
|
||||
Verdict = new FixChainVerdictData
|
||||
{
|
||||
Status = status,
|
||||
Confidence = confidence,
|
||||
Rationale = ["Test rationale"]
|
||||
},
|
||||
GoldenSetId = $"gs-{cveId}",
|
||||
VerifiedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
}
|
||||
|
||||
private static StoredGoldenSet CreateApprovedGoldenSet()
|
||||
{
|
||||
return new StoredGoldenSet
|
||||
{
|
||||
Definition = new GoldenSetDefinition
|
||||
{
|
||||
Id = "gs-test",
|
||||
Component = "test",
|
||||
Targets = [],
|
||||
Metadata = new GoldenSetMetadata
|
||||
{
|
||||
AuthorId = "test-author",
|
||||
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
|
||||
SourceRef = "https://example.com",
|
||||
ReviewedBy = "reviewer"
|
||||
}
|
||||
},
|
||||
Status = GoldenSetStatus.Approved,
|
||||
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
|
||||
UpdatedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
}
|
||||
|
||||
#endregion
|
||||
}
|
||||
@@ -19,6 +19,7 @@
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Policy/StellaOps.Policy.csproj" />
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Policy.Determinization/StellaOps.Policy.Determinization.csproj" />
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Policy.Exceptions/StellaOps.Policy.Exceptions.csproj" />
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Policy.Predicates/StellaOps.Policy.Predicates.csproj" />
|
||||
<ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
|
||||
<ProjectReference Include="../../../__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj" />
|
||||
<ProjectReference Include="../../../__Libraries/StellaOps.Facet/StellaOps.Facet.csproj" />
|
||||
|
||||
@@ -0,0 +1,500 @@
|
||||
// Licensed under AGPL-3.0-or-later. Copyright (C) 2026 StellaOps Contributors.
|
||||
// Sprint: SPRINT_20260110_012_008_POLICY
|
||||
// Task: FCG-008 - Unit Tests
|
||||
|
||||
using System.Collections.Immutable;
|
||||
using FluentAssertions;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Moq;
|
||||
using StellaOps.BinaryIndex.GoldenSet;
|
||||
using StellaOps.Policy.Predicates.FixChain;
|
||||
using StellaOps.RiskEngine.Core.Providers.FixChain;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Policy.Tests.Unit.Predicates;
|
||||
|
||||
[Trait("Category", "Unit")]
|
||||
public sealed class FixChainGatePredicateTests
|
||||
{
|
||||
private readonly Mock<IFixChainAttestationClient> _attestationClientMock;
|
||||
private readonly Mock<IGoldenSetStore> _goldenSetStoreMock;
|
||||
private readonly FakeTimeProvider _timeProvider;
|
||||
private readonly FixChainGatePredicate _predicate;
|
||||
private readonly FixChainGateParameters _defaultParams;
|
||||
|
||||
public FixChainGatePredicateTests()
|
||||
{
|
||||
_attestationClientMock = new Mock<IFixChainAttestationClient>();
|
||||
_goldenSetStoreMock = new Mock<IGoldenSetStore>();
|
||||
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 15, 12, 0, 0, TimeSpan.Zero));
|
||||
|
||||
var options = new OptionsMonitor<FixChainGateOptions>(new FixChainGateOptions { Enabled = true });
|
||||
|
||||
_predicate = new FixChainGatePredicate(
|
||||
_attestationClientMock.Object,
|
||||
_goldenSetStoreMock.Object,
|
||||
options,
|
||||
NullLogger<FixChainGatePredicate>.Instance,
|
||||
_timeProvider);
|
||||
|
||||
_defaultParams = new FixChainGateParameters
|
||||
{
|
||||
Severities = ["critical", "high"],
|
||||
MinConfidence = 0.85m,
|
||||
AllowInconclusive = false,
|
||||
GracePeriodDays = 7,
|
||||
RequireApprovedGoldenSet = true
|
||||
};
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_SeverityExempt_Passes()
|
||||
{
|
||||
// Arrange - Low severity when gate only requires critical/high
|
||||
var context = CreateContext(severity: "low");
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.SeverityExempt);
|
||||
result.Reason.Should().Contain("does not require fix verification");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_MediumSeverityExempt_Passes()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "medium");
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.SeverityExempt);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_GracePeriod_Passes()
|
||||
{
|
||||
// Arrange - CVE published 3 days ago, grace period is 7 days
|
||||
var context = CreateContext(
|
||||
severity: "critical",
|
||||
cvePublishedAt: _timeProvider.GetUtcNow().AddDays(-3));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.GracePeriod);
|
||||
result.Recommendations.Should().NotBeEmpty();
|
||||
result.CliCommands.Should().NotBeEmpty();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_GracePeriodExpired_RequiresAttestation()
|
||||
{
|
||||
// Arrange - CVE published 10 days ago, grace period is 7 days
|
||||
var context = CreateContext(
|
||||
severity: "critical",
|
||||
cvePublishedAt: _timeProvider.GetUtcNow().AddDays(-10));
|
||||
|
||||
// No attestation
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.AttestationRequired);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_NoAttestation_Blocks()
|
||||
{
|
||||
// Arrange - Critical CVE without attestation (no grace period)
|
||||
var context = CreateContext(severity: "critical");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.AttestationRequired);
|
||||
result.Reason.Should().Contain("No FixChain attestation found");
|
||||
result.Recommendations.Should().Contain(r => r.Contains("Create golden set"));
|
||||
result.CliCommands.Should().NotBeEmpty();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_FixedHighConfidence_Passes()
|
||||
{
|
||||
// Arrange - Fixed verdict with 97% confidence
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("fixed", 0.97m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.FixVerified);
|
||||
result.Attestation.Should().NotBeNull();
|
||||
result.Attestation!.Confidence.Should().Be(0.97m);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_FixedLowConfidence_Blocks()
|
||||
{
|
||||
// Arrange - Fixed verdict with 70% confidence when 85% required
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("fixed", 0.70m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.InsufficientConfidence);
|
||||
result.Reason.Should().Contain("70%").And.Contain("85%");
|
||||
result.Recommendations.Should().Contain(r => r.Contains("completeness"));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_InconclusiveAllowed_Passes()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("inconclusive", 0.50m, "gs-test");
|
||||
var paramsAllowInconclusive = _defaultParams with { AllowInconclusive = true };
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, paramsAllowInconclusive);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Reason.Should().Contain("allowed by policy");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_InconclusiveNotAllowed_Blocks()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("inconclusive", 0.50m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.InconclusiveNotAllowed);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_StillVulnerable_Blocks()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("still_vulnerable", 0.95m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.StillVulnerable);
|
||||
result.Reason.Should().Contain("still present");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_GoldenSetNotApproved_Blocks()
|
||||
{
|
||||
// Arrange - Draft golden set when approval required
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("fixed", 0.95m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Draft));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.GoldenSetNotApproved);
|
||||
result.Reason.Should().Contain("not been reviewed");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_GoldenSetApprovalNotRequired_SkipsCheck()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "critical");
|
||||
var attestation = CreateAttestation("fixed", 0.95m, "gs-test");
|
||||
var paramsNoApproval = _defaultParams with { RequireApprovedGoldenSet = false };
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
// No golden set lookup should happen
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync(It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((StoredGoldenSet?)null);
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, paramsNoApproval);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.FixVerified);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_PartialFix_UsesInconclusivePolicy()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "high");
|
||||
var attestation = CreateAttestation("partial", 0.75m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act - AllowInconclusive = false by default
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.PartialFix);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_HighSeverity_RequiresVerification()
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: "high");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.AttestationRequired);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("CRITICAL")]
|
||||
[InlineData("Critical")]
|
||||
[InlineData("critical")]
|
||||
public async Task Evaluate_SeverityCaseInsensitive_Works(string severity)
|
||||
{
|
||||
// Arrange
|
||||
var context = CreateContext(severity: severity);
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync((FixChainAttestationData?)null);
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeFalse();
|
||||
result.Outcome.Should().Be(FixChainGateOutcome.AttestationRequired);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Evaluate_MetadataPopulated_OnVerifiedFix()
|
||||
{
|
||||
// Arrange
|
||||
var metadata = new Dictionary<string, string>();
|
||||
var context = CreateContext(severity: "critical") with { Metadata = metadata };
|
||||
var attestation = CreateAttestation("fixed", 0.95m, "gs-test");
|
||||
|
||||
_attestationClientMock
|
||||
.Setup(x => x.GetFixChainAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(attestation);
|
||||
|
||||
_goldenSetStoreMock
|
||||
.Setup(x => x.GetAsync("gs-test", It.IsAny<CancellationToken>()))
|
||||
.ReturnsAsync(CreateStoredGoldenSet(GoldenSetStatus.Approved));
|
||||
|
||||
// Act
|
||||
var result = await _predicate.EvaluateAsync(context, _defaultParams);
|
||||
|
||||
// Assert
|
||||
result.Passed.Should().BeTrue();
|
||||
metadata.Should().ContainKey("fixchain_digest");
|
||||
metadata.Should().ContainKey("fixchain_confidence");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task PredicateId_ReturnsCorrectValue()
|
||||
{
|
||||
_predicate.PredicateId.Should().Be("fixChainRequired");
|
||||
}
|
||||
|
||||
#region Helpers
|
||||
|
||||
private static FixChainGateContext CreateContext(
|
||||
string severity = "critical",
|
||||
string cveId = "CVE-2024-12345",
|
||||
string componentPurl = "pkg:npm/lodash@4.17.21",
|
||||
DateTimeOffset? cvePublishedAt = null)
|
||||
{
|
||||
return new FixChainGateContext
|
||||
{
|
||||
CveId = cveId,
|
||||
ComponentPurl = componentPurl,
|
||||
Severity = severity,
|
||||
CvssScore = 8.5m,
|
||||
BinarySha256 = new string('a', 64),
|
||||
CvePublishedAt = cvePublishedAt
|
||||
};
|
||||
}
|
||||
|
||||
private static FixChainAttestationData CreateAttestation(
|
||||
string status,
|
||||
decimal confidence,
|
||||
string? goldenSetId = null)
|
||||
{
|
||||
return new FixChainAttestationData
|
||||
{
|
||||
ContentDigest = "sha256:abc123",
|
||||
CveId = "CVE-2024-12345",
|
||||
ComponentPurl = "pkg:npm/lodash@4.17.21",
|
||||
BinarySha256 = new string('a', 64),
|
||||
Verdict = new FixChainVerdictData
|
||||
{
|
||||
Status = status,
|
||||
Confidence = confidence,
|
||||
Rationale = ["Test rationale"]
|
||||
},
|
||||
GoldenSetId = goldenSetId,
|
||||
VerifiedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
}
|
||||
|
||||
private static StoredGoldenSet CreateStoredGoldenSet(GoldenSetStatus status)
|
||||
{
|
||||
return new StoredGoldenSet
|
||||
{
|
||||
Definition = new GoldenSetDefinition
|
||||
{
|
||||
Id = "CVE-2024-12345",
|
||||
Component = "lodash",
|
||||
Targets = [],
|
||||
Metadata = new GoldenSetMetadata
|
||||
{
|
||||
AuthorId = "test-author",
|
||||
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
|
||||
SourceRef = "https://example.com/advisory",
|
||||
ReviewedBy = status == GoldenSetStatus.Approved ? "reviewer" : null
|
||||
}
|
||||
},
|
||||
Status = status,
|
||||
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
|
||||
UpdatedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
}
|
||||
|
||||
#endregion
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Fake TimeProvider for testing.
|
||||
/// </summary>
|
||||
internal sealed class FakeTimeProvider : TimeProvider
|
||||
{
|
||||
private DateTimeOffset _now;
|
||||
|
||||
public FakeTimeProvider(DateTimeOffset now)
|
||||
{
|
||||
_now = now;
|
||||
}
|
||||
|
||||
public override DateTimeOffset GetUtcNow() => _now;
|
||||
|
||||
public void Advance(TimeSpan duration) => _now = _now.Add(duration);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Simple options monitor for testing.
|
||||
/// </summary>
|
||||
internal sealed class OptionsMonitor<T> : IOptionsMonitor<T>
|
||||
where T : class
|
||||
{
|
||||
public OptionsMonitor(T value) => CurrentValue = value;
|
||||
|
||||
public T CurrentValue { get; }
|
||||
|
||||
public T Get(string? name) => CurrentValue;
|
||||
|
||||
public IDisposable? OnChange(Action<T, string?> listener) => null;
|
||||
}
|
||||
Reference in New Issue
Block a user