old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathWitnessBuilderTests.cs
@@ -542,5 +542,200 @@ public class PathWitnessBuilderTests
        Assert.Null(w.Path[1].File);
    }

+    /// <summary>
+    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005)
+    /// Verify witness outputs include node hashes and path hash.
+    /// </summary>
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task BuildAsync_IncludesNodeHashesAndPathHash()
+    {
+        // Arrange
+        var graph = CreateSimpleGraph();
+        var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider);
+
+        var request = new PathWitnessRequest
+        {
+            SbomDigest = "sha256:abc123",
+            ComponentPurl = "pkg:nuget/Newtonsoft.Json@12.0.3",
+            VulnId = "CVE-2024-12345",
+            VulnSource = "NVD",
+            AffectedRange = "<=12.0.3",
+            EntrypointSymbolId = "sym:entry1",
+            EntrypointKind = "http",
+            EntrypointName = "GET /api/test",
+            SinkSymbolId = "sym:sink1",
+            SinkType = "deserialization",
+            CallGraph = graph,
+            CallgraphDigest = "blake3:abc123"
+        };
+
+        // Act
+        var result = await builder.BuildAsync(request, TestCancellationToken);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.NotNull(result.NodeHashes);
+        Assert.NotEmpty(result.NodeHashes);
+        Assert.All(result.NodeHashes, h => Assert.StartsWith("sha256:", h));
+        Assert.NotNull(result.PathHash);
+        Assert.StartsWith("path:sha256:", result.PathHash);
+    }
+
+    /// <summary>
+    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005)
+    /// Verify witness outputs include evidence URIs.
+    /// </summary>
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task BuildAsync_IncludesEvidenceUris()
+    {
+        // Arrange
+        var graph = CreateSimpleGraph();
+        var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider);
+
+        var request = new PathWitnessRequest
+        {
+            SbomDigest = "sha256:sbom123",
+            ComponentPurl = "pkg:nuget/Test@1.0.0",
+            VulnId = "CVE-2024-12345",
+            VulnSource = "NVD",
+            AffectedRange = "<=1.0.0",
+            EntrypointSymbolId = "sym:entry1",
+            EntrypointKind = "http",
+            EntrypointName = "GET /api/test",
+            SinkSymbolId = "sym:sink1",
+            SinkType = "deserialization",
+            CallGraph = graph,
+            CallgraphDigest = "blake3:graph456",
+            SurfaceDigest = "sha256:surface789",
+            BuildId = "build-001"
+        };
+
+        // Act
+        var result = await builder.BuildAsync(request, TestCancellationToken);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.NotNull(result.EvidenceUris);
+        Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:callgraph:"));
+        Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:sbom:"));
+        Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:surface:"));
+        Assert.Contains(result.EvidenceUris, u => u.StartsWith("evidence:build:"));
+    }
+
+    /// <summary>
+    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005)
+    /// Verify witness uses canonical predicate type.
+    /// </summary>
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task BuildAsync_UsesCanonicalPredicateType()
+    {
+        // Arrange
+        var graph = CreateSimpleGraph();
+        var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider);
+
+        var request = new PathWitnessRequest
+        {
+            SbomDigest = "sha256:abc123",
+            ComponentPurl = "pkg:nuget/Test@1.0.0",
+            VulnId = "CVE-2024-12345",
+            VulnSource = "NVD",
+            AffectedRange = "<=1.0.0",
+            EntrypointSymbolId = "sym:entry1",
+            EntrypointKind = "http",
+            EntrypointName = "GET /api/test",
+            SinkSymbolId = "sym:sink1",
+            SinkType = "deserialization",
+            CallGraph = graph,
+            CallgraphDigest = "blake3:graph456"
+        };
+
+        // Act
+        var result = await builder.BuildAsync(request, TestCancellationToken);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.Equal(WitnessPredicateTypes.PathWitnessCanonical, result.PredicateType);
+    }
+
+    /// <summary>
+    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005)
+    /// Verify DSSE payload determinism - same inputs produce same hashes.
+    /// </summary>
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task BuildAsync_ProducesDeterministicPathHash()
+    {
+        // Arrange
+        var graph = CreateSimpleGraph();
+        var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider);
+
+        var request = new PathWitnessRequest
+        {
+            SbomDigest = "sha256:abc123",
+            ComponentPurl = "pkg:nuget/Test@1.0.0",
+            VulnId = "CVE-2024-12345",
+            VulnSource = "NVD",
+            AffectedRange = "<=1.0.0",
+            EntrypointSymbolId = "sym:entry1",
+            EntrypointKind = "http",
+            EntrypointName = "GET /api/test",
+            SinkSymbolId = "sym:sink1",
+            SinkType = "deserialization",
+            CallGraph = graph,
+            CallgraphDigest = "blake3:graph456"
+        };
+
+        // Act
+        var result1 = await builder.BuildAsync(request, TestCancellationToken);
+        var result2 = await builder.BuildAsync(request, TestCancellationToken);
+
+        // Assert - same inputs should produce identical hashes
+        Assert.NotNull(result1);
+        Assert.NotNull(result2);
+        Assert.Equal(result1.PathHash, result2.PathHash);
+        Assert.Equal(result1.NodeHashes, result2.NodeHashes);
+    }
+
+    /// <summary>
+    /// Sprint: SPRINT_20260112_004_SCANNER_path_witness_nodehash (PW-SCN-005)
+    /// Verify node hashes are deterministically sorted.
+    /// </summary>
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task BuildAsync_NodeHashesAreSorted()
+    {
+        // Arrange
+        var graph = CreateSimpleGraph();
+        var builder = new PathWitnessBuilder(_cryptoHash, _timeProvider);
+
+        var request = new PathWitnessRequest
+        {
+            SbomDigest = "sha256:abc123",
+            ComponentPurl = "pkg:nuget/Test@1.0.0",
+            VulnId = "CVE-2024-12345",
+            VulnSource = "NVD",
+            AffectedRange = "<=1.0.0",
+            EntrypointSymbolId = "sym:entry1",
+            EntrypointKind = "http",
+            EntrypointName = "GET /api/test",
+            SinkSymbolId = "sym:sink1",
+            SinkType = "deserialization",
+            CallGraph = graph,
+            CallgraphDigest = "blake3:graph456"
+        };
+
+        // Act
+        var result = await builder.BuildAsync(request, TestCancellationToken);
+
+        // Assert - node hashes should be in sorted order
+        Assert.NotNull(result);
+        Assert.NotNull(result.NodeHashes);
+        var sorted = result.NodeHashes.OrderBy(h => h, StringComparer.Ordinal).ToList();
+        Assert.Equal(sorted, result.NodeHashes);
+    }
+
    #endregion
 }