stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

Browse Source
This commit is contained in:
master
2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
Download Patch File Download Diff File Expand all files Collapse all files

234
src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceBundleExporterBinaryDiffTests.cs Normal file
View File

@@ -0,0 +1,234 @@
// <copyright file="EvidenceBundleExporterBinaryDiffTests.cs" company="StellaOps">
// SPDX-License-Identifier: AGPL-3.0-or-later
// Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-004)
// </copyright>
using System.IO.Compression;
using System.Text.Json;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Scanner.WebService.Contracts;
using StellaOps.Scanner.WebService.Services;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Scanner.WebService.Tests;
/// <summary>
/// Tests for binary diff evidence export in EvidenceBundleExporter.
/// Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-004)
/// </summary>
[Trait("Category", TestCategories.Unit)]
public sealed class EvidenceBundleExporterBinaryDiffTests
{
private static readonly DateTimeOffset FixedTime = new(2026, 1, 15, 10, 30, 0, TimeSpan.Zero);
private readonly EvidenceBundleExporter _exporter;
public EvidenceBundleExporterBinaryDiffTests()
{
var timeProvider = new FakeTimeProvider(FixedTime);
_exporter = new EvidenceBundleExporter(timeProvider);
}
[Fact]
public async Task ExportAsync_WithBinaryDiff_IncludesBinaryDiffJson()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiff();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert
using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read);
var binaryDiffEntry = archive.Entries.FirstOrDefault(e => e.Name == "binary-diff.json");
Assert.NotNull(binaryDiffEntry);
using var reader = new StreamReader(binaryDiffEntry.Open());
var content = await reader.ReadToEndAsync();
Assert.Contains("semantic", content.ToLowerInvariant());
}
[Fact]
public async Task ExportAsync_WithBinaryDiffAttestation_IncludesDsseJson()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiffAndAttestation();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert
using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read);
var dsseEntry = archive.Entries.FirstOrDefault(e => e.Name == "binary-diff.dsse.json");
Assert.NotNull(dsseEntry);
using var reader = new StreamReader(dsseEntry.Open());
var content = await reader.ReadToEndAsync();
Assert.Contains("payloadType", content);
Assert.Contains("attestationRef", content);
}
[Fact]
public async Task ExportAsync_WithSemanticDiff_IncludesDeltaProofJson()
{
// Arrange
var evidence = CreateEvidenceWithSemanticDiff();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert
using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read);
var deltaProofEntry = archive.Entries.FirstOrDefault(e => e.Name == "delta-proof.json");
Assert.NotNull(deltaProofEntry);
using var reader = new StreamReader(deltaProofEntry.Open());
var content = await reader.ReadToEndAsync();
Assert.Contains("previousFingerprint", content);
Assert.Contains("currentFingerprint", content);
Assert.Contains("similarityScore", content);
}
[Fact]
public async Task ExportAsync_WithoutBinaryDiff_DoesNotIncludeBinaryDiffFiles()
{
// Arrange
var evidence = CreateMinimalEvidence();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert
using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read);
Assert.DoesNotContain(archive.Entries, e => e.Name == "binary-diff.json");
Assert.DoesNotContain(archive.Entries, e => e.Name == "binary-diff.dsse.json");
Assert.DoesNotContain(archive.Entries, e => e.Name == "delta-proof.json");
}
[Fact]
public async Task ExportAsync_BinaryDiffFilesInManifest()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiffAndAttestation();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert
Assert.NotNull(result.Manifest);
var filePaths = result.Manifest.Files.Select(f => f.Path).ToList();
Assert.Contains("binary-diff.json", filePaths);
Assert.Contains("binary-diff.dsse.json", filePaths);
}
[Fact]
public async Task ExportAsync_BinaryDiffFileHashes_AreDeterministic()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiff();
// Act
var result1 = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
var result2 = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert - Same input should produce same file hashes
var hash1 = result1.Manifest!.Files.First(f => f.Path == "binary-diff.json").Sha256;
var hash2 = result2.Manifest!.Files.First(f => f.Path == "binary-diff.json").Sha256;
Assert.Equal(hash1, hash2);
}
[Fact]
public async Task ExportAsync_BinaryDiffOrdering_IsDeterministic()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiffAndAttestation();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.Zip);
// Assert - Files should appear in consistent order
using var archive = new ZipArchive(result.Stream, ZipArchiveMode.Read);
var fileNames = archive.Entries.Select(e => e.Name).ToList();
// binary-diff.json should appear before binary-diff.dsse.json
var binaryDiffIndex = fileNames.IndexOf("binary-diff.json");
var dsseIndex = fileNames.IndexOf("binary-diff.dsse.json");
Assert.True(binaryDiffIndex < dsseIndex,
"binary-diff.json should appear before binary-diff.dsse.json for deterministic ordering");
}
[Fact]
public async Task ExportAsync_TarGzFormat_IncludesBinaryDiffFiles()
{
// Arrange
var evidence = CreateEvidenceWithBinaryDiff();
// Act
var result = await _exporter.ExportAsync(evidence, EvidenceExportFormat.TarGz);
// Assert
Assert.Equal("application/gzip", result.ContentType);
Assert.EndsWith(".tar.gz", result.FileName);
Assert.NotNull(result.Manifest);
Assert.Contains(result.Manifest.Files, f => f.Path == "binary-diff.json");
}
private static UnifiedEvidenceResponseDto CreateMinimalEvidence()
{
return new UnifiedEvidenceResponseDto
{
FindingId = "finding-001",
CveId = "CVE-2026-1234",
ComponentPurl = "pkg:npm/lodash@4.17.21",
CacheKey = "cache-key-001",
Manifests = new ManifestsDto
{
ArtifactDigest = "sha256:abc123",
ManifestHash = "sha256:manifest",
FeedSnapshotHash = "sha256:feed",
PolicyHash = "sha256:policy"
}
};
}
private static UnifiedEvidenceResponseDto CreateEvidenceWithBinaryDiff()
{
var evidence = CreateMinimalEvidence();
evidence.BinaryDiff = new BinaryDiffEvidenceDto
{
Status = "available",
DiffType = "semantic",
PreviousBinaryDigest = "sha256:old123",
CurrentBinaryDigest = "sha256:new456",
SimilarityScore = 0.95,
FunctionChangeCount = 3,
SecurityChangeCount = 1
};
return evidence;
}
private static UnifiedEvidenceResponseDto CreateEvidenceWithBinaryDiffAndAttestation()
{
var evidence = CreateEvidenceWithBinaryDiff();
evidence.BinaryDiff!.AttestationRef = new AttestationRefDto
{
Id = "attest-12345",
RekorLogIndex = 123456789,
BundleDigest = "sha256:bundle123"
};
return evidence;
}
private static UnifiedEvidenceResponseDto CreateEvidenceWithSemanticDiff()
{
var evidence = CreateEvidenceWithBinaryDiff();
evidence.BinaryDiff!.SemanticDiff = new BinarySemanticDiffDto
{
PreviousFingerprint = "fp:abc123",
CurrentFingerprint = "fp:def456",
SimilarityScore = 0.92,
SemanticChanges = new List<string> { "control_flow_modified", "data_flow_changed" }
};
return evidence;
}
}

274
src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs Normal file
View File

@@ -0,0 +1,274 @@
// -----------------------------------------------------------------------------
// PrAnnotationServiceTests.cs
// Sprint: SPRINT_20260112_007_SCANNER_pr_mr_annotations (SCANNER-PR-004)
// Description: Tests for PR annotation service with ASCII-only output and evidence anchors.
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Time.Testing;
using StellaOps.Scanner.Reachability;
using StellaOps.Scanner.WebService.Services;
namespace StellaOps.Scanner.WebService.Tests;
public sealed class PrAnnotationServiceTests
{
private readonly FakeTimeProvider _timeProvider;
private readonly PrAnnotationService _service;
public PrAnnotationServiceTests()
{
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 15, 10, 0, 0, TimeSpan.Zero));
_service = new PrAnnotationService(
new FakeReachabilityQueryService(),
_timeProvider);
}
[Fact]
public void FormatAsComment_NoFlips_ReturnsAsciiOnlyOutput()
{
// Arrange
var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: []);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.DoesNotContain("\u2705", comment); // No checkmark emoji
Assert.DoesNotContain("\u26d4", comment); // No stop sign emoji
Assert.DoesNotContain("\u26a0", comment); // No warning sign emoji
Assert.DoesNotContain("\u2192", comment); // No arrow
Assert.Contains("[OK]", comment);
Assert.Contains("NO CHANGE", comment);
}
[Fact]
public void FormatAsComment_WithNewRisks_ReturnsBlockingStatus()
{
// Arrange
var flips = new List<StateFlip>
{
new StateFlip
{
FlipType = StateFlipType.BecameReachable,
CveId = "CVE-2026-0001",
Purl = "pkg:npm/lodash@4.17.21",
NewTier = "confirmed",
WitnessId = "witness-123"
}
};
var summary = CreateSummary(newRiskCount: 1, mitigatedCount: 0, flips: flips, shouldBlock: true);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("[BLOCKING]", comment);
Assert.Contains("[+] Became Reachable", comment);
Assert.DoesNotContain("\ud83d\udd34", comment); // No red circle emoji
}
[Fact]
public void FormatAsComment_WithMitigatedRisks_ReturnsImprovedStatus()
{
// Arrange
var flips = new List<StateFlip>
{
new StateFlip
{
FlipType = StateFlipType.BecameUnreachable,
CveId = "CVE-2026-0002",
Purl = "pkg:npm/express@4.18.0",
PreviousTier = "likely",
NewTier = "unreachable"
}
};
var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 1, flips: flips);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("[OK]", comment);
Assert.Contains("IMPROVED", comment);
Assert.Contains("[-] Became Unreachable", comment);
Assert.DoesNotContain("\ud83d\udfe2", comment); // No green circle emoji
}
[Fact]
public void FormatAsComment_WithEvidenceAnchors_IncludesEvidenceSection()
{
// Arrange
var summary = CreateSummary(
newRiskCount: 0,
mitigatedCount: 0,
flips: [],
attestationDigest: "sha256:abc123def456",
policyVerdict: "PASS",
policyReasonCode: "NO_BLOCKERS",
verifyCommand: "stella scan verify --digest sha256:abc123def456");
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("### Evidence", comment);
Assert.Contains("sha256:abc123def456", comment);
Assert.Contains("PASS", comment);
Assert.Contains("NO_BLOCKERS", comment);
Assert.Contains("stella scan verify", comment);
}
[Fact]
public void FormatAsComment_DeterministicOrdering_SortsByFlipTypeThenCveId()
{
// Arrange
var flips = new List<StateFlip>
{
new StateFlip { FlipType = StateFlipType.BecameUnreachable, CveId = "CVE-2026-0001", Purl = "pkg:a", NewTier = "unreachable" },
new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0003", Purl = "pkg:b", NewTier = "confirmed" },
new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0002", Purl = "pkg:c", NewTier = "likely" },
};
var summary = CreateSummary(newRiskCount: 2, mitigatedCount: 1, flips: flips);
// Act
var comment = _service.FormatAsComment(summary);
// Assert - BecameReachable should come first, then sorted by CVE ID
var cve0002Pos = comment.IndexOf("CVE-2026-0002");
var cve0003Pos = comment.IndexOf("CVE-2026-0003");
var cve0001Pos = comment.IndexOf("CVE-2026-0001");
// BecameReachable CVEs first (0002, 0003), then BecameUnreachable (0001)
Assert.True(cve0002Pos < cve0001Pos, "CVE-2026-0002 (reachable) should appear before CVE-2026-0001 (unreachable)");
Assert.True(cve0003Pos < cve0001Pos, "CVE-2026-0003 (reachable) should appear before CVE-2026-0001 (unreachable)");
// Within reachable, sorted by CVE ID
Assert.True(cve0002Pos < cve0003Pos, "CVE-2026-0002 should appear before CVE-2026-0003 (alphabetical)");
}
[Fact]
public void FormatAsComment_TierChanges_UsesAsciiIndicators()
{
// Arrange
var flips = new List<StateFlip>
{
new StateFlip { FlipType = StateFlipType.TierIncreased, CveId = "CVE-2026-0001", Purl = "pkg:a", PreviousTier = "present", NewTier = "likely" },
new StateFlip { FlipType = StateFlipType.TierDecreased, CveId = "CVE-2026-0002", Purl = "pkg:b", PreviousTier = "likely", NewTier = "present" },
};
var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: flips);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("[^] Tier Increased", comment);
Assert.Contains("[v] Tier Decreased", comment);
Assert.DoesNotContain("\u2191", comment); // No up arrow
Assert.DoesNotContain("\u2193", comment); // No down arrow
}
[Fact]
public void FormatAsComment_LimitedTo20Flips_ShowsMoreIndicator()
{
// Arrange
var flips = Enumerable.Range(1, 25)
.Select(i => new StateFlip
{
FlipType = StateFlipType.BecameReachable,
CveId = $"CVE-2026-{i:D4}",
Purl = $"pkg:test/package-{i}",
NewTier = "likely"
})
.ToList();
var summary = CreateSummary(newRiskCount: 25, mitigatedCount: 0, flips: flips);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("... and 5 more flips", comment);
}
[Fact]
public void FormatAsComment_TimestampIsIso8601()
{
// Arrange
var summary = CreateSummary(newRiskCount: 0, mitigatedCount: 0, flips: []);
// Act
var comment = _service.FormatAsComment(summary);
// Assert
Assert.Contains("2026-01-15T10:00:00", comment);
}
[Fact]
public void FormatAsComment_NoNonAsciiCharacters()
{
// Arrange
var flips = new List<StateFlip>
{
new StateFlip { FlipType = StateFlipType.BecameReachable, CveId = "CVE-2026-0001", Purl = "pkg:test", NewTier = "confirmed" },
new StateFlip { FlipType = StateFlipType.BecameUnreachable, CveId = "CVE-2026-0002", Purl = "pkg:test2", NewTier = "unreachable" },
new StateFlip { FlipType = StateFlipType.TierIncreased, CveId = "CVE-2026-0003", Purl = "pkg:test3", NewTier = "likely" },
new StateFlip { FlipType = StateFlipType.TierDecreased, CveId = "CVE-2026-0004", Purl = "pkg:test4", NewTier = "present" },
};
var summary = CreateSummary(
newRiskCount: 1,
mitigatedCount: 1,
flips: flips,
shouldBlock: true,
attestationDigest: "sha256:test",
policyVerdict: "FAIL");
// Act
var comment = _service.FormatAsComment(summary);
// Assert - Check all characters are ASCII (0-127)
foreach (var ch in comment)
{
Assert.True(ch <= 127, $"Non-ASCII character found: U+{(int)ch:X4} '{ch}'");
}
}
private static StateFlipSummary CreateSummary(
int newRiskCount,
int mitigatedCount,
IReadOnlyList<StateFlip> flips,
bool shouldBlock = false,
string? attestationDigest = null,
string? policyVerdict = null,
string? policyReasonCode = null,
string? verifyCommand = null)
{
return new StateFlipSummary
{
BaseScanId = "base-scan-123",
HeadScanId = "head-scan-456",
HasFlips = flips.Count > 0,
NewRiskCount = newRiskCount,
MitigatedCount = mitigatedCount,
NetChange = newRiskCount - mitigatedCount,
ShouldBlockPr = shouldBlock,
Summary = $"Test summary: {newRiskCount} new, {mitigatedCount} mitigated",
Flips = flips,
AttestationDigest = attestationDigest,
PolicyVerdict = policyVerdict,
PolicyReasonCode = policyReasonCode,
VerifyCommand = verifyCommand
};
}
/// <summary>
/// Fake reachability query service for testing.
/// </summary>
private sealed class FakeReachabilityQueryService : IReachabilityQueryService
{
public Task<IReadOnlyDictionary<string, ReachabilityState>> GetReachabilityStatesAsync(
string graphId,
CancellationToken cancellationToken = default)
{
return Task.FromResult<IReadOnlyDictionary<string, ReachabilityState>>(
new Dictionary<string, ReachabilityState>());
}
}
}