Add unit tests for PhpFrameworkSurface and PhpPharScanner

- Implement comprehensive tests for PhpFrameworkSurface, covering scenarios such as empty surfaces, presence of routes, controllers, middlewares, CLI commands, cron jobs, and event listeners. - Validate metadata creation for route counts, HTTP methods, protected and public routes, and route patterns. - Introduce tests for PhpPharScanner, including handling of non-existent files, null or empty paths, invalid PHAR files, and minimal PHAR structures. - Ensure correct computation of SHA256 for valid PHAR files and validate the properties of PhpPharArchive, PhpPharEntry, and PhpPharScanResult.
2025-12-07 13:44:13 +02:00
parent af30fc322f
commit 965cbf9574
49 changed files with 11935 additions and 152 deletions
--- a/src/Findings/StellaOps.Findings.Ledger/migrations/008_attestation_pointers.sql
+++ b/src/Findings/StellaOps.Findings.Ledger/migrations/008_attestation_pointers.sql
@@ -0,0 +1,100 @@
+-- 008_attestation_pointers.sql
+-- LEDGER-ATTEST-73-001: Persist pointers from findings to verification reports and attestation envelopes
+
+BEGIN;
+
+-- ============================================
+-- 1. Create attestation pointers table
+-- ============================================
+
+CREATE TABLE IF NOT EXISTS ledger_attestation_pointers (
+    tenant_id           text        NOT NULL,
+    pointer_id          uuid        NOT NULL,
+    finding_id          text        NOT NULL,
+    attestation_type    text        NOT NULL,
+    relationship        text        NOT NULL,
+    attestation_ref     jsonb       NOT NULL,
+    verification_result jsonb       NULL,
+    created_at          timestamptz NOT NULL,
+    created_by          text        NOT NULL,
+    metadata            jsonb       NULL,
+    ledger_event_id     uuid        NULL
+);
+
+ALTER TABLE ledger_attestation_pointers
+    ADD CONSTRAINT pk_ledger_attestation_pointers PRIMARY KEY (tenant_id, pointer_id);
+
+-- ============================================
+-- 2. Create indexes for efficient queries
+-- ============================================
+
+-- Index for finding lookups (most common query pattern)
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_finding
+    ON ledger_attestation_pointers (tenant_id, finding_id, created_at DESC);
+
+-- Index for digest-based lookups (idempotency checks)
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_digest
+    ON ledger_attestation_pointers (tenant_id, (attestation_ref->>'digest'));
+
+-- Index for attestation type filtering
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_type
+    ON ledger_attestation_pointers (tenant_id, attestation_type, created_at DESC);
+
+-- Index for verification status filtering (verified/unverified/failed)
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_verified
+    ON ledger_attestation_pointers (tenant_id, ((verification_result->>'verified')::boolean))
+    WHERE verification_result IS NOT NULL;
+
+-- Index for signer identity searches
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_signer
+    ON ledger_attestation_pointers (tenant_id, (attestation_ref->'signer_info'->>'subject'))
+    WHERE attestation_ref->'signer_info' IS NOT NULL;
+
+-- Index for predicate type searches
+CREATE INDEX IF NOT EXISTS ix_ledger_attestation_pointers_predicate
+    ON ledger_attestation_pointers (tenant_id, (attestation_ref->>'predicate_type'))
+    WHERE attestation_ref->>'predicate_type' IS NOT NULL;
+
+-- ============================================
+-- 3. Enable Row-Level Security
+-- ============================================
+
+ALTER TABLE ledger_attestation_pointers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE ledger_attestation_pointers FORCE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS ledger_attestation_pointers_tenant_isolation ON ledger_attestation_pointers;
+CREATE POLICY ledger_attestation_pointers_tenant_isolation
+    ON ledger_attestation_pointers
+    FOR ALL
+    USING (tenant_id = findings_ledger_app.require_current_tenant())
+    WITH CHECK (tenant_id = findings_ledger_app.require_current_tenant());
+
+-- ============================================
+-- 4. Add comments for documentation
+-- ============================================
+
+COMMENT ON TABLE ledger_attestation_pointers IS
+    'Links findings to verification reports and attestation envelopes for explainability (LEDGER-ATTEST-73-001)';
+
+COMMENT ON COLUMN ledger_attestation_pointers.pointer_id IS
+    'Unique identifier for this attestation pointer';
+
+COMMENT ON COLUMN ledger_attestation_pointers.finding_id IS
+    'Finding that this pointer references';
+
+COMMENT ON COLUMN ledger_attestation_pointers.attestation_type IS
+    'Type of attestation: verification_report, dsse_envelope, slsa_provenance, vex_attestation, sbom_attestation, scan_attestation, policy_attestation, approval_attestation';
+
+COMMENT ON COLUMN ledger_attestation_pointers.relationship IS
+    'Semantic relationship: verified_by, attested_by, signed_by, approved_by, derived_from';
+
+COMMENT ON COLUMN ledger_attestation_pointers.attestation_ref IS
+    'JSON object containing digest, storage_uri, payload_type, predicate_type, subject_digests, signer_info, rekor_entry';
+
+COMMENT ON COLUMN ledger_attestation_pointers.verification_result IS
+    'JSON object containing verified (bool), verified_at, verifier, verifier_version, policy_ref, checks, warnings, errors';
+
+COMMENT ON COLUMN ledger_attestation_pointers.ledger_event_id IS
+    'Reference to the ledger event that recorded this pointer creation';
+
+COMMIT;
--- a/src/Findings/StellaOps.Findings.Ledger/migrations/009_snapshots.sql
+++ b/src/Findings/StellaOps.Findings.Ledger/migrations/009_snapshots.sql
@@ -0,0 +1,71 @@
+-- Migration: 009_snapshots
+-- Description: Creates ledger_snapshots table for time-travel/snapshot functionality
+-- Date: 2025-12-07
+
+-- Create ledger_snapshots table
+CREATE TABLE IF NOT EXISTS ledger_snapshots (
+    tenant_id TEXT NOT NULL,
+    snapshot_id UUID NOT NULL,
+    label TEXT,
+    description TEXT,
+    status TEXT NOT NULL DEFAULT 'Creating',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ,
+    expires_at TIMESTAMPTZ,
+    sequence_number BIGINT NOT NULL,
+    snapshot_timestamp TIMESTAMPTZ NOT NULL,
+    findings_count BIGINT NOT NULL DEFAULT 0,
+    vex_statements_count BIGINT NOT NULL DEFAULT 0,
+    advisories_count BIGINT NOT NULL DEFAULT 0,
+    sboms_count BIGINT NOT NULL DEFAULT 0,
+    events_count BIGINT NOT NULL DEFAULT 0,
+    size_bytes BIGINT NOT NULL DEFAULT 0,
+    merkle_root TEXT,
+    dsse_digest TEXT,
+    metadata JSONB,
+    include_entity_types JSONB,
+    sign_requested BOOLEAN NOT NULL DEFAULT FALSE,
+    PRIMARY KEY (tenant_id, snapshot_id)
+);
+
+-- Index for listing snapshots by status
+CREATE INDEX IF NOT EXISTS idx_ledger_snapshots_status
+    ON ledger_snapshots (tenant_id, status, created_at DESC);
+
+-- Index for finding expired snapshots
+CREATE INDEX IF NOT EXISTS idx_ledger_snapshots_expires
+    ON ledger_snapshots (expires_at)
+    WHERE expires_at IS NOT NULL AND status = 'Available';
+
+-- Index for sequence lookups
+CREATE INDEX IF NOT EXISTS idx_ledger_snapshots_sequence
+    ON ledger_snapshots (tenant_id, sequence_number);
+
+-- Index for label search
+CREATE INDEX IF NOT EXISTS idx_ledger_snapshots_label
+    ON ledger_snapshots (tenant_id, label)
+    WHERE label IS NOT NULL;
+
+-- Enable RLS
+ALTER TABLE ledger_snapshots ENABLE ROW LEVEL SECURITY;
+
+-- RLS policy for tenant isolation
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_policies
+        WHERE tablename = 'ledger_snapshots'
+        AND policyname = 'ledger_snapshots_tenant_isolation'
+    ) THEN
+        CREATE POLICY ledger_snapshots_tenant_isolation ON ledger_snapshots
+            USING (tenant_id = current_setting('app.tenant_id', true))
+            WITH CHECK (tenant_id = current_setting('app.tenant_id', true));
+    END IF;
+END $$;
+
+-- Add comment
+COMMENT ON TABLE ledger_snapshots IS 'Point-in-time snapshots of ledger state for time-travel queries';
+COMMENT ON COLUMN ledger_snapshots.sequence_number IS 'Ledger sequence number at snapshot time';
+COMMENT ON COLUMN ledger_snapshots.snapshot_timestamp IS 'Timestamp of ledger state captured';
+COMMENT ON COLUMN ledger_snapshots.merkle_root IS 'Merkle root hash of all events up to sequence_number';
+COMMENT ON COLUMN ledger_snapshots.dsse_digest IS 'DSSE envelope digest if signed';