Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
2025-10-27 08:00:11 +02:00
parent 651b8e0fa3
commit 96d52884e8
712 changed files with 49449 additions and 6124 deletions
--- a/samples/policy/README.md
+++ b/samples/policy/README.md
@@ -0,0 +1,25 @@
+# Policy Samples
+
+Curated fixtures used by CI smoke/determinism checks and example documentation.
+
+| Scenario | Policy | Findings | Expected Diff | UI/CLI Diff Fixture |
+|----------|--------|----------|---------------|---------------------|
+| `baseline` | `docs/examples/policies/baseline.yaml` | `samples/policy/baseline/findings.json` | `samples/policy/baseline/diffs.json` | `samples/policy/simulations/baseline/diff.json` |
+| `serverless` | `docs/examples/policies/serverless.yaml` | `samples/policy/serverless/findings.json` | `samples/policy/serverless/diffs.json` | `samples/policy/simulations/serverless/diff.json` |
+| `internal-only` | `docs/examples/policies/internal-only.yaml` | `samples/policy/internal-only/findings.json` | `samples/policy/internal-only/diffs.json` | `samples/policy/simulations/internal-only/diff.json` |
+
+Run the simulation harness locally:
+
+```bash
+dotnet run \
+  --project tools/PolicySimulationSmoke/PolicySimulationSmoke.csproj \
+  -- \
+  --scenario-root samples/policy/simulations \
+  --output out/policy-simulations
+```
+
+Then inspect `out/policy-simulations/policy-simulation-summary.json` for verdict changes.
+
+---
+
+*Last updated: 2025-10-26.*
--- a/samples/policy/baseline/diffs.json
+++ b/samples/policy/baseline/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "status": "Blocked",
+    "rule": "block_critical"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "status": "Warned",
+    "rule": "alert_warn_eol_runtime"
+  }
+]
--- a/samples/policy/baseline/findings.json
+++ b/samples/policy/baseline/findings.json
@@ -0,0 +1,14 @@
+[
+  {
+    "findingId": "library:pkg/openssl@1.1.1w",
+    "severity": "Critical",
+    "source": "NVD",
+    "environment": "internet"
+  },
+  {
+    "findingId": "library:pkg/internal-runtime@1.0.0",
+    "severity": "Low",
+    "source": "NVD",
+    "tags": ["runtime:eol"]
+  }
+]
--- a/samples/policy/internal-only/diffs.json
+++ b/samples/policy/internal-only/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "status": "RequiresVex",
+    "rule": "accept_vendor_vex"
+  }
+]
--- a/samples/policy/internal-only/findings.json
+++ b/samples/policy/internal-only/findings.json
@@ -0,0 +1,15 @@
+[
+  {
+    "findingId": "library:pkg/internal-app@2.0.0",
+    "severity": "Medium",
+    "source": "GHSA",
+    "environment": "internal"
+  },
+  {
+    "findingId": "library:pkg/kev-component@3.1.4",
+    "severity": "High",
+    "source": "NVD",
+    "tags": ["kev"],
+    "environment": "internal"
+  }
+]
--- a/samples/policy/serverless/diffs.json
+++ b/samples/policy/serverless/diffs.json
@@ -0,0 +1,12 @@
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "status": "Blocked",
+    "rule": "block_any_high"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "status": "Blocked",
+    "rule": "forbid_unpinned_base"
+  }
+]
--- a/samples/policy/serverless/findings.json
+++ b/samples/policy/serverless/findings.json
@@ -0,0 +1,15 @@
+[
+  {
+    "findingId": "library:pkg/aws-lambda@1.0.0",
+    "severity": "High",
+    "source": "NVD",
+    "environment": "serverless"
+  },
+  {
+    "findingId": "image:sha256:untrusted-base",
+    "severity": "Medium",
+    "source": "NVD",
+    "tags": ["image:latest-tag"],
+    "environment": "serverless"
+  }
+]
--- a/samples/policy/simulations/baseline/diff.json
+++ b/samples/policy/simulations/baseline/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "baseline",
+    "policyDigest": "sha256:simulation-baseline",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_critical",
+      "notes": "Critical severity must be remediated before deploy."
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Warned",
+      "rule": "alert_warn_eol_runtime",
+      "notes": "Runtime marked as EOL; upgrade recommended."
+    }
+  ]
+}
--- a/samples/policy/simulations/baseline/scenario.json
+++ b/samples/policy/simulations/baseline/scenario.json
@@ -0,0 +1,21 @@
+{
+  "name": "baseline",
+  "policyPath": "docs/examples/policies/baseline.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/openssl@1.1.1w",
+      "severity": "Critical",
+      "source": "NVD"
+    },
+    {
+      "findingId": "library:pkg/internal-runtime@1.0.0",
+      "severity": "Low",
+      "source": "NVD",
+      "tags": ["runtime:eol"]
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/openssl@1.1.1w", "status": "Blocked" },
+    { "findingId": "library:pkg/internal-runtime@1.0.0", "status": "Warned" }
+  ]
+}
--- a/samples/policy/simulations/internal-only/diff.json
+++ b/samples/policy/simulations/internal-only/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "internal-only",
+    "policyDigest": "sha256:simulation-internal-only",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "baselineStatus": "Pass",
+      "projectedStatus": "RequiresVex",
+      "rule": "accept_vendor_vex",
+      "notes": "Trust vendor VEX statements for internal scope."
+    }
+  ]
+}
--- a/samples/policy/simulations/internal-only/scenario.json
+++ b/samples/policy/simulations/internal-only/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "internal-only",
+  "policyPath": "docs/examples/policies/internal-only.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/internal-app@2.0.0",
+      "severity": "Medium",
+      "source": "GHSA",
+      "environment": "internal"
+    },
+    {
+      "findingId": "library:pkg/kev-component@3.1.4",
+      "severity": "High",
+      "source": "NVD",
+      "tags": ["kev"],
+      "environment": "internal"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/internal-app@2.0.0", "status": "RequiresVex" },
+    { "findingId": "library:pkg/kev-component@3.1.4", "status": "RequiresVex" }
+  ]
+}
--- a/samples/policy/simulations/serverless/diff.json
+++ b/samples/policy/simulations/serverless/diff.json
@@ -0,0 +1,23 @@
+{
+  "summary": {
+    "policy": "serverless",
+    "policyDigest": "sha256:simulation-serverless",
+    "changed": 2
+  },
+  "diffs": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "block_any_high",
+      "notes": "Serverless workloads block High+ severities."
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "baselineStatus": "Pass",
+      "projectedStatus": "Blocked",
+      "rule": "forbid_unpinned_base",
+      "notes": "Base image must be pinned (no :latest)."
+    }
+  ]
+}
--- a/samples/policy/simulations/serverless/scenario.json
+++ b/samples/policy/simulations/serverless/scenario.json
@@ -0,0 +1,23 @@
+{
+  "name": "serverless",
+  "policyPath": "docs/examples/policies/serverless.yaml",
+  "findings": [
+    {
+      "findingId": "library:pkg/aws-lambda@1.0.0",
+      "severity": "High",
+      "source": "NVD",
+      "environment": "serverless"
+    },
+    {
+      "findingId": "image:sha256:untrusted-base",
+      "severity": "Medium",
+      "source": "NVD",
+      "tags": ["image:latest-tag"],
+      "environment": "serverless"
+    }
+  ],
+  "expectedDiffs": [
+    { "findingId": "library:pkg/aws-lambda@1.0.0", "status": "Blocked" },
+    { "findingId": "image:sha256:untrusted-base", "status": "Blocked" }
+  ]
+}