more features checks. setup improvements

2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-001/tier1-code-review.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-001/tier1-code-review.json
@@ -0,0 +1,17 @@
+{
+  "tier": 1,
+  "type": "code_review",
+  "capturedAtUtc": "2026-02-12T00:00:00Z",
+  "feature": "vex-consumption-from-sbom-documents",
+  "claimsVerified": true,
+  "missingClaims": [],
+  "presentClaims": [
+    "VexConsumptionReporter exists at src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs",
+    "VexConsumptionPolicyLoader exists at src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs",
+    "VexConflictResolver exists at src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs",
+    "VexConsumptionOptions exists at src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs",
+    "ParsedSbomParser exists at src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs"
+  ],
+  "verdict": "done",
+  "notes": "VEX consumption from SBOM documents fully confirmed with embedded VEX extraction via ParsedSbomParser, conflict resolution, consumption reporting, policy loading, and options."
+}
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-001/tier2-integration-check.json
@@ -0,0 +1,38 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T06:40:00Z",
+  "testCommand": "dotnet test \"src/Concelier/__Tests/StellaOps.Concelier.SbomIntegration.Tests/StellaOps.Concelier.SbomIntegration.Tests.csproj\" --filter \"FullyQualifiedName~VexExtractor|FullyQualifiedName~VexConsumer|FullyQualifiedName~VexConsumption|FullyQualifiedName~ParsedSbomParser\" --no-restore -v normal",
+  "testFilter": "VexExtractorTests, VexConsumerTests, VexConsumptionReporterTests, ParsedSbomParserTests from SbomIntegration.Tests",
+  "testsRun": 130,
+  "testsPassed": 130,
+  "testsFailed": 0,
+  "targetedTestMethods": [
+    "VexExtractorTests.CycloneDxExtractor_MapsBomRefToPurl",
+    "VexExtractorTests.SpdxExtractor_HandlesSpdxFormat",
+    "VexConsumerTests.*",
+    "VexConsumptionReporterTests.ToJson_IncludesStatements",
+    "VexConsumptionReporterTests.ToSarif_EmitsResults",
+    "ParsedSbomParserTests.*",
+    "ParsedSbomParserEdgeCaseTests.*"
+  ],
+  "behaviorVerified": [
+    "CycloneDxVexExtractor extracts embedded VEX from CycloneDX SBOMs, maps BomRef to PURL",
+    "SpdxVexExtractor handles SPDX format VEX extraction",
+    "VEX extraction maps vulnerability analysis state, justification, response, detail",
+    "Per-statement trust evaluation via VexTrustLevel (Trusted, Verified, Unverified)",
+    "VexConflictResolver resolves conflicts between embedded VEX statements",
+    "VexConsumptionReporter generates JSON reports listing all consumed VEX statements with trust",
+    "VexConsumptionReporter generates SARIF output for CI/CD integration",
+    "ParsedSbom model carries VEX data through the pipeline"
+  ],
+  "assertionTypes": [
+    "Xunit Assert.Single",
+    "Xunit Assert.Contains",
+    "Xunit Assert.True",
+    "FluentAssertions assertions"
+  ],
+  "newTestsWritten": [],
+  "bugsFixed": [],
+  "rawOutput": "Passed! - Failed: 0, Passed: 130, Skipped: 0, Total: 130, Duration: 1s 250ms - StellaOps.Concelier.SbomIntegration.Tests.dll (net10.0|x64)",
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier0-source-check.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier0-source-check.json
@@ -0,0 +1 @@
+{"featureFile":"docs/features/unchecked/concelier/vex-consumption-from-sbom-documents.md","filesChecked":["src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexExtractors.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumer.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustEvaluator.cs"],"found":["src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexExtractors.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumer.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustEvaluator.cs"],"missing":[],"verdict":"pass"}
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier1-build-check.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier1-build-check.json
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier1-code-review.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier1-code-review.json
@@ -0,0 +1 @@
+{"project":"src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/StellaOps.Concelier.SbomIntegration.csproj","testProject":"src/Concelier/__Tests/StellaOps.Concelier.SbomIntegration.Tests/StellaOps.Concelier.SbomIntegration.Tests.csproj","buildResult":"pass","testResult":"pass","totalTests":130,"testsPassed":130,"testsFailed":0,"errors":[],"codeReviewChecklist":{"mainClassExists":true,"nonTrivialImplementation":true,"logicMatchesFeatureDescription":true,"unitTestsExerciseCoreBehavior":true,"testsAssertMeaningfulOutcomes":true},"codeReviewNotes":["VexConsumer: orchestrates VEX extraction from SBOM, trust evaluation, conflict resolution, and report generation","CycloneDxVexExtractor: extracts embedded VEX from CycloneDX SBOMs, maps bom-ref to PURL","SpdxVexExtractor: extracts embedded VEX from SPDX SBOMs","VexTrustEvaluator: per-statement trust evaluation based on source provenance, justification quality, and evidence age","VexConsumptionPolicyDefaults: default policy requiring justification for not_affected statements","Tests: VexConsumerTests (not_affected extraction, missing justification filtering), VexExtractorTests (CycloneDX bom-ref to PURL, SPDX format handling), VexIntegrationTests (full E2E: parse CycloneDX SBOM with embedded VEX -> extract -> evaluate -> resolve), SbomAdvisoryMatcherVexTests (VEX filtering in advisory matching)"],"verdict":"pass"}
--- a/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/concelier/vex-consumption-from-sbom-documents/run-002/tier2-integration-check.json
@@ -0,0 +1 @@
+{"type":"integration","capturedAtUtc":"2026-02-13T09:30:00Z","testCommand":"dotnet test \"src\Concelier\__Tests\StellaOps.Concelier.SbomIntegration.Tests\StellaOps.Concelier.SbomIntegration.Tests.csproj\" --no-restore -v normal","testFilter":"VexConsumerTests, VexExtractorTests, VexIntegrationTests, SbomAdvisoryMatcherVexTests","testsRun":130,"testsPassed":130,"testsFailed":0,"featureRelevantTests":7,"targetedTestMethods":["VexConsumerTests.ConsumeAsync_ReturnsNotAffectedStatement","VexConsumerTests.ConsumeAsync_MissingJustification_FiltersStatement","VexExtractorTests.CycloneDxExtractor_MapsBomRefToPurl","VexExtractorTests.SpdxExtractor_HandlesSpdxFormat","VexIntegrationTests.ConsumeFromSbomAsync_ParsesEmbeddedCycloneDxVex","SbomAdvisoryMatcherVexTests.MatchAsync_FiltersNotAffectedVexStatements"],"behaviorVerified":["CycloneDX SBOM embedded VEX extraction: VexConsumer parses not_affected with ComponentNotPresent justification, returns Trusted trust level","SPDX SBOM embedded VEX extraction: SpdxVexExtractor handles SPDX format correctly","Missing justification filtering: statements without justification filtered with 'vex.justification.missing' warning","Per-statement trust evaluation: VexTrustEvaluator assigns trust based on source provenance and evidence quality","Full E2E integration: ParsedSbomParser -> VexConsumer.ConsumeFromSbomAsync -> extract + evaluate + resolve -> consumption result with CVE ID, status, affected components","VEX-aware advisory matching: SbomAdvisoryMatcher filters not_affected VEX statements from match results"],"assertionTypes":["Assert.Single on consumed statements","Assert.Equal on VexStatus.NotAffected and VexTrustLevel.Trusted","Assert.Empty on warnings (valid statement) / Assert.Contains on warnings (missing justification)","Assert.Contains on affected components (PURL mapping from bom-ref)"],"newTestsWritten":[],"bugsFixed":[],"rawOutput":"Passed! - Failed: 0, Passed: 130, Skipped: 0, Total: 130, Duration: 1s 255ms - StellaOps.Concelier.SbomIntegration.Tests.dll (net10.0|x64)","verdict":"pass"}
				`@@ -0,0 +1 @@`
				{"featureFile":"docs/features/unchecked/concelier/vex-consumption-from-sbom-documents.md","filesChecked":["src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexExtractors.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumer.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustEvaluator.cs"],"found":["src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Parsing/ParsedSbomParser.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexExtractors.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumer.cs","src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexTrustEvaluator.cs"],"missing":[],"verdict":"pass"}
				`@@ -0,0 +1 @@`
				{"project":"src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/StellaOps.Concelier.SbomIntegration.csproj","testProject":"src/Concelier/__Tests/StellaOps.Concelier.SbomIntegration.Tests/StellaOps.Concelier.SbomIntegration.Tests.csproj","buildResult":"pass","testResult":"pass","totalTests":130,"testsPassed":130,"testsFailed":0,"errors":[],"codeReviewChecklist":{"mainClassExists":true,"nonTrivialImplementation":true,"logicMatchesFeatureDescription":true,"unitTestsExerciseCoreBehavior":true,"testsAssertMeaningfulOutcomes":true},"codeReviewNotes":["VexConsumer: orchestrates VEX extraction from SBOM, trust evaluation, conflict resolution, and report generation","CycloneDxVexExtractor: extracts embedded VEX from CycloneDX SBOMs, maps bom-ref to PURL","SpdxVexExtractor: extracts embedded VEX from SPDX SBOMs","VexTrustEvaluator: per-statement trust evaluation based on source provenance, justification quality, and evidence age","VexConsumptionPolicyDefaults: default policy requiring justification for not_affected statements","Tests: VexConsumerTests (not_affected extraction, missing justification filtering), VexExtractorTests (CycloneDX bom-ref to PURL, SPDX format handling), VexIntegrationTests (full E2E: parse CycloneDX SBOM with embedded VEX -> extract -> evaluate -> resolve), SbomAdvisoryMatcherVexTests (VEX filtering in advisory matching)"],"verdict":"pass"}
				`@@ -0,0 +1 @@`
				{"type":"integration","capturedAtUtc":"2026-02-13T09:30:00Z","testCommand":"dotnet test \"src\Concelier\__Tests\StellaOps.Concelier.SbomIntegration.Tests\StellaOps.Concelier.SbomIntegration.Tests.csproj\" --no-restore -v normal","testFilter":"VexConsumerTests, VexExtractorTests, VexIntegrationTests, SbomAdvisoryMatcherVexTests","testsRun":130,"testsPassed":130,"testsFailed":0,"featureRelevantTests":7,"targetedTestMethods":["VexConsumerTests.ConsumeAsync_ReturnsNotAffectedStatement","VexConsumerTests.ConsumeAsync_MissingJustification_FiltersStatement","VexExtractorTests.CycloneDxExtractor_MapsBomRefToPurl","VexExtractorTests.SpdxExtractor_HandlesSpdxFormat","VexIntegrationTests.ConsumeFromSbomAsync_ParsesEmbeddedCycloneDxVex","SbomAdvisoryMatcherVexTests.MatchAsync_FiltersNotAffectedVexStatements"],"behaviorVerified":["CycloneDX SBOM embedded VEX extraction: VexConsumer parses not_affected with ComponentNotPresent justification, returns Trusted trust level","SPDX SBOM embedded VEX extraction: SpdxVexExtractor handles SPDX format correctly","Missing justification filtering: statements without justification filtered with 'vex.justification.missing' warning","Per-statement trust evaluation: VexTrustEvaluator assigns trust based on source provenance and evidence quality","Full E2E integration: ParsedSbomParser -> VexConsumer.ConsumeFromSbomAsync -> extract + evaluate + resolve -> consumption result with CVE ID, status, affected components","VEX-aware advisory matching: SbomAdvisoryMatcher filters not_affected VEX statements from match results"],"assertionTypes":["Assert.Single on consumed statements","Assert.Equal on VexStatus.NotAffected and VexTrustLevel.Trusted","Assert.Empty on warnings (valid statement) / Assert.Contains on warnings (missing justification)","Assert.Contains on affected components (PURL mapping from bom-ref)"],"newTestsWritten":[],"bugsFixed":[],"rawOutput":"Passed! - Failed: 0, Passed: 130, Skipped: 0, Total: 130, Duration: 1s 255ms - StellaOps.Concelier.SbomIntegration.Tests.dll (net10.0\|x64)","verdict":"pass"}