stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

UI work to fill SBOM sourcing management gap. UI planning remaining functionality exposure. Work on CI/Tests stabilization

Browse Source 
Introduces CGS determinism test runs to CI workflows for Windows, macOS, Linux, Alpine, and Debian, fulfilling CGS-008 cross-platform requirements. Updates local-ci scripts to support new smoke steps, test timeouts, progress intervals, and project slicing for improved test isolation and diagnostics.
This commit is contained in:
master
2025-12-29 19:12:38 +02:00
parent 41552d26ec
commit a4badc275e
286 changed files with 50918 additions and 992 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
src/__Tests/e2e/ReplayableVerdict/README.md Normal file
View File

@@ -0,0 +1,275 @@
# E2E Replayable Verdict Tests
Sprint: `SPRINT_20251229_004_005_E2E`
## Overview
End-to-end tests validating the complete reproducible verdict pipeline:
```
Image → Scanner → Feedser → VexLens → Verdict Builder → DSSE Signing → UI Delta View
```
With capture of artifacts bundle enabling byte-for-byte replay.
## Test Structure
### Golden Bundles
Located in `src/__Tests/fixtures/e2e/bundle-XXXX/`:
```
bundle-0001/
├── manifest.json # ReplayManifest v2
├── inputs/
│ ├── sbom.cdx.json # Canonical SBOM
│ ├── feeds/
│ │ └── osv-snapshot.json # Pinned feed subset
│ ├── vex/
│ │ └── vendor.openvex.json
│ └── policy/
│ └── rules.yaml
├── outputs/
│ ├── verdict.json # Expected verdict
│ └── verdict.dsse.json # DSSE envelope (when signing enabled)
├── attestation/
│ ├── test-keypair.pem # Test signing key
│ └── public-key.pem
└── meta.json # Bundle metadata
```
### Test Categories
| Test | Status | Purpose |
|------|--------|---------|
| E2E-001 | ✅ DONE | Golden bundle creation and loading |
| E2E-002 | ⏳ SKIPPED | Full pipeline test (requires service integration) |
| E2E-003 | ⏳ SKIPPED | Replay verification test |
| E2E-004 | ⏳ SKIPPED | Delta verdict test |
| E2E-005 | ⏳ SKIPPED | DSSE signature verification |
| E2E-006 | ⏳ SKIPPED | Offline/air-gap replay test |
| E2E-007 | ✅ DONE | CLI `stella verify --bundle` command |
| E2E-008 | ⏳ SKIPPED | Cross-platform replay test |
## Running Tests
### All E2E Tests
```bash
dotnet test src/__Tests/E2E/ReplayableVerdict/ \
--filter "Category=E2E"
```
### Determinism Tests Only
```bash
dotnet test src/__Tests/E2E/ReplayableVerdict/ \
--filter "Category=Determinism"
```
### Individual Test
```bash
dotnet test src/__Tests/E2E/ReplayableVerdict/ \
--filter "FullyQualifiedName~Bundle_LoadsSuccessfully"
```
## Current Status
### ✅ Completed
- Golden bundle structure created (`bundle-0001`)
- Minimal test inputs:
- SBOM: Alpine 3.19 with 5 packages
- Feeds: 2 synthetic OSV advisories
- VEX: 1 OpenVEX statement
- Policy: Basic rules with scoring
- Manifest schema (ReplayManifest v2)
- Bundle loader implementation
- 8 test cases defined (3 passing, 5 skipped pending integration)
### ⏳ Pending Integration
The following tests are **skipped** pending service integration:
1. **Full Pipeline Test (E2E-002)**
- Requires: Scanner, VexLens, VerdictBuilder services
- Blocks: End-to-end verdict generation
2. **Replay Verification (E2E-003)**
- Requires: VerdictBuilder.ReplayAsync()
- Blocks: Determinism validation
3. **Delta Verdict (E2E-004)**
- Requires: VerdictBuilder.DiffAsync() + bundle-0002
- Blocks: Version comparison testing
4. **DSSE Signing (E2E-005)**
- Requires: Signer service integration
- Blocks: Attestation verification
5. **Offline Replay (E2E-006)**
- Requires: Network isolation test infrastructure
- Blocks: Air-gap validation
6. **Cross-Platform (E2E-008)**
- Requires: Multi-platform CI runners
- Blocks: Platform-independent determinism
### ✅ Completed: E2E-007 CLI Verify Command
**Implementation:**
The `stella verify bundle` command has been implemented in:
- `src/Cli/StellaOps.Cli/Commands/CommandHandlers.VerifyBundle.cs` (handler)
- `src/Cli/StellaOps.Cli/Commands/VerifyCommandGroup.cs` (command registration)
- `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/VerifyBundleCommandTests.cs` (tests)
**Usage:**
```bash
stella verify bundle --bundle <path-to-bundle-directory>
stella verify bundle --bundle <path-to-bundle.tar.gz> # Not yet supported
stella verify bundle --bundle ./bundle-0001 --skip-replay # Skip verdict replay
stella verify bundle --bundle ./bundle-0001 --output json # JSON output
```
**Features:**
1. ✅ Loads bundle manifest
2. ✅ Validates input hashes (SBOM, feeds, VEX, policy)
3. ⏳ Replays verdict (stubbed - requires VerdictBuilder integration)
4. ✅ Compares to expected hash
5. ⏳ Verifies DSSE signature (stubbed - requires Signer integration)
6. ✅ Outputs PASS/FAIL with violations
**Exit Codes:**
- `0` - PASS: All validations passed
- `7` - File not found (bundle or manifest)
- `8` - FAIL: Validation violations detected
- `9` - Not implemented (tar.gz extraction)
## Integration Roadmap
### Phase 1: Service Integration (Week 1-2)
1. Integrate Scanner service
2. Integrate VexLens consensus
3. Integrate VerdictBuilder
4. Enable E2E-002 (Full Pipeline)
### Phase 2: Replay Functionality (Week 3)
1. Implement VerdictBuilder.ReplayAsync()
2. Enable E2E-003 (Replay Verification)
3. Create bundle-0002 for delta testing
4. Enable E2E-004 (Delta Verdict)
### Phase 3: Signing & Attestation (Week 4)
1. Integrate Signer service
2. Generate test keypair
3. Enable E2E-005 (DSSE Signing)
4. Implement CLI verify command (E2E-007)
### Phase 4: Advanced Validation (Week 5)
1. Setup network isolation for E2E-006
2. Configure multi-platform CI for E2E-008
3. Add performance benchmarks
4. Add chaos testing variants
## Bundle Management
### Creating a New Bundle
```bash
# 1. Create bundle directory
mkdir -p src/__Tests/fixtures/e2e/bundle-XXXX
# 2. Use Fixture Harvester
cd src/__Tests/Tools/FixtureHarvester
dotnet run harvest --type e2e --id bundle-XXXX
# 3. Add inputs (SBOM, feeds, VEX, policy)
# Place files in bundle-XXXX/inputs/
# 4. Run pipeline to generate outputs
stella scan --record --bundle bundle-XXXX
# 5. Compute hashes and update manifest
dotnet run validate --bundle bundle-XXXX
# 6. Freeze bundle (commit to git)
git add src/__Tests/fixtures/e2e/bundle-XXXX
git commit -m "Add E2E bundle: bundle-XXXX"
```
### Validating Bundles
```bash
# Validate all bundles
dotnet run --project src/__Tests/Tools/FixtureHarvester \
validate --path src/__Tests/fixtures/e2e
# CI validation
.gitea/workflows/e2e-replay.yml
```
## Determinism Guarantees
### Input Stability
- All inputs pinned with SHA-256 hashes
- Feed snapshots frozen at capture time
- Policy files versioned
- SBOM canonical format (sorted, normalized)
### Output Reproducibility
- Verdict hash computed from canonical JSON
- UTC timestamps in ISO-8601 format
- Stable sorting (CVEs, packages, findings)
- No system-specific paths or UUIDs
### Cross-Platform Compatibility
- Tests run on: Ubuntu 22.04, Alpine 3.19, Debian Bookworm
- Verdict hash must match across all platforms
- File path normalization (forward slashes)
- Line ending normalization (LF only)
## Troubleshooting
### Bundle Load Failures
```bash
# Check manifest syntax
cat src/__Tests/fixtures/e2e/bundle-0001/manifest.json | jq .
# Verify file paths
ls src/__Tests/fixtures/e2e/bundle-0001/inputs/
# Validate hashes
sha256sum src/__Tests/fixtures/e2e/bundle-0001/inputs/sbom.cdx.json
```
### Hash Mismatches
```bash
# Recompute hashes
dotnet run --project src/__Tests/Tools/FixtureHarvester \
validate --path src/__Tests/fixtures/e2e
# Compare expected vs actual
diff -u expected.json actual.json | jq .
```
### Skipped Tests
Skipped tests indicate missing service integration. Follow integration roadmap to enable.
## See Also
- [Fixture Harvester](../../Tools/FixtureHarvester/README.md)
- [Determinism Guide](../../../docs/testing/DETERMINISM_DEVELOPER_GUIDE.md)
- [Replay Architecture](../../../docs/modules/replay/architecture.md)
- [Verdict API](../../../src/__Libraries/StellaOps.Verdict/README.md)

245
src/__Tests/e2e/ReplayableVerdict/ReplayableVerdictE2ETests.cs Normal file
View File

@@ -0,0 +1,245 @@
// <copyright file="ReplayableVerdictE2ETests.cs" company="Stella Operations">
// Copyright (c) Stella Operations. Licensed under AGPL-3.0-or-later.
// </copyright>
using System;
using System.IO;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Xunit;
namespace StellaOps.E2E.ReplayableVerdict;
/// <summary>
/// E2E tests for reproducible verdict generation and replay
/// Sprint: SPRINT_20251229_004_005_E2E
/// </summary>
[Trait("Category", "E2E")]
[Trait("Category", "Determinism")]
public sealed class ReplayableVerdictE2ETests : IAsyncLifetime
{
private const string BundlePath = "../../../fixtures/e2e/bundle-0001";
private GoldenBundle? _bundle;
public async Task InitializeAsync()
{
_bundle = await GoldenBundle.LoadAsync(BundlePath);
}
public Task DisposeAsync()
{
return Task.CompletedTask;
}
[Fact(Skip = "E2E-002: Requires full pipeline integration")]
public async Task FullPipeline_ProducesConsistentVerdict()
{
// Arrange
_bundle.Should().NotBeNull();
// This test requires:
// - Scanner service to process SBOM
// - VexLens to compute consensus
// - Verdict builder to generate final verdict
// Currently skipped until services are integrated
// Act
// var scanResult = await Scanner.ScanAsync(_bundle.ImageDigest);
// var vexConsensus = await VexLens.ComputeConsensusAsync(scanResult.SbomDigest, _bundle.FeedSnapshot);
// var verdict = await VerdictBuilder.BuildAsync(evidencePack, _bundle.PolicyLock);
// Assert
// verdict.CgsHash.Should().Be(_bundle.ExpectedVerdictHash);
}
[Fact(Skip = "E2E-003: Requires verdict builder service")]
public async Task ReplayFromBundle_ProducesIdenticalVerdict()
{
// Arrange
_bundle.Should().NotBeNull();
var originalVerdictHash = _bundle!.Manifest.ExpectedOutputs.VerdictHash;
// Act
// var replayedVerdict = await VerdictBuilder.ReplayAsync(_bundle.Manifest);
// Assert
// replayedVerdict.CgsHash.Should().Be(originalVerdictHash);
}
[Fact]
public void Bundle_LoadsSuccessfully()
{
// Assert
_bundle.Should().NotBeNull();
_bundle!.Manifest.Should().NotBeNull();
_bundle.Manifest.SchemaVersion.Should().Be("2.0");
_bundle.Manifest.BundleId.Should().Be("bundle-0001");
}
[Fact]
public void Bundle_HasValidInputs()
{
// Assert
_bundle.Should().NotBeNull();
_bundle!.Manifest.Inputs.Should().NotBeNull();
_bundle.Manifest.Inputs.Sbom.Should().NotBeNull();
_bundle.Manifest.Inputs.Feeds.Should().NotBeNull();
_bundle.Manifest.Inputs.Vex.Should().NotBeNull();
_bundle.Manifest.Inputs.Policy.Should().NotBeNull();
}
[Fact]
public void Bundle_SbomFile_Exists()
{
// Arrange
var sbomPath = Path.Combine(BundlePath, _bundle!.Manifest.Inputs.Sbom.Path);
// Assert
File.Exists(sbomPath).Should().BeTrue($"SBOM file should exist at {sbomPath}");
}
[Fact]
public async Task Bundle_SbomFile_IsValidJson()
{
// Arrange
var sbomPath = Path.Combine(BundlePath, _bundle!.Manifest.Inputs.Sbom.Path);
var json = await File.ReadAllTextAsync(sbomPath);
// Act
var doc = JsonDocument.Parse(json);
// Assert
doc.RootElement.TryGetProperty("bomFormat", out var bomFormat).Should().BeTrue();
bomFormat.GetString().Should().Be("CycloneDX");
doc.RootElement.TryGetProperty("components", out var components).Should().BeTrue();
components.GetArrayLength().Should().BeGreaterThan(0);
}
[Fact(Skip = "E2E-004: Requires verdict builder with delta support")]
public async Task DeltaVerdict_ShowsExpectedChanges()
{
// This test requires two bundles (v1 and v2) to compare
// var bundleV1 = await GoldenBundle.LoadAsync("../../../fixtures/e2e/bundle-0001");
// var bundleV2 = await GoldenBundle.LoadAsync("../../../fixtures/e2e/bundle-0002");
// var verdictV1 = await VerdictBuilder.BuildAsync(bundleV1.ToEvidencePack(), bundleV1.PolicyLock);
// var verdictV2 = await VerdictBuilder.BuildAsync(bundleV2.ToEvidencePack(), bundleV2.PolicyLock);
// var delta = await VerdictBuilder.DiffAsync(verdictV1.CgsHash, verdictV2.CgsHash);
// delta.AddedVulns.Should().Contain("CVE-2024-NEW");
// delta.RemovedVulns.Should().Contain("CVE-2024-FIXED");
}
[Fact(Skip = "E2E-005: Requires DSSE signing service")]
public async Task Verdict_HasValidDsseSignature()
{
// var verdict = await VerdictBuilder.BuildAsync(_bundle.ToEvidencePack(), _bundle.PolicyLock);
// var dsseEnvelope = await Signer.SignAsync(verdict);
// var verificationResult = await Signer.VerifyAsync(dsseEnvelope, _bundle.PublicKey);
// verificationResult.IsValid.Should().BeTrue();
// verificationResult.SignedBy.Should().Be("test-keypair");
}
[Fact(Skip = "E2E-006: Requires network isolation support")]
public async Task OfflineReplay_ProducesIdenticalVerdict()
{
// This test should run with network disabled
// AssertNoNetworkCalls();
// var verdict = await VerdictBuilder.ReplayAsync(_bundle.Manifest);
// verdict.CgsHash.Should().Be(_bundle.ExpectedVerdictHash);
}
[Fact(Skip = "E2E-008: Requires cross-platform CI")]
public async Task CrossPlatformReplay_ProducesIdenticalHash()
{
// This test runs on multiple CI runners (Ubuntu, Alpine, Debian)
// var platform = Environment.OSVersion;
// var verdict = await VerdictBuilder.BuildAsync(_bundle.ToEvidencePack(), _bundle.PolicyLock);
// verdict.CgsHash.Should().Be(_bundle.ExpectedVerdictHash,
// $"verdict on {platform} should match golden hash");
}
}
/// <summary>
/// Golden bundle loader
/// </summary>
internal sealed class GoldenBundle
{
public required BundleManifest Manifest { get; init; }
public required string BasePath { get; init; }
public static async Task<GoldenBundle> LoadAsync(string path)
{
var manifestPath = Path.Combine(path, "manifest.json");
if (!File.Exists(manifestPath))
{
throw new FileNotFoundException($"Bundle manifest not found: {manifestPath}");
}
var json = await File.ReadAllTextAsync(manifestPath);
var manifest = JsonSerializer.Deserialize<BundleManifest>(json,
new JsonSerializerOptions { PropertyNameCaseInsensitive = true })
?? throw new InvalidOperationException("Failed to deserialize manifest");
return new GoldenBundle
{
Manifest = manifest,
BasePath = path
};
}
}
/// <summary>
/// Bundle manifest schema (ReplayManifest v2)
/// </summary>
internal sealed record BundleManifest
{
public required string SchemaVersion { get; init; }
public required string BundleId { get; init; }
public string? Description { get; init; }
public required string CreatedAt { get; init; }
public required ScanInfo Scan { get; init; }
public required BundleInputs Inputs { get; init; }
public required BundleOutputs ExpectedOutputs { get; init; }
public string? Notes { get; init; }
}
internal sealed record ScanInfo
{
public required string Id { get; init; }
public required string ImageDigest { get; init; }
public required string PolicyDigest { get; init; }
public required string ScorePolicyDigest { get; init; }
public required string FeedSnapshotDigest { get; init; }
public required string Toolchain { get; init; }
public required string AnalyzerSetDigest { get; init; }
}
internal sealed record BundleInputs
{
public required InputFile Sbom { get; init; }
public required InputFile Feeds { get; init; }
public required InputFile Vex { get; init; }
public required InputFile Policy { get; init; }
}
internal sealed record InputFile
{
public required string Path { get; init; }
public required string Sha256 { get; init; }
}
internal sealed record BundleOutputs
{
public required InputFile Verdict { get; init; }
public required string VerdictHash { get; init; }
}

36
src/__Tests/e2e/ReplayableVerdict/StellaOps.E2E.ReplayableVerdict.csproj Normal file
View File

@@ -0,0 +1,36 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<RootNamespace>StellaOps.E2E.ReplayableVerdict</RootNamespace>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<LangVersion>preview</LangVersion>
<IsPackable>false</IsPackable>
<IsTestProject>true</IsTestProject>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="3.0.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="FluentAssertions" Version="7.0.0" />
<PackageReference Include="Moq" Version="4.20.72" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\Scanner\StellaOps.Scanner.WebService\StellaOps.Scanner.WebService.csproj" />
<ProjectReference Include="..\..\..\VexLens\StellaOps.VexLens\StellaOps.VexLens.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Verdict\StellaOps.Verdict.csproj" />
</ItemGroup>
<ItemGroup>
<None Update="..\..\fixtures\e2e\**\*">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
</None>
</ItemGroup>
</Project>