Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)

- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections. - Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts. - Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities. - Added SecurityAssertions.cs for common security-specific assertion helpers. - Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities. - Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.
2025-12-16 13:11:57 +02:00
parent 5a480a3c2a
commit b55d9fa68d
72 changed files with 8051 additions and 71 deletions
--- a/scripts/ci/performance-slos.yaml
+++ b/scripts/ci/performance-slos.yaml
@@ -0,0 +1,94 @@
+# =============================================================================
+# Performance SLOs (Service Level Objectives)
+# Reference: Testing and Quality Guardrails Technical Reference
+#
+# These SLOs define the performance budgets for CI quality gates.
+# Violations will be flagged and may block releases.
+# =============================================================================
+
+# Scan Time SLOs (milliseconds)
+scan_time:
+  p50:
+    threshold: 15000
+    description: "50th percentile scan time"
+    severity: "info"
+  p95:
+    threshold: 30000
+    description: "95th percentile scan time - primary SLO"
+    severity: "warning"
+  p99:
+    threshold: 60000
+    description: "99th percentile scan time - tail latency"
+    severity: "critical"
+
+# Memory Usage SLOs (megabytes)
+memory:
+  peak_mb:
+    threshold: 2048
+    description: "Peak memory usage during scan"
+    severity: "warning"
+  average_mb:
+    threshold: 1024
+    description: "Average memory usage"
+    severity: "info"
+
+# CPU Time SLOs (seconds)
+cpu:
+  max_seconds:
+    threshold: 120
+    description: "Maximum CPU time per scan"
+    severity: "warning"
+  average_seconds:
+    threshold: 60
+    description: "Average CPU time per scan"
+    severity: "info"
+
+# Component-Specific SLOs (milliseconds)
+components:
+  sbom_generation:
+    p95:
+      threshold: 10000
+      description: "SBOM generation time P95"
+      severity: "warning"
+  policy_evaluation:
+    p95:
+      threshold: 5000
+      description: "Policy evaluation time P95"
+      severity: "warning"
+  reachability_analysis:
+    p95:
+      threshold: 20000
+      description: "Reachability analysis time P95"
+      severity: "warning"
+  vulnerability_matching:
+    p95:
+      threshold: 8000
+      description: "Vulnerability matching time P95"
+      severity: "warning"
+
+# Resource Budget SLOs
+resource_budgets:
+  disk_io_mb:
+    threshold: 500
+    description: "Maximum disk I/O per scan"
+  network_calls:
+    threshold: 0
+    description: "Network calls (should be zero for offline scans)"
+  temp_storage_mb:
+    threshold: 1024
+    description: "Maximum temporary storage usage"
+
+# Regression Thresholds
+regression:
+  max_degradation_pct: 10
+  warning_threshold_pct: 5
+  baseline_window_days: 30
+
+# Override Configuration
+overrides:
+  allowed_labels:
+    - "performance-override"
+    - "large-scan"
+  required_approvers:
+    - "platform"
+    - "performance"