Add PHP Analyzer Plugin and Composer Lock Data Handling

- Implemented the PhpAnalyzerPlugin to analyze PHP projects. - Created ComposerLockData class to represent data from composer.lock files. - Developed ComposerLockReader to load and parse composer.lock files asynchronously. - Introduced ComposerPackage class to encapsulate package details. - Added PhpPackage class to represent PHP packages with metadata and evidence. - Implemented PhpPackageCollector to gather packages from ComposerLockData. - Created PhpLanguageAnalyzer to perform analysis and emit results. - Added capability signals for known PHP frameworks and CMS. - Developed unit tests for the PHP language analyzer and its components. - Included sample composer.lock and expected output for testing. - Updated project files for the new PHP analyzer library and tests.
2025-11-22 14:02:49 +02:00
parent a7f3c7869a
commit b6b9ffc050
158 changed files with 16272 additions and 809 deletions
--- a/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryLinksetNormalizationConfidenceTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Linksets/AdvisoryLinksetNormalizationConfidenceTests.cs
@@ -28,4 +28,20 @@ public sealed class AdvisoryLinksetNormalizationConfidenceTests
        Assert.Equal("severity-mismatch", conflict.Reason);
        Assert.Contains("severity:mismatch", conflict.Values!);
    }
+
+    [Fact]
+    public void FromRawLinksetWithConfidence_EmitsCvssMismatchConflict()
+    {
+        var linkset = new RawLinkset
+        {
+            PackageUrls = ImmutableArray.Create("pkg:maven/com.acme/foo@2.0.0"),
+            Notes = ImmutableDictionary.CreateRange(new[] { new KeyValuePair<string, string>("cvss_v3", "7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") })
+        };
+
+        var (_, _, conflicts) = AdvisoryLinksetNormalization.FromRawLinksetWithConfidence(linkset);
+
+        var conflict = Assert.Single(conflicts);
+        Assert.Equal("cvss-mismatch", conflict.Reason);
+        Assert.Contains("cvss_v3:7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", conflict.Values!);
+    }
 }
--- a/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationAggregationTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Core.Tests/Observations/AdvisoryObservationAggregationTests.cs
@@ -96,6 +96,7 @@ public sealed class AdvisoryObservationAggregationTests
        Assert.Contains(aggregate.Conflicts, c => c.Reason == "alias-inconsistency");
        Assert.Contains(aggregate.Conflicts, c => c.Reason == "affected-range-divergence");
        Assert.True(aggregate.Confidence is > 0.0 and < 1.0);
+        Assert.All(aggregate.Conflicts, c => Assert.NotNull(c.SourceIds));
    }

    [Fact]
--- a/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationTransportWorkerTests.cs
+++ b/src/Concelier/__Tests/StellaOps.Concelier.Storage.Mongo.Tests/Observations/AdvisoryObservationTransportWorkerTests.cs
@@ -33,8 +33,8 @@ public class AdvisoryObservationTransportWorkerTests
            "hash-1",
            DateTimeOffset.UtcNow,
            ReplayCursor: "cursor-1",
-            supersedesId: null,
-            traceId: "trace-1");
+            SupersedesId: null,
+            TraceId: "trace-1");

        var outbox = new FakeOutbox(evt);
        var transport = new FakeTransport();