Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring. - Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
2025-12-04 07:30:42 +02:00
parent 2d079d61ed
commit e1262eb916
91 changed files with 19493 additions and 187 deletions
--- a/bench/reachability-benchmark/cases/js/express-eval/case.yaml
+++ b/bench/reachability-benchmark/cases/js/express-eval/case.yaml
@@ -18,6 +18,9 @@ environment:
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -36,3 +40,9 @@ ground_truth:
  summary: "Admin exec endpoint reachable and executes eval"
  evidence_files:
    - "../benchmark/truth/js-express-eval.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/js/express-eval/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/js/express-eval/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/js/express-guarded/case.yaml
+++ b/bench/reachability-benchmark/cases/js/express-guarded/case.yaml
@@ -18,6 +18,9 @@ environment:
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -36,3 +40,9 @@ ground_truth:
  summary: "Guard prevents sink unless ALLOW_EXEC=true"
  evidence_files:
    - "../benchmark/truth/js-express-guarded.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/js/express-guarded/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/js/express-guarded/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/js/fastify-template/case.yaml
+++ b/bench/reachability-benchmark/cases/js/fastify-template/case.yaml
@@ -18,6 +18,9 @@ environment:
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -36,3 +40,9 @@ ground_truth:
  summary: "Template rendering reachable via POST /api/render"
  evidence_files:
    - "../benchmark/truth/js-fastify-template.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/js/fastify-template/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/js/fastify-template/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/js/guarded-eval/case.yaml
+++ b/bench/reachability-benchmark/cases/js/guarded-eval/case.yaml
@@ -18,6 +18,9 @@ environment:
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -36,3 +40,9 @@ ground_truth:
  summary: "Guard prevents sink when FEATURE_ENABLE != 1"
  evidence_files:
    - "../benchmark/truth/js-guarded-eval.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/js/guarded-eval/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/js/guarded-eval/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/js/unsafe-eval/case.yaml
+++ b/bench/reachability-benchmark/cases/js/unsafe-eval/case.yaml
@@ -18,6 +18,9 @@ environment:
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -36,3 +40,9 @@ ground_truth:
  summary: "Unit test triggers eval sink with payload {code: '1+2'}"
  evidence_files:
    - "../benchmark/truth/js-unsafe-eval.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/js/unsafe-eval/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/js/unsafe-eval/outputs/binary.tar.gz