Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring. - Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
2025-12-04 07:30:42 +02:00
parent 2d079d61ed
commit e1262eb916
91 changed files with 19493 additions and 187 deletions
--- a/docs/modules/scanner/fixtures/adapters/README.md
+++ b/docs/modules/scanner/fixtures/adapters/README.md
@@ -2,3 +2,7 @@
 - Location for mapping CSVs converting CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0.
 - Each CSV must include BLAKE3 and SHA256 hash recorded in accompanying `hashes.txt`.
 - Adapters are pure (no network); determinism enforced in CI.
+- Files added:
+  - `mapping-cvss4-to-cvss3.csv`
+  - `mapping-slsa12-to-slsa10.csv`
+  - `mapping-cdx17-to-cdx16.csv` (placeholder empty; fill once downgrade rules freeze).
--- a/docs/modules/scanner/fixtures/adapters/hashes.txt
+++ b/docs/modules/scanner/fixtures/adapters/hashes.txt
@@ -1 +1,3 @@
-mapping-cdx17-to-cdx16.csv: BLAKE3=<TBD> SHA256=<TBD>
+mapping-cvss4-to-cvss3.csv blake3-256=fa600b266e696fd84070d2efd8678633366edcff62c4e75e0ffeaac98816c873 sha256=072b66befac9556bc84d81e522938a222c88691db9564af6f220389562f22b0d
+mapping-slsa12-to-slsa10.csv blake3-256=b833034769f1ece239a03fb0797bab160ef02d78bb781e7d48b05552d0d27015 sha256=4a3dd0a9c4ed9d5061b8c862b35ba8147da725bf0d2968164c52298a6e1451fd
+mapping-cdx17-to-cdx16.csv blake3-256=69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
--- a/docs/modules/scanner/fixtures/adapters/mapping-cvss4-to-cvss3.csv
+++ b/docs/modules/scanner/fixtures/adapters/mapping-cvss4-to-cvss3.csv
@@ -0,0 +1,14 @@
+source_field,target_field,rule,notes
+AV,AV,"Network->N, Adjacent->A, Local->L, Physical->P","Preserve mapping; CVSS 4 AT handled separately"
+AC,AC,"Low->L, High->H",""
+PR,PR,"None->N, Low->L, High->H",""
+UI,UI,"None->N, Passive->P, Active->A","CVSS3 has R (Required) approximate with A"
+VC,C,"High->H, Low->L, None->N","Impact mapping: VC→Confidentiality"
+VI,I,"High->H, Low->L, None->N",""
+VA,A,"High->H, Low->L, None->N",""
+SC,S,"High->C, Low->C, None->U","Scoped impact collapses to Scope Changed/Unchanged; default Changed when SC>None"
+SI,S,"High->C, Low->C, None->U","Same as SC"
+SA,S,"High->C, Low->C, None->U","Same as SC"
+AT,N/A,"drop","Attack requirements not represented in CVSS3"
+Threat,Temporal,"map to E: NotDefined","Threat metrics not supported; set Temporal NotDefined"
+Environmental,Environmental,"map CR/IR/AR to CR/IR/AR; map MV* to unchanged"
--- a/docs/modules/scanner/fixtures/adapters/mapping-slsa12-to-slsa10.csv
+++ b/docs/modules/scanner/fixtures/adapters/mapping-slsa12-to-slsa10.csv
@@ -0,0 +1,10 @@
+source_field,target_field,rule,notes
+builder.id,builder.id,copy,""
+builder.version,builder.version,copy,""
+invocation.configSource.uri,configSource.uri,copy,""
+invocation.configSource.digest,configSource.digest,copy,""
+materials[],materials[],copy,"Keep materials but drop integrity fields unsupported in 1.0"
+subject[],subject[],copy,""
+provenance.dsse,metadata.buildInvocationID,copy,"Use DSSE hash as buildInvocationID placeholder"
+metadata.startedOn,metadata.buildStartedOn,copy,""
+metadata.finishedOn,metadata.buildFinishedOn,copy,""