stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save dev progress

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 00:32:35 +02:00
parent aa70af062e
commit ed3079543c
142 changed files with 23771 additions and 232 deletions
Download Patch File Download Diff File Expand all files Collapse all files

516
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/BackportEvidenceResolverTests.cs Normal file
View File

@@ -0,0 +1,516 @@
// -----------------------------------------------------------------------------
// BackportEvidenceResolverTests.cs
// Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration
// Task: BACKPORT-8200-009
// Description: Tests for BackportEvidenceResolver covering 4 evidence tiers
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Concelier.Merge.Backport;
namespace StellaOps.Concelier.Merge.Tests;
/// <summary>
/// Unit tests for BackportEvidenceResolver.
/// Covers evidence extraction from all 4 tiers:
/// - Tier 1: DistroAdvisory
/// - Tier 2: ChangelogMention
/// - Tier 3: PatchHeader
/// - Tier 4: BinaryFingerprint
/// </summary>
public sealed class BackportEvidenceResolverTests
{
private readonly Mock<IProofGenerator> _proofGeneratorMock;
private readonly BackportEvidenceResolver _resolver;
public BackportEvidenceResolverTests()
{
_proofGeneratorMock = new Mock<IProofGenerator>();
_resolver = new BackportEvidenceResolver(
_proofGeneratorMock.Object,
NullLogger<BackportEvidenceResolver>.Instance);
}
#region Tier 1: DistroAdvisory Evidence
[Fact]
public async Task ResolveAsync_Tier1DistroAdvisory_ExtractsEvidence()
{
// Arrange
var cveId = "CVE-2024-1234";
var purl = "pkg:deb/debian/curl@7.64.0-4+deb11u1";
var proof = CreateProof(cveId, purl, 0.95, CreateDistroAdvisoryEvidence("1.0.0-patched"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.CveId.Should().Be(cveId);
evidence.PackagePurl.Should().Be(purl);
evidence.Tier.Should().Be(BackportEvidenceTier.DistroAdvisory);
evidence.Confidence.Should().Be(0.95);
evidence.BackportVersion.Should().Be("1.0.0-patched");
evidence.DistroRelease.Should().Contain("debian");
}
[Fact]
public async Task ResolveAsync_Tier1LowConfidence_ReturnsNull()
{
// Arrange
var cveId = "CVE-2024-5678";
var purl = "pkg:deb/debian/openssl@1.1.1";
var proof = CreateProof(cveId, purl, 0.2, CreateDistroAdvisoryEvidence("1.1.1-fixed"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert - Low confidence DistroAdvisory should be rejected
evidence.Should().BeNull();
}
#endregion
#region Tier 2: ChangelogMention Evidence
[Fact]
public async Task ResolveAsync_Tier2ChangelogMention_ExtractsEvidence()
{
// Arrange
var cveId = "CVE-2024-2345";
var purl = "pkg:rpm/redhat/nginx@1.20.1-14.el9";
var proof = CreateProof(cveId, purl, 0.85,
CreateChangelogMentionEvidence("abc123def456", "redhat"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.ChangelogMention);
evidence.Confidence.Should().Be(0.85);
evidence.PatchId.Should().Be("abc123def456");
evidence.PatchOrigin.Should().Be(PatchOrigin.Distro);
evidence.DistroRelease.Should().Contain("redhat");
}
[Fact]
public async Task ResolveAsync_Tier2WithUpstreamCommit_ExtractsPatchLineage()
{
// Arrange
var cveId = "CVE-2024-3456";
var purl = "pkg:deb/debian/bash@5.1-2+deb12u1";
var evidenceItem = new ProofEvidenceItem
{
EvidenceId = "changelog-001",
Type = "ChangelogMention",
Source = "upstream",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["upstream_commit"] = "1234567890abcdef1234567890abcdef12345678"
}
};
var proof = CreateProof(cveId, purl, 0.80, evidenceItem);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.PatchId.Should().Be("1234567890abcdef1234567890abcdef12345678");
evidence.PatchOrigin.Should().Be(PatchOrigin.Upstream);
}
#endregion
#region Tier 3: PatchHeader Evidence
[Fact]
public async Task ResolveAsync_Tier3PatchHeader_ExtractsEvidence()
{
// Arrange
var cveId = "CVE-2024-4567";
var purl = "pkg:apk/alpine/busybox@1.35.0-r17";
var proof = CreateProof(cveId, purl, 0.75,
CreatePatchHeaderEvidence("fedcba9876543210fedcba9876543210fedcba98"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.PatchHeader);
evidence.Confidence.Should().Be(0.75);
evidence.PatchId.Should().Be("fedcba9876543210fedcba9876543210fedcba98");
evidence.PatchOrigin.Should().Be(PatchOrigin.Upstream);
}
[Fact]
public async Task ResolveAsync_Tier3DistroPatch_DetectsDistroOrigin()
{
// Arrange
var cveId = "CVE-2024-5678";
var purl = "pkg:deb/debian/glibc@2.31-13+deb11u5";
var evidenceItem = new ProofEvidenceItem
{
EvidenceId = "patch-001",
Type = "PatchHeader",
Source = "debian",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["distro_patch_id"] = "debian-specific-patch-001"
}
};
var proof = CreateProof(cveId, purl, 0.70, evidenceItem);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.PatchId.Should().Be("debian-specific-patch-001");
evidence.PatchOrigin.Should().Be(PatchOrigin.Distro);
}
#endregion
#region Tier 4: BinaryFingerprint Evidence
[Fact]
public async Task ResolveAsync_Tier4BinaryFingerprint_ExtractsEvidence()
{
// Arrange
var cveId = "CVE-2024-6789";
var purl = "pkg:deb/ubuntu/libssl@1.1.1f-1ubuntu2.22";
var proof = CreateProof(cveId, purl, 0.65,
CreateBinaryFingerprintEvidence());
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.BinaryFingerprint);
evidence.Confidence.Should().Be(0.65);
}
#endregion
#region Tier Priority
[Fact]
public async Task ResolveAsync_MultipleTiers_SelectsHighestTier()
{
// Arrange: BinaryFingerprint (Tier 4) should be selected as highest
var cveId = "CVE-2024-7890";
var purl = "pkg:deb/debian/nginx@1.22.1-1~deb12u1";
var evidences = new[]
{
CreateDistroAdvisoryEvidence("1.22.1-fixed"),
CreateChangelogMentionEvidence("abc123", "debian"),
CreateBinaryFingerprintEvidence()
};
var proof = CreateProof(cveId, purl, 0.90, evidences);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert - BinaryFingerprint should be the highest tier
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.BinaryFingerprint);
}
[Fact]
public async Task ResolveAsync_PatchHeaderVsChangelog_PrefersPatchHeader()
{
// Arrange: PatchHeader (Tier 3) > ChangelogMention (Tier 2)
var cveId = "CVE-2024-8901";
var purl = "pkg:rpm/redhat/kernel@5.14.0-284.el9";
var evidences = new[]
{
CreateChangelogMentionEvidence("changelog-commit", "redhat"),
CreatePatchHeaderEvidence("patchheader-commit")
};
var proof = CreateProof(cveId, purl, 0.85, evidences);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.PatchHeader);
evidence.PatchId.Should().Be("patchheader-commit");
}
#endregion
#region Distro Release Extraction
[Theory]
[InlineData("pkg:deb/debian/curl@7.64.0-4+deb11u1", "debian:bullseye")]
[InlineData("pkg:deb/debian/openssl@3.0.11-1~deb12u2", "debian:bookworm")]
[InlineData("pkg:rpm/redhat/nginx@1.20.1-14.el9", "redhat:9")]
[InlineData("pkg:rpm/redhat/kernel@5.14.0-284.el8", "redhat:8")]
[InlineData("pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.14~22.04", "ubuntu:22.04")]
public async Task ResolveAsync_ExtractsDistroRelease(string purl, string expectedDistro)
{
// Arrange
var cveId = "CVE-2024-TEST";
var proof = CreateProof(cveId, purl, 0.9, CreateDistroAdvisoryEvidence("fixed"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, purl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync(cveId, purl);
// Assert
evidence.Should().NotBeNull();
evidence!.DistroRelease.Should().Be(expectedDistro);
}
#endregion
#region Batch Resolution
[Fact]
public async Task ResolveBatchAsync_ResolvesMultiplePackages()
{
// Arrange
var cveId = "CVE-2024-BATCH";
var purls = new[]
{
"pkg:deb/debian/curl@7.64.0-4+deb11u1",
"pkg:rpm/redhat/curl@7.76.1-14.el9",
"pkg:apk/alpine/curl@8.0.1-r0"
};
var proofs = purls.Select((purl, i) => CreateProof(
cveId,
purl,
0.8 + (i * 0.05),
CreateDistroAdvisoryEvidence($"fixed-{i}"))).ToList();
_proofGeneratorMock
.Setup(x => x.GenerateProofBatchAsync(
It.IsAny<IEnumerable<(string, string)>>(),
It.IsAny<CancellationToken>()))
.ReturnsAsync(proofs);
// Act
var results = await _resolver.ResolveBatchAsync(cveId, purls);
// Assert
results.Should().HaveCount(3);
results.Select(r => r.PackagePurl).Should().BeEquivalentTo(purls);
}
#endregion
#region Edge Cases
[Fact]
public async Task ResolveAsync_NullProof_ReturnsNull()
{
// Arrange
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProofResult?)null);
// Act
var evidence = await _resolver.ResolveAsync("CVE-2024-NULL", "pkg:deb/debian/test@1.0");
// Assert
evidence.Should().BeNull();
}
[Fact]
public async Task ResolveAsync_VeryLowConfidence_ReturnsNull()
{
// Arrange
var proof = CreateProof("CVE-2024-LOW", "pkg:deb/debian/test@1.0", 0.05,
CreateDistroAdvisoryEvidence("fixed"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var evidence = await _resolver.ResolveAsync("CVE-2024-LOW", "pkg:deb/debian/test@1.0");
// Assert
evidence.Should().BeNull();
}
[Fact]
public async Task HasEvidenceAsync_ReturnsTrueWhenEvidenceExists()
{
// Arrange
var proof = CreateProof("CVE-2024-HAS", "pkg:deb/debian/test@1.0", 0.8,
CreateDistroAdvisoryEvidence("fixed"));
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(proof);
// Act
var hasEvidence = await _resolver.HasEvidenceAsync("CVE-2024-HAS", "pkg:deb/debian/test@1.0");
// Assert
hasEvidence.Should().BeTrue();
}
[Fact]
public async Task HasEvidenceAsync_ReturnsFalseWhenNoEvidence()
{
// Arrange
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProofResult?)null);
// Act
var hasEvidence = await _resolver.HasEvidenceAsync("CVE-2024-NONE", "pkg:deb/debian/test@1.0");
// Assert
hasEvidence.Should().BeFalse();
}
[Fact]
public async Task ResolveAsync_ThrowsOnNullCveId()
{
// Act & Assert
await Assert.ThrowsAsync<ArgumentNullException>(
() => _resolver.ResolveAsync(null!, "pkg:deb/debian/test@1.0"));
}
[Fact]
public async Task ResolveAsync_ThrowsOnNullPurl()
{
// Act & Assert
await Assert.ThrowsAsync<ArgumentNullException>(
() => _resolver.ResolveAsync("CVE-2024-1234", null!));
}
#endregion
#region Helpers
private static ProofResult CreateProof(
string cveId,
string purl,
double confidence,
params ProofEvidenceItem[] evidences)
{
return new ProofResult
{
ProofId = Guid.NewGuid().ToString(),
SubjectId = $"{cveId}:{purl}",
Confidence = confidence,
CreatedAt = DateTimeOffset.UtcNow,
Evidences = evidences
};
}
private static ProofEvidenceItem CreateDistroAdvisoryEvidence(string fixedVersion)
{
return new ProofEvidenceItem
{
EvidenceId = $"advisory-{Guid.NewGuid():N}",
Type = "DistroAdvisory",
Source = "debian",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["fixed_version"] = fixedVersion
}
};
}
private static ProofEvidenceItem CreateChangelogMentionEvidence(string commitSha, string source)
{
return new ProofEvidenceItem
{
EvidenceId = $"changelog-{Guid.NewGuid():N}",
Type = "ChangelogMention",
Source = source,
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["commit_sha"] = commitSha
}
};
}
private static ProofEvidenceItem CreatePatchHeaderEvidence(string commitSha)
{
return new ProofEvidenceItem
{
EvidenceId = $"patch-{Guid.NewGuid():N}",
Type = "PatchHeader",
Source = "upstream",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["commit_sha"] = commitSha
}
};
}
private static ProofEvidenceItem CreateBinaryFingerprintEvidence()
{
return new ProofEvidenceItem
{
EvidenceId = $"binary-{Guid.NewGuid():N}",
Type = "BinaryFingerprint",
Source = "scanner",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["fingerprint"] = "sha256:abc123def456"
}
};
}
#endregion
}

486
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/BackportProvenanceE2ETests.cs Normal file
View File

@@ -0,0 +1,486 @@
// -----------------------------------------------------------------------------
// BackportProvenanceE2ETests.cs
// Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration
// Task: BACKPORT-8200-026
// Description: End-to-end tests for distro advisory ingest with backport provenance
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Concelier.Merge.Backport;
using StellaOps.Concelier.Merge.Identity;
using StellaOps.Concelier.Merge.Services;
using StellaOps.Concelier.Models;
using StellaOps.Concelier.Storage.MergeEvents;
namespace StellaOps.Concelier.Merge.Tests;
/// <summary>
/// End-to-end tests for ingesting distro advisories with backport information
/// and verifying provenance scope is correctly created.
/// </summary>
/// <remarks>
/// Task 26 (BACKPORT-8200-026) from SPRINT_8200_0015_0001:
/// End-to-end test: ingest distro advisory with backport, verify provenance
/// </remarks>
public sealed class BackportProvenanceE2ETests
{
#region Test Infrastructure
private readonly Mock<IProvenanceScopeStore> _provenanceStoreMock;
private readonly Mock<IBackportEvidenceResolver> _evidenceResolverMock;
private readonly Mock<IProofGenerator> _proofGeneratorMock;
private readonly Mock<IMergeEventStore> _mergeEventStoreMock;
private readonly ProvenanceScopeService _provenanceService;
private readonly BackportEvidenceResolver _backportResolver;
private readonly MergeEventWriter _mergeEventWriter;
public BackportProvenanceE2ETests()
{
_provenanceStoreMock = new Mock<IProvenanceScopeStore>();
_evidenceResolverMock = new Mock<IBackportEvidenceResolver>();
_proofGeneratorMock = new Mock<IProofGenerator>();
_mergeEventStoreMock = new Mock<IMergeEventStore>();
_provenanceService = new ProvenanceScopeService(
_provenanceStoreMock.Object,
NullLogger<ProvenanceScopeService>.Instance,
_evidenceResolverMock.Object);
_backportResolver = new BackportEvidenceResolver(
_proofGeneratorMock.Object,
NullLogger<BackportEvidenceResolver>.Instance);
var hashCalculator = new CanonicalHashCalculator();
_mergeEventWriter = new MergeEventWriter(
_mergeEventStoreMock.Object,
hashCalculator,
TimeProvider.System,
NullLogger<MergeEventWriter>.Instance);
}
#endregion
#region E2E: Debian Backport Advisory Flow
[Fact]
public async Task E2E_IngestDebianAdvisoryWithBackport_CreatesProvenanceScope()
{
// Arrange: Simulate Debian security advisory for CVE-2024-1234
var canonicalId = Guid.NewGuid();
var cveId = "CVE-2024-1234";
var packagePurl = "pkg:deb/debian/openssl@1.1.1n-0+deb11u5";
var fixedVersion = "1.1.1n-0+deb11u6";
var patchCommit = "abc123def456abc123def456abc123def456abcd";
// Simulate proof generation returning evidence with ChangelogMention tier
// Note: ChangelogMention tier extracts PatchId, DistroAdvisory tier does not
var proofResult = CreateMockProofResult(cveId, packagePurl, patchCommit, BackportEvidenceTier.ChangelogMention, 0.95);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, packagePurl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proofResult);
// Set up provenance store
_provenanceStoreMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
var createdScopeId = Guid.NewGuid();
ProvenanceScope? capturedScope = null;
_provenanceStoreMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.Callback<ProvenanceScope, CancellationToken>((scope, _) => capturedScope = scope)
.ReturnsAsync(createdScopeId);
// Act: Step 1 - Resolve backport evidence
var evidence = await _backportResolver.ResolveAsync(cveId, packagePurl);
// Act: Step 2 - Create provenance scope from evidence
var scopeRequest = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = cveId,
PackagePurl = packagePurl,
Source = "debian",
FixedVersion = fixedVersion,
PatchLineage = patchCommit,
ResolveEvidence = false // Evidence already resolved
};
var result = await _provenanceService.CreateOrUpdateAsync(scopeRequest);
// Assert: Verify the flow completed successfully
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.ChangelogMention);
evidence.Confidence.Should().Be(0.95);
evidence.PatchId.Should().Be(patchCommit);
result.Success.Should().BeTrue();
result.WasCreated.Should().BeTrue();
result.ProvenanceScopeId.Should().Be(createdScopeId);
// Verify provenance scope was created with correct data
capturedScope.Should().NotBeNull();
capturedScope!.CanonicalId.Should().Be(canonicalId);
capturedScope.DistroRelease.Should().Contain("debian");
capturedScope.BackportSemver.Should().Be(fixedVersion);
capturedScope.PatchId.Should().Be(patchCommit);
}
[Fact]
public async Task E2E_IngestRhelAdvisoryWithBackport_CreatesProvenanceScopeWithDistroOrigin()
{
// Arrange: Simulate RHEL security advisory with distro-specific patch
var canonicalId = Guid.NewGuid();
var cveId = "CVE-2024-5678";
var packagePurl = "pkg:rpm/redhat/nginx@1.20.1-14.el9";
var fixedVersion = "1.20.1-14.el9_2.1";
var rhelPatchId = "rhel-specific-patch-001";
// Simulate proof generation returning distro-specific evidence
var proofResult = CreateMockProofResult(cveId, packagePurl, rhelPatchId, BackportEvidenceTier.ChangelogMention, 0.85);
_proofGeneratorMock
.Setup(x => x.GenerateProofAsync(cveId, packagePurl, It.IsAny<CancellationToken>()))
.ReturnsAsync(proofResult);
_provenanceStoreMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
ProvenanceScope? capturedScope = null;
_provenanceStoreMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.Callback<ProvenanceScope, CancellationToken>((scope, _) => capturedScope = scope)
.ReturnsAsync(Guid.NewGuid());
// Act: Resolve evidence and create provenance scope
var evidence = await _backportResolver.ResolveAsync(cveId, packagePurl);
var scopeRequest = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = cveId,
PackagePurl = packagePurl,
Source = "redhat",
FixedVersion = fixedVersion,
PatchLineage = rhelPatchId
};
var result = await _provenanceService.CreateOrUpdateAsync(scopeRequest);
// Assert
evidence.Should().NotBeNull();
evidence!.Tier.Should().Be(BackportEvidenceTier.ChangelogMention);
evidence.DistroRelease.Should().Contain("redhat");
result.Success.Should().BeTrue();
capturedScope.Should().NotBeNull();
capturedScope!.DistroRelease.Should().Contain("redhat");
capturedScope.PatchId.Should().Be(rhelPatchId);
}
#endregion
#region E2E: Multiple Distro Backports for Same CVE
[Fact]
public async Task E2E_SameCveMultipleDistros_CreatesSeparateProvenanceScopes()
{
// Arrange: Same CVE with Debian and Ubuntu backports
var canonicalId = Guid.NewGuid();
var cveId = "CVE-2024-MULTI";
var distros = new[]
{
("pkg:deb/debian/curl@7.64.0-4+deb11u1", "debian", "7.64.0-4+deb11u2", "debian:bullseye"),
("pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.14~22.04", "ubuntu", "7.81.0-1ubuntu1.15~22.04", "ubuntu:22.04")
};
var capturedScopes = new List<ProvenanceScope>();
foreach (var (purl, source, fixedVersion, expectedDistro) in distros)
{
_provenanceStoreMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, expectedDistro, It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
}
_provenanceStoreMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.Callback<ProvenanceScope, CancellationToken>((scope, _) => capturedScopes.Add(scope))
.ReturnsAsync(Guid.NewGuid);
// Act: Create provenance scopes for each distro
foreach (var (purl, source, fixedVersion, _) in distros)
{
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = cveId,
PackagePurl = purl,
Source = source,
FixedVersion = fixedVersion
};
await _provenanceService.CreateOrUpdateAsync(request);
}
// Assert: Two separate provenance scopes created
capturedScopes.Should().HaveCount(2);
capturedScopes.Should().Contain(s => s.DistroRelease.Contains("debian"));
capturedScopes.Should().Contain(s => s.DistroRelease.Contains("ubuntu"));
capturedScopes.Select(s => s.CanonicalId).Should().AllBeEquivalentTo(canonicalId);
}
#endregion
#region E2E: Merge Event with Backport Evidence
[Fact]
public async Task E2E_MergeWithBackportEvidence_RecordsInAuditLog()
{
// Arrange
var advisoryKey = "CVE-2024-MERGE-TEST";
var before = CreateMockAdvisory(advisoryKey, "Initial version");
var after = CreateMockAdvisory(advisoryKey, "Merged version");
var backportEvidence = new List<BackportEvidence>
{
new()
{
CveId = advisoryKey,
PackagePurl = "pkg:deb/debian/test@1.0",
DistroRelease = "debian:bookworm",
Tier = BackportEvidenceTier.DistroAdvisory,
Confidence = 0.95,
PatchId = "upstream-commit-abc123",
PatchOrigin = PatchOrigin.Upstream,
EvidenceDate = DateTimeOffset.UtcNow
}
};
MergeEventRecord? capturedRecord = null;
_mergeEventStoreMock
.Setup(x => x.AppendAsync(It.IsAny<MergeEventRecord>(), It.IsAny<CancellationToken>()))
.Callback<MergeEventRecord, CancellationToken>((record, _) => capturedRecord = record)
.Returns(Task.CompletedTask);
// Act
await _mergeEventWriter.AppendAsync(
advisoryKey,
before,
after,
inputDocumentIds: Array.Empty<Guid>(),
fieldDecisions: null,
backportEvidence: backportEvidence,
CancellationToken.None);
// Assert
capturedRecord.Should().NotBeNull();
capturedRecord!.AdvisoryKey.Should().Be(advisoryKey);
capturedRecord.BackportEvidence.Should().NotBeNull();
capturedRecord.BackportEvidence.Should().HaveCount(1);
var auditEvidence = capturedRecord.BackportEvidence![0];
auditEvidence.CveId.Should().Be(advisoryKey);
auditEvidence.DistroRelease.Should().Be("debian:bookworm");
auditEvidence.EvidenceTier.Should().Be("DistroAdvisory");
auditEvidence.Confidence.Should().Be(0.95);
auditEvidence.PatchOrigin.Should().Be("Upstream");
}
#endregion
#region E2E: Evidence Tier Upgrade
[Fact]
public async Task E2E_EvidenceUpgrade_UpdatesProvenanceScope()
{
// Arrange: Start with low-tier evidence, then upgrade
var canonicalId = Guid.NewGuid();
var distroRelease = "debian:bookworm";
// Initial low-tier evidence (BinaryFingerprint)
var existingScope = new ProvenanceScope
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = distroRelease,
Confidence = 0.6, // Low confidence from binary fingerprint
PatchId = null,
CreatedAt = DateTimeOffset.UtcNow.AddHours(-1),
UpdatedAt = DateTimeOffset.UtcNow.AddHours(-1)
};
_provenanceStoreMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, distroRelease, It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScope);
ProvenanceScope? updatedScope = null;
_provenanceStoreMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.Callback<ProvenanceScope, CancellationToken>((scope, _) => updatedScope = scope)
.ReturnsAsync(existingScope.Id);
// Act: New high-tier evidence arrives (DistroAdvisory)
var betterEvidence = new BackportEvidence
{
CveId = "CVE-2024-UPGRADE",
PackagePurl = "pkg:deb/debian/test@1.0",
DistroRelease = distroRelease,
Tier = BackportEvidenceTier.DistroAdvisory,
Confidence = 0.95,
PatchId = "verified-commit-sha",
BackportVersion = "1.0-fixed",
PatchOrigin = PatchOrigin.Upstream,
EvidenceDate = DateTimeOffset.UtcNow
};
var result = await _provenanceService.UpdateFromEvidenceAsync(canonicalId, betterEvidence);
// Assert
result.Success.Should().BeTrue();
result.WasCreated.Should().BeFalse(); // Updated, not created
updatedScope.Should().NotBeNull();
updatedScope!.Confidence.Should().Be(0.95); // Upgraded confidence
updatedScope.PatchId.Should().Be("verified-commit-sha");
updatedScope.BackportSemver.Should().Be("1.0-fixed");
}
#endregion
#region E2E: Provenance Retrieval
[Fact]
public async Task E2E_RetrieveProvenanceForCanonical_ReturnsAllDistroScopes()
{
// Arrange
var canonicalId = Guid.NewGuid();
var scopes = new List<ProvenanceScope>
{
new()
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = "debian:bookworm",
BackportSemver = "1.0-1+deb12u1",
PatchId = "debian-patch",
PatchOrigin = PatchOrigin.Upstream,
Confidence = 0.95,
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
UpdatedAt = DateTimeOffset.UtcNow.AddDays(-1)
},
new()
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = "ubuntu:22.04",
BackportSemver = "1.0-1ubuntu0.22.04.1",
PatchId = "ubuntu-patch",
PatchOrigin = PatchOrigin.Distro,
Confidence = 0.90,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
},
new()
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = "redhat:9",
BackportSemver = "1.0-1.el9",
PatchId = null, // No patch ID available
Confidence = 0.7,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
}
};
_provenanceStoreMock
.Setup(x => x.GetByCanonicalIdAsync(canonicalId, It.IsAny<CancellationToken>()))
.ReturnsAsync(scopes);
// Act
var result = await _provenanceService.GetByCanonicalIdAsync(canonicalId);
// Assert
result.Should().HaveCount(3);
result.Should().Contain(s => s.DistroRelease == "debian:bookworm" && s.PatchOrigin == PatchOrigin.Upstream);
result.Should().Contain(s => s.DistroRelease == "ubuntu:22.04" && s.PatchOrigin == PatchOrigin.Distro);
result.Should().Contain(s => s.DistroRelease == "redhat:9" && s.PatchId == null);
// Verify ordering by confidence
result.OrderByDescending(s => s.Confidence)
.First().DistroRelease.Should().Be("debian:bookworm");
}
#endregion
#region Helper Methods
private static ProofResult CreateMockProofResult(
string cveId,
string packagePurl,
string patchId,
BackportEvidenceTier tier,
double confidence)
{
var evidenceType = tier switch
{
BackportEvidenceTier.DistroAdvisory => "DistroAdvisory",
BackportEvidenceTier.ChangelogMention => "ChangelogMention",
BackportEvidenceTier.PatchHeader => "PatchHeader",
BackportEvidenceTier.BinaryFingerprint => "BinaryFingerprint",
_ => "Unknown"
};
return new ProofResult
{
ProofId = Guid.NewGuid().ToString(),
SubjectId = $"{cveId}:{packagePurl}",
Confidence = confidence,
CreatedAt = DateTimeOffset.UtcNow,
Evidences =
[
new ProofEvidenceItem
{
EvidenceId = Guid.NewGuid().ToString(),
Type = evidenceType,
Source = "test",
Timestamp = DateTimeOffset.UtcNow,
Data = new Dictionary<string, string>
{
["commit_sha"] = patchId
}
}
]
};
}
private static Advisory CreateMockAdvisory(string advisoryKey, string title)
{
return new Advisory(
advisoryKey,
title,
summary: "Test advisory",
language: "en",
published: DateTimeOffset.UtcNow.AddDays(-1),
modified: DateTimeOffset.UtcNow,
severity: "high",
exploitKnown: false,
aliases: null,
credits: null,
references: null,
affectedPackages: null,
cvssMetrics: null,
provenance: null,
description: "Test description",
cwes: null,
canonicalMetricId: null,
mergeHash: null);
}
#endregion
}

2
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/MergeExportSnapshotTests.cs
View File

@@ -233,7 +233,7 @@ public sealed class MergeExportSnapshotTests
// Assert
merged.ExploitKnown.Should().BeTrue("KEV should set exploitKnown to true");
snapshot.Should().Contain("\"exploitKnown\":true");
snapshot.Should().Contain("\"exploitKnown\": true");
}
[Fact]

455
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/MergeHashBackportDifferentiationTests.cs Normal file
View File

@@ -0,0 +1,455 @@
// -----------------------------------------------------------------------------
// MergeHashBackportDifferentiationTests.cs
// Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration
// Task: BACKPORT-8200-013
// Description: Tests verifying merge hash differentiation for backported fixes
// -----------------------------------------------------------------------------
using FluentAssertions;
using StellaOps.Concelier.Merge.Identity;
using StellaOps.Concelier.Merge.Identity.Normalizers;
namespace StellaOps.Concelier.Merge.Tests;
/// <summary>
/// Tests verifying that merge hash correctly differentiates backported fixes
/// from upstream fixes when they have different patch lineage.
/// </summary>
public sealed class MergeHashBackportDifferentiationTests
{
private readonly MergeHashCalculator _calculator;
public MergeHashBackportDifferentiationTests()
{
_calculator = new MergeHashCalculator();
}
#region Same Patch Lineage = Same Hash
[Fact]
public void ComputeMergeHash_SamePatchLineage_ProducesSameHash()
{
// Arrange
var input1 = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:deb/debian/openssl@1.1.1",
VersionRange = ">=1.1.1a,<1.1.1w",
Weaknesses = ["CWE-79"],
PatchLineage = "abc123def456abc123def456abc123def456abcd"
};
var input2 = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:deb/debian/openssl@1.1.1",
VersionRange = ">=1.1.1a,<1.1.1w",
Weaknesses = ["CWE-79"],
PatchLineage = "abc123def456abc123def456abc123def456abcd"
};
// Act
var hash1 = _calculator.ComputeMergeHash(input1);
var hash2 = _calculator.ComputeMergeHash(input2);
// Assert
hash1.Should().Be(hash2, "same patch lineage should produce same hash");
}
[Fact]
public void ComputeMergeHash_NoPatchLineage_ProducesSameHash()
{
// Arrange
var input1 = new MergeHashInput
{
Cve = "CVE-2024-5678",
AffectsKey = "pkg:npm/lodash@4.17.0",
VersionRange = ">=4.0.0,<4.17.21",
Weaknesses = ["CWE-1321"],
PatchLineage = null
};
var input2 = new MergeHashInput
{
Cve = "CVE-2024-5678",
AffectsKey = "pkg:npm/lodash@4.17.0",
VersionRange = ">=4.0.0,<4.17.21",
Weaknesses = ["CWE-1321"],
PatchLineage = null
};
// Act
var hash1 = _calculator.ComputeMergeHash(input1);
var hash2 = _calculator.ComputeMergeHash(input2);
// Assert
hash1.Should().Be(hash2, "null patch lineage should produce same hash");
}
#endregion
#region Different Patch Lineage = Different Hash
[Fact]
public void ComputeMergeHash_DifferentPatchLineage_ProducesDifferentHash()
{
// Arrange - Upstream fix vs distro-specific backport
var upstreamFix = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:generic/nginx@1.20.0",
VersionRange = ">=1.20.0,<1.20.3",
Weaknesses = ["CWE-125"],
PatchLineage = "upstream-commit-abc123" // Upstream commit
};
var distroBackport = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:generic/nginx@1.20.0",
VersionRange = ">=1.20.0,<1.20.3",
Weaknesses = ["CWE-125"],
PatchLineage = "rhel-specific-patch-001" // Distro-specific patch
};
// Act
var upstreamHash = _calculator.ComputeMergeHash(upstreamFix);
var distroHash = _calculator.ComputeMergeHash(distroBackport);
// Assert
upstreamHash.Should().NotBe(distroHash,
"different patch lineage should produce different hash");
}
[Fact]
public void ComputeMergeHash_WithVsWithoutPatchLineage_ProducesDifferentHash()
{
// Arrange
var withLineage = new MergeHashInput
{
Cve = "CVE-2024-2345",
AffectsKey = "pkg:deb/debian/curl@7.64.0",
VersionRange = ">=7.64.0,<7.64.0-4+deb11u1",
Weaknesses = [],
PatchLineage = "abc123def456abc123def456abc123def456abcd"
};
var withoutLineage = new MergeHashInput
{
Cve = "CVE-2024-2345",
AffectsKey = "pkg:deb/debian/curl@7.64.0",
VersionRange = ">=7.64.0,<7.64.0-4+deb11u1",
Weaknesses = [],
PatchLineage = null
};
// Act
var hashWith = _calculator.ComputeMergeHash(withLineage);
var hashWithout = _calculator.ComputeMergeHash(withoutLineage);
// Assert
hashWith.Should().NotBe(hashWithout,
"advisory with patch lineage should differ from one without");
}
[Fact]
public void ComputeMergeHash_DebianVsRhelBackport_ProducesDifferentHash()
{
// Arrange - Same CVE, different distro backports
var debianBackport = new MergeHashInput
{
Cve = "CVE-2024-3456",
AffectsKey = "pkg:deb/debian/bash@5.1",
VersionRange = ">=5.1,<5.1-2+deb11u2",
Weaknesses = ["CWE-78"],
PatchLineage = "debian-patch-bash-5.1-CVE-2024-3456"
};
var rhelBackport = new MergeHashInput
{
Cve = "CVE-2024-3456",
AffectsKey = "pkg:rpm/redhat/bash@5.1",
VersionRange = ">=5.1,<5.1.8-6.el9",
Weaknesses = ["CWE-78"],
PatchLineage = "rhel-9-bash-security-2024-01"
};
// Act
var debianHash = _calculator.ComputeMergeHash(debianBackport);
var rhelHash = _calculator.ComputeMergeHash(rhelBackport);
// Assert
debianHash.Should().NotBe(rhelHash,
"different distro backports should have different hashes");
}
#endregion
#region Patch Lineage Normalization
[Theory]
[InlineData(
"abc123def456abc123def456abc123def456abcd",
"ABC123DEF456ABC123DEF456ABC123DEF456ABCD",
"SHA should be case-insensitive")]
[InlineData(
"https://github.com/nginx/nginx/commit/abc123def456abc123def456abc123def456abcd",
"abc123def456abc123def456abc123def456abcd",
"URL should extract and normalize SHA")]
[InlineData(
"https://gitlab.com/gnutls/gnutls/-/commit/abc123def456abc123def456abc123def456abcd",
"abc123def456abc123def456abc123def456abcd",
"GitLab URL should extract and normalize SHA")]
public void ComputeMergeHash_NormalizedPatchLineage_ProducesSameHash(
string lineage1, string lineage2, string reason)
{
// Arrange
var input1 = new MergeHashInput
{
Cve = "CVE-2024-NORM",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = ">=1.0.0,<1.0.1",
Weaknesses = [],
PatchLineage = lineage1
};
var input2 = new MergeHashInput
{
Cve = "CVE-2024-NORM",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = ">=1.0.0,<1.0.1",
Weaknesses = [],
PatchLineage = lineage2
};
// Act
var hash1 = _calculator.ComputeMergeHash(input1);
var hash2 = _calculator.ComputeMergeHash(input2);
// Assert
hash1.Should().Be(hash2, reason);
}
[Fact]
public void ComputeMergeHash_AbbreviatedSha_DiffersFromFullSha()
{
// Abbreviated SHA is treated as different from a full different SHA
var abbrev = new MergeHashInput
{
Cve = "CVE-2024-SHA",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = "commit fix abc123d"
};
var fullDifferent = new MergeHashInput
{
Cve = "CVE-2024-SHA",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = "fedcba9876543210fedcba9876543210fedcba98"
};
// Act
var hashAbbrev = _calculator.ComputeMergeHash(abbrev);
var hashFull = _calculator.ComputeMergeHash(fullDifferent);
// Assert
hashAbbrev.Should().NotBe(hashFull,
"abbreviated SHA should differ from a different full SHA");
}
#endregion
#region Real-World Scenarios
[Fact]
public void ComputeMergeHash_GoldenCorpus_DebianBackportVsNvd()
{
// Golden corpus test case: CVE-2024-1234 with Debian backport
// From sprint documentation
var nvdEntry = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:generic/openssl@1.1.1",
VersionRange = "<1.1.1w",
Weaknesses = [],
PatchLineage = null // NVD typically doesn't include patch lineage
};
var debianEntry = new MergeHashInput
{
Cve = "CVE-2024-1234",
AffectsKey = "pkg:deb/debian/openssl@1.1.1n-0+deb11u5",
VersionRange = "<1.1.1n-0+deb11u6",
Weaknesses = [],
PatchLineage = "abc123def456" // Debian backport with patch reference
};
// Act
var nvdHash = _calculator.ComputeMergeHash(nvdEntry);
var debianHash = _calculator.ComputeMergeHash(debianEntry);
// Assert - Different because:
// 1. Different affects_key (generic vs deb/debian)
// 2. Different version range
// 3. Debian has patch lineage
nvdHash.Should().NotBe(debianHash,
"NVD and Debian entries should produce different hashes due to package and version differences");
}
[Fact]
public void ComputeMergeHash_GoldenCorpus_DistroSpecificFix()
{
// Golden corpus test case: Distro-specific fix different from upstream
var upstreamFix = new MergeHashInput
{
Cve = "CVE-2024-5678",
AffectsKey = "pkg:generic/nginx@1.20.0",
VersionRange = "<1.20.3",
Weaknesses = [],
PatchLineage = "upstream-commit-xyz"
};
var rhelFix = new MergeHashInput
{
Cve = "CVE-2024-5678",
AffectsKey = "pkg:rpm/redhat/nginx@1.20.1-14.el9",
VersionRange = "<1.20.1-14.el9_2.1",
Weaknesses = [],
PatchLineage = "rhel-specific-patch-001"
};
// Act
var upstreamHash = _calculator.ComputeMergeHash(upstreamFix);
var rhelHash = _calculator.ComputeMergeHash(rhelFix);
// Assert
upstreamHash.Should().NotBe(rhelHash,
"distro-specific fix should produce different hash from upstream");
}
[Fact]
public void ComputeMergeHash_SameUpstreamBackported_ProducesSameHash()
{
// When two distros backport the SAME upstream patch, they should merge
var debianBackport = new MergeHashInput
{
Cve = "CVE-2024-MERGE",
AffectsKey = "pkg:deb/debian/curl@7.88.1",
VersionRange = "<7.88.1-10+deb12u1",
Weaknesses = [],
PatchLineage = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f" // Same upstream commit (40 chars)
};
var ubuntuBackport = new MergeHashInput
{
Cve = "CVE-2024-MERGE",
AffectsKey = "pkg:deb/ubuntu/curl@7.88.1",
VersionRange = "<7.88.1-10ubuntu0.22.04.1",
Weaknesses = [],
PatchLineage = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f" // Same upstream commit (40 chars)
};
// Act
var debianHash = _calculator.ComputeMergeHash(debianBackport);
var ubuntuHash = _calculator.ComputeMergeHash(ubuntuBackport);
// Assert - Different because different affects_key and version range
// The patch lineage is the same, but other identity components differ
debianHash.Should().NotBe(ubuntuHash,
"different package identifiers still produce different hashes even with same lineage");
}
#endregion
#region Edge Cases
[Fact]
public void ComputeMergeHash_EmptyPatchLineage_TreatedAsNull()
{
var emptyLineage = new MergeHashInput
{
Cve = "CVE-2024-EMPTY",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = "" // Empty string
};
var nullLineage = new MergeHashInput
{
Cve = "CVE-2024-EMPTY",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = null
};
// Act
var hashEmpty = _calculator.ComputeMergeHash(emptyLineage);
var hashNull = _calculator.ComputeMergeHash(nullLineage);
// Assert
hashEmpty.Should().Be(hashNull,
"empty and null patch lineage should produce same hash");
}
[Fact]
public void ComputeMergeHash_WhitespacePatchLineage_TreatedAsNull()
{
var whitespaceLineage = new MergeHashInput
{
Cve = "CVE-2024-WS",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = " " // Only whitespace
};
var nullLineage = new MergeHashInput
{
Cve = "CVE-2024-WS",
AffectsKey = "pkg:generic/test@1.0.0",
VersionRange = null,
Weaknesses = [],
PatchLineage = null
};
// Act
var hashWs = _calculator.ComputeMergeHash(whitespaceLineage);
var hashNull = _calculator.ComputeMergeHash(nullLineage);
// Assert
hashWs.Should().Be(hashNull,
"whitespace-only patch lineage should be treated as null");
}
[Fact]
public void ComputeMergeHash_IsDeterministic()
{
// Verify determinism across multiple calls
var input = new MergeHashInput
{
Cve = "CVE-2024-DETER",
AffectsKey = "pkg:deb/debian/openssl@3.0.11",
VersionRange = "<3.0.11-1~deb12u2",
Weaknesses = ["CWE-119", "CWE-787"],
PatchLineage = "fix-commit-abc123def456"
};
var hashes = new List<string>();
for (var i = 0; i < 100; i++)
{
hashes.Add(_calculator.ComputeMergeHash(input));
}
// Assert - All hashes should be identical
hashes.Distinct().Should().HaveCount(1,
"merge hash must be deterministic across multiple calls");
}
#endregion
}

450
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/Precedence/SourcePrecedenceLatticeTests.cs Normal file
View File

@@ -0,0 +1,450 @@
// -----------------------------------------------------------------------------
// SourcePrecedenceLatticeTests.cs
// Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration
// Task: BACKPORT-8200-022
// Description: Unit tests for ConfigurableSourcePrecedenceLattice
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Concelier.Merge.Backport;
using StellaOps.Concelier.Merge.Precedence;
namespace StellaOps.Concelier.Merge.Tests.Precedence;
public sealed class SourcePrecedenceLatticeTests
{
private readonly TestLogger<ConfigurableSourcePrecedenceLattice> _logger = new();
[Theory]
[InlineData("vendor-psirt", 10)]
[InlineData("cisco", 10)]
[InlineData("oracle", 10)]
[InlineData("microsoft", 10)]
[InlineData("debian", 20)]
[InlineData("redhat", 20)]
[InlineData("ubuntu", 20)]
[InlineData("nvd", 40)]
[InlineData("ghsa", 35)]
[InlineData("osv", 30)]
[InlineData("community", 100)]
public void GetPrecedence_ReturnsDefaultPrecedence_ForKnownSources(string source, int expected)
{
var lattice = CreateLattice();
var precedence = lattice.GetPrecedence(source);
Assert.Equal(expected, precedence);
}
[Fact]
public void GetPrecedence_ReturnsHighValue_ForUnknownSource()
{
var lattice = CreateLattice();
var precedence = lattice.GetPrecedence("unknown-source");
Assert.Equal(1000, precedence);
}
[Theory]
[InlineData("DEBIAN", 20)]
[InlineData("Debian", 20)]
[InlineData("dEbIaN", 20)]
public void GetPrecedence_IsCaseInsensitive(string source, int expected)
{
var lattice = CreateLattice();
var precedence = lattice.GetPrecedence(source);
Assert.Equal(expected, precedence);
}
[Fact]
public void Compare_VendorTakesHigherPrecedence_OverDistro()
{
var lattice = CreateLattice();
var result = lattice.Compare("vendor-psirt", "debian");
Assert.Equal(SourceComparison.Source1Higher, result);
}
[Fact]
public void Compare_DistroTakesHigherPrecedence_OverNvd()
{
var lattice = CreateLattice();
var result = lattice.Compare("debian", "nvd");
Assert.Equal(SourceComparison.Source1Higher, result);
}
[Fact]
public void Compare_SameDistros_AreEqual()
{
var lattice = CreateLattice();
var result = lattice.Compare("debian", "redhat");
Assert.Equal(SourceComparison.Equal, result);
}
[Theory]
[InlineData("debian", true)]
[InlineData("redhat", true)]
[InlineData("suse", true)]
[InlineData("ubuntu", true)]
[InlineData("alpine", true)]
[InlineData("astra", true)]
[InlineData("centos", true)]
[InlineData("fedora", true)]
[InlineData("rocky", true)]
[InlineData("alma", true)]
[InlineData("nvd", false)]
[InlineData("ghsa", false)]
[InlineData("vendor-psirt", false)]
[InlineData("unknown", false)]
public void IsDistroSource_CorrectlyIdentifiesSources(string source, bool expected)
{
var lattice = CreateLattice();
var result = lattice.IsDistroSource(source);
Assert.Equal(expected, result);
}
[Fact]
public void BackportBoostAmount_ReturnsDefaultValue()
{
var lattice = CreateLattice();
Assert.Equal(15, lattice.BackportBoostAmount);
}
[Fact]
public void BackportBoostThreshold_ReturnsDefaultValue()
{
var lattice = CreateLattice();
Assert.Equal(0.7, lattice.BackportBoostThreshold);
}
[Fact]
public void GetPrecedence_AppliesBackportBoost_WhenDistroHasHighConfidenceEvidence()
{
var lattice = CreateLattice();
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.9,
EvidenceTier = BackportEvidenceTier.DistroAdvisory
};
var basePrecedence = lattice.GetPrecedence("debian");
var boostedPrecedence = lattice.GetPrecedence("debian", context);
Assert.Equal(20, basePrecedence);
Assert.Equal(5, boostedPrecedence); // 20 - 15 = 5
}
[Fact]
public void GetPrecedence_DoesNotApplyBackportBoost_WhenConfidenceBelowThreshold()
{
var lattice = CreateLattice();
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.5, // Below 0.7 threshold
EvidenceTier = BackportEvidenceTier.ChangelogMention
};
var precedence = lattice.GetPrecedence("debian", context);
Assert.Equal(20, precedence); // No boost applied
}
[Fact]
public void GetPrecedence_DoesNotApplyBackportBoost_WhenNoEvidence()
{
var lattice = CreateLattice();
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = false,
EvidenceConfidence = 0.9
};
var precedence = lattice.GetPrecedence("debian", context);
Assert.Equal(20, precedence); // No boost applied
}
[Fact]
public void GetPrecedence_DoesNotApplyBackportBoost_ToNonDistroSources()
{
var lattice = CreateLattice();
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.9,
EvidenceTier = BackportEvidenceTier.DistroAdvisory
};
var precedence = lattice.GetPrecedence("nvd", context);
Assert.Equal(40, precedence); // No boost - not a distro source
}
[Fact]
public void GetPrecedence_LowerTierEvidence_RequiresHigherConfidence()
{
var lattice = CreateLattice();
// Tier 3 (PatchHeader) with 80% confidence - should not get boost
var lowConfidenceContext = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.8,
EvidenceTier = BackportEvidenceTier.PatchHeader
};
// Tier 3 with 95% confidence - should get boost
var highConfidenceContext = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.95,
EvidenceTier = BackportEvidenceTier.PatchHeader
};
var noBoost = lattice.GetPrecedence("debian", lowConfidenceContext);
var withBoost = lattice.GetPrecedence("debian", highConfidenceContext);
Assert.Equal(20, noBoost); // No boost - 80% < 90% required for tier 3
Assert.Equal(5, withBoost); // Boost applied - 95% >= 90%
}
[Fact]
public void Compare_DistroWithBackportBoost_TakesHigherPrecedence_ThanVendor()
{
var lattice = CreateLattice();
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.95,
EvidenceTier = BackportEvidenceTier.DistroAdvisory
};
// Without context, vendor-psirt (10) > debian (20)
var withoutContext = lattice.Compare("debian", "vendor-psirt");
Assert.Equal(SourceComparison.Source2Higher, withoutContext);
// With backport context, debian (20 - 15 = 5) > vendor-psirt (10)
var withContext = lattice.Compare("debian", "vendor-psirt", context);
Assert.Equal(SourceComparison.Source1Higher, withContext);
}
[Fact]
public void GetPrecedence_UsesCveSpecificOverride_WhenConfigured()
{
var config = new PrecedenceConfig
{
Overrides = new(StringComparer.OrdinalIgnoreCase)
{
["CVE-2024-9999:debian"] = 5
}
};
var lattice = CreateLattice(config);
var context = new BackportContext
{
CveId = "CVE-2024-9999",
HasBackportEvidence = false
};
var precedence = lattice.GetPrecedence("debian", context);
Assert.Equal(5, precedence); // Uses override, not default
}
[Fact]
public void GetPrecedence_CveOverride_TakesPrecedence_OverBackportBoost()
{
var config = new PrecedenceConfig
{
Overrides = new(StringComparer.OrdinalIgnoreCase)
{
["CVE-2024-9999:debian"] = 50 // Explicitly set lower precedence
}
};
var lattice = CreateLattice(config);
var context = new BackportContext
{
CveId = "CVE-2024-9999",
HasBackportEvidence = true,
EvidenceConfidence = 0.95,
EvidenceTier = BackportEvidenceTier.DistroAdvisory
};
var precedence = lattice.GetPrecedence("debian", context);
// Override takes precedence, boost not applied
Assert.Equal(50, precedence);
}
[Fact]
public void GetPrecedence_WithBackportBoostDisabled_DoesNotApplyBoost()
{
var config = new PrecedenceConfig
{
EnableBackportBoost = false
};
var lattice = CreateLattice(config);
var context = new BackportContext
{
CveId = "CVE-2024-1234",
HasBackportEvidence = true,
EvidenceConfidence = 0.95,
EvidenceTier = BackportEvidenceTier.DistroAdvisory
};
var precedence = lattice.GetPrecedence("debian", context);
Assert.Equal(20, precedence); // No boost - disabled in config
}
[Theory]
[InlineData("")]
[InlineData(" ")]
public void GetPrecedence_ThrowsOnInvalidSource(string source)
{
var lattice = CreateLattice();
Assert.Throws<ArgumentException>(() => lattice.GetPrecedence(source));
}
private ConfigurableSourcePrecedenceLattice CreateLattice(PrecedenceConfig? config = null)
{
var options = Microsoft.Extensions.Options.Options.Create(config ?? new PrecedenceConfig());
return new ConfigurableSourcePrecedenceLattice(options, _logger);
}
}
public sealed class PrecedenceExceptionRuleTests
{
[Theory]
[InlineData("CVE-2024-1234", "CVE-2024-1234", true)]
[InlineData("CVE-2024-1234", "CVE-2024-1235", false)]
[InlineData("CVE-2024-*", "CVE-2024-1234", true)]
[InlineData("CVE-2024-*", "CVE-2024-9999", true)]
[InlineData("CVE-2024-*", "CVE-2025-1234", false)]
[InlineData("CVE-*", "CVE-2024-1234", true)]
public void Matches_WorksWithPatterns(string pattern, string cveId, bool expected)
{
var rule = new PrecedenceExceptionRule
{
CvePattern = pattern,
Source = "debian",
Precedence = 5
};
var result = rule.Matches(cveId);
Assert.Equal(expected, result);
}
[Theory]
[InlineData("")]
[InlineData(null)]
[InlineData(" ")]
public void Matches_ReturnsFalse_ForInvalidCveId(string? cveId)
{
var rule = new PrecedenceExceptionRule
{
CvePattern = "CVE-2024-*",
Source = "debian",
Precedence = 5
};
var result = rule.Matches(cveId!);
Assert.False(result);
}
}
public sealed class ExtendedPrecedenceConfigTests
{
[Fact]
public void GetActiveRules_ReturnsOnlyActiveRules()
{
var config = new ExtendedPrecedenceConfig
{
ExceptionRules =
[
new PrecedenceExceptionRule { CvePattern = "CVE-2024-1234", Source = "debian", Precedence = 5, IsActive = true },
new PrecedenceExceptionRule { CvePattern = "CVE-2024-5678", Source = "debian", Precedence = 5, IsActive = false },
new PrecedenceExceptionRule { CvePattern = "CVE-2024-9999", Source = "debian", Precedence = 5, IsActive = true }
]
};
var activeRules = config.GetActiveRules().ToList();
Assert.Equal(2, activeRules.Count);
Assert.All(activeRules, r => Assert.True(r.IsActive));
}
[Fact]
public void FindMatchingRule_ReturnsFirstMatch()
{
var config = new ExtendedPrecedenceConfig
{
ExceptionRules =
[
new PrecedenceExceptionRule { CvePattern = "CVE-2024-*", Source = "debian", Precedence = 5, IsActive = true },
new PrecedenceExceptionRule { CvePattern = "CVE-2024-1234", Source = "debian", Precedence = 10, IsActive = true }
]
};
var rule = config.FindMatchingRule("CVE-2024-1234", "debian");
Assert.NotNull(rule);
Assert.Equal(5, rule.Precedence); // First matching rule
}
[Fact]
public void FindMatchingRule_IsCaseInsensitiveForSource()
{
var config = new ExtendedPrecedenceConfig
{
ExceptionRules =
[
new PrecedenceExceptionRule { CvePattern = "CVE-2024-1234", Source = "debian", Precedence = 5, IsActive = true }
]
};
var rule = config.FindMatchingRule("CVE-2024-1234", "DEBIAN");
Assert.NotNull(rule);
}
[Fact]
public void FindMatchingRule_ReturnsNull_WhenNoMatch()
{
var config = new ExtendedPrecedenceConfig
{
ExceptionRules =
[
new PrecedenceExceptionRule { CvePattern = "CVE-2024-1234", Source = "redhat", Precedence = 5, IsActive = true }
]
};
var rule = config.FindMatchingRule("CVE-2024-1234", "debian");
Assert.Null(rule);
}
}

481
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/ProvenanceScopeLifecycleTests.cs Normal file
View File

@@ -0,0 +1,481 @@
// -----------------------------------------------------------------------------
// ProvenanceScopeLifecycleTests.cs
// Sprint: SPRINT_8200_0015_0001_CONCEL_backport_integration
// Task: BACKPORT-8200-017
// Description: Tests for provenance scope lifecycle management
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Concelier.Merge.Backport;
namespace StellaOps.Concelier.Merge.Tests;
/// <summary>
/// Tests for ProvenanceScopeService lifecycle operations.
/// Covers Task 17 (BACKPORT-8200-017) from SPRINT_8200_0015_0001.
/// </summary>
public sealed class ProvenanceScopeLifecycleTests
{
private readonly Mock<IProvenanceScopeStore> _storeMock;
private readonly Mock<IBackportEvidenceResolver> _resolverMock;
private readonly ProvenanceScopeService _service;
public ProvenanceScopeLifecycleTests()
{
_storeMock = new Mock<IProvenanceScopeStore>();
_resolverMock = new Mock<IBackportEvidenceResolver>();
_service = new ProvenanceScopeService(
_storeMock.Object,
NullLogger<ProvenanceScopeService>.Instance,
_resolverMock.Object);
}
#region CreateOrUpdateAsync Tests
[Fact]
public async Task CreateOrUpdateAsync_NewScope_CreatesProvenanceScope()
{
// Arrange
var canonicalId = Guid.NewGuid();
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = "CVE-2024-1234",
PackagePurl = "pkg:deb/debian/curl@7.64.0-4+deb11u1",
Source = "debian",
FixedVersion = "7.64.0-4+deb11u2",
PatchLineage = "abc123def456"
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(Guid.NewGuid());
// Act
var result = await _service.CreateOrUpdateAsync(request);
// Assert
result.Success.Should().BeTrue();
result.WasCreated.Should().BeTrue();
result.ProvenanceScopeId.Should().NotBeNull();
_storeMock.Verify(x => x.UpsertAsync(
It.Is<ProvenanceScope>(s =>
s.CanonicalId == canonicalId &&
s.DistroRelease.Contains("debian") &&
s.BackportSemver == "7.64.0-4+deb11u2"),
It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task CreateOrUpdateAsync_ExistingScope_UpdatesProvenanceScope()
{
// Arrange
var canonicalId = Guid.NewGuid();
var existingScopeId = Guid.NewGuid();
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = "CVE-2024-5678",
PackagePurl = "pkg:rpm/redhat/nginx@1.20.1-14.el9",
Source = "redhat",
FixedVersion = "1.20.1-14.el9_2.1"
};
var existingScope = new ProvenanceScope
{
Id = existingScopeId,
CanonicalId = canonicalId,
DistroRelease = "redhat:9",
BackportSemver = "1.20.1-14.el9",
Confidence = 0.5,
CreatedAt = DateTimeOffset.UtcNow.AddHours(-1),
UpdatedAt = DateTimeOffset.UtcNow.AddHours(-1)
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScope);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScopeId);
// Act
var result = await _service.CreateOrUpdateAsync(request);
// Assert
result.Success.Should().BeTrue();
result.WasCreated.Should().BeFalse();
result.ProvenanceScopeId.Should().Be(existingScopeId);
}
[Fact]
public async Task CreateOrUpdateAsync_WithEvidenceResolver_ResolvesEvidence()
{
// Arrange
var canonicalId = Guid.NewGuid();
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = "CVE-2024-1234",
PackagePurl = "pkg:deb/debian/openssl@1.1.1n-0+deb11u5",
Source = "debian",
ResolveEvidence = true
};
var evidence = new BackportEvidence
{
CveId = "CVE-2024-1234",
PackagePurl = request.PackagePurl,
DistroRelease = "debian:bullseye",
Tier = BackportEvidenceTier.DistroAdvisory,
Confidence = 0.95,
PatchId = "abc123def456abc123def456abc123def456abc123",
BackportVersion = "1.1.1n-0+deb11u6",
PatchOrigin = PatchOrigin.Upstream,
EvidenceDate = DateTimeOffset.UtcNow
};
_resolverMock
.Setup(x => x.ResolveAsync(request.CveId, request.PackagePurl, It.IsAny<CancellationToken>()))
.ReturnsAsync(evidence);
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(Guid.NewGuid());
// Act
var result = await _service.CreateOrUpdateAsync(request);
// Assert
result.Success.Should().BeTrue();
_storeMock.Verify(x => x.UpsertAsync(
It.Is<ProvenanceScope>(s =>
s.Confidence == 0.95 &&
s.BackportSemver == "1.1.1n-0+deb11u6" &&
s.PatchId == "abc123def456abc123def456abc123def456abc123"),
It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task CreateOrUpdateAsync_NonDistroSource_StillCreatesScope()
{
// Arrange
var canonicalId = Guid.NewGuid();
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = "CVE-2024-VENDOR",
PackagePurl = "pkg:generic/product@1.0.0",
Source = "nvd", // Non-distro source
ResolveEvidence = false
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, It.IsAny<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(Guid.NewGuid());
// Act
var result = await _service.CreateOrUpdateAsync(request);
// Assert
result.Success.Should().BeTrue();
}
#endregion
#region UpdateFromEvidenceAsync Tests
[Fact]
public async Task UpdateFromEvidenceAsync_NewEvidence_CreatesScope()
{
// Arrange
var canonicalId = Guid.NewGuid();
var evidence = new BackportEvidence
{
CveId = "CVE-2024-1234",
PackagePurl = "pkg:deb/debian/bash@5.1",
DistroRelease = "debian:bookworm",
Tier = BackportEvidenceTier.PatchHeader,
Confidence = 0.85,
PatchId = "patchheader-commit-sha",
BackportVersion = "5.1-7+deb12u1",
PatchOrigin = PatchOrigin.Upstream,
EvidenceDate = DateTimeOffset.UtcNow
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, "debian:bookworm", It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(Guid.NewGuid());
// Act
var result = await _service.UpdateFromEvidenceAsync(canonicalId, evidence);
// Assert
result.Success.Should().BeTrue();
result.WasCreated.Should().BeTrue();
_storeMock.Verify(x => x.UpsertAsync(
It.Is<ProvenanceScope>(s =>
s.DistroRelease == "debian:bookworm" &&
s.Confidence == 0.85 &&
s.PatchId == "patchheader-commit-sha"),
It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task UpdateFromEvidenceAsync_BetterEvidence_UpdatesScope()
{
// Arrange
var canonicalId = Guid.NewGuid();
var existingScopeId = Guid.NewGuid();
var existingScope = new ProvenanceScope
{
Id = existingScopeId,
CanonicalId = canonicalId,
DistroRelease = "debian:bookworm",
Confidence = 0.5,
PatchId = null,
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
UpdatedAt = DateTimeOffset.UtcNow.AddDays(-1)
};
var betterEvidence = new BackportEvidence
{
CveId = "CVE-2024-1234",
PackagePurl = "pkg:deb/debian/test@1.0",
DistroRelease = "debian:bookworm",
Tier = BackportEvidenceTier.DistroAdvisory,
Confidence = 0.95, // Higher confidence
PatchId = "abc123",
BackportVersion = "1.0-fixed",
PatchOrigin = PatchOrigin.Distro,
EvidenceDate = DateTimeOffset.UtcNow
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, "debian:bookworm", It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScope);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScopeId);
// Act
var result = await _service.UpdateFromEvidenceAsync(canonicalId, betterEvidence);
// Assert
result.Success.Should().BeTrue();
result.WasCreated.Should().BeFalse();
_storeMock.Verify(x => x.UpsertAsync(
It.Is<ProvenanceScope>(s =>
s.Confidence == 0.95 &&
s.PatchId == "abc123"),
It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task UpdateFromEvidenceAsync_LowerConfidenceEvidence_SkipsUpdate()
{
// Arrange
var canonicalId = Guid.NewGuid();
var existingScopeId = Guid.NewGuid();
var existingScope = new ProvenanceScope
{
Id = existingScopeId,
CanonicalId = canonicalId,
DistroRelease = "redhat:9",
Confidence = 0.9, // High confidence
PatchId = "existing-patch-id",
CreatedAt = DateTimeOffset.UtcNow.AddDays(-1),
UpdatedAt = DateTimeOffset.UtcNow.AddDays(-1)
};
var lowerEvidence = new BackportEvidence
{
CveId = "CVE-2024-1234",
PackagePurl = "pkg:rpm/redhat/test@1.0",
DistroRelease = "redhat:9",
Tier = BackportEvidenceTier.BinaryFingerprint,
Confidence = 0.6, // Lower confidence
PatchId = "new-patch-id",
PatchOrigin = PatchOrigin.Upstream,
EvidenceDate = DateTimeOffset.UtcNow
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, "redhat:9", It.IsAny<CancellationToken>()))
.ReturnsAsync(existingScope);
// Act
var result = await _service.UpdateFromEvidenceAsync(canonicalId, lowerEvidence);
// Assert
result.Success.Should().BeTrue();
result.ProvenanceScopeId.Should().Be(existingScopeId);
// Should not call upsert since confidence is lower
_storeMock.Verify(x => x.UpsertAsync(
It.IsAny<ProvenanceScope>(),
It.IsAny<CancellationToken>()),
Times.Never);
}
#endregion
#region LinkEvidenceRefAsync Tests
[Fact]
public async Task LinkEvidenceRefAsync_LinksEvidenceToScope()
{
// Arrange
var scopeId = Guid.NewGuid();
var evidenceRef = Guid.NewGuid();
_storeMock
.Setup(x => x.LinkEvidenceRefAsync(scopeId, evidenceRef, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
// Act
await _service.LinkEvidenceRefAsync(scopeId, evidenceRef);
// Assert
_storeMock.Verify(x => x.LinkEvidenceRefAsync(scopeId, evidenceRef, It.IsAny<CancellationToken>()), Times.Once);
}
#endregion
#region GetByCanonicalIdAsync Tests
[Fact]
public async Task GetByCanonicalIdAsync_ReturnsAllScopes()
{
// Arrange
var canonicalId = Guid.NewGuid();
var scopes = new List<ProvenanceScope>
{
new()
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = "debian:bookworm",
Confidence = 0.9,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
},
new()
{
Id = Guid.NewGuid(),
CanonicalId = canonicalId,
DistroRelease = "ubuntu:22.04",
Confidence = 0.85,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
}
};
_storeMock
.Setup(x => x.GetByCanonicalIdAsync(canonicalId, It.IsAny<CancellationToken>()))
.ReturnsAsync(scopes);
// Act
var result = await _service.GetByCanonicalIdAsync(canonicalId);
// Assert
result.Should().HaveCount(2);
result.Should().Contain(s => s.DistroRelease == "debian:bookworm");
result.Should().Contain(s => s.DistroRelease == "ubuntu:22.04");
}
#endregion
#region DeleteByCanonicalIdAsync Tests
[Fact]
public async Task DeleteByCanonicalIdAsync_DeletesAllScopes()
{
// Arrange
var canonicalId = Guid.NewGuid();
_storeMock
.Setup(x => x.DeleteByCanonicalIdAsync(canonicalId, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
// Act
await _service.DeleteByCanonicalIdAsync(canonicalId);
// Assert
_storeMock.Verify(x => x.DeleteByCanonicalIdAsync(canonicalId, It.IsAny<CancellationToken>()), Times.Once);
}
#endregion
#region Distro Release Extraction Tests
[Theory]
[InlineData("pkg:deb/debian/curl@7.64.0-4+deb11u1", "debian", "debian:bullseye")]
[InlineData("pkg:deb/debian/openssl@3.0.11-1~deb12u2", "debian", "debian:bookworm")]
[InlineData("pkg:rpm/redhat/nginx@1.20.1-14.el9", "redhat", "redhat:9")]
[InlineData("pkg:rpm/redhat/kernel@5.14.0-284.el8", "redhat", "redhat:8")]
[InlineData("pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.14~22.04", "ubuntu", "ubuntu:22.04")]
public async Task CreateOrUpdateAsync_ExtractsCorrectDistroRelease(
string purl, string source, string expectedDistro)
{
// Arrange
var canonicalId = Guid.NewGuid();
var request = new ProvenanceScopeRequest
{
CanonicalId = canonicalId,
CveId = "CVE-2024-TEST",
PackagePurl = purl,
Source = source,
ResolveEvidence = false
};
_storeMock
.Setup(x => x.GetByCanonicalAndDistroAsync(canonicalId, expectedDistro, It.IsAny<CancellationToken>()))
.ReturnsAsync((ProvenanceScope?)null);
_storeMock
.Setup(x => x.UpsertAsync(It.IsAny<ProvenanceScope>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(Guid.NewGuid());
// Act
await _service.CreateOrUpdateAsync(request);
// Assert
_storeMock.Verify(x => x.UpsertAsync(
It.Is<ProvenanceScope>(s => s.DistroRelease == expectedDistro),
It.IsAny<CancellationToken>()),
Times.Once);
}
#endregion
}

1
src/Concelier/__Tests/StellaOps.Concelier.Merge.Tests/StellaOps.Concelier.Merge.Tests.csproj
View File

@@ -15,6 +15,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="FluentAssertions" Version="6.12.0" />
<PackageReference Include="Moq" Version="4.20.70" />
</ItemGroup>
<ItemGroup>
<None Update="Fixtures\Golden\**\*">