Add integration tests for Proof Chain and Reachability workflows
- Implement ProofChainTestFixture for PostgreSQL-backed integration tests. - Create StellaOps.Integration.ProofChain project with necessary dependencies. - Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis. - Introduce ReachabilityTestFixture for managing corpus and fixture paths. - Establish StellaOps.Integration.Reachability project with required references. - Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution. - Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.
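--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,59 @@
+{
+"schema_version": "reach-corpus.callgraph/v1",
+"analysis_timestamp": "2025-01-15T00:00:00Z",
+"target_package": "pkg:nuget/HttpClient@5.0.0",
+"nodes": [
+{
+"id": "node-001",
+"symbol": "Example.Api.Controllers.ProxyController.Forward",
+"type": "entrypoint",
+"file": "src/Controllers/ProxyController.cs",
+"line": 20
+},
+{
+"id": "node-002",
+"symbol": "Example.Services.ProxyService.MakeRequest",
+"type": "method",
+"file": "src/Services/ProxyService.cs",
+"line": 35
+},
+{
+"id": "node-003",
+"symbol": "HttpClient.SendAsync",
+"type": "sink",
+"file": null,
+"line": null,
+"package": "pkg:nuget/HttpClient@5.0.0",
+"vulnerable": true,
+"cve_ids": ["CVE-2024-44444"],
+"notes": "Vulnerable when redirect following is enabled"
+}
+],
+"edges": [
+{
+"from": "node-001",
+"to": "node-002",
+"type": "call"
+},
+{
+"from": "node-002",
+"to": "node-003",
+"type": "call",
+"tainted": true,
+"taint_source": "user_url"
+}
+],
+"reachability_result": {
+"status": "reachable",
+"confidence": 0.88,
+"paths": [
+{
+"path_id": "path-001",
+"nodes": ["node-001", "node-002", "node-003"],
+"taint_flow": true,
+"explanation": "User-provided URL flows to HttpClient.SendAsync"
+}
+],
+"notes": "Code path exists but VEX states configuration mitigates the vulnerability"
+}
+}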
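Review bot: The sink node `node-003` switches `file` and `line` from string/integer to `null`, so the node shape depends on `type`, and a consumer that iterates `nodes` and formats a `file:line` location will hit a null on every external-package symbol. If `reach-corpus.callgraph/v1` intends external symbols to carry no source location, omitting the two keys on that node, or stating in the schema that they are `null` for `"type": "sink"` nodes, makes the contract explicit instead of implicit. Separately, `reachability_result` is an expected output embedded in an input fixture, and its `confidence` of 0.88 is restated as `reachability_confidence` in the expected-results file of this commit; if the tests compute reachability from `nodes`/`edges`, one of the two copies should be declared the source of truth so they cannot drift apart.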
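--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,30 @@
+{
+"schema_version": "stellaops.golden.case/v1",
+"case_id": "composite-reachable-with-vex-mitigated",
+"category": "composite/reachable-with-vex",
+"description": "High severity CVE, reachable, but mitigated via configuration (VEX not_affected)",
+"tags": ["composite", "reachable", "vex", "mitigated", "vulnerable-code-not-invoked"],
+"cve_id": "CVE-2024-44444",
+"cwe_id": "CWE-918",
+"affected_package": {
+"purl": "pkg:nuget/HttpClient@5.0.0",
+"ecosystem": "nuget",
+"name": "HttpClient",
+"version": "5.0.0",
+"vendor": "Example"
+},
+"scenario": {
+"base_cvss": 8.5,
+"kev_listed": false,
+"exploit_maturity": "proof-of-concept",
+"reachability": "reachable",
+"vex_status": "not_affected",
+"vex_justification": "vulnerable_code_not_in_execute_path"
+},
+"expected_outcome": {
+"stella_score_min": 1.0,
+"stella_score_max": 3.5,
+"action": "monitor"
+},
+"notes": "SSRF vulnerability in HttpClient. Code path exists but vulnerable feature (redirect following) is disabled via configuration. VEX declares not_affected."
+}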
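Review bot: The tag `vulnerable-code-not-invoked` uses a different vocabulary from `vex_justification`, which is the OpenVEX term `vulnerable_code_not_in_execute_path` also used by the VEX document in this commit; if tags are ever used to select cases by justification, this case would silently be missed. Either reuse the justification string as the tag, `"tags": ["composite", "reachable", "vex", "mitigated", "vulnerable_code_not_in_execute_path"]`, or document the tag vocabulary where the case schema is defined. Note also that `stella_score_min`/`stella_score_max` (1.0/3.5) are restated as `score_ge`/`score_le` in the expected-results file, so a bound changed in one file but not the other would leave the case and its expectation disagreeing without any test noticing.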
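--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,32 @@
+{
+"schema_version": "stellaops.golden.expected/v1",
+"case_id": "composite-reachable-with-vex-mitigated",
+"determinism_salt": "frozen-2025-01-15T00:00:00Z",
+"score_hash": "sha256:e1f2a3b4c5d67890123456789012345678901234567890123456789012e567",
+"stella_score": 2.5,
+"scoring_factors": {
+"base_cvss": 8.5,
+"temporal_cvss": 8.0,
+"environmental_cvss": 2.5,
+"kev_multiplier": 1.0,
+"exploit_maturity_adjustment": -0.3,
+"reachability_adjustment": 0.0,
+"vex_adjustment": -5.5
+},
+"flags": {
+"kev_listed": false,
+"exploit_maturity": "proof-of-concept",
+"reachability_status": "reachable",
+"reachability_confidence": 0.88,
+"vex_status": "not_affected",
+"vex_justification": "vulnerable_code_not_in_execute_path"
+},
+"action_recommendation": "monitor",
+"action_rationale": "Code path is reachable but VEX declares not_affected due to configuration mitigation (redirects disabled). Monitor for configuration changes.",
+"expected_assertions": {
+"score_ge": 1.0,
+"score_le": 3.5,
+"reachability_reachable": true,
+"vex_status_is": "not_affected"
+}
+}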
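Review bot: `score_hash` has 62 hex characters after the `sha256:` prefix, but a SHA-256 digest is 64, and the repeating digit run reads as a hand-typed placeholder rather than a computed value. A determinism test that recomputes the score hash under `determinism_salt` and compares it to this field can never pass, while one that only checks the field is present would not catch a non-deterministic scorer; either generate the value from the scorer or mark it as a placeholder the test must not compare against, e.g. `"score_hash": "sha256:<recompute-from-scorer>"` until a real digest exists. `reachability_confidence` (0.88) and `score_ge`/`score_le` (1.0/3.5) repeat values from the call-graph and case fixtures in this commit, so it is worth stating which file holds the canonical copy.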
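--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,23 @@
+{
+"@context": "https://openvex.dev/ns/v0.2.0",
+"@id": "https://stellaops.io/vex/golden-corpus/composite-reachable-with-vex-mitigated",
+"author": "StellaOps Golden Corpus",
+"timestamp": "2025-01-15T00:00:00Z",
+"version": 1,
+"statements": [
+{
+"vulnerability": {
+"@id": "https://nvd.nist.gov/vuln/detail/CVE-2024-44444",
+"name": "CVE-2024-44444"
+},
+"products": [
+{
+"@id": "pkg:nuget/HttpClient@5.0.0"
+}
+],
+"status": "not_affected",
+"justification": "vulnerable_code_not_in_execute_path",
+"impact_statement": "The SSRF vulnerability requires automatic redirect following to be enabled. Our configuration explicitly disables redirect following (MaxRedirects=0), so the vulnerable code path is never executed."
+}
+]
+}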
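Review bot: The `not_affected` statement names only `pkg:nuget/HttpClient@5.0.0` as its product, yet the `impact_statement` justifies it by the deploying application's configuration (`MaxRedirects=0`), which is a property of the consumer, not of the library. Read literally, the document asserts that HttpClient 5.0.0 itself is not affected by CVE-2024-44444, the opposite of the case file's premise that the library is vulnerable and only this deployment is mitigated; OpenVEX expresses the intended scope with the application as the product and the library under `subcomponents`, e.g. `"products": [{"@id": "<application-purl — not on page>", "subcomponents": [{"@id": "pkg:nuget/HttpClient@5.0.0"}]}]`. If the corpus deliberately keys statements on the package purl because that is what the matcher under test looks up, a short note in the fixture saying so would stop the next reader from "correcting" it and breaking the test.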