Add integration tests for Proof Chain and Reachability workflows

- Implement ProofChainTestFixture for PostgreSQL-backed integration tests. - Create StellaOps.Integration.ProofChain project with necessary dependencies. - Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis. - Introduce ReachabilityTestFixture for managing corpus and fixture paths. - Establish StellaOps.Integration.Reachability project with required references. - Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution. - Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.
2025-12-20 22:19:26 +02:00
parent 3c6e14fca5
commit efe9bd8cfe
86 changed files with 9616 additions and 323 deletions
--- a/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/callgraph.json
+++ b/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/callgraph.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "reach-corpus.callgraph/v1",
+  "analysis_timestamp": "2025-01-15T00:00:00Z",
+  "target_package": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+  "nodes": [
+    {
+      "id": "node-001",
+      "symbol": "com.example.app.Main.main",
+      "type": "entrypoint",
+      "file": "src/main/java/com/example/app/Main.java",
+      "line": 10
+    },
+    {
+      "id": "node-002",
+      "symbol": "com.example.app.UserService.processRequest",
+      "type": "method",
+      "file": "src/main/java/com/example/app/UserService.java",
+      "line": 25
+    },
+    {
+      "id": "node-003",
+      "symbol": "org.apache.logging.log4j.Logger.info",
+      "type": "sink",
+      "file": null,
+      "line": null,
+      "package": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "vulnerable": true,
+      "cve_ids": ["CVE-2021-44228"]
+    }
+  ],
+  "edges": [
+    {
+      "from": "node-001",
+      "to": "node-002",
+      "type": "call"
+    },
+    {
+      "from": "node-002",
+      "to": "node-003",
+      "type": "call",
+      "tainted": true,
+      "taint_source": "user_input"
+    }
+  ],
+  "reachability_result": {
+    "status": "reachable",
+    "paths": [
+      {
+        "path_id": "path-001",
+        "nodes": ["node-001", "node-002", "node-003"],
+        "taint_flow": true,
+        "confidence": 0.95
+      }
+    ],
+    "explanation": "User input flows from Main.main through UserService.processRequest to Logger.info, where JNDI lookup can be triggered."
+  }
+}
--- a/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/case.json
+++ b/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/case.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "critical-log4shell-CVE-2021-44228",
+  "category": "severity-levels/critical",
+  "description": "Log4Shell JNDI injection - Critical severity (CVSS 10.0), in KEV, reachable",
+  "tags": ["critical", "kev", "reachable", "remote-code-execution"],
+  "cve_id": "CVE-2021-44228",
+  "cwe_id": "CWE-917",
+  "affected_package": {
+    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+    "ecosystem": "maven",
+    "name": "log4j-core",
+    "version": "2.14.1",
+    "vendor": "Apache"
+  },
+  "scenario": {
+    "base_cvss": 10.0,
+    "kev_listed": true,
+    "exploit_maturity": "weaponized",
+    "reachability": "reachable",
+    "vex_status": null
+  },
+  "expected_outcome": {
+    "stella_score_min": 9.5,
+    "stella_score_max": 10.0,
+    "action": "remediate-immediately"
+  },
+  "notes": "This is the canonical critical case - maximum severity, in KEV, actively weaponized, and reachable."
+}
--- a/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/expected-score.json
+++ b/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/expected-score.json
@@ -0,0 +1,31 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "critical-log4shell-CVE-2021-44228",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+  "stella_score": 10.0,
+  "scoring_factors": {
+    "base_cvss": 10.0,
+    "temporal_cvss": 10.0,
+    "environmental_cvss": 10.0,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": 0.0,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": true,
+    "exploit_maturity": "weaponized",
+    "reachability_status": "reachable",
+    "vex_status": null
+  },
+  "action_recommendation": "remediate-immediately",
+  "action_rationale": "Critical severity (CVSS 10.0), listed in KEV, actively weaponized exploit, and reachable from application entrypoint. Immediate remediation required.",
+  "expected_assertions": {
+    "score_ge": 9.5,
+    "score_le": 10.0,
+    "kev_flag_true": true,
+    "reachability_reachable": true,
+    "action_is_remediate": true
+  }
+}
--- a/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/manifest.json
+++ b/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/manifest.json
@@ -0,0 +1,32 @@
+{
+  "schema_version": "stellaops.manifest/v1",
+  "manifest_id": "golden-corpus-log4shell-manifest",
+  "created_at": "2025-01-15T00:00:00Z",
+  "scan_target": {
+    "type": "container",
+    "digest": "sha256:deadbeef1234567890abcdef1234567890abcdef1234567890abcdef12345678",
+    "name": "example.io/vulnerable-java-app:1.0.0"
+  },
+  "sbom_binding": {
+    "sbom_digest": "sha256:sbom0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab",
+    "sbom_format": "spdx",
+    "sbom_version": "3.0.1"
+  },
+  "findings": [
+    {
+      "finding_id": "finding-001",
+      "cve_id": "CVE-2021-44228",
+      "package_purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "severity": "CRITICAL",
+      "cvss_v3_score": 10.0,
+      "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+      "kev_listed": true,
+      "epss_score": 0.975,
+      "exploit_maturity": "weaponized"
+    }
+  ],
+  "attestations": {
+    "sbom_attestation": "sha256:attest01234567890abcdef0123456789abcdef0123456789abcdef01234567",
+    "scan_attestation": null
+  }
+}
--- a/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/sbom.spdx.json
+++ b/bench/golden-corpus/severity-levels/critical/log4shell-CVE-2021-44228/sbom.spdx.json
@@ -0,0 +1,60 @@
+{
+  "spdxVersion": "SPDX-3.0.1",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "golden-corpus-log4shell",
+  "documentNamespace": "https://stellaops.io/spdx/golden-corpus/critical-log4shell-CVE-2021-44228",
+  "creationInfo": {
+    "created": "2025-01-15T00:00:00Z",
+    "creators": ["Tool: stellaops-corpus-generator-1.0.0"]
+  },
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-log4j-core",
+      "name": "log4j-core",
+      "versionInfo": "2.14.1",
+      "packageUrl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "downloadLocation": "https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
+      "filesAnalyzed": false,
+      "supplier": "Organization: Apache Software Foundation",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceType": "cpe23Type",
+          "referenceLocator": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
+        }
+      ],
+      "checksums": [
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "a1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-Package-application",
+      "name": "vulnerable-java-app",
+      "versionInfo": "1.0.0",
+      "packageUrl": "pkg:maven/com.example/vulnerable-java-app@1.0.0",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relationshipType": "DESCRIBES",
+      "relatedSpdxElement": "SPDXRef-Package-application"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-application",
+      "relationshipType": "DEPENDS_ON",
+      "relatedSpdxElement": "SPDXRef-Package-log4j-core"
+    }
+  ]
+}
--- a/bench/golden-corpus/severity-levels/high/http2-rapid-reset-CVE-2023-44487/case.json
+++ b/bench/golden-corpus/severity-levels/high/http2-rapid-reset-CVE-2023-44487/case.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "high-http2-rapid-reset-CVE-2023-44487",
+  "category": "severity-levels/high",
+  "description": "HTTP/2 Rapid Reset DoS - High severity (CVSS 7.5), reachable web server",
+  "tags": ["high", "denial-of-service", "reachable", "http2"],
+  "cve_id": "CVE-2023-44487",
+  "cwe_id": "CWE-400",
+  "affected_package": {
+    "purl": "pkg:nuget/Microsoft.AspNetCore.Server.Kestrel@6.0.0",
+    "ecosystem": "nuget",
+    "name": "Microsoft.AspNetCore.Server.Kestrel",
+    "version": "6.0.0",
+    "vendor": "Microsoft"
+  },
+  "scenario": {
+    "base_cvss": 7.5,
+    "kev_listed": true,
+    "exploit_maturity": "proof-of-concept",
+    "reachability": "reachable",
+    "vex_status": null
+  },
+  "expected_outcome": {
+    "stella_score_min": 7.0,
+    "stella_score_max": 8.5,
+    "action": "remediate-soon"
+  },
+  "notes": "High severity DoS vulnerability. In KEV but only proof-of-concept exploit. Reachable as web server."
+}
--- a/bench/golden-corpus/severity-levels/high/http2-rapid-reset-CVE-2023-44487/expected-score.json
+++ b/bench/golden-corpus/severity-levels/high/http2-rapid-reset-CVE-2023-44487/expected-score.json
@@ -0,0 +1,30 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "high-http2-rapid-reset-CVE-2023-44487",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd",
+  "stella_score": 7.8,
+  "scoring_factors": {
+    "base_cvss": 7.5,
+    "temporal_cvss": 7.5,
+    "environmental_cvss": 7.8,
+    "kev_multiplier": 1.05,
+    "exploit_maturity_adjustment": -0.2,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": true,
+    "exploit_maturity": "proof-of-concept",
+    "reachability_status": "reachable",
+    "vex_status": null
+  },
+  "action_recommendation": "remediate-soon",
+  "action_rationale": "High severity DoS (CVSS 7.5), in KEV, but only PoC exploit available. Web server is reachable. Schedule remediation within sprint.",
+  "expected_assertions": {
+    "score_ge": 7.0,
+    "score_le": 8.5,
+    "kev_flag_true": true,
+    "reachability_reachable": true
+  }
+}
--- a/bench/golden-corpus/severity-levels/low/info-disclosure-CVE-2024-99999/case.json
+++ b/bench/golden-corpus/severity-levels/low/info-disclosure-CVE-2024-99999/case.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "low-info-disclosure-CVE-2024-99999",
+  "category": "severity-levels/low",
+  "description": "Minor information disclosure in error messages - Low severity (CVSS 3.1)",
+  "tags": ["low", "information-disclosure", "reachable"],
+  "cve_id": "CVE-2024-99999",
+  "cwe_id": "CWE-209",
+  "affected_package": {
+    "purl": "pkg:nuget/SomeLibrary@1.0.0",
+    "ecosystem": "nuget",
+    "name": "SomeLibrary",
+    "version": "1.0.0",
+    "vendor": "Example"
+  },
+  "scenario": {
+    "base_cvss": 3.1,
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability": "reachable",
+    "vex_status": null
+  },
+  "expected_outcome": {
+    "stella_score_min": 2.5,
+    "stella_score_max": 3.5,
+    "action": "accept-risk"
+  },
+  "notes": "Low severity info disclosure. Reachable but minimal impact. May accept risk."
+}
--- a/bench/golden-corpus/severity-levels/low/info-disclosure-CVE-2024-99999/expected-score.json
+++ b/bench/golden-corpus/severity-levels/low/info-disclosure-CVE-2024-99999/expected-score.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "low-info-disclosure-CVE-2024-99999",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:c3d4e5f6a7b89012345678901234567890123456789012345678901234cdef",
+  "stella_score": 3.1,
+  "scoring_factors": {
+    "base_cvss": 3.1,
+    "temporal_cvss": 3.1,
+    "environmental_cvss": 3.1,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": 0.0,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability_status": "reachable",
+    "vex_status": null
+  },
+  "action_recommendation": "accept-risk",
+  "action_rationale": "Low severity (CVSS 3.1) information disclosure. Code is reachable but impact is minimal. Consider accepting risk.",
+  "expected_assertions": {
+    "score_ge": 2.5,
+    "score_le": 3.5,
+    "kev_flag_true": false
+  }
+}
--- a/bench/golden-corpus/severity-levels/medium/json-dos-CVE-2024-12345/case.json
+++ b/bench/golden-corpus/severity-levels/medium/json-dos-CVE-2024-12345/case.json
@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "medium-json-dos-CVE-2024-12345",
+  "category": "severity-levels/medium",
+  "description": "JSON parsing DoS via deeply nested objects - Medium severity (CVSS 5.3), unreachable",
+  "tags": ["medium", "denial-of-service", "unreachable", "json"],
+  "cve_id": "CVE-2024-12345",
+  "cwe_id": "CWE-400",
+  "affected_package": {
+    "purl": "pkg:nuget/Newtonsoft.Json@12.0.3",
+    "ecosystem": "nuget",
+    "name": "Newtonsoft.Json",
+    "version": "12.0.3",
+    "vendor": "Newtonsoft"
+  },
+  "scenario": {
+    "base_cvss": 5.3,
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability": "unreachable",
+    "vex_status": null
+  },
+  "expected_outcome": {
+    "stella_score_min": 2.0,
+    "stella_score_max": 4.0,
+    "action": "backlog"
+  },
+  "notes": "Medium severity but unreachable code path significantly reduces risk. No known exploits."
+}
--- a/bench/golden-corpus/severity-levels/medium/json-dos-CVE-2024-12345/expected-score.json
+++ b/bench/golden-corpus/severity-levels/medium/json-dos-CVE-2024-12345/expected-score.json
@@ -0,0 +1,30 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "medium-json-dos-CVE-2024-12345",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:b2c3d4e5f6a789012345678901234567890123456789012345678901234bcde",
+  "stella_score": 3.2,
+  "scoring_factors": {
+    "base_cvss": 5.3,
+    "temporal_cvss": 5.0,
+    "environmental_cvss": 3.2,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": -0.3,
+    "reachability_adjustment": -1.8,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability_status": "unreachable",
+    "vex_status": null
+  },
+  "action_recommendation": "backlog",
+  "action_rationale": "Medium severity (CVSS 5.3) but code path is unreachable. No known exploits. Add to backlog for eventual cleanup.",
+  "expected_assertions": {
+    "score_ge": 2.0,
+    "score_le": 4.0,
+    "kev_flag_true": false,
+    "reachability_unreachable": true
+  }
+}