Add integration tests for Proof Chain and Reachability workflows

- Implement ProofChainTestFixture for PostgreSQL-backed integration tests.
- Create StellaOps.Integration.ProofChain project with necessary dependencies.
- Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis.
- Introduce ReachabilityTestFixture for managing corpus and fixture paths.
- Establish StellaOps.Integration.Reachability project with required references.
- Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution.
- Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.

bench/golden-corpus/vex-scenarios/affected/action-required/case.json

@@ -0,0 +1,30 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "vex-affected-action-required",
+  "category": "vex-scenarios/affected",
+  "description": "High severity CVE with VEX status affected - action required",
+  "tags": ["vex", "affected", "action-required"],
+  "cve_id": "CVE-2023-99997",
+  "cwe_id": "CWE-89",
+  "affected_package": {
+    "purl": "pkg:nuget/DatabaseLib@3.0.0",
+    "ecosystem": "nuget",
+    "name": "DatabaseLib",
+    "version": "3.0.0",
+    "vendor": "Example"
+  },
+  "scenario": {
+    "base_cvss": 8.5,
+    "kev_listed": false,
+    "exploit_maturity": "proof-of-concept",
+    "reachability": "reachable",
+    "vex_status": "affected",
+    "vex_action_statement": "Upgrade to version 3.1.0 or later"
+  },
+  "expected_outcome": {
+    "stella_score_min": 7.5,
+    "stella_score_max": 9.0,
+    "action": "remediate-soon"
+  },
+  "notes": "VEX confirms affected status with recommended action. Score reflects confirmed exploitability."
+}

bench/golden-corpus/vex-scenarios/affected/action-required/expected-score.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "vex-affected-action-required",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:e5f6a7b8c9d01234567890123456789012345678901234567890123456ef01",
+  "stella_score": 8.2,
+  "scoring_factors": {
+    "base_cvss": 8.5,
+    "temporal_cvss": 8.0,
+    "environmental_cvss": 8.2,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": -0.3,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": false,
+    "exploit_maturity": "proof-of-concept",
+    "reachability_status": "reachable",
+    "vex_status": "affected"
+  },
+  "action_recommendation": "remediate-soon",
+  "action_rationale": "VEX confirms affected status. High severity SQL injection (CVSS 8.5), reachable. Upgrade to 3.1.0+ as recommended.",
+  "expected_assertions": {
+    "score_ge": 7.5,
+    "score_le": 9.0,
+    "vex_status_is": "affected"
+  }
+}

bench/golden-corpus/vex-scenarios/affected/action-required/vex.openvex.json

@@ -0,0 +1,23 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.io/vex/golden-corpus/vex-affected-action-required",
+  "author": "StellaOps Golden Corpus",
+  "timestamp": "2025-01-15T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-99997",
+        "name": "CVE-2023-99997"
+      },
+      "products": [
+        {
+          "@id": "pkg:nuget/DatabaseLib@3.0.0"
+        }
+      ],
+      "status": "affected",
+      "action_statement": "Upgrade to version 3.1.0 or later to remediate this vulnerability.",
+      "action_statement_timestamp": "2025-01-15T00:00:00Z"
+    }
+  ]
+}

bench/golden-corpus/vex-scenarios/fixed/remediated/case.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "vex-fixed-remediated",
+  "category": "vex-scenarios/fixed",
+  "description": "Previously critical CVE now fixed - version updated",
+  "tags": ["vex", "fixed", "remediated"],
+  "cve_id": "CVE-2021-44228",
+  "cwe_id": "CWE-917",
+  "affected_package": {
+    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
+    "ecosystem": "maven",
+    "name": "log4j-core",
+    "version": "2.17.1",
+    "vendor": "Apache"
+  },
+  "scenario": {
+    "base_cvss": 10.0,
+    "kev_listed": true,
+    "exploit_maturity": "weaponized",
+    "reachability": "reachable",
+    "vex_status": "fixed"
+  },
+  "expected_outcome": {
+    "stella_score_min": 0.0,
+    "stella_score_max": 0.0,
+    "action": "no-action-required"
+  },
+  "notes": "Log4Shell was critical but version 2.17.1 includes the fix. VEX marks as fixed."
+}

bench/golden-corpus/vex-scenarios/fixed/remediated/expected-score.json

@@ -0,0 +1,28 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "vex-fixed-remediated",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:f6a7b8c9d0e12345678901234567890123456789012345678901234567f012",
+  "stella_score": 0.0,
+  "scoring_factors": {
+    "base_cvss": 10.0,
+    "temporal_cvss": 10.0,
+    "environmental_cvss": 0.0,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": 0.0,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": -10.0
+  },
+  "flags": {
+    "kev_listed": true,
+    "exploit_maturity": "weaponized",
+    "reachability_status": "reachable",
+    "vex_status": "fixed"
+  },
+  "action_recommendation": "no-action-required",
+  "action_rationale": "VEX status is fixed. Version 2.17.1 contains the complete remediation for Log4Shell.",
+  "expected_assertions": {
+    "score_eq": 0.0,
+    "vex_status_is": "fixed"
+  }
+}

bench/golden-corpus/vex-scenarios/fixed/remediated/vex.openvex.json

@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.io/vex/golden-corpus/vex-fixed-remediated",
+  "author": "StellaOps Golden Corpus",
+  "timestamp": "2025-01-15T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
+        "name": "CVE-2021-44228"
+      },
+      "products": [
+        {
+          "@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
+        }
+      ],
+      "status": "fixed",
+      "impact_statement": "This version (2.17.1) contains the complete fix for Log4Shell. JNDI lookups are disabled by default."
+    }
+  ]
+}

bench/golden-corpus/vex-scenarios/not-affected/component-not-present/case.json

@@ -0,0 +1,30 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "vex-not-affected-component-not-present",
+  "category": "vex-scenarios/not-affected",
+  "description": "High severity CVE marked not_affected - vulnerable component not present",
+  "tags": ["vex", "not-affected", "component-not-present"],
+  "cve_id": "CVE-2023-99998",
+  "cwe_id": "CWE-79",
+  "affected_package": {
+    "purl": "pkg:nuget/VulnerableLib@2.0.0",
+    "ecosystem": "nuget",
+    "name": "VulnerableLib",
+    "version": "2.0.0",
+    "vendor": "Example"
+  },
+  "scenario": {
+    "base_cvss": 8.0,
+    "kev_listed": false,
+    "exploit_maturity": "proof-of-concept",
+    "reachability": "unknown",
+    "vex_status": "not_affected",
+    "vex_justification": "component_not_present"
+  },
+  "expected_outcome": {
+    "stella_score_min": 0.0,
+    "stella_score_max": 1.0,
+    "action": "no-action-required"
+  },
+  "notes": "VEX statement declares not_affected due to component_not_present. Score should be minimal/zero."
+}

bench/golden-corpus/vex-scenarios/not-affected/component-not-present/expected-score.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "vex-not-affected-component-not-present",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:d4e5f6a7b8c90123456789012345678901234567890123456789012345def0",
+  "stella_score": 0.0,
+  "scoring_factors": {
+    "base_cvss": 8.0,
+    "temporal_cvss": 7.5,
+    "environmental_cvss": 0.0,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": -0.5,
+    "reachability_adjustment": 0.0,
+    "vex_adjustment": -8.0
+  },
+  "flags": {
+    "kev_listed": false,
+    "exploit_maturity": "proof-of-concept",
+    "reachability_status": "unknown",
+    "vex_status": "not_affected",
+    "vex_justification": "component_not_present"
+  },
+  "action_recommendation": "no-action-required",
+  "action_rationale": "VEX statement declares not_affected with justification component_not_present. No remediation needed.",
+  "expected_assertions": {
+    "score_eq": 0.0,
+    "vex_status_is": "not_affected"
+  }
+}

bench/golden-corpus/vex-scenarios/not-affected/component-not-present/vex.openvex.json

@@ -0,0 +1,23 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.io/vex/golden-corpus/vex-not-affected-component-not-present",
+  "author": "StellaOps Golden Corpus",
+  "timestamp": "2025-01-15T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-99998",
+        "name": "CVE-2023-99998"
+      },
+      "products": [
+        {
+          "@id": "pkg:nuget/VulnerableLib@2.0.0"
+        }
+      ],
+      "status": "not_affected",
+      "justification": "component_not_present",
+      "impact_statement": "The vulnerable component (specific module) is not included in this build configuration."
+    }
+  ]
+}

bench/golden-corpus/vex-scenarios/under-investigation/pending-analysis/case.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.case/v1",
+  "case_id": "vex-under-investigation",
+  "category": "vex-scenarios/under-investigation",
+  "description": "New CVE being investigated - status pending analysis",
+  "tags": ["vex", "under-investigation", "pending"],
+  "cve_id": "CVE-2025-00001",
+  "cwe_id": "CWE-787",
+  "affected_package": {
+    "purl": "pkg:nuget/NewLib@1.0.0",
+    "ecosystem": "nuget",
+    "name": "NewLib",
+    "version": "1.0.0",
+    "vendor": "Example"
+  },
+  "scenario": {
+    "base_cvss": 7.8,
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability": "unknown",
+    "vex_status": "under_investigation"
+  },
+  "expected_outcome": {
+    "stella_score_min": 5.0,
+    "stella_score_max": 8.0,
+    "action": "monitor"
+  },
+  "notes": "Newly disclosed CVE under investigation. Score based on base CVSS until VEX is updated."
+}

bench/golden-corpus/vex-scenarios/under-investigation/pending-analysis/expected-score.json

@@ -0,0 +1,29 @@
+{
+  "schema_version": "stellaops.golden.expected/v1",
+  "case_id": "vex-under-investigation",
+  "determinism_salt": "frozen-2025-01-15T00:00:00Z",
+  "score_hash": "sha256:a7b8c9d0e1f23456789012345678901234567890123456789012345678a123",
+  "stella_score": 6.5,
+  "scoring_factors": {
+    "base_cvss": 7.8,
+    "temporal_cvss": 7.0,
+    "environmental_cvss": 6.5,
+    "kev_multiplier": 1.0,
+    "exploit_maturity_adjustment": -0.5,
+    "reachability_adjustment": -0.3,
+    "vex_adjustment": 0.0
+  },
+  "flags": {
+    "kev_listed": false,
+    "exploit_maturity": "unproven",
+    "reachability_status": "unknown",
+    "vex_status": "under_investigation"
+  },
+  "action_recommendation": "monitor",
+  "action_rationale": "VEX status is under_investigation. Monitor for updates. Scoring based on base CVSS with uncertainty adjustments.",
+  "expected_assertions": {
+    "score_ge": 5.0,
+    "score_le": 8.0,
+    "vex_status_is": "under_investigation"
+  }
+}

bench/golden-corpus/vex-scenarios/under-investigation/pending-analysis/vex.openvex.json

@@ -0,0 +1,22 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.io/vex/golden-corpus/vex-under-investigation",
+  "author": "StellaOps Golden Corpus",
+  "timestamp": "2025-01-15T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-00001",
+        "name": "CVE-2025-00001"
+      },
+      "products": [
+        {
+          "@id": "pkg:nuget/NewLib@1.0.0"
+        }
+      ],
+      "status": "under_investigation",
+      "status_notes": "Security team is analyzing impact. Update expected within 48 hours."
+    }
+  ]
+}