up

StellaOps Bot
2025-12-13 18:08:55 +02:00
parent 6e45066e37
commit f1a39c4ce3
234 changed files with 24038 additions and 6910 deletions


@@ -214,6 +214,111 @@ public sealed class DotNetLanguageAnalyzerTests
Assert.Contains("win-arm64", ridValues);
}
[Fact]
public async Task SourceTreeOnlyEmitsDeclaredPackagesAsync()
{
var cancellationToken = TestContext.Current.CancellationToken;
var fixturePath = TestPaths.ResolveFixture("lang", "dotnet", "source-tree-only");
var analyzers = new ILanguageAnalyzer[]
{
new DotNetLanguageAnalyzer()
};
var json = await LanguageAnalyzerTestHarness.RunToJsonAsync(
fixturePath,
analyzers,
cancellationToken);
using var document = JsonDocument.Parse(json);
var root = document.RootElement;
Assert.True(root.ValueKind == JsonValueKind.Array, "Result root should be an array.");
Assert.Equal(2, root.GetArrayLength());
// Check that packages are declared-only
foreach (var component in root.EnumerateArray())
{
var metadata = component.GetProperty("metadata");
Assert.Equal("true", metadata.GetProperty("declaredOnly").GetString());
Assert.Equal("declared", metadata.GetProperty("provenance").GetString());
}
// Check specific packages
var newtonsoftJson = root.EnumerateArray()
.First(element => element.GetProperty("name").GetString() == "Newtonsoft.Json");
Assert.Equal("13.0.3", newtonsoftJson.GetProperty("version").GetString());
Assert.Equal("pkg:nuget/newtonsoft.json@13.0.3", newtonsoftJson.GetProperty("purl").GetString());
}
[Fact]
public async Task LockfileOnlyEmitsDeclaredPackagesAsync()
{
var cancellationToken = TestContext.Current.CancellationToken;
var fixturePath = TestPaths.ResolveFixture("lang", "dotnet", "lockfile-only");
var analyzers = new ILanguageAnalyzer[]
{
new DotNetLanguageAnalyzer()
};
var json = await LanguageAnalyzerTestHarness.RunToJsonAsync(
fixturePath,
analyzers,
cancellationToken);
using var document = JsonDocument.Parse(json);
var root = document.RootElement;
Assert.True(root.ValueKind == JsonValueKind.Array, "Result root should be an array.");
Assert.Equal(2, root.GetArrayLength());
// Check that packages are declared-only
foreach (var component in root.EnumerateArray())
{
var metadata = component.GetProperty("metadata");
Assert.Equal("true", metadata.GetProperty("declaredOnly").GetString());
}
// Check direct vs transitive sources
var directPackage = root.EnumerateArray()
.First(element => element.GetProperty("name").GetString() == "Microsoft.Extensions.Logging");
var transitivePackage = root.EnumerateArray()
.First(element => element.GetProperty("name").GetString() == "Microsoft.Extensions.Logging.Abstractions");
Assert.Contains("Direct", directPackage.GetProperty("metadata").GetProperty("declared.source[0]").GetString());
Assert.Contains("Transitive", transitivePackage.GetProperty("metadata").GetProperty("declared.source[0]").GetString());
}
[Fact]
public async Task PackagesConfigOnlyEmitsDeclaredPackagesAsync()
{
var cancellationToken = TestContext.Current.CancellationToken;
var fixturePath = TestPaths.ResolveFixture("lang", "dotnet", "packages-config-only");
var analyzers = new ILanguageAnalyzer[]
{
new DotNetLanguageAnalyzer()
};
var json = await LanguageAnalyzerTestHarness.RunToJsonAsync(
fixturePath,
analyzers,
cancellationToken);
using var document = JsonDocument.Parse(json);
var root = document.RootElement;
Assert.True(root.ValueKind == JsonValueKind.Array, "Result root should be an array.");
Assert.Equal(2, root.GetArrayLength());
// Check that packages are from packages.config
foreach (var component in root.EnumerateArray())
{
var metadata = component.GetProperty("metadata");
Assert.Equal("true", metadata.GetProperty("declaredOnly").GetString());
Assert.Equal("packages.config", metadata.GetProperty("declared.source[0]").GetString());
Assert.Equal("net48", metadata.GetProperty("declared.tfm[0]").GetString());
}
}
private sealed class StubAuthenticodeInspector : IDotNetAuthenticodeInspector
{
public DotNetAuthenticodeMetadata? TryInspect(string assemblyPath, CancellationToken cancellationToken)
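Review bot: In `LockfileOnlyEmitsDeclaredPackagesAsync` the direct/transitive checks use `Assert.Contains("Direct", …)` and `Assert.Contains("Transitive", …)`, a substring match that would still pass if the analyzer emitted an unexpected source string; pinning the exact values, `Assert.Equal("packages.lock.json (Direct)", …)` and `Assert.Equal("packages.lock.json (Transitive)", …)`, matches what the lock-file expected output on this page contains. The same test's loop checks only `declaredOnly`, while `SourceTreeOnlyEmitsDeclaredPackagesAsync` also asserts `provenance`; adding `Assert.Equal("declared", metadata.GetProperty("provenance").GetString());` would keep the declared-only tests parallel. `SourceTreeOnlyEmitsDeclaredPackagesAsync` verifies only Newtonsoft.Json, so a wrong centrally managed version for the second package would go unnoticed, assuming the source-tree-only fixture is the central-package-management project shown later on this page. The hunk ends inside `StubAuthenticodeInspector`, whose body continues outside it.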


@@ -0,0 +1,60 @@
[
{
"componentKey": "purl::pkg:nuget/microsoft.extensions.logging@8.0.0",
"analyzerId": "dotnet",
"purl": "pkg:nuget/microsoft.extensions.logging@8.0.0",
"name": "Microsoft.Extensions.Logging",
"version": "8.0.0",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "packages.lock.json",
"declared.source[0]": "packages.lock.json (Direct)",
"declared.tfm[0]": "net8.0",
"declared.versionSource": "lockfile",
"package.id": "Microsoft.Extensions.Logging",
"package.id.normalized": "microsoft.extensions.logging",
"package.version": "8.0.0",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "packages.lock.json (Direct)",
"locator": "packages.lock.json",
"value": "Microsoft.Extensions.Logging@8.0.0",
"sha256": null
}
]
},
{
"componentKey": "purl::pkg:nuget/microsoft.extensions.logging.abstractions@8.0.0",
"analyzerId": "dotnet",
"purl": "pkg:nuget/microsoft.extensions.logging.abstractions@8.0.0",
"name": "Microsoft.Extensions.Logging.Abstractions",
"version": "8.0.0",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "packages.lock.json",
"declared.source[0]": "packages.lock.json (Transitive)",
"declared.tfm[0]": "net8.0",
"declared.versionSource": "lockfile",
"package.id": "Microsoft.Extensions.Logging.Abstractions",
"package.id.normalized": "microsoft.extensions.logging.abstractions",
"package.version": "8.0.0",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "packages.lock.json (Transitive)",
"locator": "packages.lock.json",
"value": "Microsoft.Extensions.Logging.Abstractions@8.0.0",
"sha256": null
}
]
}
]


@@ -0,0 +1,19 @@
{
"version": 2,
"dependencies": {
"net8.0": {
"Microsoft.Extensions.Logging": {
"type": "Direct",
"requested": "[8.0.0, )",
"resolved": "8.0.0",
"contentHash": "ABC123"
},
"Microsoft.Extensions.Logging.Abstractions": {
"type": "Transitive",
"resolved": "8.0.0",
"contentHash": "DEF456",
"dependencies": {}
}
}
}
}
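Review bot: The `contentHash` values in this fixture (`"ABC123"`, `"DEF456"`) are placeholders rather than the base64 SHA-512 digests NuGet writes into a lock file, so the fixture cannot show whether the analyzer reads or carries forward the lock file's integrity pin. The lock-file expected output on this page has `"sha256": null` in `evidence` and no hash under `metadata`, which suggests the digest is currently dropped from the declared component. If that is intentional, a short statement of it in the analyzer documentation would help consumers who expect lock-file components to be hash-pinned; if not, a realistically shaped digest here would let a test assert how the value is surfaced.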


@@ -21,6 +21,7 @@
"assembly[3].assetPath": "runtimes/osx-arm64/lib/net10.0/StellaOps.Logging.dll",
"assembly[3].rid[0]": "osx-arm64",
"assembly[3].tfm[0]": ".NETCoreApp,Version=v10.0",
"declared.missing": "true",
"deps.path[0]": "AppA.deps.json",
"deps.path[1]": "AppB.deps.json",
"deps.rid[0]": "linux-arm64",
@@ -69,6 +70,7 @@
"assembly[0].fileVersion": "1.2.3.0",
"assembly[0].tfm[0]": ".NETCoreApp,Version=v10.0",
"assembly[0].version": "1.2.3.0",
"declared.missing": "true",
"deps.dependency[0]": "stellaops.logging",
"deps.path[0]": "AppA.deps.json",
"deps.path[1]": "AppB.deps.json",


@@ -0,0 +1,60 @@
[
{
"componentKey": "purl::pkg:nuget/log4net@2.0.15",
"analyzerId": "dotnet",
"purl": "pkg:nuget/log4net@2.0.15",
"name": "log4net",
"version": "2.0.15",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "packages.config",
"declared.source[0]": "packages.config",
"declared.tfm[0]": "net48",
"declared.versionSource": "packagesconfig",
"package.id": "log4net",
"package.id.normalized": "log4net",
"package.version": "2.0.15",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "packages.config",
"locator": "packages.config",
"value": "log4net@2.0.15",
"sha256": null
}
]
},
{
"componentKey": "purl::pkg:nuget/newtonsoft.json@13.0.3",
"analyzerId": "dotnet",
"purl": "pkg:nuget/newtonsoft.json@13.0.3",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "packages.config",
"declared.source[0]": "packages.config",
"declared.tfm[0]": "net48",
"declared.versionSource": "packagesconfig",
"package.id": "Newtonsoft.Json",
"package.id.normalized": "newtonsoft.json",
"package.version": "13.0.3",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "packages.config",
"locator": "packages.config",
"value": "Newtonsoft.Json@13.0.3",
"sha256": null
}
]
}
]


@@ -0,0 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Newtonsoft.Json" version="13.0.3" targetFramework="net48" />
<package id="log4net" version="2.0.15" targetFramework="net48" />
</packages>


@@ -8,6 +8,7 @@
"type": "nuget",
"usedByEntrypoint": true,
"metadata": {
"declared.missing": "true",
"deps.path[0]": "MyApp.deps.json",
"deps.rid[0]": "linux-x64",
"deps.rid[1]": "win-x64",
@@ -61,6 +62,7 @@
"assembly[0].rid[1]": "win-x64",
"assembly[0].tfm[0]": ".NETCoreApp,Version=v10.0",
"assembly[0].version": "1.2.3.0",
"declared.missing": "true",
"deps.path[0]": "MyApp.deps.json",
"deps.rid[0]": "linux-x64",
"deps.rid[1]": "win-x64",


@@ -15,6 +15,7 @@
"assembly[1].assetPath": "runtimes/linux-x64/lib/net9.0/Microsoft.Extensions.Logging.dll",
"assembly[1].rid[0]": "linux-x64",
"assembly[1].tfm[0]": ".NETCoreApp,Version=v10.0",
"declared.missing": "true",
"deps.path[0]": "Signed.App.deps.json",
"deps.rid[0]": "linux-x64",
"deps.tfm[0]": ".NETCoreApp,Version=v10.0",


@@ -18,6 +18,7 @@
"assembly[2].assetPath": "runtimes/win-x86/lib/net9.0/Microsoft.Extensions.Logging.dll",
"assembly[2].rid[0]": "win-x86",
"assembly[2].tfm[0]": ".NETCoreApp,Version=v10.0",
"declared.missing": "true",
"deps.path[0]": "Sample.App.deps.json",
"deps.rid[0]": "linux-x64",
"deps.rid[1]": "win-x86",
@@ -54,6 +55,7 @@
"assembly[0].fileVersion": "1.2.3.0",
"assembly[0].tfm[0]": ".NETCoreApp,Version=v10.0",
"assembly[0].version": "1.2.3.0",
"declared.missing": "true",
"deps.dependency[0]": "microsoft.extensions.logging",
"deps.path[0]": "Sample.App.deps.json",
"deps.rid[0]": "linux-x64",


@@ -0,0 +1,12 @@
<Project>
<PropertyGroup>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
</PropertyGroup>
<ItemGroup>
<PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
<PackageVersion Include="Serilog" Version="3.1.1" />
</ItemGroup>
</Project>


@@ -0,0 +1,14 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<OutputType>Exe</OutputType>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Newtonsoft.Json" />
<PackageReference Include="Serilog" />
</ItemGroup>
</Project>


@@ -0,0 +1,60 @@
[
{
"componentKey": "purl::pkg:nuget/newtonsoft.json@13.0.3",
"analyzerId": "dotnet",
"purl": "pkg:nuget/newtonsoft.json@13.0.3",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "Sample.App.csproj",
"declared.source[0]": "csproj",
"declared.tfm[0]": "net8.0",
"declared.versionSource": "centralpkg",
"package.id": "Newtonsoft.Json",
"package.id.normalized": "newtonsoft.json",
"package.version": "13.0.3",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "csproj",
"locator": "Sample.App.csproj",
"value": "Newtonsoft.Json@13.0.3",
"sha256": null
}
]
},
{
"componentKey": "purl::pkg:nuget/serilog@3.1.1",
"analyzerId": "dotnet",
"purl": "pkg:nuget/serilog@3.1.1",
"name": "Serilog",
"version": "3.1.1",
"type": "nuget",
"usedByEntrypoint": false,
"metadata": {
"declaredOnly": "true",
"declared.locator[0]": "Sample.App.csproj",
"declared.source[0]": "csproj",
"declared.tfm[0]": "net8.0",
"declared.versionSource": "centralpkg",
"package.id": "Serilog",
"package.id.normalized": "serilog",
"package.version": "3.1.1",
"provenance": "declared"
},
"evidence": [
{
"kind": "File",
"source": "csproj",
"locator": "Sample.App.csproj",
"value": "Serilog@3.1.1",
"sha256": null
}
]
}
]