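# -----------------------------------------------------------------------------
# kev-blocker_test.rego
# Tests for KEV blocker policy
#
# Each test evaluates `allow`, `deny` or `summary` from the KEV blocker policy
# against a synthetic `input` of CVE findings plus a `config` object.
# -----------------------------------------------------------------------------
package stellaops.gates.kev

import future.keywords.if

# Test allow - no KEV CVEs
test_allow_no_kev if {
	allow with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": false},
			{"cve_id": "CVE-2024-0002", "is_kev": false},
		],
		"config": {},
	}
}

# Test deny - KEV CVE present
# A single KEV finding among non-KEV ones is enough to block.
test_deny_kev_present if {
	not allow with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": false},
			{"cve_id": "CVE-2024-0002", "is_kev": true},
		],
		"config": {},
	}
}

# Test allow - empty findings
test_allow_empty_findings if {
	allow with input as {
		"cve_findings": [],
		"config": {},
	}
}

# Test only_reachable filters unreachable KEV
# With the reachability filter on, a KEV that is not reachable is not blocking.
test_only_reachable_filters_unreachable_kev if {
	allow with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": true, "is_reachable": false},
		],
		"config": {"only_reachable": true},
	}
}

# Test only_reachable still denies a reachable KEV
# Complement of the test above: guards against a regression where the
# reachability filter drops every KEV finding and the gate silently allows.
test_only_reachable_denies_reachable_kev if {
	not allow with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": true, "is_reachable": true},
		],
		"config": {"only_reachable": true},
	}
}

# Test unreachable KEV is still denied when only_reachable is not enabled
# Reachability must only matter when the config opts into it.
test_deny_unreachable_kev_without_only_reachable if {
	not allow with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": true, "is_reachable": false},
		],
		"config": {},
	}
}

# NOTE(review): a KEV finding with no `is_reachable` field while
# `only_reachable` is true is not covered here; confirm the policy's
# behaviour for that case (fail-closed is the safer default) and add a test.

# Test denial message includes due date
test_deny_message_with_due_date if {
	msg := deny[_] with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-1234", "is_kev": true, "kev_due_date": "2024-02-15"},
		],
		"config": {},
	}
	contains(msg, "CVE-2024-1234")
	contains(msg, "2024-02-15")
}

# Test denial message without due date
# When no kev_due_date is present the message still names the CVE and
# explains why it is blocked.
test_deny_message_without_due_date if {
	msg := deny[_] with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-5678", "is_kev": true},
		],
		"config": {},
	}
	contains(msg, "CVE-2024-5678")
	contains(msg, "actively exploited")
}

# Test summary structure
# total_cves counts every finding; kev_count counts only is_kev == true,
# regardless of whether a due date is present.
test_summary_structure if {
	s := summary with input as {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "is_kev": false},
			{"cve_id": "CVE-2024-0002", "is_kev": true, "kev_due_date": "2024-02-15"},
			{"cve_id": "CVE-2024-0003", "is_kev": true},
		],
		"config": {},
	}
	s.total_cves == 3
	s.kev_count == 2
}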