using System; using System.Globalization; using StellaOps.Concelier.Connector.StellaOpsMirror.Internal; using StellaOps.Concelier.Models; namespace StellaOps.Concelier.Connector.StellaOpsMirror.Tests; internal static class SampleData { public const string BundleFixture = "mirror-bundle.sample.json"; public const string AdvisoryFixture = "mirror-advisory.expected.json"; public const string TargetRepository = "mirror-primary"; public const string DomainId = "primary"; public const string AdvisoryKey = "CVE-2025-1111"; public const string GhsaAlias = "GHSA-xxxx-xxxx-xxxx"; public static DateTimeOffset GeneratedAt { get; } = new(2025, 10, 19, 12, 0, 0, TimeSpan.Zero); public static MirrorBundleDocument CreateBundle() => new( SchemaVersion: 1, GeneratedAt: GeneratedAt, TargetRepository: TargetRepository, DomainId: DomainId, DisplayName: "Primary Mirror", AdvisoryCount: 1, Advisories: new[] { CreateSourceAdvisory() }, Sources: new[] { new MirrorSourceSummary("ghsa", GeneratedAt, GeneratedAt, 1) }); public static Advisory CreateExpectedMappedAdvisory() { var baseAdvisory = CreateSourceAdvisory(); var recordedAt = GeneratedAt.ToUniversalTime(); var mirrorValue = BuildMirrorValue(recordedAt); var topProvenance = baseAdvisory.Provenance.Add(new AdvisoryProvenance( StellaOpsMirrorConnector.Source, "map", mirrorValue, recordedAt, new[] { ProvenanceFieldMasks.Advisory, ProvenanceFieldMasks.References, ProvenanceFieldMasks.Credits, ProvenanceFieldMasks.CvssMetrics, ProvenanceFieldMasks.Weaknesses, })); var package = baseAdvisory.AffectedPackages[0]; var packageProvenance = package.Provenance.Add(new AdvisoryProvenance( StellaOpsMirrorConnector.Source, "map", $"{mirrorValue};package={package.Identifier}", recordedAt, new[] { ProvenanceFieldMasks.AffectedPackages, ProvenanceFieldMasks.VersionRanges, ProvenanceFieldMasks.PackageStatuses, ProvenanceFieldMasks.NormalizedVersions, })); var updatedPackage = new AffectedPackage( package.Type, package.Identifier, package.Platform, package.VersionRanges, package.Statuses, packageProvenance, package.NormalizedVersions); return new Advisory( AdvisoryKey, baseAdvisory.Title, baseAdvisory.Summary, baseAdvisory.Language, baseAdvisory.Published, baseAdvisory.Modified, baseAdvisory.Severity, baseAdvisory.ExploitKnown, new[] { AdvisoryKey, GhsaAlias }, baseAdvisory.Credits, baseAdvisory.References, new[] { updatedPackage }, baseAdvisory.CvssMetrics, topProvenance, baseAdvisory.Description, baseAdvisory.Cwes, baseAdvisory.CanonicalMetricId); } private static Advisory CreateSourceAdvisory() { var recordedAt = GeneratedAt.ToUniversalTime(); var reference = new AdvisoryReference( "https://example.com/advisory", "advisory", "vendor", "Vendor bulletin", new AdvisoryProvenance( "ghsa", "map", "reference", recordedAt, new[] { ProvenanceFieldMasks.References, })); var credit = new AdvisoryCredit( "Security Researcher", "reporter", new[] { "mailto:researcher@example.com" }, new AdvisoryProvenance( "ghsa", "map", "credit", recordedAt, new[] { ProvenanceFieldMasks.Credits, })); var semVerPrimitive = new SemVerPrimitive( Introduced: "1.0.0", IntroducedInclusive: true, Fixed: "1.2.0", FixedInclusive: false, LastAffected: null, LastAffectedInclusive: true, ConstraintExpression: ">=1.0.0,<1.2.0", ExactValue: null); var range = new AffectedVersionRange( rangeKind: "semver", introducedVersion: "1.0.0", fixedVersion: "1.2.0", lastAffectedVersion: null, rangeExpression: ">=1.0.0,<1.2.0", provenance: new AdvisoryProvenance( "ghsa", "map", "range", recordedAt, new[] { ProvenanceFieldMasks.VersionRanges, }), primitives: new RangePrimitives(semVerPrimitive, null, null, null)); var status = new AffectedPackageStatus( "fixed", new AdvisoryProvenance( "ghsa", "map", "status", recordedAt, new[] { ProvenanceFieldMasks.PackageStatuses, })); var normalizedRule = new NormalizedVersionRule( scheme: "semver", type: "range", min: "1.0.0", minInclusive: true, max: "1.2.0", maxInclusive: false, value: null, notes: null); var package = new AffectedPackage( AffectedPackageTypes.SemVer, "pkg:npm/example@1.0.0", platform: null, versionRanges: new[] { range }, statuses: new[] { status }, provenance: new[] { new AdvisoryProvenance( "ghsa", "map", "package", recordedAt, new[] { ProvenanceFieldMasks.AffectedPackages, }) }, normalizedVersions: new[] { normalizedRule }); var cvss = new CvssMetric( "3.1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "critical", new AdvisoryProvenance( "ghsa", "map", "cvss", recordedAt, new[] { ProvenanceFieldMasks.CvssMetrics, })); var weakness = new AdvisoryWeakness( "cwe", "CWE-79", "Cross-site Scripting", "https://cwe.mitre.org/data/definitions/79.html", new[] { new AdvisoryProvenance( "ghsa", "map", "cwe", recordedAt, new[] { ProvenanceFieldMasks.Weaknesses, }) }); var advisory = new Advisory( AdvisoryKey, "Sample Mirror Advisory", "Upstream advisory replicated through StellaOps mirror.", "en", published: new DateTimeOffset(2025, 10, 10, 0, 0, 0, TimeSpan.Zero), modified: new DateTimeOffset(2025, 10, 11, 0, 0, 0, TimeSpan.Zero), severity: "high", exploitKnown: false, aliases: new[] { GhsaAlias }, credits: new[] { credit }, references: new[] { reference }, affectedPackages: new[] { package }, cvssMetrics: new[] { cvss }, provenance: new[] { new AdvisoryProvenance( "ghsa", "map", "advisory", recordedAt, new[] { ProvenanceFieldMasks.Advisory, }) }, description: "Deterministic test payload distributed via mirror.", cwes: new[] { weakness }, canonicalMetricId: "cvss::ghsa::CVE-2025-1111"); return CanonicalJsonSerializer.Normalize(advisory); } private static string BuildMirrorValue(DateTimeOffset recordedAt) => $"domain={DomainId};repository={TargetRepository};generated={recordedAt.ToString("O", CultureInfo.InvariantCulture)}"; }