# -----------------------------------------------------------------------------
# reachable-cve_test.rego
# Tests for the reachability-aware CVE gate: the allow, deny and summary
# rules of package stellaops.gates.reachable (defined in the sibling policy file)
# -----------------------------------------------------------------------------
package stellaops.gates.reachable
import future.keywords.if
# allow: a finding above the severity threshold that the analyzer marks as
# unreachable must not block the gate.
# NOTE(review): no test in this file feeds a finding that carries neither
# `is_reachable` nor `reachability_state`; the gate should fail closed on
# unknown reachability, and that case deserves its own test.
test_allow_high_not_reachable if {
	unreachable_high := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 9.0,
			"is_reachable": false,
		}],
		"config": {"severity_threshold": 7.0},
	}
	allow with input as unreachable_high
}
# allow: reachable, but a CVSS of 5.0 sits below the 7.0 threshold.
# NOTE(review): the boundary (cvss_score == severity_threshold) is not pinned
# anywhere in this file; confirm whether the gate compares with >= or > and add
# a test so the inclusive/exclusive choice cannot drift silently.
test_allow_reachable_below_threshold if {
	reachable_medium := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 5.0,
			"is_reachable": true,
		}],
		"config": {"severity_threshold": 7.0},
	}
	allow with input as reachable_medium
}
# deny: reachable AND above threshold is the core blocking case for this gate.
test_deny_reachable_above_threshold if {
	reachable_high := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 8.5,
			"is_reachable": true,
		}],
		"config": {"severity_threshold": 7.0},
	}
	not allow with input as reachable_high
}
# deny: the enum-style `reachability_state` field must be honoured as an
# alternative to the boolean `is_reachable` (no boolean is supplied here).
test_deny_confirmed_reachable_state if {
	confirmed := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 8.5,
			"reachability_state": "confirmed_reachable",
		}],
		"config": {"severity_threshold": 7.0},
	}
	not allow with input as confirmed
}
# allow: `reachability_state: "not_reachable"` suppresses even a 9.5 finding.
# NOTE(review): the test takes the reachability claim in the input document at
# face value; whether the gate can trust that field (i.e. that it originates
# from the analyzer and not from whoever assembles the input) is not something
# this file establishes. Conflicting signals — `is_reachable: true` together
# with `reachability_state: "not_reachable"` — are also untested here.
test_allow_not_reachable_state if {
	suppressed_critical := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 9.5,
			"reachability_state": "not_reachable",
		}],
		"config": {"severity_threshold": 7.0},
	}
	allow with input as suppressed_critical
}
# deny: in "production" the per-environment threshold (4.0) must win over the
# global one (7.0), so a reachable 5.0 is blocked.
# NOTE(review): only the tightening direction is covered; an environment entry
# that loosens the threshold above the global value, and an `environment` key
# with no matching `config.environments` entry, have no test in this file.
test_environment_threshold_override if {
	prod_doc := {
		"cve_findings": [{
			"cve_id": "CVE-2024-0001",
			"cvss_score": 5.0,
			"is_reachable": true,
		}],
		"environment": "production",
		"config": {
			"severity_threshold": 7.0,
			"environments": {"production": {"severity_threshold": 4.0}},
		},
	}
	not allow with input as prod_doc
}
# deny message: at least one entry in the deny set must name both the CVE id
# and the CVSS score, so operators can act on the message alone.
# NOTE(review): this does not pin the number of messages produced for a single
# finding; if that matters for downstream tooling, assert `count(deny) == 1`
# under the same input.
test_deny_message_content if {
	single_reachable := {
		"cve_findings": [{
			"cve_id": "CVE-2024-1234",
			"cvss_score": 8.1,
			"is_reachable": true,
		}],
		"config": {"severity_threshold": 7.0},
	}
	msg := deny[_] with input as single_reachable
	contains(msg, "CVE-2024-1234")
	contains(msg, "8.1")
}
# summary: three findings — one reachable+high, one unreachable+high, one
# reachable+low — must be counted into the expected buckets.
test_summary_structure if {
	mixed_doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "cvss_score": 9.0, "is_reachable": true},
			{"cve_id": "CVE-2024-0002", "cvss_score": 8.0, "is_reachable": false},
			{"cve_id": "CVE-2024-0003", "cvss_score": 5.0, "is_reachable": true},
		],
		"config": {"severity_threshold": 7.0},
	}
	report := summary with input as mixed_doc
	report.total_cves == 3
	report.reachable_high_severity == 1
	report.unreachable_high_severity == 1
}