git.stella-ops.org/examples/policies/opa/release-aggregate_test.rego
# -----------------------------------------------------------------------------
# release-aggregate_test.rego
# Tests for aggregate CVE limits policy
# -----------------------------------------------------------------------------
package stellaops.gates.aggregate
import future.keywords.if
# Test allow - within all limits
test_allow_within_limits if {
    # Two high findings (8.0, 7.5) and one medium (5.0): each bucket stays
    # at or under its configured ceiling, so the gate must allow.
    fixture := {
        "config": {"max_critical": 0, "max_high": 3, "max_medium": 20},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 8.0},
            {"cve_id": "CVE-2024-0002", "cvss_score": 7.5},
            {"cve_id": "CVE-2024-0003", "cvss_score": 5.0},
        ],
    }
    allow with input as fixture
}
# Test deny - critical exceeds limit
test_deny_critical_exceeds if {
    # A single critical finding against a zero critical budget: the gate
    # must not allow.
    fixture := {
        "config": {"max_critical": 0},
        "cve_findings": [{"cve_id": "CVE-2024-0001", "cvss_score": 9.5}],
    }
    not allow with input as fixture
}
# Test deny - high exceeds limit
test_deny_high_exceeds if {
    # Four high findings (7.0 to 8.5) against max_high 3: one over budget,
    # so the gate must not allow. No critical findings are present.
    fixture := {
        "config": {"max_high": 3},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 8.0},
            {"cve_id": "CVE-2024-0002", "cvss_score": 7.5},
            {"cve_id": "CVE-2024-0003", "cvss_score": 8.5},
            {"cve_id": "CVE-2024-0004", "cvss_score": 7.0},
        ],
    }
    not allow with input as fixture
}
# Test allow - empty findings
test_allow_empty_findings if {
    # No findings at all: every count is zero and the gate must allow.
    fixture := {
        "config": {"max_critical": 0, "max_high": 3},
        "cve_findings": [],
    }
    allow with input as fixture
}
# Test only_reachable filter
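test_only_reachable_filters if {
    # With only_reachable enabled, an unreachable critical finding must be
    # ignored, so a zero critical budget still allows.
    unreachable := {
        "config": {"max_critical": 0, "only_reachable": true},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 9.5, "is_reachable": false},
        ],
    }
    allow with input as unreachable

    # Positive control: the same finding marked reachable must still count.
    # Without this the test would also pass if only_reachable dropped every
    # finding, i.e. a fail-open filter.
    reachable := {
        "config": {"max_critical": 0, "only_reachable": true},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 9.5, "is_reachable": true},
        ],
    }
    not allow with input as reachable
}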
# Test exclude suppressed
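test_exclude_suppressed if {
    # With count_suppressed false, a suppressed critical finding must be
    # excluded, so a zero critical budget still allows.
    excluded := {
        "config": {"max_critical": 0, "count_suppressed": false},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 9.5, "is_suppressed": true},
        ],
    }
    allow with input as excluded

    # Positive control: when count_suppressed is true the same finding is
    # counted and must breach the zero critical budget. This guards against
    # a policy that silently drops suppressed findings regardless of config.
    counted := {
        "config": {"max_critical": 0, "count_suppressed": true},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 9.5, "is_suppressed": true},
        ],
    }
    not allow with input as counted
}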
# Test environment override
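test_environment_override if {
    # The staging override raises max_critical from 0 to 1, so one critical
    # finding is within budget for staging and the gate must allow.
    staging := {
        "environment": "staging",
        "config": {
            "max_critical": 0,
            "environments": {"staging": {"max_critical": 1}},
        },
        "cve_findings": [{"cve_id": "CVE-2024-0001", "cvss_score": 9.5}],
    }
    allow with input as staging

    # Control: an environment with no override entry must fall back to the
    # base limit (max_critical 0) and therefore be denied. This catches an
    # override lookup that resolves to "no limit" for unknown environments.
    production := {
        "environment": "production",
        "config": {
            "max_critical": 0,
            "environments": {"staging": {"max_critical": 1}},
        },
        "cve_findings": [{"cve_id": "CVE-2024-0001", "cvss_score": 9.5}],
    }
    not allow with input as production
}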
# Test severity classification
test_severity_classification if {
    # One finding per bucket boundary plus one with no cvss_score at all,
    # which must land in "unknown" rather than being dropped. The bucket
    # counts must add up to the total.
    fixture := {
        "config": {},
        "cve_findings": [
            {"cve_id": "CVE-001", "cvss_score": 9.5},
            {"cve_id": "CVE-002", "cvss_score": 8.0},
            {"cve_id": "CVE-003", "cvss_score": 7.0},
            {"cve_id": "CVE-004", "cvss_score": 5.0},
            {"cve_id": "CVE-005", "cvss_score": 3.0},
            {"cve_id": "CVE-006"},
        ],
    }
    got := counts with input as fixture

    got.critical == 1
    got.high == 2
    got.medium == 1
    got.low == 1
    got.unknown == 1
    got.total == 6
}
# Test denial message content
test_deny_message_critical if {
    # At least one denial message must name the breached bucket and show
    # the observed-vs-limit figures ("1 > 0") so operators can act on it.
    fixture := {
        "config": {"max_critical": 0},
        "cve_findings": [{"cve_id": "CVE-2024-0001", "cvss_score": 9.5}],
    }
    reason := deny[_] with input as fixture

    contains(reason, "Critical")
    contains(reason, "1 > 0")
}
# Test summary structure
test_summary_structure if {
    # The summary must echo the per-bucket counts, the limits taken from
    # config, and the environment the evaluation ran against.
    fixture := {
        "environment": "production",
        "config": {"max_high": 3, "max_medium": 20},
        "cve_findings": [
            {"cve_id": "CVE-2024-0001", "cvss_score": 8.0},
            {"cve_id": "CVE-2024-0002", "cvss_score": 5.0},
        ],
    }
    report := summary with input as fixture

    report.counts.high == 1
    report.counts.medium == 1
    report.limits.max_high == 3
    report.limits.max_medium == 20
    report.environment == "production"
}