using StellaOps.Scanner.BuildProvenance.Analyzers;
using StellaOps.Scanner.BuildProvenance.Models;
using StellaOps.Scanner.BuildProvenance.Policy;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Scanner.BuildProvenance.Tests;
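public sealed class BuildConfigVerifierTests
{
    /// <summary>
    /// A build config whose recorded digest does not match the file on disk must
    /// yield an <see cref="BuildProvenanceFindingType.OutputMismatch"/> finding
    /// when the policy requires the config digest.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void Verify_FlagsDigestMismatch()
    {
        // GetTempFileName already creates the file on disk; it is deleted in the
        // finally block so neither a pass nor a failing assertion leaves a stray
        // file in the temp directory (the original test never removed it).
        var tempPath = Path.GetTempFileName();
        try
        {
            File.WriteAllText(tempPath, "build-config");

            // "sha256:deadbeef" is a deliberately wrong digest for the content
            // written above, so a correct verifier has to report the mismatch.
            var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
            {
                builder.WithConfig(tempPath, "sha256:deadbeef");
            });

            var sbom = TestSbomFactory.CreateSbom(buildInfo);
            var chain = new BuildProvenanceChainBuilder().Build(sbom);

            // Require the config digest explicitly rather than relying on
            // whatever the default policy does.
            var policy = BuildProvenancePolicyDefaults.Default with
            {
                BuildRequirements = BuildProvenancePolicyDefaults.Default.BuildRequirements with
                {
                    RequireConfigDigest = true
                }
            };

            var verifier = new BuildConfigVerifier();
            var findings = verifier.Verify(sbom, chain, policy).ToList();

            Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.OutputMismatch);
        }
        finally
        {
            // File.Delete is a no-op if the file is already gone.
            File.Delete(tempPath);
        }
    }

    /// <summary>
    /// A build environment entry named API_TOKEN must be reported as an
    /// <see cref="BuildProvenanceFindingType.EnvironmentVariableLeak"/> under the
    /// default policy (presumably matched on the variable name; confirm against
    /// the verifier's sensitive-name rules).
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void Verify_FlagsSensitiveEnvironmentVariables()
    {
        var buildInfo = TestSbomFactory.CreateBuildInfo(builder =>
        {
            builder.WithEnvironment("API_TOKEN", "secret");
        });

        var sbom = TestSbomFactory.CreateSbom(buildInfo);
        var chain = new BuildProvenanceChainBuilder().Build(sbom);

        // No policy override here: the leak check is expected to fire with defaults.
        var policy = BuildProvenancePolicyDefaults.Default;

        var verifier = new BuildConfigVerifier();
        var findings = verifier.Verify(sbom, chain, policy).ToList();

        Assert.Contains(findings, f => f.Type == BuildProvenanceFindingType.EnvironmentVariableLeak);
    }
}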