- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints. - Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication. - Developed ConcelierExporterClient for managing Trivy DB settings and export operations. - Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering. - Implemented styles and HTML structure for Trivy DB settings page. - Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.
using System;
using System.Globalization;
using StellaOps.Concelier.Connector.StellaOpsMirror.Internal;
using StellaOps.Concelier.Models;
namespace StellaOps.Concelier.Connector.StellaOpsMirror.Tests;
/// <summary>
/// Shared fixture data for the StellaOps mirror connector tests: the sample bundle,
/// the upstream ("ghsa") advisory it carries, and the advisory the connector is expected
/// to produce once it has mapped that upstream record.
/// </summary>
/// <remarks>
/// Every timestamp is pinned to <see cref="GeneratedAt"/> (a fixed UTC instant) so that
/// serialized output is byte-for-byte deterministic across runs.
/// NOTE(review): the bundle assembled here carries no signature or digest material, so
/// tests driven by this fixture do not exercise bundle authenticity checks — confirm
/// those are covered elsewhere before relying on these tests for trust-boundary coverage.
/// </remarks>
internal static class SampleData
{
    /// <summary>File name of the serialized mirror bundle fixture.</summary>
    public const string BundleFixture = "mirror-bundle.sample.json";

    /// <summary>File name of the fixture holding the expected mapped advisory.</summary>
    public const string AdvisoryFixture = "mirror-advisory.expected.json";

    /// <summary>Repository identifier the sample bundle targets.</summary>
    public const string TargetRepository = "mirror-primary";

    /// <summary>Mirror domain identifier carried by the sample bundle.</summary>
    public const string DomainId = "primary";

    /// <summary>Primary key of the sample advisory (a CVE identifier).</summary>
    public const string AdvisoryKey = "CVE-2025-1111";

    /// <summary>Placeholder GHSA alias attached to the sample advisory.</summary>
    public const string GhsaAlias = "GHSA-xxxx-xxxx-xxxx";

    /// <summary>
    /// The single instant used for bundle generation and for every provenance
    /// <c>recordedAt</c> in the fixture. Built with a zero offset, i.e. already UTC.
    /// </summary>
    public static DateTimeOffset GeneratedAt { get; } = new DateTimeOffset(2025, 10, 19, 12, 0, 0, TimeSpan.Zero);

    // Source/kind labels stamped on every provenance entry of the upstream advisory.
    private const string UpstreamSource = "ghsa";
    private const string MapKind = "map";

    /// <summary>
    /// Builds the sample <see cref="MirrorBundleDocument"/>: schema version 1, one
    /// advisory (<see cref="CreateSourceAdvisory"/>), and one "ghsa" source summary.
    /// </summary>
    public static MirrorBundleDocument CreateBundle()
    {
        var sourceSummaries = new[]
        {
            new MirrorSourceSummary(UpstreamSource, GeneratedAt, GeneratedAt, 1),
        };

        return new MirrorBundleDocument(
            SchemaVersion: 1,
            GeneratedAt: GeneratedAt,
            TargetRepository: TargetRepository,
            DomainId: DomainId,
            DisplayName: "Primary Mirror",
            AdvisoryCount: 1,
            Advisories: new[] { CreateSourceAdvisory() },
            Sources: sourceSummaries);
    }

    /// <summary>
    /// Builds the advisory the connector is expected to emit after mapping the upstream
    /// record from <see cref="CreateSourceAdvisory"/>.
    /// </summary>
    /// <remarks>
    /// The expectation differs from the upstream advisory in three places: a mirror
    /// provenance entry (source <see cref="StellaOpsMirrorConnector.Source"/>, kind "map",
    /// value from <see cref="BuildMirrorValue"/>) is appended at the advisory level; a
    /// second mirror provenance entry, suffixed with the package identifier, is appended to
    /// the single affected package; and the alias list names the advisory key itself
    /// alongside the GHSA alias. All other fields are copied through unchanged.
    /// </remarks>
    public static Advisory CreateExpectedMappedAdvisory()
    {
        Advisory upstream = CreateSourceAdvisory();
        // GeneratedAt already has a zero offset, so this conversion does not alter the value.
        DateTimeOffset recordedAt = GeneratedAt.ToUniversalTime();
        string mirrorValue = BuildMirrorValue(recordedAt);

        // Advisory-level mirror provenance: which top-level fields the mirror step touched.
        var advisoryMasks = new[]
        {
            ProvenanceFieldMasks.Advisory,
            ProvenanceFieldMasks.References,
            ProvenanceFieldMasks.Credits,
            ProvenanceFieldMasks.CvssMetrics,
            ProvenanceFieldMasks.Weaknesses,
        };
        var advisoryProvenance = upstream.Provenance.Add(new AdvisoryProvenance(
            StellaOpsMirrorConnector.Source,
            MapKind,
            mirrorValue,
            recordedAt,
            advisoryMasks));

        // Package-level mirror provenance; the value is qualified with the package identifier.
        AffectedPackage original = upstream.AffectedPackages[0];
        var packageMasks = new[]
        {
            ProvenanceFieldMasks.AffectedPackages,
            ProvenanceFieldMasks.VersionRanges,
            ProvenanceFieldMasks.PackageStatuses,
            ProvenanceFieldMasks.NormalizedVersions,
        };
        var packageProvenance = original.Provenance.Add(new AdvisoryProvenance(
            StellaOpsMirrorConnector.Source,
            MapKind,
            $"{mirrorValue};package={original.Identifier}",
            recordedAt,
            packageMasks));

        var mappedPackage = new AffectedPackage(
            original.Type,
            original.Identifier,
            original.Platform,
            original.VersionRanges,
            original.Statuses,
            packageProvenance,
            original.NormalizedVersions);

        return new Advisory(
            AdvisoryKey,
            upstream.Title,
            upstream.Summary,
            upstream.Language,
            upstream.Published,
            upstream.Modified,
            upstream.Severity,
            upstream.ExploitKnown,
            new[] { AdvisoryKey, GhsaAlias },
            upstream.Credits,
            upstream.References,
            new[] { mappedPackage },
            upstream.CvssMetrics,
            advisoryProvenance,
            upstream.Description,
            upstream.Cwes,
            upstream.CanonicalMetricId);
    }

    /// <summary>
    /// Builds the upstream advisory as it arrives inside the mirror bundle: one reference,
    /// one credit, one semver-ranged npm package, one CVSS 3.1 metric and one CWE, each
    /// carrying a "ghsa"/"map" provenance entry. The result is passed through
    /// <see cref="CanonicalJsonSerializer.Normalize"/> so ordering is canonical.
    /// </summary>
    private static Advisory CreateSourceAdvisory()
    {
        // GeneratedAt already has a zero offset, so this conversion does not alter the value.
        DateTimeOffset recordedAt = GeneratedAt.ToUniversalTime();

        // Scoring and classification first; neither depends on the package data below.
        var cvss = new CvssMetric(
            "3.1",
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            9.8,
            "critical",
            new AdvisoryProvenance(
                UpstreamSource,
                MapKind,
                "cvss",
                recordedAt,
                new[] { ProvenanceFieldMasks.CvssMetrics }));

        var weakness = new AdvisoryWeakness(
            "cwe",
            "CWE-79",
            "Cross-site Scripting",
            "https://cwe.mitre.org/data/definitions/79.html",
            new[]
            {
                new AdvisoryProvenance(
                    UpstreamSource,
                    MapKind,
                    "cwe",
                    recordedAt,
                    new[] { ProvenanceFieldMasks.Weaknesses }),
            });

        var reference = new AdvisoryReference(
            "https://example.com/advisory",
            "advisory",
            "vendor",
            "Vendor bulletin",
            new AdvisoryProvenance(
                UpstreamSource,
                MapKind,
                "reference",
                recordedAt,
                new[] { ProvenanceFieldMasks.References }));

        var credit = new AdvisoryCredit(
            "Security Researcher",
            "reporter",
            new[] { "mailto:researcher@example.com" },
            new AdvisoryProvenance(
                UpstreamSource,
                MapKind,
                "credit",
                recordedAt,
                new[] { ProvenanceFieldMasks.Credits }));

        var package = CreateSourcePackage(recordedAt);

        var advisory = new Advisory(
            AdvisoryKey,
            "Sample Mirror Advisory",
            "Upstream advisory replicated through StellaOps mirror.",
            "en",
            published: new DateTimeOffset(2025, 10, 10, 0, 0, 0, TimeSpan.Zero),
            modified: new DateTimeOffset(2025, 10, 11, 0, 0, 0, TimeSpan.Zero),
            severity: "high",
            exploitKnown: false,
            aliases: new[] { GhsaAlias },
            credits: new[] { credit },
            references: new[] { reference },
            affectedPackages: new[] { package },
            cvssMetrics: new[] { cvss },
            provenance: new[]
            {
                new AdvisoryProvenance(
                    UpstreamSource,
                    MapKind,
                    "advisory",
                    recordedAt,
                    new[] { ProvenanceFieldMasks.Advisory }),
            },
            description: "Deterministic test payload distributed via mirror.",
            cwes: new[] { weakness },
            canonicalMetricId: "cvss::ghsa::CVE-2025-1111");

        return CanonicalJsonSerializer.Normalize(advisory);
    }

    /// <summary>
    /// Builds the single affected package of the upstream advisory: npm package
    /// <c>example</c>, vulnerable in <c>[1.0.0, 1.2.0)</c>, status "fixed", with the same
    /// range expressed as a semver primitive, an <see cref="AffectedVersionRange"/> and a
    /// <see cref="NormalizedVersionRule"/>.
    /// </summary>
    /// <param name="recordedAt">Timestamp stamped on every provenance entry of the package.</param>
    private static AffectedPackage CreateSourcePackage(DateTimeOffset recordedAt)
    {
        var semVer = new SemVerPrimitive(
            Introduced: "1.0.0",
            IntroducedInclusive: true,
            Fixed: "1.2.0",
            FixedInclusive: false,
            LastAffected: null,
            LastAffectedInclusive: true,
            ConstraintExpression: ">=1.0.0,<1.2.0",
            ExactValue: null);

        var range = new AffectedVersionRange(
            rangeKind: "semver",
            introducedVersion: "1.0.0",
            fixedVersion: "1.2.0",
            lastAffectedVersion: null,
            rangeExpression: ">=1.0.0,<1.2.0",
            provenance: new AdvisoryProvenance(
                UpstreamSource,
                MapKind,
                "range",
                recordedAt,
                new[] { ProvenanceFieldMasks.VersionRanges }),
            primitives: new RangePrimitives(semVer, null, null, null));

        var status = new AffectedPackageStatus(
            "fixed",
            new AdvisoryProvenance(
                UpstreamSource,
                MapKind,
                "status",
                recordedAt,
                new[] { ProvenanceFieldMasks.PackageStatuses }));

        var normalized = new NormalizedVersionRule(
            scheme: "semver",
            type: "range",
            min: "1.0.0",
            minInclusive: true,
            max: "1.2.0",
            maxInclusive: false,
            value: null,
            notes: null);

        return new AffectedPackage(
            AffectedPackageTypes.SemVer,
            "pkg:npm/example@1.0.0",
            platform: null,
            versionRanges: new[] { range },
            statuses: new[] { status },
            provenance: new[]
            {
                new AdvisoryProvenance(
                    UpstreamSource,
                    MapKind,
                    "package",
                    recordedAt,
                    new[] { ProvenanceFieldMasks.AffectedPackages }),
            },
            normalizedVersions: new[] { normalized });
    }

    /// <summary>
    /// Formats the provenance value the expected mapped advisory records for the mirror
    /// step: <c>domain=…;repository=…;generated=…</c>, with the timestamp in round-trip
    /// ("O") form under the invariant culture so the string is locale-independent.
    /// </summary>
    /// <param name="recordedAt">Instant the mirror mapping is recorded at.</param>
    /// <returns>The semicolon-separated key/value string.</returns>
    private static string BuildMirrorValue(DateTimeOffset recordedAt)
    {
        string generated = recordedAt.ToString("O", CultureInfo.InvariantCulture);
        return $"domain={DomainId};repository={TargetRepository};generated={generated}";
    }
}