Skip to content

[Phase 1] End-to-end tests + fixtures (log4j, openssl, synthetic_cpp) #12

Description

@varun-polpakkara

Summary

Full pipeline runs against real fixture projects with real tools installed. Tagged @pytest.mark.e2e so CI can skip them in quick-check mode.

Fixtures needed

  • tests/fixtures/log4j/pom.xml declaring log4j-core 2.14.1 (exists)
  • tests/fixtures/openssl/ — project declaring openssl 1.0.1 (missing, needs to be created)
  • tests/fixtures/synthetic_cpp/reachable/ — small C++ project with a call into a vulnerable function (missing)
  • tests/fixtures/synthetic_cpp/not_reachable/ — same project with the call removed (missing)

Verification scenarios

  1. Log4Shell: fixtures/log4j/ -> CVE-2021-44228 as CRITICAL for log4j-core@2.14.1, reachability REACHABLE, exploit availability WEAPONIZED
  2. Heartbleed: fixtures/openssl/ -> CVE-2014-0160 as CRITICAL for openssl@1.0.1
  3. Reachability filter: reachable fixture -> REACHABLE; not-reachable fixture -> NOT_REACHABLE
  4. Triage audit: triage update -> triage history shows the exact change row (append-only confirmed)
  5. Report content: engineering report has CVE IDs + CVSS scores + fix versions; exec summary has ISO 21434 / UNECE R155 language
  6. Resume: full scan -> re-run with --start-from 5 -> no duplicate SBOMSnapshot rows, Stage 1-4 data unchanged

Run

# requires syft, grype, osv-scanner, opengrep installed
cd cyberguard && uv run pytest tests/e2e/ -m e2e -v

Metadata

Metadata

Assignees

No one assigned

    Labels

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions