forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! FJ-3207: SARIF output tests.

use super::*;

#[test]
fn sarif_empty_violations() {
    let yaml = r#"
version: "1.0"
name: test
resources:
  pkg:
    type: package
    packages: [curl]
"#;
    let config = parse_config(yaml).unwrap();
    let result = evaluate_policies_full(&config);
    let sarif = policy_check_to_sarif(&result);

    let parsed: serde_json::Value = serde_json::from_str(&sarif).unwrap();
    assert_eq!(parsed["version"], "2.1.0");
    assert_eq!(parsed["runs"][0]["results"].as_array().unwrap().len(), 0);
}

#[test]
fn sarif_with_violations() {
    let yaml = r#"
version: "1.0"
name: test
machines:
  m1:
    hostname: m1
    addr: 1.2.3.4
resources:
  cfg:
    type: file
    machine: m1
    path: /etc/app.conf
policies:
  - type: require
    message: "files must have owner"
    id: "SEC-001"
    field: owner
    remediation: "Add owner field"
"#;
    let config = parse_config(yaml).unwrap();
    let result = evaluate_policies_full(&config);
    let sarif = policy_check_to_sarif(&result);

    let parsed: serde_json::Value = serde_json::from_str(&sarif).unwrap();
    assert_eq!(parsed["version"], "2.1.0");

    let run = &parsed["runs"][0];
    assert_eq!(run["tool"]["driver"]["name"], "forjar");

    let rules = run["tool"]["driver"]["rules"].as_array().unwrap();
    assert_eq!(rules.len(), 1);
    assert_eq!(rules[0]["id"], "SEC-001");

    let results = run["results"].as_array().unwrap();
    assert_eq!(results.len(), 1);
    assert_eq!(results[0]["ruleId"], "SEC-001");
    assert_eq!(results[0]["level"], "error");
    assert!(results[0]["message"]["text"]
        .as_str()
        .unwrap()
        .contains("files must have owner"));
}

#[test]
fn sarif_severity_mapping() {
    let yaml = r#"
version: "1.0"
name: test
machines:
  m1:
    hostname: m1
    addr: 1.2.3.4
resources:
  cfg:
    type: file
    machine: m1
    path: /etc/app.conf
    owner: root
policies:
  - type: warn
    message: "avoid root owner"
    id: "WARN-001"
    condition_field: owner
    condition_value: root
  - type: deny
    message: "root owner denied"
    id: "ERR-001"
    condition_field: owner
    condition_value: root
    severity: info
"#;
    let config = parse_config(yaml).unwrap();
    let result = evaluate_policies_full(&config);
    let sarif = policy_check_to_sarif(&result);

    let parsed: serde_json::Value = serde_json::from_str(&sarif).unwrap();
    let results = parsed["runs"][0]["results"].as_array().unwrap();
    assert_eq!(results.len(), 2);

    // Warn type → warning severity → SARIF "warning"
    let warn_result = results.iter().find(|r| r["ruleId"] == "WARN-001").unwrap();
    assert_eq!(warn_result["level"], "warning");

    // Deny with severity override to info → SARIF "note"
    let info_result = results.iter().find(|r| r["ruleId"] == "ERR-001").unwrap();
    assert_eq!(info_result["level"], "note");
}

#[test]
fn sarif_schema_url() {
    let yaml = r#"
version: "1.0"
name: test
resources: {}
"#;
    let config = parse_config(yaml).unwrap();
    let result = evaluate_policies_full(&config);
    let sarif = policy_check_to_sarif(&result);

    let parsed: serde_json::Value = serde_json::from_str(&sarif).unwrap();
    assert!(parsed["$schema"]
        .as_str()
        .unwrap()
        .contains("sarif-schema-2.1.0"));
}