Skip to content

Deepen tests (~4x) + demos (~4x), harden malformed-input handling, fix POA&M numbering#6

Open
cognis-digital wants to merge 1 commit into
mainfrom
deepen-tests-demos-hardening
Open

Deepen tests (~4x) + demos (~4x), harden malformed-input handling, fix POA&M numbering#6
cognis-digital wants to merge 1 commit into
mainfrom
deepen-tests-demos-hardening

Conversation

@cognis-digital

Copy link
Copy Markdown
Owner

Summary

This PR roughly 4x's the depth of the repo across tests and demos, hardens input handling, and fixes two real bugs — with the public API unchanged.

Tests: 116 → 466 passing

New, offline, stdlib-only coverage for:

  • core — STIG-pack integrity (control/STIG/CCI/ATT&CK id shapes), scan() behaviour, parse-error and malformed-input paths, YAML pack emission.
  • cognis_mil — severity/finding/scanresult scoring, all six exporters (JSON/SARIF/Markdown/console/CSV/OSCAL) incl. empty-result and prop-toggling edge cases, the hash-chained AuditLog (edit/delete/reorder/non-JSON tamper detection), and the CAPCO-shape ClassificationBanner validator.
  • datafeeds — cache freshness, format decode, update/get error paths, and the air-gap snapshot_export/snapshot_import round-trip (incl. path-traversal neutralisation).
  • feeds — malformed OSCAL catalogs, crosswalk gaps, enhancement-notation normalisation (AC-6(2)ac-6.2), enrich idempotency.
  • fleet — correlation scope boundaries, drift in both directions, per-host POA&M numbering, render/parse-error handling.
  • CLI + make_cli + connect — every format, --fail-on gating, feeds subcommands, snapshot round-trip, the cognis-connect emit bridge.
  • fixtures + demos — every bundled fixture dir runs the full scan→enrich→POA&M pipeline; every runnable demo is asserted on its output content.

Demos: 5 → 20 runnable scenarios

All offline, exit 0, narrated (PYTHONUTF8=1), and registered in run_all.py + docs/DEMOS.md. Scenarios 6–20 cover multi-format export, malformed-input hardening, pack deployment, machine-JSON fleet posture, JSON POA&M, banner validation, the air-gap snapshot round-trip, countermeasure expansion, a three-tamper audit-chain proof, CI/CD fail-on gating, control-title resolution, drift regressions vs improvements, the full end-to-end RMF workflow, an ATT&CK coverage matrix, and the cognis-connect emit bridge.

Hardening + bug fixes (public API unchanged)

  1. Silent false-negative on malformed inputparse_osquery_results treated empty files and bare-list (single-query) osquery output as a clean host. For a compliance tool that manufactures false assurance. It now surfaces these as explicit diagnostics: scan() records a low-severity CO-PARSE finding, and fleet.scan_host() marks the host errored (ok=False).
  2. POA&M item numberingpoam_items() used a global counter, so the first item on a second host read web01-003 instead of web01-001. IDs are now per-asset sequential, the numbering an eMASS reviewer expects. (IDs remain globally unique via the host prefix.)

Verification

  • python -m pytest -q466 passed
  • python demos/run_all.py → exit 0

…mbering

Tests: 116 -> 466 passing. New coverage for the STIG pack + scan, the
cognis_mil models/exporters/audit/classmark layer, the datafeeds ingestion
engine (offline + air-gap snapshot), the feeds enrichment edge cases
(malformed OSCAL, crosswalk gaps, enhancement-notation normalisation),
extended fleet correlation/drift/POA&M, CLI error paths, the make_cli builder,
the connect bridge, demo output content, and fixture-directory integrity.

Demos: 5 -> 20 runnable scenarios (offline, exit 0, narrated), covering every
export format, malformed-input handling, pack deployment, machine-JSON fleet
posture, JSON POA&M, CAPCO banner validation, the air-gap snapshot round-trip,
countermeasure expansion, a three-tamper audit-chain proof, CI/CD fail-on
gating, control-title resolution, drift regressions vs improvements, the full
end-to-end RMF workflow, an ATT&CK coverage matrix, and the cognis-connect
emit bridge. run_all.py + docs/DEMOS.md updated.

Hardening + bug fixes (public API unchanged):
* parse_osquery_results now surfaces empty files, unreadable files, and
  bare-list (single-query) osquery output as explicit diagnostics instead of
  silently treating them as a clean host -- a dangerous false-negative for a
  compliance tool. scan() records these as low-severity CO-PARSE findings and
  fleet.scan_host() marks the host as errored (ok=False).
* poam_items() now numbers item IDs per affected asset (web01-001, db02-001)
  instead of using a global counter that made the first item on a second host
  read web01-003 -- the per-asset numbering an eMASS reviewer expects.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant