openclaw/test/scripts/check-opengrep-rule-metadata.test.ts

import { describe, expect, it } from "vitest";
import { validateRuleMetadata } from "../../security/opengrep/check-rule-metadata.mjs";

const validRule = {
  id: "ghsa-1234-abcd-5678.source-rule",
  metadata: {
    ghsa: "GHSA-1234-ABCD-5678",
    "advisory-url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-1234-ABCD-5678",
    "detector-bucket": "precise",
    "source-rule-id": "source-rule",
  },
};

describe("check-opengrep-rule-metadata", () => {
  it("accepts GHSA-backed rules with durable source metadata", () => {
    expect(validateRuleMetadata([validRule])).toEqual([]);
  });

  it("requires source metadata on every compiled rule", () => {
    expect(
      validateRuleMetadata([
        {
          id: "ghsa-1234-abcd-5678.source-rule",
          metadata: {
            ghsa: "GHSA-1234-ABCD-5678",
            "detector-bucket": "precise",
          },
        },
      ]),
    ).toEqual([
      "ghsa-1234-abcd-5678.source-rule: missing metadata.advisory-url",
      "ghsa-1234-abcd-5678.source-rule: missing metadata.source-rule-id",
    ]);
  });

  it("accepts non-GHSA source-backed rules with durable source metadata", () => {
    expect(
      validateRuleMetadata([
        {
          id: "cve-2026-12345.source-rule",
          metadata: {
            "advisory-id": "CVE-2026-12345",
            "advisory-url": "https://example.test/advisories/CVE-2026-12345",
            "detector-bucket": "precise",
            "source-rule-id": "source-rule",
          },
        },
      ]),
    ).toEqual([]);
  });

  it("keeps the source id, rule id, and GHSA advisory URL consistent", () => {
    expect(
      validateRuleMetadata([
        {
          ...validRule,
          metadata: {
            ...validRule.metadata,
            ghsa: "GHSA-9999-ABCD-5678",
            "advisory-url":
              "https://github.com/openclaw/openclaw/security/advisories/GHSA-1234-ABCD-5678",
          },
        },
      ]),
    ).toEqual([
      "ghsa-1234-abcd-5678.source-rule: source id in metadata (GHSA-9999-ABCD-5678) must match source id in rule id (ghsa-1234-abcd-5678)",
      "ghsa-1234-abcd-5678.source-rule: metadata.advisory-url must be https://github.com/openclaw/openclaw/security/advisories/GHSA-9999-ABCD-5678",
    ]);
  });
});