[pitboss] sweep after phase 01: 5 deferred items resolved

2026-06-15 20:05:13 +02:00 · 2026-05-11 21:38:09 -04:00 · 2026-05-11 21:38:09 -04:00 · 894f587b60
commit 894f587b60
parent a10aba5d1f
4 changed files with 385 additions and 0 deletions
--- a/src/commands/scan.rs
+++ b/src/commands/scan.rs
@ -192,6 +192,7 @@ fn is_zero_u64(v: &u64) -> bool {
    *v == 0
 }

+#[cfg(test)]
 impl Default for Diag {
    fn default() -> Self {
        Self {
@ -4264,3 +4265,122 @@ mod prioritize_tests {
        assert_eq!(j1, j2, "same input should produce same output");
    }
 }
+
+#[cfg(test)]
+mod stable_hash_tests {
+    use super::*;
+    use crate::evidence::Evidence;
+    use crate::labels::Cap;
+    use crate::patterns::{FindingCategory, Severity};
+
+    fn base_diag() -> Diag {
+        Diag {
+            path: "src/handler.rs".into(),
+            line: 42,
+            col: 5,
+            severity: Severity::High,
+            id: "taint-unsanitised-flow".into(),
+            category: FindingCategory::Security,
+            path_validated: false,
+            guard_kind: None,
+            message: None,
+            labels: vec![],
+            confidence: None,
+            evidence: Some(Evidence {
+                sink_caps: Cap::SQL_QUERY.bits(),
+                ..Default::default()
+            }),
+            rank_score: None,
+            rank_reason: None,
+            suppressed: false,
+            suppression: None,
+            rollup: None,
+            finding_id: String::new(),
+            alternative_finding_ids: vec![],
+            stable_hash: 0,
+        }
+    }
+
+    #[test]
+    fn compute_stable_hash_is_deterministic() {
+        let d = base_diag();
+        let h1 = compute_stable_hash(&d);
+        let h2 = compute_stable_hash(&d);
+        assert_eq!(h1, h2);
+        assert_ne!(h1, 0);
+    }
+
+    #[test]
+    fn compute_stable_hash_sensitive_to_rule_id() {
+        let d1 = base_diag();
+        let mut d2 = base_diag();
+        d2.id = "taint-unsanitised-flow (source 5:1)".into();
+        assert_ne!(compute_stable_hash(&d1), compute_stable_hash(&d2));
+    }
+
+    #[test]
+    fn compute_stable_hash_sensitive_to_path() {
+        let d1 = base_diag();
+        let mut d2 = base_diag();
+        d2.path = "src/other.rs".into();
+        assert_ne!(compute_stable_hash(&d1), compute_stable_hash(&d2));
+    }
+
+    #[test]
+    fn compute_stable_hash_sensitive_to_line() {
+        let d1 = base_diag();
+        let mut d2 = base_diag();
+        d2.line = 43;
+        assert_ne!(compute_stable_hash(&d1), compute_stable_hash(&d2));
+    }
+
+    #[test]
+    fn compute_stable_hash_sensitive_to_col() {
+        let d1 = base_diag();
+        let mut d2 = base_diag();
+        d2.col = 6;
+        assert_ne!(compute_stable_hash(&d1), compute_stable_hash(&d2));
+    }
+
+    #[test]
+    fn compute_stable_hash_sensitive_to_sink_caps() {
+        let d1 = base_diag();
+        let mut d2 = base_diag();
+        d2.evidence = Some(Evidence {
+            sink_caps: Cap::CODE_EXEC.bits(),
+            ..Default::default()
+        });
+        assert_ne!(compute_stable_hash(&d1), compute_stable_hash(&d2));
+    }
+
+    #[test]
+    fn compute_stable_hash_collision_resistance() {
+        let d1 = Diag {
+            path: "src/a.rs".into(),
+            line: 1,
+            col: 0,
+            id: "rule-x".into(),
+            ..base_diag()
+        };
+        let d2 = Diag {
+            path: "src/b.rs".into(),
+            line: 1,
+            col: 0,
+            id: "rule-x".into(),
+            ..base_diag()
+        };
+        let d3 = Diag {
+            path: "src/a.rs".into(),
+            line: 2,
+            col: 0,
+            id: "rule-x".into(),
+            ..base_diag()
+        };
+        let h1 = compute_stable_hash(&d1);
+        let h2 = compute_stable_hash(&d2);
+        let h3 = compute_stable_hash(&d3);
+        assert_ne!(h1, h2);
+        assert_ne!(h1, h3);
+        assert_ne!(h2, h3);
+    }
+}