advanced-security · data-douser · Apr 13, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 10, 2026
@@ -0,0 +1,19 @@
+# Integration Test: sarif_diff_by_commits - file_level_classification
+
+## Purpose
+
+Validates that the `sarif_diff_by_commits` tool correctly partitions
+SARIF results into "new" vs "pre-existing" based on file-level overlap
+with a git diff. Uses `HEAD..HEAD` (empty diff) so all results are
+classified as pre-existing.
+
+## Inputs
+
+- `results.sarif`: SARIF with 3 results across 2 rules in 3 files
+- `refRange`: `HEAD..HEAD` (produces an empty diff)
+- `granularity`: `file`
+
+## Expected Behavior
+
+Returns structured output with all 3 results in `preExistingResults`
+and 0 results in `newResults`, since the empty diff has no changed files.
@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "success": true,
+  "description": "Successfully classified all results as pre-existing with empty diff"
+}
@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "expectedSuccess": true,
+  "description": "Test sarif_diff_by_commits classifies all results as pre-existing with empty diff"
+}
@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,17 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "arguments": {
+    "refRange": "HEAD..HEAD",
+    "granularity": "file"
+  },
+  "assertions": {
+    "responseContains": [
+      "\"granularity\": \"file\"",
+      "\"preExistingResults\"",
+      "\"newResults\"",
+      "\"totalPreExisting\": 3",
+      "\"totalNew\": 0",
+      "\"totalResults\": 3"
+    ]
+  }
+}
@@ -0,0 +1,20 @@
+# Integration Test: sarif_diff_by_commits - line_level_classification
+
+## Purpose
+
+Validates that the `sarif_diff_by_commits` tool correctly handles
+line-level granularity classification. Uses `HEAD..HEAD` (empty diff)
+so all results are classified as pre-existing regardless of their
+line positions.
+
+## Inputs
+
+- `results.sarif`: SARIF with 3 results across 2 rules in 3 files
+- `refRange`: `HEAD..HEAD` (produces an empty diff)
+- `granularity`: `line`
+
+## Expected Behavior
+
+Returns structured output with `"granularity": "line"`, all 3 results
+in `preExistingResults`, and 0 results in `newResults`, since the
+empty diff has no changed files or hunks to match against.
@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "success": true,
+  "description": "Successfully classified all results as pre-existing with empty diff (line granularity)"
+}