@cyclonedx/cdxgen 12.1.4 → 12.2.0

package/lib/validator/complianceRules.poku.js

@@ -0,0 +1,328 @@
+import { assert, describe, it } from "poku";
+
+import {
+  __test,
+  getAllComplianceRules,
+  getCraRules,
+  getScvsRules,
+} from "./complianceRules.js";
+
+const {
+  componentLicenseId,
+  inventoryComponents,
+  looksLikeSpdx,
+  collectReferencedRefs,
+} = __test;
+
+function baseBom(overrides = {}) {
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.6",
+    serialNumber: "urn:uuid:1b671687-395b-41f5-a30f-a58921a69b79",
+    metadata: {
+      timestamp: "2024-01-02T03:04:05Z",
+      tools: {
+        components: [
+          { type: "application", name: "cdxgen", version: "12.0.0" },
+        ],
+      },
+      component: {
+        name: "demo",
+        version: "1.0.0",
+        type: "application",
+        "bom-ref": "pkg:generic/demo@1.0.0",
+      },
+      supplier: {
+        name: "Acme",
+        contact: [{ email: "psirt@example.com" }],
+      },
+    },
+    components: [
+      {
+        type: "library",
+        name: "lodash",
+        version: "4.17.21",
+        purl: "pkg:npm/lodash@4.17.21",
+        "bom-ref": "pkg:npm/lodash@4.17.21",
+        licenses: [{ license: { id: "MIT" } }],
+        hashes: [{ alg: "SHA-256", content: "abc" }],
+        copyright: "Copyright (c) OpenJS",
+      },
+    ],
+    dependencies: [
+      { ref: "pkg:generic/demo@1.0.0", dependsOn: ["pkg:npm/lodash@4.17.21"] },
+      { ref: "pkg:npm/lodash@4.17.21", dependsOn: [] },
+    ],
+    ...overrides,
+  };
+}
+
+describe("complianceRules catalog", () => {
+  it("exposes SCVS + CRA rules with stable ids", () => {
+    const all = getAllComplianceRules();
+    assert.ok(all.length >= 80, `expected >= 80 rules, got ${all.length}`);
+    const scvs = getScvsRules();
+    const cra = getCraRules();
+    assert.strictEqual(scvs.length + cra.length, all.length);
+    for (const r of all) {
+      assert.ok(typeof r.id === "string" && r.id.length > 0, `bad id ${r.id}`);
+      assert.ok(
+        typeof r.evaluate === "function",
+        `rule ${r.id} missing evaluate`,
+      );
+      assert.ok(
+        Array.isArray(r.standardRefs),
+        `rule ${r.id} missing standardRefs`,
+      );
+    }
+    const ids = new Set(all.map((r) => r.id));
+    assert.strictEqual(ids.size, all.length, "rule ids must be unique");
+  });
+
+  it("SCVS rule ids match the SCVS-X.Y convention", () => {
+    for (const r of getScvsRules()) {
+      assert.match(r.id, /^SCVS-\d+\.\d+$/);
+      assert.strictEqual(r.standard, "SCVS");
+    }
+  });
+
+  it("CRA rule ids match the CRA-MIN-XXX convention", () => {
+    for (const r of getCraRules()) {
+      assert.match(r.id, /^CRA-MIN-\d+$/);
+      assert.strictEqual(r.standard, "CRA");
+    }
+  });
+});
+
+describe("complianceRules helpers", () => {
+  it("inventoryComponents filters non-inventory types", () => {
+    const bom = {
+      components: [
+        { type: "library", name: "a" },
+        { type: "cryptographic-asset", name: "b" },
+        { type: "framework", name: "c" },
+      ],
+    };
+    assert.deepStrictEqual(
+      inventoryComponents(bom).map((c) => c.name),
+      ["a", "c"],
+    );
+  });
+
+  it("looksLikeSpdx accepts common forms and rejects garbage", () => {
+    assert.ok(looksLikeSpdx("MIT"));
+    assert.ok(looksLikeSpdx("Apache-2.0"));
+    assert.ok(looksLikeSpdx("Apache-2.0 OR MIT"));
+    assert.ok(looksLikeSpdx("(MIT AND LGPL-2.1-only)"));
+    assert.ok(!looksLikeSpdx("NOASSERTION"));
+    assert.ok(!looksLikeSpdx("unknown"));
+    assert.ok(!looksLikeSpdx(""));
+    assert.ok(!looksLikeSpdx(null));
+  });
+
+  it("componentLicenseId prefers id then name then expression", () => {
+    assert.strictEqual(
+      componentLicenseId({ licenses: [{ license: { id: "MIT" } }] }),
+      "MIT",
+    );
+    assert.strictEqual(
+      componentLicenseId({ licenses: [{ license: { name: "Custom" } }] }),
+      "Custom",
+    );
+    assert.strictEqual(
+      componentLicenseId({ licenses: [{ expression: "MIT OR Apache-2.0" }] }),
+      "MIT OR Apache-2.0",
+    );
+    assert.strictEqual(componentLicenseId({}), null);
+    assert.strictEqual(componentLicenseId({ licenses: [] }), null);
+  });
+
+  it("collectReferencedRefs gathers all refs", () => {
+    const bom = baseBom();
+    const refs = collectReferencedRefs(bom);
+    assert.ok(refs.has("pkg:generic/demo@1.0.0"));
+    assert.ok(refs.has("pkg:npm/lodash@4.17.21"));
+  });
+});
+
+describe("SCVS automatable rules on a clean BOM", () => {
+  const bom = baseBom();
+  const rules = getScvsRules().filter((r) => r.automatable);
+
+  it("SCVS-1.1, 1.3, 1.7, 2.1, 2.3, 2.7, 2.9, 2.11, 2.12, 2.14, 3.20 all pass", () => {
+    const expected = [
+      "SCVS-1.1",
+      "SCVS-1.3",
+      "SCVS-1.7",
+      "SCVS-2.1",
+      "SCVS-2.3",
+      "SCVS-2.7",
+      "SCVS-2.9",
+      "SCVS-2.11",
+      "SCVS-2.12",
+      "SCVS-2.14",
+      "SCVS-3.20",
+    ];
+    for (const id of expected) {
+      const r = rules.find((x) => x.id === id);
+      assert.ok(r, `missing rule ${id}`);
+      const res = r.evaluate(bom);
+      assert.strictEqual(res.status, "pass", `${id}: ${res.message}`);
+    }
+  });
+
+  it("SCVS-2.4 fails when BOM is not signed, passes when signed", () => {
+    const rule = rules.find((r) => r.id === "SCVS-2.4");
+    assert.strictEqual(rule.evaluate(bom).status, "fail");
+    const signed = baseBom({
+      signature: { algorithm: "RS512", value: "xxx" },
+    });
+    assert.strictEqual(rule.evaluate(signed).status, "pass");
+  });
+
+  it("SCVS-1.1 fails when a component has no version", () => {
+    const rule = rules.find((r) => r.id === "SCVS-1.1");
+    const bad = baseBom({
+      components: [{ type: "library", name: "no-version", purl: "pkg:npm/x" }],
+    });
+    const res = rule.evaluate(bad);
+    assert.strictEqual(res.status, "fail");
+    assert.match(res.message, /missing a version/);
+  });
+
+  it("SCVS-2.3 fails when serialNumber is missing", () => {
+    const rule = rules.find((r) => r.id === "SCVS-2.3");
+    assert.strictEqual(
+      rule.evaluate(baseBom({ serialNumber: undefined })).status,
+      "fail",
+    );
+    assert.strictEqual(
+      rule.evaluate(baseBom({ serialNumber: "garbage" })).status,
+      "fail",
+    );
+  });
+
+  it("SCVS-2.11 fails when root name or version is missing", () => {
+    const rule = rules.find((r) => r.id === "SCVS-2.11");
+    const noVer = baseBom({
+      metadata: {
+        ...baseBom().metadata,
+        component: { name: "x", "bom-ref": "x", type: "application" },
+      },
+    });
+    assert.strictEqual(rule.evaluate(noVer).status, "fail");
+    const noName = baseBom({
+      metadata: {
+        ...baseBom().metadata,
+        component: {},
+      },
+    });
+    assert.strictEqual(rule.evaluate(noName).status, "fail");
+  });
+
+  it("SCVS-2.12 fails when a purl is unparseable", () => {
+    const rule = rules.find((r) => r.id === "SCVS-2.12");
+    const bom = baseBom({
+      components: [
+        {
+          type: "library",
+          name: "bad",
+          version: "1.0.0",
+          purl: "not-a-purl",
+          "bom-ref": "bad",
+        },
+      ],
+    });
+    const res = rule.evaluate(bom);
+    assert.strictEqual(res.status, "fail");
+    assert.ok(res.locations.length > 0);
+  });
+
+  it("SCVS-2.15 rejects NOASSERTION-style license ids", () => {
+    const rule = rules.find((r) => r.id === "SCVS-2.15");
+    const bom = baseBom({
+      components: [
+        {
+          type: "library",
+          name: "x",
+          version: "1.0.0",
+          purl: "pkg:npm/x@1.0.0",
+          "bom-ref": "x",
+          licenses: [{ license: { id: "NOASSERTION" } }],
+        },
+      ],
+    });
+    assert.strictEqual(rule.evaluate(bom).status, "fail");
+  });
+
+  it("SCVS-3.20 flags orphan components not in dep graph", () => {
+    const rule = rules.find((r) => r.id === "SCVS-3.20");
+    const orphan = baseBom({
+      components: [
+        ...baseBom().components,
+        {
+          type: "library",
+          name: "orphan",
+          version: "0.0.1",
+          purl: "pkg:npm/orphan@0.0.1",
+          "bom-ref": "pkg:npm/orphan@0.0.1",
+          licenses: [{ license: { id: "MIT" } }],
+          hashes: [{ alg: "SHA-256", content: "1" }],
+        },
+      ],
+    });
+    const res = rule.evaluate(orphan);
+    assert.strictEqual(res.status, "fail");
+    assert.match(res.message, /not referenced/);
+  });
+
+  it("SCVS-6.3 passes when no modified components exist", () => {
+    const rule = rules.find((r) => r.id === "SCVS-6.3");
+    assert.strictEqual(rule.evaluate(baseBom()).status, "pass");
+  });
+});
+
+describe("CRA rules", () => {
+  const rules = getCraRules();
+
+  it("all pass on the well-formed baseline BOM", () => {
+    for (const r of rules) {
+      const res = r.evaluate(baseBom());
+      assert.strictEqual(
+        res.status,
+        "pass",
+        `${r.id} expected pass, got ${res.status}: ${res.message}`,
+      );
+    }
+  });
+
+  it("CRA-MIN-001 fails when supplier is missing", () => {
+    const rule = rules.find((r) => r.id === "CRA-MIN-001");
+    const bom = baseBom();
+    bom.metadata.supplier = undefined;
+    assert.strictEqual(rule.evaluate(bom).status, "fail");
+  });
+
+  it("CRA-MIN-002 fails when contact is empty", () => {
+    const rule = rules.find((r) => r.id === "CRA-MIN-002");
+    const bom = baseBom();
+    bom.metadata.supplier = { name: "Acme" };
+    assert.strictEqual(rule.evaluate(bom).status, "fail");
+  });
+
+  it("CRA-MIN-004 fails when dependency graph is empty", () => {
+    const rule = rules.find((r) => r.id === "CRA-MIN-004");
+    const bom = baseBom({ dependencies: [] });
+    assert.strictEqual(rule.evaluate(bom).status, "fail");
+  });
+
+  it("CRA-MIN-008 supports both array (1.4) and object (1.5+) tool shapes", () => {
+    const rule = rules.find((r) => r.id === "CRA-MIN-008");
+    const legacy = baseBom();
+    legacy.metadata.tools = [{ name: "old" }];
+    assert.strictEqual(rule.evaluate(legacy).status, "pass");
+    const missing = baseBom();
+    missing.metadata.tools = undefined;
+    assert.strictEqual(rule.evaluate(missing).status, "fail");
+  });
+});

package/lib/validator/index.js

@@ -0,0 +1,222 @@
+/**
+ * cdx-validate orchestrator.
+ *
+ * Combines cdxgen's existing structural validation
+ * ({@link ./bomValidator.js}) with the compliance rule packs in
+ * {@link ./complianceEngine.js} and (optionally) signature verification from
+ * {@link ../helpers/bomSigner.js}.
+ *
+ * This module exposes a single high-level function, `validateBomAdvanced`,
+ * and helpers to classify the result. It does *not* perform any I/O: the CLI
+ * wrapper (`bin/validate.js`) is responsible for reading the input BOM.
+ */
+
+import { verifyNode } from "../helpers/bomSigner.js";
+import {
+  validateBom,
+  validateMetadata,
+  validateProps,
+  validatePurls,
+  validateRefs,
+} from "./bomValidator.js";
+import { buildBenchmarkReports, evaluateAll } from "./complianceEngine.js";
+
+const SEVERITY_ORDER = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+/**
+ * Compute the summary block of the report.
+ *
+ * @param {Array<object>} findings
+ * @returns {object}
+ */
+function summarize(findings) {
+  let pass = 0;
+  let failed = 0;
+  let manual = 0;
+  let errors = 0;
+  let warnings = 0;
+  for (const f of findings) {
+    if (f.status === "pass") pass += 1;
+    else if (f.status === "fail") failed += 1;
+    else if (f.status === "manual") manual += 1;
+    if (
+      f.status === "fail" &&
+      (f.severity === "high" || f.severity === "critical")
+    ) {
+      errors += 1;
+    } else if (f.status === "fail") {
+      warnings += 1;
+    }
+  }
+  return {
+    total: findings.length,
+    pass,
+    fail: failed,
+    manual,
+    errors,
+    warnings,
+    schemaValid: true,
+    deepValid: true,
+  };
+}
+
+/**
+ * Filter findings by minimum severity and optional status inclusion rules.
+ *
+ * @param {Array<object>} findings
+ * @param {object} opts
+ * @param {string} [opts.minSeverity]    "info"..."critical".
+ * @param {boolean} [opts.includeManual]  When false, drop manual findings from
+ *                                        the final array (they are still in
+ *                                        the benchmark scorecards).
+ * @param {boolean} [opts.includePass]    When false, drop pass findings.
+ * @returns {Array<object>}
+ */
+function filterFindings(findings, opts) {
+  const min = SEVERITY_ORDER[(opts.minSeverity || "info").toLowerCase()] ?? 0;
+  return findings.filter((f) => {
+    if (!opts.includeManual && f.status === "manual") return false;
+    if (!opts.includePass && f.status === "pass") return false;
+    return (SEVERITY_ORDER[f.severity] ?? 0) >= min;
+  });
+}
+
+/**
+ * Run schema + deep validation checks from the existing validator helpers and
+ * capture their boolean results without letting them blow up the process.
+ *
+ * @param {object} bomJson
+ * @param {object} opts
+ * @returns {{ schemaValid: boolean, deepValid: boolean }}
+ */
+function runSchemaAndDeep(bomJson, opts) {
+  let schemaValid = true;
+  let deepValid = true;
+  if (opts.schema !== false) {
+    try {
+      schemaValid = validateBom(bomJson) !== false;
+    } catch (err) {
+      schemaValid = false;
+      if (opts.onError) opts.onError("schema", err);
+    }
+  }
+  if (opts.deep !== false) {
+    try {
+      deepValid =
+        validateMetadata(bomJson) !== false &&
+        validatePurls(bomJson) !== false &&
+        validateRefs(bomJson) !== false &&
+        validateProps(bomJson) !== false;
+    } catch (err) {
+      deepValid = false;
+      if (opts.onError) opts.onError("deep", err);
+    }
+  }
+  return { schemaValid, deepValid };
+}
+
+/**
+ * Run structural + compliance validation against a parsed BOM.
+ *
+ * @param {object} bomJson Parsed CycloneDX JSON BOM.
+ * @param {object} [options]
+ * @param {boolean} [options.schema]            Run JSON-Schema validation (default true).
+ * @param {boolean} [options.deep]              Run purl/ref/metadata deep checks (default true).
+ * @param {Array<string>} [options.benchmarks]  Aliases to include in the scorecards (default: all).
+ * @param {Array<string>} [options.categories]  Restrict compliance rules to these categories.
+ * @param {string} [options.minSeverity]        Minimum severity for returned findings.
+ * @param {boolean} [options.includeManual]     Include manual-review findings (default true).
+ * @param {boolean} [options.includePass]       Include passing findings (default false).
+ * @param {string} [options.publicKey]          If set, verify the BOM signature.
+ * @returns {{
+ *   schemaValid: boolean,
+ *   deepValid: boolean,
+ *   signatureVerified: boolean | null,
+ *   signatureDetails: object | null,
+ *   findings: Array<object>,
+ *   allFindings: Array<object>,
+ *   benchmarks: Array<object>,
+ *   summary: object
+ * }}
+ */
+export function validateBomAdvanced(bomJson, options = {}) {
+  const { schemaValid, deepValid } = runSchemaAndDeep(bomJson, options);
+  const allFindings = evaluateAll(bomJson, {
+    categories: options.categories,
+    benchmarks: options.benchmarks,
+  });
+  const benchmarks = buildBenchmarkReports(allFindings, options.benchmarks);
+  const filtered = filterFindings(allFindings, {
+    minSeverity: options.minSeverity || "info",
+    includeManual: options.includeManual !== false,
+    includePass: options.includePass === true,
+  });
+  let signatureVerified = null;
+  let signatureDetails = null;
+  if (options.publicKey && bomJson?.signature) {
+    try {
+      const match = verifyNode(bomJson, options.publicKey);
+      signatureVerified = Boolean(match);
+      signatureDetails = match || null;
+    } catch (err) {
+      signatureVerified = false;
+      signatureDetails = { error: err?.message || String(err) };
+    }
+  } else if (options.publicKey) {
+    // Public key provided but BOM has no signature.
+    signatureVerified = false;
+    signatureDetails = { error: "BOM has no signature block." };
+  }
+  const summary = summarize(allFindings);
+  summary.schemaValid = schemaValid;
+  summary.deepValid = deepValid;
+  return {
+    schemaValid,
+    deepValid,
+    signatureVerified,
+    signatureDetails,
+    findings: filtered,
+    allFindings,
+    benchmarks,
+    summary,
+  };
+}
+
+/**
+ * Decide whether a report should trigger a non-zero CLI exit.
+ *
+ * @param {object} report
+ * @param {object} opts
+ * @param {string} [opts.failSeverity] Severity level at or above which failing findings are considered a failure (default "high").
+ * @param {boolean} [opts.strict]      When true, failing on any `fail` status regardless of severity, and a failing schema/deep validation also counts.
+ * @param {boolean} [opts.requireSignature] Require a valid signature when verification was requested.
+ * @returns {{ shouldFail: boolean, reason: string | null }}
+ */
+export function shouldFail(report, opts = {}) {
+  if (opts.requireSignature && report.signatureVerified === false) {
+    return { shouldFail: true, reason: "Signature verification failed." };
+  }
+  if (opts.strict && report.schemaValid === false) {
+    return { shouldFail: true, reason: "Schema validation failed." };
+  }
+  if (opts.strict && report.deepValid === false) {
+    return { shouldFail: true, reason: "Deep validation failed." };
+  }
+  const threshold =
+    SEVERITY_ORDER[(opts.failSeverity || "high").toLowerCase()] ??
+    SEVERITY_ORDER.high;
+  for (const f of report.allFindings || []) {
+    if (f.status !== "fail") continue;
+    const sev = SEVERITY_ORDER[f.severity] ?? 0;
+    if (sev >= threshold) {
+      return {
+        shouldFail: true,
+        reason: `Rule ${f.ruleId} failed with severity ${f.severity}.`,
+      };
+    }
+  }
+  return { shouldFail: false, reason: null };
+}
+
+export { buildBenchmarkReports, evaluateAll } from "./complianceEngine.js";
+export { SEVERITY_ORDER };

package/lib/validator/index.poku.js

@@ -0,0 +1,144 @@
+import { assert, describe, it } from "poku";
+
+import { shouldFail, validateBomAdvanced } from "./index.js";
+
+function richBom() {
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.6",
+    serialNumber: "urn:uuid:1b671687-395b-41f5-a30f-a58921a69b79",
+    version: 1,
+    metadata: {
+      timestamp: "2024-02-02T00:00:00Z",
+      tools: {
+        components: [
+          { type: "application", name: "cdxgen", version: "12.0.0" },
+        ],
+      },
+      component: {
+        name: "demo",
+        version: "1.0.0",
+        type: "application",
+        "bom-ref": "pkg:generic/demo@1.0.0",
+      },
+      supplier: {
+        name: "Acme",
+        contact: [{ email: "psirt@example.com" }],
+      },
+    },
+    components: [
+      {
+        type: "library",
+        name: "lodash",
+        version: "4.17.21",
+        purl: "pkg:npm/lodash@4.17.21",
+        "bom-ref": "pkg:npm/lodash@4.17.21",
+        licenses: [{ license: { id: "MIT" } }],
+        hashes: [{ alg: "SHA-256", content: "x" }],
+        copyright: "© OpenJS",
+      },
+    ],
+    dependencies: [
+      { ref: "pkg:generic/demo@1.0.0", dependsOn: ["pkg:npm/lodash@4.17.21"] },
+      { ref: "pkg:npm/lodash@4.17.21", dependsOn: [] },
+    ],
+  };
+}
+
+describe("validateBomAdvanced", () => {
+  it("returns structural, compliance, and benchmark data", () => {
+    const report = validateBomAdvanced(richBom(), { schema: false });
+    assert.strictEqual(typeof report.schemaValid, "boolean");
+    assert.strictEqual(typeof report.deepValid, "boolean");
+    assert.ok(Array.isArray(report.findings));
+    assert.ok(Array.isArray(report.allFindings));
+    assert.ok(Array.isArray(report.benchmarks));
+    assert.ok(report.summary);
+    assert.strictEqual(report.summary.schemaValid, report.schemaValid);
+    assert.strictEqual(report.summary.deepValid, report.deepValid);
+  });
+
+  it("hides pass findings by default but includes manual", () => {
+    const report = validateBomAdvanced(richBom(), { schema: false });
+    for (const f of report.findings) {
+      assert.notStrictEqual(f.status, "pass");
+    }
+    assert.ok(report.findings.some((f) => f.status === "manual"));
+  });
+
+  it("respects minSeverity filter", () => {
+    const report = validateBomAdvanced(richBom(), {
+      schema: false,
+      minSeverity: "high",
+      includeManual: true,
+    });
+    for (const f of report.findings) {
+      assert.ok(["high", "critical"].includes(f.severity));
+    }
+  });
+
+  it("marks signatureVerified=false when public key given but BOM unsigned", () => {
+    const report = validateBomAdvanced(richBom(), {
+      schema: false,
+      publicKey: "-----BEGIN PUBLIC KEY-----\nfake\n-----END PUBLIC KEY-----",
+    });
+    assert.strictEqual(report.signatureVerified, false);
+    assert.ok(report.signatureDetails?.error);
+  });
+
+  it("returns signatureVerified=null when no public key supplied", () => {
+    const report = validateBomAdvanced(richBom(), { schema: false });
+    assert.strictEqual(report.signatureVerified, null);
+  });
+});
+
+describe("shouldFail", () => {
+  const fakeReport = (opts) => ({
+    schemaValid: opts.schemaValid ?? true,
+    deepValid: opts.deepValid ?? true,
+    signatureVerified: opts.signatureVerified ?? null,
+    allFindings: opts.findings || [],
+  });
+
+  it("fails on any finding at or above fail-severity", () => {
+    const r = fakeReport({
+      findings: [{ status: "fail", severity: "high", ruleId: "X" }],
+    });
+    const { shouldFail: f } = shouldFail(r, { failSeverity: "high" });
+    assert.strictEqual(f, true);
+  });
+
+  it("does not fail when severity is below threshold", () => {
+    const r = fakeReport({
+      findings: [{ status: "fail", severity: "low", ruleId: "X" }],
+    });
+    const { shouldFail: f } = shouldFail(r, { failSeverity: "high" });
+    assert.strictEqual(f, false);
+  });
+
+  it("fails in strict mode on schema invalid", () => {
+    const r = fakeReport({ schemaValid: false });
+    assert.strictEqual(
+      shouldFail(r, { strict: true, failSeverity: "critical" }).shouldFail,
+      true,
+    );
+  });
+
+  it("fails when signature required but verification failed", () => {
+    const r = fakeReport({ signatureVerified: false });
+    const { shouldFail: f, reason } = shouldFail(r, {
+      requireSignature: true,
+      failSeverity: "critical",
+    });
+    assert.strictEqual(f, true);
+    assert.match(reason, /Signature/);
+  });
+
+  it("ignores signature when not required", () => {
+    const r = fakeReport({ signatureVerified: false });
+    assert.strictEqual(
+      shouldFail(r, { failSeverity: "critical" }).shouldFail,
+      false,
+    );
+  });
+});