1 Verify persisted output locations for VECTOR-Code artifacts TCS-001
Preconditions and setup actions
- Prepare a readable sample project directory.
- Ensure the current workspace is writable.
Test steps
- Run
python3 main.py <sample-project> --name sample-appfrom the VECTOR-Code directory. - Inspect the
output/databases,output/results, andoutput/cbomdirectories after execution. - Confirm that generated artifacts remain accessible after the process exits.
Expected outcome
- VECTOR-Code creates the expected output directory structure.
- Generated analysis artifacts are written to local files.
- Artifact paths remain inspectable after completion.
Parent links: SRS-001 Persist output artifacts in predictable locations
Child links: TRP-001 Starter report for persisted output verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | A readable sample project path with writable local output directories |
| version | 0.1 |
2 Verify supported language detection TCS-002
Preconditions and setup actions
- Prepare sample repositories containing known language mixes.
- Ensure
clocis available in the runtime environment.
Test steps
- Run the VECTOR-Code workflow against a sample project containing supported languages.
- Observe the reported detected languages and percentages.
- Repeat with a project that contains no supported language above threshold.
Expected outcome
- Supported languages above threshold are reported.
- Python, C, and C++ map to the implemented source-analysis path.
- A project with no supported language above threshold terminates with an explicit warning or failure.
Parent links: SRS-002 Detect supported source languages from the target project
Child links: TRP-002 Starter report for language detection verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Sample projects containing Python, C, and C++ code above and below threshold |
| version | 0.1 |
3 Verify CodeQL database creation TCS-003
Preconditions and setup actions
- Prepare a readable sample project.
- Ensure the CodeQL CLI is installed and reachable from PATH.
Test steps
- Run VECTOR-Code against the sample project.
- Inspect the created database directories under
output/databases. - Verify that languages mapping to the same CodeQL language do not produce duplicate database names.
Expected outcome
- CodeQL databases are created for the detected CodeQL languages.
- Database names follow the
db-<codeql-language>convention. - Duplicate databases are not created for multiple source languages that share the same CodeQL target.
Parent links: SRS-003 Create CodeQL databases through the external CLI
Child links: TRP-003 Starter report for CodeQL database verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 3 |
| test_data | Sample project with detectable supported language content and CodeQL CLI installed |
| version | 0.1 |
4 Verify SARIF generation from CodeQL queries TCS-004
Preconditions and setup actions
- Prepare created CodeQL databases.
- Ensure the configured query paths exist.
Test steps
- Run the VECTOR-Code workflow until the query stage completes.
- Inspect the
output/resultsdirectory. - Confirm that missing query paths or failed queries are reported explicitly.
Expected outcome
- Successful query execution creates SARIF output files.
- SARIF files follow the
crypto-<language>.sarifnaming pattern. - Query-path or execution failures do not appear as successful findings.
Parent links: SRS-004 Run cryptographic inventory queries on created databases
Child links: TRP-004 Starter report for SARIF generation verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 3 |
| test_data | Created CodeQL databases and available inventory query packs |
| version | 0.1 |
5 Verify SARIF-to-CBOM conversion TCS-005
Preconditions and setup actions
- Prepare one or more valid SARIF result files.
- Ensure the
cryptobomcommand is available.
Test steps
- Run the VECTOR-Code workflow through the CBOM generation stage.
- Inspect the
output/cbomdirectory. - Confirm that failed conversions are reported and omitted from the successful output set.
Expected outcome
- CBOM JSON files are created from valid SARIF files.
- Generated file names derive from the source SARIF stem.
- Failed conversions do not appear as successful outputs.
Parent links: SRS-005 Convert source-analysis findings into CBOM artifacts
Child links: TRP-005 Starter report for SARIF-to-CBOM verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Valid SARIF output files and cryptobom CLI installed |
| version | 0.1 |
6 Verify raw TLS scan output generation TCS-006
Preconditions and setup actions
- Prepare a reachable TLS-enabled endpoint.
- Ensure
testssl.shis available at the configured path.
Test steps
- Run
python3 network-scanning.py --protocol tls --target <target> --port <port>. - Inspect the created raw TLS scan file.
- Confirm that the file is non-empty and associated with the requested target.
Expected outcome
- The TLS workflow accepts valid target and port input.
- A raw JSON scan file is created.
- Empty or missing output files are treated as failure conditions.
Parent links: SRS-006 Scan TLS-enabled services by target and port
Child links: TRP-006 Starter report for raw TLS scan verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Controlled TLS endpoint and reachable port |
| version | 0.1 |
7 Verify TLS CBOM decomposition TCS-007
Preconditions and setup actions
- Prepare a valid raw TLS scan JSON file.
- Ensure the TLS converter script and mapping files are present.
Test steps
- Run the TLS workflow through CBOM generation.
- Inspect the generated TLS CBOM file.
- Confirm that the output contains decomposed algorithm elements rather than only opaque suite names.
Expected outcome
- The converter generates a CBOM JSON file for the TLS scan.
- Mapped cipher-suite components appear as explicit algorithm records.
- Hybrid or PQ-related entries are represented when present in the mapped input data.
Parent links: SRS-007 Model TLS findings with classical, hybrid, and PQ-aware decomposition
Child links: TRP-007 Starter report for TLS CBOM verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 3 |
| test_data | TLS scan JSON containing cipher suites, groups, and supported mapped entries |
| version | 0.1 |
8 Verify raw SSH scan output generation TCS-008
Preconditions and setup actions
- Prepare a reachable SSH-enabled endpoint.
- Ensure
zgrab2is available in PATH.
Test steps
- Run
python3 network-scanning.py --protocol ssh --target <target> --port <port>. - Inspect the created raw SSH scan file.
- Confirm that the file is non-empty and associated with the requested target.
Expected outcome
- The SSH workflow accepts valid target and port input.
- A raw JSON scan file is created.
- Empty or missing output files are treated as failure conditions.
Parent links: SRS-008 Scan SSH-enabled services by target and port
Child links: TRP-008 Starter report for raw SSH scan verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Controlled SSH endpoint and reachable port |
| version | 0.1 |
9 Verify Linux runtime assumptions and tool-path checks TCS-009
Preconditions and setup actions
- Prepare one environment that satisfies the expected runtime layout.
- Prepare one environment with a missing required script or unwritable output location.
Test steps
- Run VECTOR-Code and VECTOR-Network in the valid environment.
- Observe creation of required directories and use of configured tool paths.
- Repeat in the invalid environment and record the resulting failure behavior.
Expected outcome
- The valid environment supports normal startup and artifact generation.
- Required tool paths and writable directories are part of the runtime contract.
- Missing required scripts or paths are surfaced explicitly.
Parent links: SRS-009 Provide a ready-to-use Linux execution environment
Child links: TRP-009 Starter report for runtime assumption verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Runtime environment with and without required tool paths and writable output locations |
| version | 0.1 |
10 Verify safe failure behavior TCS-010
Preconditions and setup actions
- Prepare invalid target input, an out-of-range port, and one environment with a missing required tool.
Test steps
- Run the network workflow with an invalid port.
- Run the network workflow with an empty target.
- Run a workflow with a missing required tool or missing expected result file.
Expected outcome
- Invalid input is rejected before the scanner runs.
- Missing tools or files produce explicit failures.
- Conversion does not continue after a validation failure.
Parent links: SRS-010 Fail safely for invalid inputs, missing tools, and incomplete outputs
Child links: TRP-010 Starter report for safe failure verification
| Attribute | Value |
|---|---|
| platform | GNU/Linux workstation or dev container |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | Invalid ports, empty targets, missing tools, and empty result files |
| version | 0.1 |
11 Verify quantum risk classification TCS-011
Preconditions:
- Docker engine running
- VS Code with the "Dev Containers" extension.
Setup:
- Open the project in Dev Containers.
- Activate virtual environment:
poetry shell
Test steps
- All steps below are automated in
tests/test_algorithm_classifier.py. To run:
poetry run pytest tests/test_algorithm_classifier.py -v
Expected outcome
- All 33 test methods pass. No failures, no errors. Each algorithm is assigned the correct classification label and risk score as defined in
tor/vector_score/data/algorithm-risk-catalog.yaml:
Category 1 — quantum-vulnerable (expected: classification = "quantum-vulnerable", risk_score = "high")
1.1. Running classify("RSA", "pke", None) — asserts classification == "quantum-vulnerable" and risk_score == "high".
1.2. Running classify("ECDHE", "key-agree", None) — asserts classification == "quantum-vulnerable" and risk_score == "high".
1.3. Running classify("DHE", "key-agree", None) — asserts classification == "quantum-vulnerable" and risk_score == "high".
1.4. Running classify("ECDSA", "signature", None) — asserts classification == "quantum-vulnerable" and risk_score == "high".
1.5. Running classify("DSA", "signature", None) — asserts classification == "quantum-vulnerable" and risk_score == "high".
Category 2 — classically-deprecated (expected: classification = "classically-deprecated", risk_score = "high")
1.6. Running classify("RC4", "stream-cipher", None) — asserts classification == "classically-deprecated" and risk_score == "high".
1.7. Running classify("DES", "block-cipher", None) — asserts classification == "classically-deprecated".
1.8. Running classify("MD5", "hash", None) — asserts classification == "classically-deprecated".
Category 3 — non-hybrid (expected: classification = "non-hybrid", risk_score = "medium")
1.9. Running classify("ML-KEM-768", "kem", None) — asserts classification == "non-hybrid" and risk_score == "medium".
1.10. Running classify("ML-KEM-1024", "kem", None) — asserts classification == "non-hybrid" and risk_score == "medium".
1.11. Running classify("ML-DSA-65", "signature", None) — asserts classification == "non-hybrid" and risk_score == "medium".
1.12. Running classify("SLH-DSA", "signature", None) — asserts classification == "non-hybrid" and risk_score == "medium".
1.13. Running classify("ML-KEM-512", "kem", None) — asserts classification == "non-hybrid".
1.14. Running classify("AES-128-GCM", "block-cipher", "128") — asserts classification == "non-hybrid" and risk_score == "medium".
1.15. Running classify("SHA-1", "hash", None) — asserts classification == "non-hybrid" and risk_score == "medium".
1.16. Running classify("3DES-EDE", "block-cipher", None) — asserts classification == "non-hybrid" and risk_score == "medium".
Category 4 — hybrid (expected: classification = "hybrid", risk_score = "low")
1.17. Running classify("X25519MLKEM768", None, None) — asserts classification == "hybrid" and risk_score == "low".
1.18. Running classify("SecP256r1MLKEM768", None, None) — asserts classification == "hybrid" and risk_score == "low".
Category 5 — quantum-safe (expected: classification = "quantum-safe", risk_score = "none")
1.19. Running classify("AES-256-GCM", "block-cipher", "256") — asserts classification == "quantum-safe" and risk_score == "none".
1.20. Running classify("SHA-256", "hash", "256") — asserts classification == "quantum-safe" and risk_score == "none".
1.21. Running classify("SHA-384", "hash", "384") — asserts classification == "quantum-safe".
1.22. Running classify("SHA-512", "hash", "512") — asserts classification == "quantum-safe".
1.23. Running classify("ChaCha20-Poly1305", "ae", None) — asserts classification == "quantum-safe".
Category 6 — unknown (expected: classification = "unknown", risk_score = "high")
1.24. Running classify("SuperQuantumAlgo9000", None, None) — asserts classification == "unknown".
Parent links: SRS-011 Classify cryptographic algorithms in a CBOM by quantum risk
Child links: TRP-011 Test report for algorithm classification
| Attribute | Value |
|---|---|
| platform | Visual Studio Code |
| execution_type | Manual |
| verification_method | T |
| release | alpha |
| complexity | 2 |
| version | 0.2 |
12 Verify that annotated CBOM contains 'pqcmat' risk properties TCS-012
Preconditions:
- Docker engine running
- VS Code with the "Dev Containers" extension.
Setup:
- Open the project with Dev Containers.
- Activate virtual environment:
poetry shell
Test steps
- Run the unit tests at
tests/test_cbom_scorer.py:
pytest tests/test_cbom_scorer.py
- Open the unit tests file and ensure that the tests cover the following aspects:
-
For each asset of type
algorithm(components.cryptoProperties.assetType == "algorithm") in the annotated CBOM output, apropertiesarray is present with the entries:"name": "pqcmat:risk-classification"with a non-emptyvalue."name": "pqcmat:risk-score"with one of the values:high,medium,lowornone"name": "pqcmat:rationale""name": "pqcmat:recommended-migration".
-
The annotated CBOM
metadata.propertiescontains an entry with"name": "pqcmat:scored-at". - Non-algorithm components (protocol, certificate and any where
components.cryptoProperties.assetType != "algorithm") do not havepqcmat:properties. - CBOM files are annotated regardless of whether they use the format
"type": "cryptographic-asset"or"type": "crypto-asset"to identify the components.
Expected outcome
- All the tests pass with no errors.
- All the described validations are covered by the tests.
Parent links: SRS-012 Produce a CBOM annotated with quantum risk properties
Child links: TRP-012 Test report for CBOM annotated with pqcmat properties
| Attribute | Value |
|---|---|
| platform | Visual Studio Code |
| execution_type | Manual |
| verification_method | Test, Inspection |
| release | alpha |
| complexity | 4 |
| test_data | tests/data/sample4risk-scorer-cbom.json, tests/data/sample-short-frmt-cbom.json |
| version | 0.3 |
13 Verify creation of unified CBOM TCS-013
Preconditions:
- Docker engine running
- VS Code with the "Dev Containers" extension.
Setup:
- Open the project with Dev Containers.
- Activate the virtual environment:
poetry shell
Test steps
- Run vector code on the test repository with Python and C++ files
vector code tests/data/mixed_repo/
- Go to the
tor/vector_code/output/folder and verify that the following folders exist:
cbom: containing thecrypto-combined-cbom.jsonfiledatabases: with foldersdb-cppanddb-pythonresults: containing two SARIF files, one for C++ and one for Python
- From the
outputfolder, verify that algorithms from both source files were detected by counting the number of occurrences of"location": "crypto_func.py"and"location": "crypto_utils.cpp"in the CBOM file:
grep -c '"location": "crypto_func.py"' cbom/crypto-combined-cbom.jsongrep -c '"location": "crypto_utils.cpp"' cbom/crypto-combined-cbom.json
Expected outcome
- The command finishes with the message "Completed successfully" and shows the path of the generated CBOM.
- The folder exists and contains the referred components.
- The CBOM file contains 2 occurrences of 'crypto_func.py' and 3 of 'crypto_utils.cpp'.
Parent links: SRS-014 Produce a single unified CBOM for multi-language projects
Child links: TRP-013 Test report for unified CBOM creation verification
| Attribute | Value |
|---|---|
| platform | Visual Studio Code |
| execution_type | Manual |
| verification_method | Test |
| release | alpha |
| complexity | 2 |
| test_data | tests/data/mixed_repo |
| version | 0.3 |
14 Verify Markdown risk report structure and source locations TCS-014
Preconditions and setup actions
- TCS-013 has been executed successfully; the combined CBOM exists at
tor/vector_code/output/cbom/crypto-combined-cbom.json. - Virtual environment is active (
poetry shell). cd
Test steps
- From the project home (
cd ~/vector-project/), runvector scoreon the CBOM produced by TCS-013:
vector score tor/vector_code/output/cbom/crypto-combined-cbom.json
- Verify that the output files
crypto-combined-cbom_scored.jsonandcrypto-combined-cbom_risk_report.mdwere created in thecbomdirectory:
ls tor/vector_code/output/cbom
-
Open the report and verify that it has a header that includes the name of the target application and a timestamp.
-
Verify that a summary table is present with columns "Risk classification", "Risk score" and "Count", and that the sum of the algorithms in the last column corresponds to the number of scored algorithms shown in the output of step 1.
-
Verify that the report contains two risk classification sections titled "Quantum-safe" and "Unknown/Unclassified", each with a table including the following columns: Algorithm, Primitive, Key size, Rationale, and Recommended migration.
-
Verify source locations for the files
crypto_func.pyandcrypto_utils.cppare present in the tables under each section. -
Verify that a "Normative references" section listing all the cited references is present.
Expected outcome
- The command displays the path where the risk report is written and the number of algorithms scored, which must be 5.
- Both
_scored.jsonand_risk_report.mdfiles are present. - The report includes the name of the scanned target in the header and includes a timestamp in the top section.
- A
Summarysection contains a table with a "Risk classification" column and an "Algorithm count" column; the total number of algorithms reported on the summary is 5. - The sub-sections "Quantum-safe" and "Unknown/unclassified" are present and each contains a table; the table has columns for Algorithm, Primitive, Key size, Rationale, and Recommended migration.
- Both source file names appear in the report at least once each, with an associated line number.
- A normative references section (
## Referencesor similar) is present and lists at least one standard.
Parent links: SRS-013 Produce a Markdown risk report grouped by classification, SRS-015 Show source locations of VECTOR-Code output in risk report
Child links: TRP-014 Test report for Markdown risk report
| Attribute | Value |
|---|---|
| platform | Docker container or Visual Studio Code |
| execution_type | Manual |
| verification_method | T |
| release | alpha |
| complexity | 2 |
| test_data | tor/vector_code/output/cbom/crypto-combined-cbom.json (produced in TCS-013) |
| version | 0.3 |