refactor(security): move DependencyViolation and ComplianceReport to shared module (#378)

littleKitchen · WilliamBerryiii · web-flow · commit 1dd31adc6d9c · 2026-02-03T14:14:30.000-08:00
## Summary Resolves #324 Moves inline class definitions from `Test-DependencyPinning.ps1` to a dedicated module for improved reusability and testability. ## Changes ### New: `scripts/security/Modules/SecurityClasses.psm1` - `DependencyViolation` class - represents a single pinning violation - Default constructor - Parameterized constructor for common use cases - `ComplianceReport` class - aggregates violations and generates reports - `AddViolation()` method - `CalculateScore()` method - `ToHashtable()` method for serialization - Full documentation with examples ### Updated: `Test-DependencyPinning.ps1` - Added `using module` import for SecurityClasses.psm1 - Removed ~35 lines of inline class definitions ## Testing - ✅ `npm run lint:ps` - PSScriptAnalyzer passes - ✅ `npm run test:ps` - All Pester tests pass (779 passed) ## Notes Follows the pattern established by `FrontmatterValidation.psm1` in the linting modules. --------- Co-authored-by: Bill Berry <WilliamBerryiii@users.noreply.github.com> Co-authored-by: Bill Berry <wberry@microsoft.com>
diff --git a/scripts/security/Modules/SecurityClasses.psm1 b/scripts/security/Modules/SecurityClasses.psm1
@@ -0,0 +1,138 @@
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: MIT
+
+# SecurityClasses.psm1
+#
+# Purpose: Shared class definitions for security scanning scripts.
+# Author: HVE Core Team
+
+<#
+.SYNOPSIS
+    Shared class definitions for dependency pinning and compliance reporting.
+
+.DESCRIPTION
+    This module contains class definitions used by security scanning scripts:
+    - DependencyViolation: Represents a single dependency pinning violation
+    - ComplianceReport: Aggregates violations and generates compliance reports
+
+.NOTES
+    Classes must be imported using 'using module' syntax at the top of scripts:
+    using module ./Modules/SecurityClasses.psm1
+#>
+
+class DependencyViolation {
+    <#
+    .SYNOPSIS
+        Represents a single dependency pinning violation.
+
+    .DESCRIPTION
+        Contains information about a dependency that is not properly SHA-pinned,
+        including file location, dependency details, and remediation guidance.
+    #>
+
+    [string]$File
+    [int]$Line
+    [string]$Type
+    [string]$Name
+    [string]$Version
+    [string]$CurrentRef
+    [string]$Severity
+    [string]$Description
+    [string]$Remediation
+    [hashtable]$Metadata
+
+    DependencyViolation() {
+        $this.Metadata = @{}
+    }
+
+    DependencyViolation(
+        [string]$File,
+        [int]$Line,
+        [string]$Type,
+        [string]$Name,
+        [string]$Severity,
+        [string]$Description
+    ) {
+        $this.File = $File
+        $this.Line = $Line
+        $this.Type = $Type
+        $this.Name = $Name
+        $this.Severity = $Severity
+        $this.Description = $Description
+        $this.Metadata = @{}
+    }
+}
+
+class ComplianceReport {
+    <#
+    .SYNOPSIS
+        Aggregates dependency violations and generates compliance reports.
+
+    .DESCRIPTION
+        Collects violations from dependency scans and provides metrics like
+        compliance score, total dependencies, and summary by type.
+    #>
+
+    [string]$ScanPath
+    [datetime]$Timestamp
+    [int]$TotalFiles
+    [int]$ScannedFiles
+    [int]$TotalDependencies
+    [int]$PinnedDependencies
+    [int]$UnpinnedDependencies
+    [decimal]$ComplianceScore
+    [DependencyViolation[]]$Violations
+    [hashtable]$Summary
+    [hashtable]$Metadata
+
+    ComplianceReport() {
+        $this.Timestamp = Get-Date
+        $this.Violations = @()
+        $this.Summary = @{}
+        $this.Metadata = @{}
+    }
+
+    ComplianceReport([string]$ScanPath) {
+        $this.ScanPath = $ScanPath
+        $this.Timestamp = Get-Date
+        $this.Violations = @()
+        $this.Summary = @{}
+        $this.Metadata = @{}
+    }
+
+    [void] AddViolation([DependencyViolation]$Violation) {
+        $this.Violations += $Violation
+        $this.UnpinnedDependencies = $this.Violations.Count
+    }
+
+    [void] CalculateScore() {
+        if ($this.TotalDependencies -gt 0) {
+            $this.ComplianceScore = [math]::Round(
+                ($this.PinnedDependencies / $this.TotalDependencies) * 100, 2
+            )
+        }
+        else {
+            $this.ComplianceScore = 100.0
+        }
+    }
+
+    [hashtable] ToHashtable() {
+        return @{
+            ScanPath             = $this.ScanPath
+            Timestamp            = $this.Timestamp.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+            TotalFiles           = $this.TotalFiles
+            ScannedFiles         = $this.ScannedFiles
+            TotalDependencies    = $this.TotalDependencies
+            PinnedDependencies   = $this.PinnedDependencies
+            UnpinnedDependencies = $this.UnpinnedDependencies
+            ComplianceScore      = $this.ComplianceScore
+            Violations           = $this.Violations
+            Summary              = $this.Summary
+            Metadata             = $this.Metadata
+        }
+    }
+}
+
+# Classes are exported automatically when imported via 'using module' syntax.
+# No functions to export.
+Export-ModuleMember -Function @()
diff --git a/scripts/security/Test-DependencyPinning.ps1 b/scripts/security/Test-DependencyPinning.ps1
@@ -84,6 +84,9 @@
     https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 #>
 
+# Import security classes from shared module
+using module ./Modules/SecurityClasses.psm1
+
 [CmdletBinding()]
 param(
     [Parameter(Mandatory = $false)]
@@ -163,43 +166,7 @@ $DependencyPatterns = @{
     }
 }
 
-class DependencyViolation {
-    [string]$File
-    [int]$Line
-    [string]$Type
-    [string]$Name
-    [string]$Version
-    [string]$CurrentRef
-    [string]$Severity
-    [string]$Description
-    [string]$Remediation
-    [hashtable]$Metadata
-
-    DependencyViolation() {
-        $this.Metadata = @{}
-    }
-}
-
-class ComplianceReport {
-    [string]$ScanPath
-    [datetime]$Timestamp
-    [int]$TotalFiles
-    [int]$ScannedFiles
-    [int]$TotalDependencies
-    [int]$PinnedDependencies
-    [int]$UnpinnedDependencies
-    [decimal]$ComplianceScore
-    [DependencyViolation[]]$Violations
-    [hashtable]$Summary
-    [hashtable]$Metadata
-
-    ComplianceReport() {
-        $this.Timestamp = Get-Date
-        $this.Violations = @()
-        $this.Summary = @{}
-        $this.Metadata = @{}
-    }
-}
+# DependencyViolation and ComplianceReport classes moved to ./Modules/SecurityClasses.psm1
 
 function Test-ShellDownloadSecurity {
     <#
