test: add Api/Stig controller tests; fix current()-on-object + null 404s

Add functional coverage for ApiController and StigController (happy paths for
/api, CCI, RMF v4/v5, STIG list/summary/vuln, plus unknown-version 404s).

Writing the tests surfaced two pre-existing issues, now fixed:

- current() called on a SimpleXMLElement is deprecated as of PHP 8.4. Replace
  the 14 current($object) sites in ApiController with direct (string) casts /
  attribute access. The current($x->xpath(...)) calls take arrays and are left
  as-is. Output verified byte-identical across rmf/4, rmf/5, stig summary,
  stig vuln and scap vuln (only the intentionally-random /api/stig/tip differs).
- A missing version/release left array_pop() returning null, so $stig->filename
  warned ("property on null") before the file guard. Add an explicit null check
  that 404s first, in ApiController, StigController and ScapController.

Also ignore the subdirectory .phpunit.cache (the root-anchored rule didn't
reach cyber.trackr.live/).

Verified on PHP 8.4 (deploy target): OK (26 tests, 2065 assertions), no
warnings or deprecations.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: CyberSecDef

.gitignore

@@ -39,6 +39,7 @@
 /cyber.trackr.live/var/
 /cyber.trackr.live/vendor/
 /cyber.trackr.live/node_modules/
+/cyber.trackr.live/.phpunit.cache/
 
 # Air-gapped image tarballs produced by cyber.trackr.live/bin/build-image.sh
 # (multi-GB `docker save` output) — generated artifacts, never committed.

cyber.trackr.live/src/Controller/ApiController.php

@@ -253,7 +253,7 @@ public function api_rmfv4_show($con): Response
 
         $results['enhancements'] = [];
         foreach ($controls_xml->xpath("./aaa:control-enhancements/aaa:control-enhancement") as $enhancement) {
-            $results['enhancements'][current($enhancement->number)] = current($enhancement->title);
+            $results['enhancements'][(string)$enhancement->number] = (string)$enhancement->title;
         }
 
         return new Response(json_encode($results, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), Response::HTTP_OK, ['content-type' => 'application/json'] );
@@ -385,15 +385,15 @@ public function api_rmf_show($con): Response
         $results['references'] = [];
         foreach ($controls_xml->xpath("./xmlns:references/xmlns:reference") as $ref) {
             $results['references'][] = [
-                "href" => str_replace("\/", "/", current($ref->item)['href']),
-                "text" => current($ref->item->text),
-                "name" => current($ref->short_name)
+                "href" => str_replace("\/", "/", (string)$ref->item['href']),
+                "text" => (string)$ref->item->text,
+                "name" => (string)$ref->short_name
             ];
         }
 
         $results['enhancements'] = [];
         foreach ($controls_xml->xpath("./xmlns:control-enhancements/xmlns:control-enhancement") as $enhancement) {
-            $results['enhancements'][current($enhancement->number)] = current($enhancement->title);
+            $results['enhancements'][(string)$enhancement->number] = (string)$enhancement->title;
         }
 
         return new Response(json_encode($results, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), Response::HTTP_OK, ['content-type' => 'application/json'] );
@@ -541,9 +541,9 @@ public function api_stig_tip(): Response
         $vuln_id = (string)$group->attributes()['id'];
 
         $collection[$key]->tip = [
-            "title" => (string)current($group->Rule->title),
-            "rule" => (string)current($group->Rule->attributes()['id']),
-            "severity" => (string)current($group->Rule->attributes()['severity']),
+            "title" => (string)$group->Rule->title,
+            "rule" => (string)$group->Rule->attributes()['id'],
+            "severity" => (string)$group->Rule->attributes()['severity'],
             "vuln_id" => $vuln_id,        
         ];
 
@@ -573,6 +573,9 @@ public function api_stig_summary($title, $version, $release): Response
             return false;
         });
         $stig = array_pop($stig);
+        if ($stig === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig->filename);
         if ($stig_filename === false || !is_file($stig_filename)) {
             throw $this->createNotFoundException('The STIG does not exist');
@@ -598,17 +601,17 @@ public function api_stig_summary($title, $version, $release): Response
 
         $results["profiles"] = [];
         foreach ($stig_xml->xpath('/xmlns:Benchmark/xmlns:Profile') as $profile) {
-            $results["profiles"][(string)$profile->attributes()['id']] = (string)current($profile->title);
+            $results["profiles"][(string)$profile->attributes()['id']] = (string)$profile->title;
         }
 
         $results["requirements"] = [];
         foreach ($stig_xml->xpath('/xmlns:Benchmark/xmlns:Group') as $group) {
             $vuln_id = (string)$group->attributes()['id'];
 
             $results["requirements"][$vuln_id] = [
-                "title" => (string)current($group->Rule->title),
-                "rule" => (string)current($group->Rule->attributes()['id']),
-                "severity" => (string)current($group->Rule->attributes()['severity']),
+                "title" => (string)$group->Rule->title,
+                "rule" => (string)$group->Rule->attributes()['id'],
+                "severity" => (string)$group->Rule->attributes()['severity'],
                 "link" => "/stig/{$title}/{$version}/{$release}/{$vuln_id}"
             ];
         }
@@ -634,6 +637,9 @@ public function api_stig_vuln(Request $request, $title, $version, $release, $vul
             return false;
         });
         $stig = array_pop($stig);
+        if ($stig === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig->filename);
         if ($stig_filename === false || !is_file($stig_filename)) {
             throw $this->createNotFoundException('The STIG does not exist');
@@ -659,7 +665,7 @@ public function api_stig_vuln(Request $request, $title, $version, $release, $vul
         $results["stig-published"] = (string)current($stig_xml->xpath('/xmlns:Benchmark/xmlns:status/@date'));
 
         $vuln = current($stig_xml->xpath("/xmlns:Benchmark/xmlns:Group[@id='{$vuln}']"));
-        $results["id"] = (string)current($vuln->attributes()['id']);
+        $results["id"] = (string)$vuln->attributes()['id'];
         $results["group"] = (string)$vuln->title;
         $results["rule"] = (string)$vuln->Rule->attributes()['id'];
         $results["severity"] = (string)$vuln->Rule->attributes()['severity'];
@@ -725,6 +731,9 @@ public function api_scap_summary($title, $version, $release): Response
             return false;
         });
         $scap = array_pop($scap);
+        if ($scap === null) {
+            throw $this->createNotFoundException('The SCAP does not exist');
+        }
         $scap_filename = realpath(__DIR__ . "/../../resources/data/scap/" . $scap->filename);
         if ($scap_filename === false || !is_file($scap_filename)) {
             throw $this->createNotFoundException('The SCAP does not exist');
@@ -786,6 +795,9 @@ public function api_scap_vuln($title, $version, $release, $vuln): Response
             return false;
         });
         $scap = array_pop($scap);
+        if ($scap === null) {
+            throw $this->createNotFoundException('The SCAP does not exist');
+        }
         $scap_filename = realpath(__DIR__ . "/../../resources/data/scap/" . $scap->filename);
         if ($scap_filename === false || !is_file($scap_filename)) {
             throw $this->createNotFoundException('The SCAP does not exist');
@@ -816,7 +828,7 @@ public function api_scap_vuln($title, $version, $release, $vuln): Response
 
         $vuln = current($scap_xml->xpath("//xccdf:Benchmark/xccdf:Group[@id='xccdf_mil.disa.stig_group_{$vuln}']"));
 
-        $results["id"] = (string)current($vuln->attributes()['id']);
+        $results["id"] = (string)$vuln->attributes()['id'];
         $results["group"] = (string)current($vuln->xpath("./xccdf:title"));
         $results["rule"] = (string)current($vuln->xpath("./xccdf:Rule/@id"));
         $results["severity"] = (string)current($vuln->xpath("./xccdf:Rule/@severity"));

cyber.trackr.live/src/Controller/ScapController.php

@@ -73,6 +73,9 @@ public function scap_download($title, $version, $release): Response
         });
 
         $scap = array_pop($scap);
+        if ($scap === null) {
+            throw $this->createNotFoundException('The SCAP does not exist');
+        }
         $scap_filename = realpath(__DIR__ . "/../../resources/data/scap/" . $scap->filename);
 
         if (file_exists($scap_filename)) {
@@ -106,6 +109,9 @@ public function scap_view($title, $version, $release): Response
             return false;
         });
         $scap = array_pop($scap);
+        if ($scap === null) {
+            throw $this->createNotFoundException('The SCAP does not exist');
+        }
         $scap_filename = realpath(__DIR__ . "/../../resources/data/scap/" . $scap->filename);
         if ($scap_filename === false || !is_file($scap_filename)) {
             throw $this->createNotFoundException('The SCAP does not exist');

cyber.trackr.live/src/Controller/StigController.php

@@ -213,6 +213,9 @@ public function stig_compare($title, $v1, $r1, $v2, $r2): Response
             return false;
         });
         $stig1 = array_pop($stig1);
+        if ($stig1 === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig1_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig1->filename);
         if ($stig1_filename === false || !is_file($stig1_filename)) {
             throw $this->createNotFoundException('The STIG does not exist');
@@ -229,6 +232,9 @@ public function stig_compare($title, $v1, $r1, $v2, $r2): Response
             return false;
         });
         $stig2 = array_pop($stig2);
+        if ($stig2 === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig2_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig2->filename);
         if ($stig2_filename === false || !is_file($stig2_filename)) {
             throw $this->createNotFoundException('The STIG does not exist');
@@ -285,6 +291,9 @@ public function stig_view($title, $version, $release, StigDigestBuilder $digestB
             return false;
         });
         $stig = array_pop($stig);
+        if ($stig === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig->filename);
         if ($stig_filename === false || !is_file($stig_filename)) {
             throw $this->createNotFoundException('The STIG does not exist');
@@ -435,6 +444,9 @@ public function stig_download($title, $version, $release): Response
         });
 
         $stig = array_pop($stig);
+        if ($stig === null) {
+            throw $this->createNotFoundException('The STIG does not exist');
+        }
         $stig_filename = realpath(__DIR__ . "/../../resources/data/stig/" . $stig->filename);
 
         if (file_exists($stig_filename)) {

cyber.trackr.live/tests/Controller/ApiControllerTest.php

@@ -0,0 +1,111 @@
+<?php
+
+namespace App\Tests\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+class ApiControllerTest extends WebTestCase
+{
+    // A STIG known to exist in stig_toc.json (V4R8). The wizard test covers V6R4.
+    private const STIG_TITLE   = 'Application_Security_and_Development';
+    private const STIG_VERSION = '4';
+    private const STIG_RELEASE = '8';
+    private const STIG_VULN    = 'V-69239';
+
+    public function testApiSummaryRenders(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api');
+        $this->assertResponseIsSuccessful();
+    }
+
+    public function testCciListReturnsJson(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/cci');
+
+        $this->assertResponseIsSuccessful();
+        $data = json_decode((string) $client->getResponse()->getContent(), true);
+        $this->assertIsArray($data);
+        $this->assertNotEmpty($data);
+    }
+
+    public function testCciShowReturnsControl(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/cci/CCI-000001');
+
+        $this->assertResponseIsSuccessful();
+        $data = json_decode((string) $client->getResponse()->getContent(), true);
+        $this->assertSame('CCI-000001', $data['cci'] ?? null);
+    }
+
+    public function testRmfV4ListReturnsControls(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/rmf/4');
+
+        $this->assertResponseIsSuccessful();
+        $data = json_decode((string) $client->getResponse()->getContent(), true);
+        $this->assertArrayHasKey('controls', $data);
+        $this->assertNotEmpty($data['controls']);
+    }
+
+    public function testRmfV5ListReturnsControls(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/rmf/5');
+
+        $this->assertResponseIsSuccessful();
+        $data = json_decode((string) $client->getResponse()->getContent(), true);
+        $this->assertArrayHasKey('controls', $data);
+        $this->assertNotEmpty($data['controls']);
+    }
+
+    public function testStigListReturnsJson(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/api/stig');
+
+        $this->assertResponseIsSuccessful();
+        $data = json_decode((string) $client->getResponse()->getContent(), true);
+        $this->assertIsArray($data);
+        $this->assertNotEmpty($data);
+    }
+
+    public function testStigSummaryReturnsJson(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', sprintf(
+            '/api/stig/%s/%s/%s',
+            self::STIG_TITLE,
+            self::STIG_VERSION,
+            self::STIG_RELEASE
+        ));
+
+        $this->assertResponseIsSuccessful();
+    }
+
+    public function testStigVulnReturnsJson(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', sprintf(
+            '/api/stig/%s/%s/%s/%s',
+            self::STIG_TITLE,
+            self::STIG_VERSION,
+            self::STIG_RELEASE,
+            self::STIG_VULN
+        ));
+
+        $this->assertResponseIsSuccessful();
+    }
+
+    // Exercises the guard added in commit 8710c31: a valid title with an unknown
+    // version/release resolves to no STIG file and must 404, not fatal with 500.
+    public function testStigSummaryUnknownVersionIs404(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', sprintf('/api/stig/%s/99/99', self::STIG_TITLE));
+        $this->assertResponseStatusCodeSame(404);
+    }
+}

cyber.trackr.live/tests/Controller/StigControllerTest.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace App\Tests\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+
+class StigControllerTest extends WebTestCase
+{
+    private const TITLE = 'Application_Security_and_Development';
+
+    public function testStigIndexRenders(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/stig');
+        $this->assertResponseIsSuccessful();
+    }
+
+    public function testStigViewRenders(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/stig/' . self::TITLE . '/4/8');
+        $this->assertResponseIsSuccessful();
+    }
+
+    public function testStigCompareRenders(): void
+    {
+        $client = static::createClient();
+        // Compare V4R8 against V6R4 — both present in the toc for this title.
+        $client->request('GET', '/stig/' . self::TITLE . '/4/8/6/4');
+        $this->assertResponseIsSuccessful();
+    }
+
+    // Guard from commit 8710c31: valid title, unknown version/release -> 404.
+    public function testStigViewUnknownVersionIs404(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/stig/' . self::TITLE . '/99/99');
+        $this->assertResponseStatusCodeSame(404);
+    }
+}