added test
eyalk007 committed Sep 3, 2024
1 parent 4fa2643 commit 6719ecb
Showing 2 changed files with 179 additions and 1 deletion.
Expand Up @@ -23,7 +23,7 @@ public class ScanBinaryExecutorTest extends TestCase {
private final ScanBinaryExecutor scanner = new ApplicabilityScannerExecutor(new NullLog());
private final Path SIMPLE_OUTPUT = new File("src/test/resources/sourceCode/simple_output.sarif").toPath();
private final Path NOT_APPLIC_OUTPUT = new File("src/test/resources/sourceCode/not_applic_output.sarif").toPath();

private final Path NOT_APPLIC_KIND_PASS_OUTPUT = new File("src/test/resources/sourceCode/not_applic_kind_pass.sarif").toPath();
public void testInputBuilder() throws IOException {
ScanConfig.Builder inputFileBuilder = new ScanConfig.Builder();
Path inputPath = null;
Expand Down Expand Up @@ -85,6 +85,19 @@ public void testSarifParserNotApplicResults() throws IOException {
assertFalse(parsedOutput.get(3).isApplicable());
}

public void testSarifParserNotApplicResultsButKindPass() throws IOException {
List<JFrogSecurityWarning> parsedOutput = scanner.parseOutputSarif(NOT_APPLIC_KIND_PASS_OUTPUT);
assertEquals(5, parsedOutput.size());
// 1 known applicable results (code evidence returned)
assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID());
assertTrue(parsedOutput.get(0).isApplicable());
// 2 known no-applicable results (have a scanner but no code evidence returned)
assertEquals("applic_CVE-2021-25878", parsedOutput.get(2).getRuleID());
assertFalse(parsedOutput.get(2).isApplicable());
assertEquals("applic_CVE-2022-29019", parsedOutput.get(3).getRuleID());
assertFalse(parsedOutput.get(3).isApplicable());
}

public void testGetBinaryDownloadURL() {
final String externalRepoName = "test-releases-repo";
final String expectedExternalRepoUrl = "test-releases-repo/artifactory/xsc-gen-exe-analyzer-manager-local/";
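Review bot: The rule IDs expected for indices 2 and 3, `applic_CVE-2021-25878` and `applic_CVE-2022-29019`, do not occur in the not_applic_kind_pass.sarif fixture added in this commit, whose results carry ruleId applic_CVE-2022-25878 twice, applic_CVE-2021-3807 twice and applic_CVE-2021-3918 once, so unless parseOutputSarif rewrites or reorders rule IDs these two assertions fail; they look copied from testSarifParserNotApplicResults above. The test also never asserts on the two `"kind": "pass"` results (indices 3 and 4) that give it its name, so the behaviour it should pin — a passed scanner result must not surface as applicable — is not covered, and a regression there would be silent. The comment `// 1 known applicable results` undercounts as well: indices 0 and 1 both carry applic_CVE-2022-25878 with code evidence. The parse call, size check and index-0 checks can stay as they are; the rest of the method would read as below.
```java
public void testSarifParserNotApplicResultsButKindPass() throws IOException {
    // … unchanged: parse call, size assertion, index-0 assertions …
    // 1 known not-applicable result with a location but no code evidence
    assertEquals("applic_CVE-2021-3807", parsedOutput.get(2).getRuleID());
    assertFalse(parsedOutput.get(2).isApplicable());
    // 2 results with "kind": "pass" — parsed, but presumably never reported as applicable
    assertEquals("applic_CVE-2021-3807", parsedOutput.get(3).getRuleID());
    assertFalse(parsedOutput.get(3).isApplicable());
    assertEquals("applic_CVE-2021-3918", parsedOutput.get(4).getRuleID());
    assertFalse(parsedOutput.get(4).isApplicable());
}
```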
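--- /dev/null
+++ b/src/test/resources/sourceCode/not_applic_kind_pass.sarif
@@ -0,0 +1,165 @@
+{
+"runs": [
+{
+"tool": {
+"driver": {
+"name": "JFrog Applicability Scanner",
+"rules": [
+{
+"id": "applic_CVE-2021-3807",
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `ansi-regex` is called.",
+"markdown": "The scanner checks whether the vulnerable function `ansi-regex` is called."
+},
+"name": "CVE-2021-3807",
+"shortDescription": {
+"text": "Scanner for CVE-2021-3807"
+},
+"properties": {
+"applicability": "not_applicable",
+"conclusion": "positive",
+"security-severity": "6.9"
+}
+},
+{
+"id": "applic_CVE-2021-3918",
+"fullDescription": {
+"text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `util.setProperty` with external input to its 2nd (`path`) or 3rd (`value`) arguments.\n* `ReflectionObject.setParsedOption` with external input to its 2nd (`name`) or 3rd (`value`) arguments.\n* `parse` with external input to its 1st (`source`) argument.\n* `load`\n* `loadSync`\n\nThe scanner also checks whether the `Object.freeze()` remediation is not present.",
+"markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `util.setProperty` with external input to its 2nd (`path`) or 3rd (`value`) arguments.\n* `ReflectionObject.setParsedOption` with external input to its 2nd (`name`) or 3rd (`value`) arguments.\n* `parse` with external input to its 1st (`source`) argument.\n* `load`\n* `loadSync`\n\nThe scanner also checks whether the `Object.freeze()` remediation is not present."
+},
+"name": "CVE-2021-3918",
+"shortDescription": {
+"text": "Scanner for CVE-2021-3918"
+},
+"properties": {
+"applicability": "not_applicable",
+"conclusion": "positive",
+"security-severity": "6.9"
+}
+},
+{
+"id": "applic_CVE-2022-25878",
+"name": "CVE-2022-25878",
+"shortDescription": {
+"text": "Scanner for CVE-2022-25878"
+},
+"fullDescription": {
+"text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `util.setProperty` with external input to its 2nd (`path`) or 3rd (`value`) arguments.\n* `ReflectionObject.setParsedOption` with external input to its 2nd (`name`) or 3rd (`value`) arguments.\n* `parse` with external input to its 1st (`source`) argument.\n* `load`\n* `loadSync`\n\nThe scanner also checks whether the `Object.freeze()` remediation is not present.",
+"markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `util.setProperty` with external input to its 2nd (`path`) or 3rd (`value`) arguments.\n* `ReflectionObject.setParsedOption` with external input to its 2nd (`name`) or 3rd (`value`) arguments.\n* `parse` with external input to its 1st (`source`) argument.\n* `load`\n* `loadSync`\n\nThe scanner also checks whether the `Object.freeze()` remediation is not present."
+},
+"properties": {
+"applicability": "applicable",
+"conclusion": "positive",
+"security-severity": "6.9"
+}
+}
+],
+"version": "APPLIC_SCANNERv0.2.3"
+}
+},
+"invocations": [
+{
+"executionSuccessful": true,
+"arguments": [
+"ca_scanner/applicability_scanner",
+"scan",
+"aplic_config.yaml"
+],
+"workingDirectory": {
+"uri": "file:///Users/user/.jfrog-vscode-extension/issues/analyzerManager"
+}
+}
+],
+"results": [
+{
+"message": {
+"text": "Prototype pollution `Object.freeze` remediation was not detected, The vulnerable function protobufjs.parse is called with external input, The vulnerable function protobufjs.load(Sync) is called"
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "file:///examples/applic-demo/../applic-demo/index.js"
+},
+"region": {
+"endColumn": 18,
+"endLine": 21,
+"snippet": {
+"text": "protobuf.parse(p)"
+},
+"startColumn": 1,
+"startLine": 21
+}
+}
+}
+],
+"ruleId": "applic_CVE-2022-25878"
+},
+{
+"message": {
+"text": "Prototype pollution `Object.freeze` remediation was not detected, The vulnerable function protobufjs.parse is called with external input, The vulnerable function protobufjs.load(Sync) is called"
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "file:///examples/applic-demo/../applic-demo/index.js"
+},
+"region": {
+"endColumn": 74,
+"endLine": 23,
+"snippet": {
+"text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })"
+},
+"startColumn": 1,
+"startLine": 23
+}
+}
+}
+],
+"ruleId": "applic_CVE-2022-25878"
+},
+{
+"message": {
+"text": "Some remediation for not applicable issue."
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "file:///examples/applic-demo/../applic-demo/index.js"
+},
+"region": {
+"endColumn": 1,
+"endLine": 23,
+"snippet": {
+"text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })"
+},
+"startColumn": 1,
+"startLine": 1
+}
+}
+}
+],
+"ruleId": "applic_CVE-2021-3807"
+},
+{
+"message": {
+"text": "The scanner checks whether the vulnerable function `ansi-regex` is called."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2021-3807"
+},
+{
+"message": {
+"text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2021-3918"
+}
+]
+}
+],
+"version": "2.1.0",
+"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"
+}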
