added missing test
eyalk007 committed Sep 8, 2024
1 parent 7492249 commit bba9838
Showing 5 changed files with 192 additions and 153 deletions.
Expand Up @@ -257,7 +257,7 @@ protected boolean isPackageTypeSupported(PackageManagerType type) {
return type != null && supportedPackageTypes.contains(type);
}

protected List<JFrogSecurityWarning> parseOutputSarif(Path outputFile) throws IOException {
protected List<JFrogSecurityWarning> parseOutputSarif(Path outputFile) throws IOException,IndexOutOfBoundsException {
Output output = getOutputObj(outputFile);
List<JFrogSecurityWarning> warnings = new ArrayList<>();

2 changes: 1 addition & 1 deletion src/main/java/com/jfrog/ide/idea/scan/data/Driver.java
Expand Up @@ -48,7 +48,7 @@ public boolean equals(Object other) {
return (Objects.equals(this.name, rhs.name) && (CollectionUtils.isEqualCollection(this.rules, rhs.rules)));
}

public Rule getRuleById(String ruleId) {
public Rule getRuleById(String ruleId) throws IndexOutOfBoundsException {
return rules.stream()
.filter(rule -> rule.getId().equals(ruleId))
.findFirst()
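Review bot: Declaring `throws IndexOutOfBoundsException` on `getRuleById` advertises an unchecked, index-flavoured exception for what is really a malformed-input condition, a SARIF result whose `ruleId` matches nothing under `tool.driver.rules`; the terminal operation after `.findFirst()` lies outside the hunk, so where that exception is actually raised is not visible here. Because the SARIF is produced by an external scanner binary, a miss is better reported as a parse error that names the id, e.g. `.orElseThrow(() -> new IllegalArgumentException("SARIF result references unknown rule id: " + ruleId))`, or returned as `Optional<Rule>` so `parseOutputSarif` decides how to handle it. Independently, `rule.getId().equals(ruleId)` throws `NullPointerException` for a rule entry that has no `id`, which `Objects.equals(rule.getId(), ruleId)` avoids, and `Objects` is already used in this file. Whichever is chosen, record it as a `@throws` tag in the method Javadoc rather than only in the `throws` clause.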
24 changes: 6 additions & 18 deletions src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
Expand Up @@ -7,7 +7,6 @@
import junit.framework.TestCase;
import org.apache.commons.io.FileUtils;
import org.jfrog.build.api.util.NullLog;
import org.junit.Assert;

import java.io.File;
import java.io.IOException;
Expand All @@ -23,9 +22,9 @@
**/
public class ScanBinaryExecutorTest extends TestCase {
private final ScanBinaryExecutor scanner = new ApplicabilityScannerExecutor(new NullLog());
private final Path FAULTY_OUTPUT = new File("src/test/resources/sourceCode/faulty_output.sarif").toPath();
private final Path SIMPLE_OUTPUT = new File("src/test/resources/sourceCode/simple_output.sarif").toPath();
private final Path NOT_APPLIC_OUTPUT = new File("src/test/resources/sourceCode/not_applic_output.sarif").toPath();
private final Path APPLIC_KIND_PASS_OUTPUT = new File("src/test/resources/sourceCode/applicable_kind_pass_output.sarif").toPath();
private final Path APPLIC_KIND_PASS_AND_FAIL_OUTPUT = new File("src/test/resources/sourceCode/applicable_kind_pass_output.sarif").toPath();
public void testInputBuilder() throws IOException {
ScanConfig.Builder inputFileBuilder = new ScanConfig.Builder();
Path inputPath = null;
Expand Down Expand Up @@ -72,23 +71,12 @@ public void testSarifParser() throws IOException {
assertEquals(73, parsedOutput.get(1).getColEnd());
}

public void testSarifParserNotApplicResults() throws IOException {
List<JFrogSecurityWarning> parsedOutput = scanner.parseOutputSarif(NOT_APPLIC_OUTPUT);
assertEquals(4, parsedOutput.size());
// 2 known applicable results (code evidence returned)
assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID());
assertTrue(parsedOutput.get(0).isApplicable());
assertEquals("CVE-2022-25978", parsedOutput.get(1).getRuleID());
assertTrue(parsedOutput.get(1).isApplicable());
// 2 known no-applicable results (have a scanner but no code evidence returned)
assertEquals("applic_CVE-2021-25878", parsedOutput.get(2).getRuleID());
assertFalse(parsedOutput.get(2).isApplicable());
assertEquals("applic_CVE-2022-29019", parsedOutput.get(3).getRuleID());
assertFalse(parsedOutput.get(3).isApplicable());
public void testSarifParserWithMissingRole() throws IndexOutOfBoundsException {
assertThrows(IndexOutOfBoundsException.class,() -> scanner.parseOutputSarif(FAULTY_OUTPUT));
}

public void testSarifParserApplicResultsWithKindPass() throws IOException {
List<JFrogSecurityWarning> parsedOutput = scanner.parseOutputSarif(APPLIC_KIND_PASS_OUTPUT);
public void testSarifParserApplicResultsWithKindPassAndFail() throws IOException {
List<JFrogSecurityWarning> parsedOutput = scanner.parseOutputSarif(APPLIC_KIND_PASS_AND_FAIL_OUTPUT);
assertEquals(6, parsedOutput.size());
//Not Applicable with kind pass
assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID());
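Review bot: The renamed constant `APPLIC_KIND_PASS_AND_FAIL_OUTPUT` still resolves to `applicable_kind_pass_output.sarif`, the same file the old `APPLIC_KIND_PASS_OUTPUT` used, so the rename promises a pass-and-fail fixture this commit does not add; either point it at a new fixture or keep the old name. `testSarifParserWithMissingRole` looks like a typo for "Rule", and because it asserts only the exception type, a fixture that breaks for an unrelated reason would still pass; naming it for the fault, e.g. `testSarifParserWithUnknownRuleId`, with a comment on `FAULTY_OUTPUT` such as `// last result references applic_CVE-2022-29614, which has no entry under tool.driver.rules`, ties the test to what it checks. The `throws IndexOutOfBoundsException` clause on that test method is redundant for an unchecked exception and can be dropped. With `import org.junit.Assert;` removed, the unqualified `assertThrows` must come from a static import above the visible import hunk, since `junit.framework.TestCase` does not provide it; worth confirming. Deleting `testSarifParserNotApplicResults` together with `not_applic_output.sarif` removes the only visible coverage of the applicable/not-applicable split for results with and without code evidence; unless `testSarifParserApplicResultsWithKindPassAndFail` exercises the same cases, that test should stay.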
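--- /dev/null
+++ b/src/test/resources/sourceCode/faulty_output.sarif
@@ -0,0 +1,184 @@
+{
+"runs": [
+{
+"tool": {
+"driver": {
+"name": "JFrog Applicability Scanner",
+"rules": [
+{
+"id": "applic_CVE-2022-25878",
+"properties": {
+"conclusion": "positive",
+"applicability": "not_applicable"
+},
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `pem.Decode` is called.",
+"markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2022-25878"
+}
+},
+{
+"id": "applic_CVE-2022-25978",
+"properties": {
+"conclusion": "negative",
+"applicability": "applicable"
+},
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+"markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2022-25978"
+}
+},
+{
+"id": "applic_CVE-2021-25878",
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `pem.Decode` is called.",
+"markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2021-25878"
+}
+},
+{
+"id": "applic_CVE-2022-29019",
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+"markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2022-29019"
+}
+},
+{
+"id": "applic_CVE-2022-29004",
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+"markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2022-29004"
+}, "properties": {
+"conclusion": "positive",
+"applicability": "not_covered"
+}
+},
+{
+"id": "applic_CVE-2022-29014",
+"fullDescription": {
+"text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.",
+"markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used."
+},
+"shortDescription": {
+"text": "Scanner for applic_CVE-2022-29014"
+}, "properties": {
+"conclusion": "positive",
+"applicability": "undetermined"
+}
+}
+],
+"version": "APPLIC_SCANNERv0.2.0"
+}
+},
+"invocations": [
+{
+"executionSuccessful": true,
+"arguments": [
+"scan"
+],
+"workingDirectory": {
+"uri": ""
+}
+}
+],
+"results": [
+{
+"message": {
+"text": "The vulnerable function protobufjs.load is called"
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "file:///examples/applic-demo/index.js"
+},
+"region": {
+"endColumn": 17,
+"endLine": 20,
+"snippet": {
+"text": "protobuf.parse(p)"
+},
+"startColumn": 0,
+"startLine": 20
+}
+}
+}
+],
+"ruleId": "applic_CVE-2022-25878"
+},
+{
+"message": {
+"text": "The vulnerable function protobufjs.parse is called."
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "file:///examples/applic-demo/index.js"
+},
+"region": {
+"endColumn": 73,
+"endLine": 22,
+"snippet": {
+"text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })"
+},
+"startColumn": 0,
+"startLine": 18
+}
+}
+}
+],
+"ruleId": "applic_CVE-2022-25978"
+},
+{
+"message": {
+"text": "The scanner checks whether the vulnerable function `ansi-regex` is called."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2021-25878"
+},
+{
+"message": {
+"text": "The scanner checks whether the vulnerable function `ansi-regex` is called."
+},
+"kind": "fail",
+"ruleId": "applic_CVE-2022-29019"
+},
+{
+"message": {
+"text": "The scanner checks whether the vulnerable function `call-all-ansi` is called."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2022-29004"
+},
+{"message": {
+"text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2022-29014"
+},
+{"message": {
+"text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called."
+},
+"kind": "pass",
+"ruleId": "applic_CVE-2022-29614"
+}
+]
+}
+],
+"version": "2.1.0",
+"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"
+}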
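Review bot: Nothing in this fixture marks what makes it faulty, and JSON carries no comments; checked against `tool.driver.rules`, every result's `ruleId` resolves except the final one, `applic_CVE-2022-29614`, which has no rule entry. That distinction belongs next to `FAULTY_OUTPUT` in `ScanBinaryExecutorTest`, e.g. `// last result references applic_CVE-2022-29614, which has no entry under tool.driver.rules`, so a later edit to the fixture does not silently make the test pass for a different reason. The two `"properties"` objects placed after `shortDescription` (for `applic_CVE-2022-29004` and `applic_CVE-2022-29014`) are valid JSON but ordered differently from the first two rule entries; keying them the same way makes the fixture easier to read and to diff.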
133 changes: 0 additions & 133 deletions src/test/resources/sourceCode/not_applic_output.sarif

This file was deleted.
