sastbox_sdk 1.0.0

data/spec/sastbox-sdk/codebase_spec.rb

@@ -0,0 +1,7 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+
+RSpec.describe 'Codebase' do
+end
+

data/spec/sastbox-sdk/cwe_constants_spec.rb

@@ -0,0 +1,7 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+
+RSpec.describe 'Cwe_constants' do
+end
+

data/spec/sastbox-sdk/cwe_detector_spec.rb

@@ -0,0 +1,216 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+
+RSpec.describe 'Cwe_detector' do
+  let(:scanner) do
+    SastBox::Scanner.new(
+    name: 'test_name',
+    name_alias: 'test_alias',
+    description: 'test_desc',
+    support: ['test_support'],
+    version: '0.1',
+    tool: 'test_tool'
+  )
+  end
+
+  describe 'cwe_found?' do
+    context 'when issue has pattern' do
+      let(:issue) do
+      {
+        title: 'cmd exec',
+        description: 'cmd exec'
+      }
+      end
+
+      let(:cwe_id) { 123 }
+
+      before do
+        scanner.alternative_titles(issue)
+        @status = scanner.cwe_found?(issue, ['cmd exec'], cwe_id)
+      end
+
+      it { expect( issue[:cwe_id]).to eq cwe_id }
+      it { expect( @status).to be true }
+    end
+
+    context 'when issue does not have pattern' do
+      let(:issue) do
+      {
+        title: 'cmd exec',
+        description: 'cmd exec'
+      }
+      end
+
+      let(:cwe_id) { 123 }
+
+      before do
+        scanner.alternative_titles(issue)
+      end
+
+      it {expect( scanner.cwe_found?(issue, ['xxx'], cwe_id)).to be false}
+      it {expect( issue[:cwe_id]).to eq nil}
+    end
+  end
+
+  describe 'cwe_start_heuristics?' do
+  end
+
+  describe 'guess_cwe' do
+    context 'when cwe_id is already assigned to valid CWE' do
+      let(:issue) do
+      {
+        title: 'sql inj',
+        description: 'sql inj',
+        cwe_id: 123
+      }
+      end
+
+      before do
+        scanner.guess_cwe(issue)
+      end
+
+      it {expect(issue[:cwe_id]).to be 123}
+    end
+
+    context 'when cwe_id is already assigned to invalid CWE' do
+      let(:issue) do
+      {
+        title: 'sql inj',
+        description: 'sql inj',
+        cwe_id: -1
+      }
+      end
+
+      before do
+        scanner.guess_cwe(issue)
+      end
+
+      it {expect(issue[:cwe_id]).to eq SastBox::Cwe::SQL_INJECTION}
+    end
+
+    ############################################################################
+    context 'when has sql injection pattern and cwe_id not set' do
+      let(:issue) { { title: 'sql inj', description: 'sql inj' } }
+      before { scanner.guess_cwe(issue) }
+      it 'sql injection' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::SQL_INJECTION
+      end
+    end
+    ############################################################################
+    context 'when has xss pattern and cwe_id not set' do
+      let(:issue) { { title: 'xss', description: 'xss' } }
+      before { scanner.guess_cwe(issue) }
+      it 'xss' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::XSS
+      end
+    end
+    ############################################################################
+    context 'when has cmd injection pattern and cwe_id not set' do
+      let(:issue) { { title: 'cmd injection', description: 'cmd injection' } }
+      before { scanner.guess_cwe(issue) }
+      it 'cmd injection' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::OS_COMMAND_INJECTION
+      end
+    end
+    ############################################################################
+    context 'when has code injection pattern and cwe_id not set' do
+      let(:issue) { { title: 'code injection', description: 'code injection' } }
+      before { scanner.guess_cwe(issue) }
+      it 'code injection' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::CODE_INJECTION
+      end
+    end
+    ############################################################################
+    context 'when has session fixation pattern and cwe_id not set' do
+      let(:issue) { { title: 'session fixation', description: 'session fixation' } }
+      before { scanner.guess_cwe(issue) }
+      it 'session fixation' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::SESSION_FIXATION
+      end
+    end
+    ############################################################################
+    context 'when has csrf pattern and cwe_id not set' do
+      let(:issue) { { title: 'csrf', description: 'csrf' } }
+      before { scanner.guess_cwe(issue) }
+      it 'csrf' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::CSRF
+      end
+    end
+    ############################################################################
+    context 'when has deserialization pattern and cwe_id not set' do
+      let(:issue) { { title: 'deserialization', description: 'deserialization' } }
+      before { scanner.guess_cwe(issue) }
+      it 'deserialization' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::DESERIALIZATION_OF_UNTRUSTED_DATA
+      end
+    end
+    ############################################################################
+    context 'when has path traversal pattern and cwe_id not set' do
+      let(:issue) { { title: 'path traversal', description: 'path traversal' } }
+      before { scanner.guess_cwe(issue) }
+      it 'path traversal' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::PATH_TRAVERSAL
+      end
+    end
+    ############################################################################
+    context 'when has hardcoded password pattern and cwe_id not set' do
+      let(:issue) { { title: 'hard-coded', description: 'hard-coded' } }
+      before { scanner.guess_cwe(issue) }
+      it 'hard-coded' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::HARD_CODED_PASSWORD
+      end
+    end
+    ############################################################################
+    context 'when has null pointer deref pattern and cwe_id not set' do
+      let(:issue) { { title: 'null pointer deref', description: 'null pointer deref' } }
+      before { scanner.guess_cwe(issue) }
+      it 'null pointer deref' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::NULL_POINTER_DEREFERENCE
+      end
+    end
+    ############################################################################
+    context 'when has broken crypto pattern and cwe_id not set' do
+      let(:issue) { { title: 'broken crypto', description: 'broken crypto' } }
+      before { scanner.guess_cwe(issue) }
+      it 'broken crypto' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::BROKEN_CRYPTO
+      end
+    end
+    ############################################################################
+    context 'when has improper authorization pattern and cwe_id not set' do
+      let(:issue) { { title: 'improper authorization', description: 'improper authorization' } }
+      before { scanner.guess_cwe(issue) }
+      it 'improper authorization' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::IMPROPER_AUTHORIZATION
+      end
+    end
+    ############################################################################
+    context 'when has improper authentication pattern and cwe_id not set' do
+      let(:issue) { { title: 'improper authentication', description: 'improper authentication' } }
+      before { scanner.guess_cwe(issue) }
+      it 'improper authentication' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::IMPROPER_AUTHENTICATION
+      end
+    end
+    ############################################################################
+    context 'when has improper input validation pattern and cwe_id not set' do
+      let(:issue) { { title: 'input validation', description: 'input validation' } }
+      before { scanner.guess_cwe(issue) }
+      it 'input validation' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::IMPROPER_INPUT_VALIDATION
+      end
+    end
+    ############################################################################
+    context 'when has unrestricted file upload pattern and cwe_id not set' do
+      let(:issue) { { title: 'unrestricted file upload', description: 'unrestricted file upload' } }
+      before { scanner.guess_cwe(issue) }
+      it 'unrestricted file upload' do
+        expect(issue[:cwe_id]).to eq SastBox::Cwe::UNRESTRICTED_UPLOAD_OF_FILE_WITH_DANGEROUS_TYPE
+      end
+    end
+
+
+  end
+
+end

data/spec/sastbox-sdk/opt_parser_spec.rb

@@ -0,0 +1,47 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+
+RSpec.describe 'Opt_parser' do
+  let(:scanner) do
+    SastBox::Scanner.new(
+      name: 'test_name',
+      name_alias: 'test_alias',
+      description: 'test_desc',
+      support: ['test_support'],
+      version: '0.1',
+      tool: 'test_tool'
+    )
+  end
+
+  describe 'parse_opts' do
+    context 'should parse all the provided options' do
+      subject { scanner.parse_opts(['-c', 'codebase', '-o', 'outputfile', '-v', '-t', '2', '-n']) }
+
+      it 'codebase - is expected to eq "codebase"' do
+        expect(subject.codebase).to eq 'codebase'
+      end
+
+      it "output - is expected to eq outputfile" do
+        expect(subject.output).to eq 'outputfile'
+      end
+
+      it "verbose - is expected to equal true" do
+        expect(subject.verbose).to be true
+      end
+
+      it "timeout - is expected to equal 120" do
+        expect(subject.timeout).to be 120
+      end
+
+      it "info - is expected to eq false" do
+        expect(subject.info).to be false
+      end
+
+      it "color - is expected to equal true" do
+        expect(subject.color).to be true
+      end
+    end
+  end
+end
+

data/spec/sastbox-sdk/printer_spec.rb

@@ -0,0 +1,59 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+
+RSpec.describe 'Printer' do
+  let(:scanner) do
+    SastBox::Scanner.new(
+      name: 'test_name',
+      name_alias: 'test_alias',
+      description: 'test_desc',
+      support: ['test_support'],
+      version: '0.1',
+      tool: 'test_tool'
+    )
+  end
+
+  describe 'print_title' do
+    context 'should print with title format' do
+      it {expect { scanner.print_title('abc') }.to output("[*] abc\n").to_stdout }
+    end
+  end
+
+  describe 'print_normal' do
+    context 'should print with normal format' do
+      it {expect { scanner.print_normal('abc') }.to output("abc\n").to_stdout }
+    end
+  end
+
+  describe 'print_success' do
+    context 'should print with success format' do
+      it {expect { scanner.print_success('abc') }.to output("[SUCCESS] abc\n").to_stdout }
+    end
+  end
+
+  describe 'print_error' do
+    context 'should print with error format' do
+      it {expect { scanner.print_error('abc') }.to output("[ ERROR ] abc\n").to_stdout }
+    end
+  end
+
+  describe 'print_with_label' do
+    context 'should print with label format' do
+      it {expect { scanner.print_with_label('abc', 'def') }.to output("[def] abc\n").to_stdout }
+    end
+  end
+
+  describe 'print_debug' do
+    context 'should print with debug format' do
+      it {expect { scanner.print_debug('abc') }.to output(/DEBUG\|.*\| abc/).to_stdout }
+    end
+  end
+
+  describe 'print_warning' do
+    context 'should print with warning format' do
+      it {expect { scanner.print_warning('abc') }.to output("[WARNING] abc\n").to_stdout }
+    end
+  end
+end
+

data/spec/sastbox-sdk/reporter_sarif_spec.rb

@@ -0,0 +1,57 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+require 'json-schema'
+
+
+RSpec.describe 'Reporter_sarif' do
+  let(:scanner) do
+    SastBox::Scanner.new(
+      name: 'test_name',
+      name_alias: 'test_alias',
+      description: 'test_desc',
+      support: ['test_support'],
+      version: '0.1',
+      tool: 'test_tool'
+    )
+  end
+
+  let(:filename) do
+    File.absolute_path(File.join(File.dirname(__FILE__), '..', 'samples/low.php'))
+  end
+
+  let(:schema) do
+    File.absolute_path(File.join(File.dirname(__FILE__), '..', 'samples/sarif-2.1.0-rtm.5.json'))
+  end
+
+  let(:snippet) do
+    scanner.snippet_read(filename, 10)
+  end
+
+  before do
+    scanner.parse_opts(['-c', 'xxx'])
+
+    scanner.add_issue(
+      title: 'title',
+      description: 'description',
+      references: [],
+      severity: :info,
+      filename: filename,
+      line: 10,
+      cwe_id: -1,
+      tags: [],
+      snippet: snippet
+    )
+  end
+
+  describe 'generate_sarif_report' do
+    context 'should generate valid SARIF' do
+      subject {scanner.generate_sarif_report() }
+
+      it {expect(subject).to be_a(String)}
+
+      it {expect(JSON::Validator.validate(schema, subject)).to be true}
+    end
+  end
+end
+

data/spec/sastbox-sdk/runner_spec.rb

@@ -0,0 +1,92 @@
+require_relative '../spec_helper'
+require_relative '../../lib/sastbox-sdk'
+
+RSpec.describe 'Runner' do
+  let(:scanner) do
+    SastBox::Scanner.new(
+      name: 'test_name',
+      name_alias: 'test_alias',
+      description: 'test_desc',
+      support: ['test_support'],
+      version: '0.1',
+      tool: 'test_tool'
+    )
+  end
+
+  let(:scanner_timeout_60_sec) do
+    SastBox::Scanner.new(
+      name: 'test_name',
+      name_alias: 'test_alias',
+      description: 'test_desc',
+      support: ['test_support'],
+      version: '0.1',
+      tool: 'test_tool'
+    )
+  end
+
+  before do
+    scanner.parse_opts([])
+    scanner_timeout_60_sec.parse_opts(['-t', '1']) # 60 secs
+
+    Thread.report_on_exception = false
+  end
+
+  describe '#command?' do
+    context 'should return true if binary exists' do
+      it { expect(scanner.command?('ls')).to eq true }
+    end
+
+    context 'should return false if binary not exists' do
+      it { expect(scanner.command?('xxx')).to eq false }
+    end
+  end
+
+  describe '#run_cmd' do
+    context 'should run a valid command and return results' do
+      subject { scanner.run_cmd(['uname']) }
+
+      it { expect(subject).to be_an(Array) }
+      it { expect(subject.length).to be(2) }
+      it { expect(subject[0]).to eq "Linux\n" }
+      it { expect(subject[1]).to eq(nil).or be_an(Process::Status) }
+    end
+
+    context 'should exit with an invalid command' do
+      it do
+        expect { scanner.run_cmd(['xxx'])}.to raise_error(SystemExit) do |error|
+          expect( error.status ).to eq(1)
+        end
+      end
+      it do
+        expect { scanner.run_cmd(['xxx'])}.to raise_error(SystemExit) do |error|
+          expect( error.message ).to eq('exit')
+        end
+      end
+    end
+  end
+
+  describe '#run_cmd_with_timeout' do
+    context 'should not fail when not exceeded timeout' do
+      subject { scanner_timeout_60_sec.run_cmd_with_timeout(['uname']) }
+
+      it { expect(subject).to be_an(Array) }
+      it { expect(subject.length).to be(2) }
+      it { expect(subject[0]).to eq "Linux\n" }
+      it { expect(subject[1]).to eq(nil).or be_an(Process::Status) }
+    end
+
+    context 'should fail when exceeded timeout' do
+      it do
+        expect { scanner_timeout_60_sec.run_cmd_with_timeout(['sleep', '70'])}.to raise_error(SystemExit) do |error|
+          expect( error.status ).to eq(1)
+        end
+      end
+      it do
+        expect { scanner_timeout_60_sec.run_cmd_with_timeout(['sleep', '70'])}.to raise_error(SystemExit) do |error|
+          expect( error.message ).to eq('exit')
+        end
+      end
+    end
+  end
+end
+