bbot 2.6.0.6840rc0__py3-none-any.whl → 2.7.2.7424rc0__py3-none-any.whl

bbot/test/test_step_1/test_manager_scope_accuracy.py

@@ -848,3 +848,48 @@ async def test_manager_scope_tagging(bbot_scanner):
     assert not distance_tags
 
     await scan._cleanup()
+
+
+@pytest.mark.asyncio
+async def test_scope_accuracy_with_special_urls(bbot_scanner, bbot_httpserver):
+    """
+    This is a regression test for https://github.com/blacklanternsecurity/bbot/issues/2785
+
+    The original bug was that the "special URL" filtering logic (for Javascript URls etc.)
+    was causing special URLs to be rejected by critical internal modules like `_scan_egress`, leading to the output of unwanted URLs.
+    """
+    bbot_httpserver.expect_request(uri="/v2/users/spacex").respond_with_data(response_data="")
+    bbot_httpserver.expect_request(uri="/u/spacex").respond_with_data(response_data="<a href='http://127.0.0.1:8888/asdf.js'/>")
+
+    scan = bbot_scanner("ORG:spacex", modules=["httpx", "social", "dockerhub"], config={"speculate": True, "excavate": True})
+
+    await scan._prep()
+    scan.modules["dockerhub"].site_url = "http://127.0.0.1:8888"
+    scan.modules["dockerhub"].api_url = "http://127.0.0.1:8888/v2"
+
+    from bbot.modules.base import BaseModule
+
+    class DummyModule(BaseModule):
+        _name = "dummy_module"
+        watched_events = ["*"]
+        scope_distance_modifier = 10
+        accept_dupes = True
+        accept_url_special = True
+        events = []
+        
+        async def handle_event(self, event):
+            self.events.append(event)
+
+    dummy_module = DummyModule(scan)
+    scan.modules["dummy_module"] = dummy_module
+
+    events = [e async for e in scan.async_start()]
+    
+    # there are actually 2 URL events. They are both from the same URL, but one was extracted by the full URL regex, and the other by the src/href= regex.
+    # however, they should be deduped by scan_ingress.
+    bad_url_events = [e for e in dummy_module.events if e.type == "URL_UNVERIFIED" and e.data == "http://127.0.0.1:8888/asdf.js"]
+    assert len(bad_url_events) == 1
+    # they should both be internal
+    assert all(e.internal is True for e in bad_url_events)
+    # but they shouldn't be output at all
+    assert not any(e.type == "URL_UNVERIFIED" for e in events)

bbot/test/test_step_1/test_modules_basic.py

@@ -29,7 +29,7 @@ async def test_modules_basic_checks(events, httpx_mock):
     localhost._internal = True
     result, reason = base_output_module_1._event_precheck(localhost)
     assert result is False
-    assert reason == "_internal is True"
+    assert reason == "event is internal and output modules don't accept internal events"
     localhost._internal = False
     result, reason = base_output_module_1._event_precheck(localhost)
     assert result is True
@@ -57,7 +57,7 @@ async def test_modules_basic_checks(events, httpx_mock):
     localhost._internal = True
     result, reason = base_output_module_2._event_precheck(localhost)
     assert result is False
-    assert reason == "_internal is True"
+    assert reason == "event is internal and output modules don't accept internal events"
     localhost._internal = False
     result, reason = base_output_module_2._event_precheck(localhost)
     assert result is True
@@ -66,7 +66,7 @@ async def test_modules_basic_checks(events, httpx_mock):
     localhost._omit = True
     result, reason = base_output_module_2._event_precheck(localhost)
     assert result is False
-    assert reason == "_omit is True"
+    assert reason == "its type is omitted in the config"
     # normal event should be accepted
     url_unverified = scan.make_event("http://127.0.0.1", "URL_UNVERIFIED", parent=scan.root_event)
     result, reason = base_output_module_2._event_precheck(url_unverified)
@@ -76,18 +76,18 @@ async def test_modules_basic_checks(events, httpx_mock):
     await scan.egress_module.handle_event(url_unverified)
     result, reason = base_output_module_2._event_precheck(url_unverified)
     assert result is False
-    assert reason == "_omit is True"
-    # omitted events that are targets should be accepted
-    dns_name = scan.make_event("evilcorp.com", "DNS_NAME", parent=scan.root_event)
-    dns_name._omit = True
-    result, reason = base_output_module_2._event_precheck(dns_name)
-    assert result is False
-    assert reason == "_omit is True"
-    # omitted results that are targets should be accepted
-    dns_name.add_tag("target")
-    result, reason = base_output_module_2._event_precheck(dns_name)
-    assert result is True
-    assert reason == "it's a target"
+    assert reason == "its type is omitted in the config"
+
+    egress_module = scan.egress_module
+    url = scan.make_event("http://evilcorp.com", "URL_UNVERIFIED", parent=scan.root_event, tags=["target"])
+    assert url._omit is False
+    # targets should not be omitted
+    await egress_module.handle_event(url)
+    assert url._omit is False
+    # non-targets should be omitted
+    url = scan.make_event("http://evilcorp.com", "URL_UNVERIFIED", parent=scan.root_event)
+    await egress_module.handle_event(url)
+    assert url._omit is True
 
     # common event filtering tests
     for module_class in (BaseModule, BaseOutputModule, BaseReportModule, BaseInternalModule):
@@ -342,6 +342,31 @@ async def test_modules_basic_perdomainonly(bbot_scanner, monkeypatch):
     await per_domain_scan._cleanup()
 
 
+@pytest.mark.asyncio
+async def test_modules_basic_setup_deps(bbot_scanner):
+    from bbot.modules.base import BaseModule
+
+    class dummy(BaseModule):
+        _name = "dummy"
+        deps_ran = False
+        setup_ran = False
+
+        async def setup_deps(self):
+            self.deps_ran = True
+            return True
+
+        async def setup(self):
+            self.setup_ran = True
+            return True
+
+    scan = bbot_scanner()
+    scan.modules["dummy"] = dummy(scan)
+    await scan.setup_modules(deps_only=True)
+    assert scan.modules["dummy"].deps_ran
+    assert not scan.modules["dummy"].setup_ran
+    await scan._cleanup()
+
+
 @pytest.mark.asyncio
 async def test_modules_basic_stats(helpers, events, bbot_scanner, httpx_mock, monkeypatch):
     from bbot.modules.base import BaseModule

bbot/test/test_step_1/test_python_api.py

@@ -10,7 +10,7 @@ async def test_python_api():
     events1 = []
     async for event in scan1.async_start():
         events1.append(event)
-    assert any("127.0.0.1" == e for e in events1)
+    assert any(e.type == "IP_ADDRESS" and e.data == "127.0.0.1" for e in events1)
     # make sure output files work
     scan2 = Scanner("127.0.0.1", output_modules=["json"], scan_name="python_api_test")
     await scan2.async_start_without_generator()
@@ -69,7 +69,7 @@ def test_python_api_sync():
     events1 = []
     for event in scan1.start():
         events1.append(event)
-    assert any("127.0.0.1" == e for e in events1)
+    assert any(e.type == "IP_ADDRESS" and e.data == "127.0.0.1" for e in events1)
     # make sure output files work
     scan2 = Scanner("127.0.0.1", output_modules=["json"], scan_name="python_api_test")
     scan2.start_without_generator()

bbot/test/test_step_1/test_regexes.py

@@ -6,9 +6,6 @@ from bbot.core.helpers import regexes
 from bbot.errors import ValidationError
 from bbot.core.event.helpers import EventSeed
 
-# NOTE: :2001:db8:: will currently cause an exception...
-# e.g. raised unknown error: split_port() failed to parse netloc ":2001:db8::"
-
 
 def test_ip_regexes():
     bad_ip = [
@@ -23,6 +20,15 @@ def test_ip_regexes():
         "2001:db8:g::",  # includes non-hex character,
         "2001.db8.80",  # weird dot separated thing that might actually resolve as a DNS_NAME
         "9e:3e:53:29:43:64",  # MAC address, poor regex patterning will often detect these.
+        "2001:db8:1:2:3:4:5",  # only 7 groups, no zero-compression
+        "2001:db8:1:2:3:4:5:6:7",  # too many groups
+        "2001:db8::1::1",  # multiple ::
+        "2001:db8::zzzz",  # non-hex character
+        "2001:db8::12345",  # hex value too long
+        ":2001:db8::1",  # starts with :
+        ":2001:db8::",  # starts with :
+        "cafe:80",  # looks like open port
+        "12:34:56:78:9A:BC",  # mac address
     ]
 
     good_ip = [
@@ -46,6 +52,17 @@ def test_ip_regexes():
         "1::1",
         "ffff::ffff",
         "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+        "2001:db8::ff00:42:8329",
+        "2001:0db8:0000:0000:0000:0000:0000:0001",
+        "2001:db8:0:0:0:0:0:1",
+        "2001:db8::1",
+        "2001:db8::dead:beef",
+        "2001:db8:1:2:3:4:5:6",
+        "2001:db8:1:2:3:4:5:ffff",
+        "::",
+        "::ffff",
+        "::dead:beef",
+        "::DEAD:BEEF",
     ]
 
     ip_address_regexes = regexes.event_type_regexes["IP_ADDRESS"]
@@ -61,7 +78,7 @@ def test_ip_regexes():
                 if ip.startswith("["):
                     assert ip == "[2001:db8::]:80"
                 else:
-                    assert ip == "203.0.113.0:80"
+                    assert ip in ("cafe:80", "203.0.113.0:80")
                 continue
             if event_type == "DNS_NAME":
                 if ip.startswith("2001"):

bbot/test/test_step_1/test_scan.py

@@ -111,7 +111,6 @@ async def test_task_scan_handle_event_timeout(bbot_scanner):
     class LongBatchModule(BaseModule):
         watched_events = ["IP_ADDRESS"]
         handled_event = False
-        canceled = False
         _name = "long_batch"
         _batch_size = 2
 
@@ -147,24 +146,18 @@ async def test_task_scan_handle_event_timeout(bbot_scanner):
 
 @pytest.mark.asyncio
 async def test_url_extension_handling(bbot_scanner):
-    scan = bbot_scanner(config={"url_extension_blacklist": ["css"], "url_extension_httpx_only": ["js"]})
+    scan = bbot_scanner(config={"url_extension_blacklist": ["css"]})
     await scan._prep()
     assert scan.url_extension_blacklist == {"css"}
-    assert scan.url_extension_httpx_only == {"js"}
     good_event = scan.make_event("https://evilcorp.com/a.txt", "URL", tags=["status-200"], parent=scan.root_event)
     bad_event = scan.make_event("https://evilcorp.com/a.css", "URL", tags=["status-200"], parent=scan.root_event)
-    httpx_event = scan.make_event("https://evilcorp.com/a.js", "URL", tags=["status-200"], parent=scan.root_event)
     assert "blacklisted" not in bad_event.tags
-    assert "httpx-only" not in httpx_event.tags
     result = await scan.ingress_module.handle_event(good_event)
     assert result is None
     result, reason = await scan.ingress_module.handle_event(bad_event)
     assert result is False
     assert reason == "event is blacklisted"
     assert "blacklisted" in bad_event.tags
-    result = await scan.ingress_module.handle_event(httpx_event)
-    assert result is None
-    assert "httpx-only" in httpx_event.tags
 
     await scan._cleanup()
 
@@ -284,3 +277,9 @@ async def test_exclude_cdn(bbot_scanner, monkeypatch):
         "www.evilcorp.com:80",
         "www.evilcorp.com:443",
     }
+
+
+async def test_scan_name(bbot_scanner):
+    scan = bbot_scanner("evilcorp.com", name="test_scan_name")
+    assert scan.name == "test_scan_name"
+    assert scan.preset.scan_name == "test_scan_name"

bbot/test/test_step_1/test_web.py

@@ -498,3 +498,49 @@ async def test_http_sendcookies(bbot_scanner, bbot_httpserver):
     assert r1 is not None, "Request to self-signed SSL server went through even with ssl_verify=True"
     assert "bar" in r1.text
     await scan1._cleanup()
+
+
+@pytest.mark.asyncio
+async def test_api_download_api_key_cycle(bbot_scanner, bbot_httpserver):
+    from werkzeug.wrappers import Response
+    from bbot.modules.base import BaseModule
+
+    endpoint = "/api_download_cycle_one_test"
+    url = bbot_httpserver.url_for(endpoint)
+
+    seen_auth = []
+    n_request = 0
+
+    # First key should trigger 500, second key should succeed with 200
+    def handler(request):
+        nonlocal n_request
+        n_request += 1
+        auth = request.headers.get("Authorization", "")
+        seen_auth.append(auth)
+        if auth == "Bearer k1":
+            if n_request == 1:
+                return Response("ok_k1", status=200)
+            return Response("fail_k1", status=500)
+        elif auth == "Bearer k2":
+            return Response("ok_k2", status=200)
+        return Response("unexpected_key", status=400)
+
+    bbot_httpserver.expect_request(uri=endpoint).respond_with_handler(handler)
+
+    scan = bbot_scanner("127.0.0.1")
+    module = BaseModule(scan)
+    module.api_key = ["k1", "k2"]
+
+    filename = await module.api_download(url)
+    assert filename is not None
+    with open(filename) as f:
+        assert f.read() == "ok_k1"
+
+    assert seen_auth == ["Bearer k1"]
+
+    filename = await module.api_download(url)
+
+    # verify the requests occurred in expected order with expected API keys
+    assert seen_auth == ["Bearer k1", "Bearer k1", "Bearer k2"]
+
+    await scan._cleanup()

bbot/test/test_step_2/module_tests/base.py

@@ -61,6 +61,7 @@ class ModuleTestBase:
                 config=self.config,
                 whitelist=module_test_base.whitelist,
                 blacklist=module_test_base.blacklist,
+                force_start=getattr(module_test_base, "force_start", False),
             )
             self.events = []
             self.log = logging.getLogger(f"bbot.test.{module_test_base.name}")
@@ -108,10 +109,14 @@ class ModuleTestBase:
         self.log.debug("Executing setup_after_prep()")
         await self.setup_after_prep(module_test)
         self.log.debug("Starting scan")
-        module_test.events = [e async for e in module_test.scan.async_start()]
+        await self._execute_scan(module_test)
         self.log.debug(f"Finished {module_test.name} module test")
         yield module_test
 
+    async def _execute_scan(self, module_test):
+        """Execute the scan and collect events. Can be overridden by benchmark classes."""
+        module_test.events = [e async for e in module_test.scan.async_start()]
+
     @pytest.mark.asyncio
     async def test_module_run(self, module_test):
         from bbot.core.helpers.misc import execute_sync_or_async

bbot/test/test_step_2/module_tests/test_module_bucket_amazon.py

@@ -21,6 +21,8 @@ class Bucket_Amazon_Base(ModuleTestBase):
     random_bucket_2 = f"{random_bucket_name_2}.s3-ap-southeast-2.amazonaws.com"
     random_bucket_3 = f"{random_bucket_name_3}.s3.amazonaws.com"
 
+    nonexistent_is_404 = True
+
     open_bucket_body = """<?xml version="1.0" encoding="UTF-8"?>
     <ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>vpn-static</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated><Contents><Key>style.css</Key><LastModified>2017-03-18T06:41:59.000Z</LastModified><ETag>&quot;bf9e72bdab09b785f05ff0395023cc35&quot;</ETag><Size>429</Size><StorageClass>STANDARD</StorageClass></Contents></ListBucketResult>"""
 
@@ -66,30 +68,62 @@ class Bucket_Amazon_Base(ModuleTestBase):
             url=self.url_3,
             text="",
         )
-        module_test.httpx_mock.add_response(url=re.compile(".*"), text="", status_code=404)
+        if self.nonexistent_is_404:
+            module_test.httpx_mock.add_response(url=re.compile(".*"), text="", status_code=404)
 
     def check(self, module_test, events):
-        # make sure buckets were excavated
-        assert any(e.type == "STORAGE_BUCKET" and str(e.module) == f"cloud_{self.provider}" for e in events), (
-            f'bucket not found for module "{self.module_name}"'
+        storage_buckets = [e for e in events if e.type == "STORAGE_BUCKET"]
+        assert len(storage_buckets) == 3
+        assert 1 == len(
+            [
+                e
+                for e in storage_buckets
+                if e.data["name"] == random_bucket_name_1
+                and str(e.module) == "cloudcheck"
+                and f"cloud-{self.provider}" in e.tags
+                and f"{self.provider}-domain" in e.tags
+            ]
+        )
+        assert 1 == len(
+            [
+                e
+                for e in storage_buckets
+                if e.data["name"] == random_bucket_name_2
+                and str(e.module) == "cloudcheck"
+                and f"cloud-{self.provider}" in e.tags
+                and f"{self.provider}-domain" in e.tags
+            ]
+        )
+        assert 1 == len(
+            [
+                e
+                for e in storage_buckets
+                if e.data["name"] == random_bucket_name_3
+                and str(e.module) == str(self.module_name)
+                and f"cloud-{module_test.module.cloudcheck_provider_name.lower()}" in e.tags
+                and f"{module_test.module.cloudcheck_provider_name.lower()}-domain" in e.tags
+            ]
         )
         # make sure open buckets were found
         if module_test.module.supports_open_check:
-            assert any(e.type == "FINDING" and str(e.module) == self.module_name for e in events), (
-                f'open bucket not found for module "{self.module_name}"'
-            )
-            for e in events:
-                if e.type == "FINDING" and str(e.module) == self.module_name:
-                    url = e.data.get("url", "")
-                    assert self.random_bucket_2 in url
-                    assert self.random_bucket_1 not in url
-                    assert self.random_bucket_3 not in url
+            assert 1 == len(
+                [
+                    e
+                    for e in events
+                    if e.type == "FINDING"
+                    and str(e.module) == self.module_name
+                    and e.data.get("url") == f"https://{self.random_bucket_2}/"
+                ]
+            ), f'open bucket not found for module "{self.module_name}"'
         # make sure bucket mutations were found
-        assert any(
-            e.type == "STORAGE_BUCKET"
-            and str(e.module) == self.module_name
-            and f"{random_bucket_name_3}" in e.data["url"]
-            for e in events
+        assert 1 == len(
+            [
+                e
+                for e in events
+                if e.type == "STORAGE_BUCKET"
+                and str(e.module) == self.module_name
+                and f"{random_bucket_name_3}" in e.data["url"]
+            ]
         ), f'bucket (dev mutation: {self.random_bucket_3}) not found for module "{self.module_name}"'
 
 

bbot/test/test_step_2/module_tests/test_module_bucket_google.py

@@ -22,6 +22,6 @@ class TestBucket_Google(Bucket_Amazon_Base):
         """
 
     def url_setup(self):
-        self.url_1 = f"{random_bucket_name_1}.storage.googleapis.com"
+        self.url_1 = f"https://{random_bucket_name_1}.storage.googleapis.com"
         self.url_2 = f"https://www.googleapis.com/storage/v1/b/{random_bucket_name_2}/iam/testPermissions?&permissions=storage.buckets.get&permissions=storage.buckets.list&permissions=storage.buckets.create&permissions=storage.buckets.delete&permissions=storage.buckets.setIamPolicy&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.setIamPolicy"
         self.url_3 = f"https://www.googleapis.com/storage/v1/b/{random_bucket_name_3}"

bbot/test/test_step_2/module_tests/{test_module_bucket_azure.py → test_module_bucket_microsoft.py}

@@ -2,21 +2,23 @@ from .test_module_bucket_amazon import *
 from .base import ModuleTestBase
 
 
-class TestBucket_Azure(Bucket_Amazon_Base):
-    provider = "azure"
+class TestBucket_Microsoft(Bucket_Amazon_Base):
+    provider = "microsoft"
     random_bucket_1 = f"{random_bucket_name_1}.blob.core.windows.net"
     random_bucket_2 = f"{random_bucket_name_2}.blob.core.windows.net"
     random_bucket_3 = f"{random_bucket_name_3}.blob.core.windows.net"
 
+    nonexistent_is_404 = False
+
     def url_setup(self):
         self.url_1 = f"https://{self.random_bucket_1}"
         self.url_2 = f"https://{self.random_bucket_2}"
         self.url_3 = f"https://{self.random_bucket_3}/{random_bucket_name_3}?restype=container"
 
 
-class TestBucket_Azure_NoDup(ModuleTestBase):
+class TestBucket_Microsoft_NoDup(ModuleTestBase):
     targets = ["tesla.com"]
-    module_name = "bucket_azure"
+    module_name = "bucket_microsoft"
     config_overrides = {"cloudcheck": True}
 
     async def setup_before_prep(self, module_test):
@@ -42,7 +44,7 @@ class TestBucket_Azure_NoDup(ModuleTestBase):
         )
 
 
-class TestBucket_Azure_NoDup(TestBucket_Azure_NoDup):
+class TestBucket_Microsoft_NoDup(TestBucket_Microsoft_NoDup):
     """
     This tests _suppress_chain_dupes functionality to make sure it works as expected
     """

bbot/test/test_step_2/module_tests/test_module_cloudcheck.py

@@ -13,29 +13,12 @@ class TestCloudCheck(ModuleTestBase):
         scan = Scanner(config={"cloudcheck": True})
         await scan._prep()
         module = scan.modules["cloudcheck"]
-        providers = scan.helpers.cloud.providers
-        # make sure we have all the providers
-        provider_names = (
-            "amazon",
-            "google",
-            "azure",
-            "digitalocean",
-            "oracle",
-            "akamai",
-            "cloudflare",
-            "github",
-            "zoho",
-            "fastly",
-        )
-        for provider_name in provider_names:
-            assert provider_name in providers
+        from cloudcheck import providers
 
-        amazon_ranges = list(providers["amazon"].ranges)
-        assert amazon_ranges
-        amazon_range = next(iter(amazon_ranges))
-        amazon_address = amazon_range.broadcast_address
+        # make sure we have at least one provider
+        assert providers.Amazon.name == "Amazon"
 
-        ip_event = scan.make_event(amazon_address, parent=scan.root_event)
+        ip_event = scan.make_event("8.8.8.8", parent=scan.root_event)
         aws_event1 = scan.make_event("amazonaws.com", parent=scan.root_event)
         aws_event2 = scan.make_event("asdf.amazonaws.com", parent=scan.root_event)
         aws_event3 = scan.make_event("asdfamazonaws.com", parent=scan.root_event)
@@ -44,16 +27,20 @@ class TestCloudCheck(ModuleTestBase):
         other_event1 = scan.make_event("cname.evilcorp.com", parent=scan.root_event)
         other_event2 = scan.make_event("cname2.evilcorp.com", parent=scan.root_event)
         other_event3 = scan.make_event("cname3.evilcorp.com", parent=scan.root_event)
-        other_event2._resolved_hosts = {amazon_address}
+        other_event2._resolved_hosts = {"8.8.8.8"}
         other_event3._resolved_hosts = {"asdf.amazonaws.com"}
 
-        for event in (ip_event, aws_event1, aws_event2, aws_event4, other_event2, other_event3):
+        for event in (ip_event, other_event2):
+            await module.handle_event(ip_event)
+            assert "cloud-google" in ip_event.tags
+            assert "google-ip" in ip_event.tags
+
+        for event in (aws_event1, aws_event2, aws_event4, other_event3):
             await module.handle_event(event)
             assert "cloud-amazon" in event.tags, f"{event} was not properly cloud-tagged"
 
-        assert "cloud-domain" in aws_event1.tags
-        assert "cloud-ip" in other_event2.tags
-        assert "cloud-cname" in other_event3.tags
+        assert "amazon-domain" in aws_event1.tags
+        assert "amazon-cname" in other_event3.tags
 
         for event in (aws_event3, other_event1):
             await module.handle_event(event)
@@ -70,13 +57,10 @@ class TestCloudCheck(ModuleTestBase):
         for event in (google_event1, google_event2, google_event3):
             await module.handle_event(event)
             assert "cloud-google" in event.tags, f"{event} was not properly cloud-tagged"
-        assert "cloud-storage-bucket" in google_event3.tags
 
         await scan._cleanup()
 
     def check(self, module_test, events):
-        for e in events:
-            self.log.debug(e)
         assert 2 == len([e for e in events if e.type == "STORAGE_BUCKET"])
         assert 1 == len(
             [
@@ -84,8 +68,10 @@ class TestCloudCheck(ModuleTestBase):
                 for e in events
                 if e.type == "STORAGE_BUCKET"
                 and e.data["name"] == "asdf"
+                and str(e.module) == "cloudcheck"
                 and "cloud-amazon" in e.tags
-                and "cloud-storage-bucket" in e.tags
+                and "amazon-domain" in e.tags
+                and e.scope_distance == 1
             ]
         )
         assert 1 == len(
@@ -94,7 +80,9 @@ class TestCloudCheck(ModuleTestBase):
                 for e in events
                 if e.type == "STORAGE_BUCKET"
                 and e.data["name"] == "asdf2"
+                and str(e.module) == "cloudcheck"
                 and "cloud-google" in e.tags
-                and "cloud-storage-bucket" in e.tags
+                and "google-domain" in e.tags
+                and e.scope_distance == 0
             ]
         )

bbot/test/test_step_2/module_tests/test_module_dnsbimi.py

@@ -6,11 +6,12 @@ raw_bimi_txt_default = (
 raw_bimi_txt_nondefault = '"v=BIMI1; l=https://nondefault.thirdparty.tld/brand/logo.svg;a=https://nondefault.thirdparty.tld/brand/certificate.pem;"'
 
 
-class TestBIMI(ModuleTestBase):
+class TestDnsbimi(ModuleTestBase):
     targets = ["test.localdomain"]
     modules_overrides = ["dnsbimi", "speculate"]
     config_overrides = {
         "modules": {"dnsbimi": {"emit_raw_dns_records": True, "selectors": "default,nondefault"}},
+        "omit_event_types": ["HTTP_RESPONSE", "RAW_TEXT", "DNS_NAME_UNRESOLVED", "FILESYSTEM", "WEB_PARAMETER"],
     }
 
     async def setup_after_prep(self, module_test):