Add Sast tests (#2180)

jfrog · Sep 21, 2023 · fc8c5e6 · fc8c5e6
1 parent 4f4916e
commit fc8c5e6
Show file tree

Hide file tree

Showing 7 changed files with 716 additions and 7 deletions.
diff --git a/.github/workflows/xrayTests.yml b/.github/workflows/xrayTests.yml
@@ -23,8 +23,6 @@ jobs:
     runs-on: ${{ matrix.os }}-latest
     env:
       GRADLE_OPTS: -Dorg.gradle.daemon=false
-      # Run Xray tests with latest Analyzer
-      JFROG_CLI_ANALYZER_MANAGER_VERSION: "[RELEASE]"
     steps:
       - name: Install Go
         uses: actions/setup-go@v3

diff --git a/testdata/xray/jas-test/requirements.txt b/testdata/xray/jas-test/requirements.txt
@@ -1 +1,2 @@
-PyYAML==5.2
+PyYAML==5.2
+Werkzeug==1.0.1
diff --git a/testdata/xray/jas-test/sast/flask_webgoat/__init__.py b/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
@@ -0,0 +1,51 @@
+import os
+import sqlite3
+from pathlib import Path
+
+from flask import Flask, g
+
+DB_FILENAME = "database.db"
+
+
+def query_db(query, args=(), one=False, commit=False):
+    with sqlite3.connect(DB_FILENAME) as conn:
+        # vulnerability: Sensitive Data Exposure
+        conn.set_trace_callback(print)
+        cur = conn.cursor().execute(query, args)
+        if commit:
+            conn.commit()
+        return cur.fetchone() if one else cur.fetchall()
+
+
+def create_app():
+    app = Flask(__name__)
+    app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"
+
+    db_path = Path(DB_FILENAME)
+    if db_path.exists():
+        db_path.unlink()
+
+    conn = sqlite3.connect(DB_FILENAME)
+    create_table_query = """CREATE TABLE IF NOT EXISTS user
+    (id INTEGER PRIMARY KEY, username TEXT, password TEXT, access_level INTEGER)"""
+    conn.execute(create_table_query)
+
+    insert_admin_query = """INSERT INTO user (id, username, password, access_level)
+    VALUES (1, 'admin', 'admin', 0)"""
+    conn.execute(insert_admin_query)
+    conn.commit()
+    conn.close()
+
+    with app.app_context():
+        from . import actions
+        from . import auth
+        from . import status
+        from . import ui
+        from . import users
+
+        app.register_blueprint(actions.bp)
+        app.register_blueprint(auth.bp)
+        app.register_blueprint(status.bp)
+        app.register_blueprint(ui.bp)
+        app.register_blueprint(users.bp)
+        return app
diff --git a/testdata/xray/jas-test/sast/flask_webgoat/ui.py b/testdata/xray/jas-test/sast/flask_webgoat/ui.py
@@ -0,0 +1,25 @@
+import sqlite3
+
+from flask import Blueprint, request, render_template
+from . import query_db
+
+bp = Blueprint("ui", __name__)
+
+
+@bp.route("/search")
+def search():
+    query_param = request.args.get("query")
+    if query_param is None:
+        message = "please provide the query parameter"
+        return render_template("error.html", message=message)
+
+    try:
+        query = "SELECT username, access_level FROM user WHERE username LIKE ?;"
+        results = query_db(query, (query_param,))
+        # vulnerability: XSS
+        return render_template(
+            "search.html", results=results, num_results=len(results), query=query_param
+        )
+    except sqlite3.Error as err:
+        message = "Error while executing query " + query_param + ": " + err
+        return render_template("error.html", message=message)
diff --git a/testdata/xray/jas-test/sast/result.sarif b/testdata/xray/jas-test/sast/result.sarif
diff --git a/testdata/xray/jas-test/sast/run.py b/testdata/xray/jas-test/sast/run.py
@@ -0,0 +1,15 @@
+from flask_webgoat import create_app
+
+app = create_app()
+
+@app.after_request
+def add_csp_headers(response):
+    # vulnerability: Broken Access Control
+    response.headers['Access-Control-Allow-Origin'] = '*'
+    # vulnerability: Security Misconfiguration
+    response.headers['Content-Security-Policy'] = "script-src 'self' 'unsafe-inline'"
+    return response
+
+if __name__ == '__main__':
+    # vulnerability: Security Misconfiguration
+    app.run(debug=True)
diff --git a/xray_test.go b/xray_test.go
@@ -416,7 +416,7 @@ func TestXrayAuditMultiProjects(t *testing.T) {
 	defer cleanTestsHomeEnv()
 	output := xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(utils.SimpleJson), workingDirsFlag)
 	verifySimpleJsonScanResults(t, output, 35, 0)
-	verifySimpleJsonJasResults(t, output, 9, 7, 0, 1)
+	verifySimpleJsonJasResults(t, output, 3, 9, 7, 3, 1)
 }
 
 func TestXrayAuditPipJson(t *testing.T) {
@@ -750,13 +750,13 @@ func TestXrayOfflineDBSyncV3(t *testing.T) {
 
 func TestXrayAuditJasSimpleJson(t *testing.T) {
 	output := testXrayAuditJas(t, string(utils.SimpleJson), "jas-test")
-	verifySimpleJsonJasResults(t, output, 9, 7, 2, 1)
+	verifySimpleJsonJasResults(t, output, 3, 9, 7, 3, 1)
 }
 
 func TestXrayAuditJasNoViolationsSimpleJson(t *testing.T) {
 	output := testXrayAuditJas(t, string(utils.SimpleJson), "npm")
 	verifySimpleJsonScanResults(t, output, 2, 0)
-	verifySimpleJsonJasResults(t, output, 0, 0, 0, 1)
+	verifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 1)
 }
 
 func testXrayAuditJas(t *testing.T, format string, project string) string {
@@ -776,10 +776,11 @@ func testXrayAuditJas(t *testing.T, format string, project string) string {
 	return xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+format)
 }
 
-func verifySimpleJsonJasResults(t *testing.T, content string, minIacViolations, minSecrets, minApplicable, minNotApplicable int) {
+func verifySimpleJsonJasResults(t *testing.T, content string, minSastViolations, minIacViolations, minSecrets, minApplicable, minNotApplicable int) {
 	var results formats.SimpleJsonResults
 	err := json.Unmarshal([]byte(content), &results)
 	if assert.NoError(t, err) {
+		assert.GreaterOrEqual(t, len(results.Sast), minSastViolations, "Found less sast then expected")
 		assert.GreaterOrEqual(t, len(results.Secrets), minSecrets, "Found less secrets then expected")
 		assert.GreaterOrEqual(t, len(results.Iacs), minIacViolations, "Found less IaC then expected")
 		var applicableResults, notApplicableResults int