From 83c1b298b7d76c45499fcce2c9bb547a3b7b24ac Mon Sep 17 00:00:00 2001
From: Yevhen Zavhorodnii
Date: Wed, 5 Jun 2024 10:30:59 +0100
Subject: [PATCH] Cover wrong trust boundary type with tests

---
 ...o => wrong_trust_boundary_content_rule.go} | 0
 .../wrong_trust_boundary_content_rule_test.go | 104 ++++++++++++++++++
 2 files changed, 104 insertions(+)
 rename pkg/security/risks/builtin/{wrong_trust_boundary_content.go => wrong_trust_boundary_content_rule.go} (100%)
 create mode 100644 pkg/security/risks/builtin/wrong_trust_boundary_content_rule_test.go

diff --git a/pkg/security/risks/builtin/wrong_trust_boundary_content.go b/pkg/security/risks/builtin/wrong_trust_boundary_content_rule.go
similarity index 100%
rename from pkg/security/risks/builtin/wrong_trust_boundary_content.go
rename to pkg/security/risks/builtin/wrong_trust_boundary_content_rule.go
diff --git a/pkg/security/risks/builtin/wrong_trust_boundary_content_rule_test.go b/pkg/security/risks/builtin/wrong_trust_boundary_content_rule_test.go
new file mode 100644
index 00000000..938da330
--- /dev/null
+++ b/pkg/security/risks/builtin/wrong_trust_boundary_content_rule_test.go
@@ -0,0 +1,104 @@
+package builtin
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/threagile/threagile/pkg/security/types"
+)
+
+func TestWrongTrustBoundaryContentRuleGenerateRisksEmptyModelNotRisksCreated(t *testing.T) {
+ rule := NewWrongTrustBoundaryContentRule()
+
+ risks, err := rule.GenerateRisks(&types.Model{})
+
+ assert.Nil(t, err)
+ assert.Empty(t, risks)
+}
+
+type WrongTrustBoundaryContentRuleTest struct {
+ tbType types.TrustBoundaryType
+ machine types.TechnicalAssetMachine
+
+ riskCreated bool
+}
+
+func TestWrongTrustBoundaryContentRuleSendDataAssetRisksCreated(t *testing.T) {
+ testCases := map[string]WrongTrustBoundaryContentRuleTest{
+ "NetworkOnPrem": {
+ tbType: types.NetworkOnPrem,
+ riskCreated: false,
+ },
+ "NetworkDedicatedHoster": {
+ tbType: types.NetworkDedicatedHoster,
+ riskCreated: false,
+ },
+ "NetworkVirtualLAN": {
+ tbType: types.NetworkVirtualLAN,
+ riskCreated: false,
+ },
+ "NetworkCloudProvider": {
+ tbType: types.NetworkCloudProvider,
+ riskCreated: false,
+ },
+ "NetworkCloudSecurityGroup": {
+ tbType: types.NetworkCloudSecurityGroup,
+ riskCreated: false,
+ },
+ "ExecutionEnvironment": {
+ tbType: types.ExecutionEnvironment,
+ riskCreated: false,
+ },
+ "container": {
+ tbType: types.NetworkPolicyNamespaceIsolation,
+ machine: types.Container,
+ riskCreated: false,
+ },
+ "serverless": {
+ tbType: types.NetworkPolicyNamespaceIsolation,
+ machine: types.Serverless,
+ riskCreated: false,
+ },
+ "virtual": {
+ tbType: types.NetworkPolicyNamespaceIsolation,
+ machine: types.Virtual,
+ riskCreated: true,
+ },
+ "physical": {
+ tbType: types.NetworkPolicyNamespaceIsolation,
+ machine: types.Physical,
+ riskCreated: true,
+ },
+ }
+ for name, testCase := range testCases {
+ t.Run(name, func(t *testing.T) {
+ rule := NewWrongTrustBoundaryContentRule()
+ risks, err := rule.GenerateRisks(&types.Model{
+ TechnicalAssets: map[string]*types.TechnicalAsset{
+ "ta": {
+ Id: "ta",
+ Title: "Test Technical Asset",
+ Machine: testCase.machine,
+ },
+ },
+ TrustBoundaries: map[string]*types.TrustBoundary{
+ "tb1": {
+ Type: testCase.tbType,
+ TechnicalAssetsInside: []string{"ta"},
+ },
+ },
+ })
+
+ assert.Nil(t, err)
+ if testCase.riskCreated {
+ assert.Len(t, risks, 1)
+ assert.Equal(t, types.LowImpact, risks[0].ExploitationImpact)
+ expTitle := fmt.Sprintf("Wrong Trust Boundary Content (non-container asset inside container trust boundary) at %s", "Test Technical Asset")
+ assert.Equal(t, expTitle, risks[0].Title)
+ } else {
+ assert.Empty(t, risks)
+ }
+ })
+ }
+}
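Review bot: In the riskCreated branch of TestWrongTrustBoundaryContentRuleSendDataAssetRisksCreated, `assert.Len(t, risks, 1)` does not stop the subtest on failure, so a regression that yields zero risks panics on `risks[0]` with an index-out-of-range instead of reporting the Len failure; guard the indexing with the bool that assert returns, `if !assert.Len(t, risks, 1) {` / `return` / `}`, or use the require package. The subtest name "SendDataAsset" does not describe what is being exercised (trust boundary type versus asset machine) and looks carried over from another rule's test; a name such as TestWrongTrustBoundaryContentRuleMachineInsideBoundaryRisksCreated would match the table. The six non-container boundary cases leave `machine` at its zero value, so they only show that one machine value inside those boundaries is accepted, not that the machine type is irrelevant there; adding a Physical or Virtual machine to at least one of them would pin that. The `fmt.Sprintf` with a constant argument for expTitle can be a plain string literal, which also drops the fmt import.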