forked from jfrog/jfrog-cli-security
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathxsc_test.go
273 lines (249 loc) · 14.1 KB
/
xsc_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
package main
import (
"encoding/json"
"errors"
"os"
"path/filepath"
"testing"
"github.com/stretchr/testify/assert"
"github.com/jfrog/jfrog-cli-core/v2/common/format"
"github.com/jfrog/jfrog-cli-core/v2/common/progressbar"
"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
"github.com/jfrog/jfrog-cli-security/cli"
"github.com/jfrog/jfrog-cli-security/cli/docs"
"github.com/jfrog/jfrog-cli-security/utils/formats"
"github.com/jfrog/jfrog-cli-security/utils/results"
"github.com/jfrog/jfrog-cli-security/utils/validations"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-cli-security/tests"
securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
"github.com/jfrog/jfrog-cli-security/tests/utils/integration"
"github.com/jfrog/jfrog-client-go/xray/services"
"github.com/jfrog/jfrog-client-go/xray/services/utils"
xscservices "github.com/jfrog/jfrog-client-go/xsc/services"
xscutils "github.com/jfrog/jfrog-client-go/xsc/services/utils"
)
func TestReportError(t *testing.T) {
xrayVersion, xscVersion, cleanUp := integration.InitXscTest(t)
securityTestUtils.ValidateXscVersion(t, xscVersion, xsc.MinXscVersionForErrorReport)
defer cleanUp()
errorToReport := errors.New("THIS IS NOT A REAL ERROR! This Error is posted as part of TestReportError test")
assert.NoError(t, xsc.ReportError(xrayVersion, xscVersion, tests.XscDetails, errorToReport, "cli"))
}
// In the npm tests we use a watch flag, so we would get only violations
func TestXscAuditNpmJsonWithWatch(t *testing.T) {
_, _, cleanUp := integration.InitXscTest(t)
defer cleanUp()
output := testAuditNpm(t, string(format.Json), false)
validations.VerifyJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Licenses: 1, Violations: 1},
})
}
func TestXscAuditNpmSimpleJsonWithWatch(t *testing.T) {
_, _, cleanUp := integration.InitXscTest(t)
defer cleanUp()
output := testAuditNpm(t, string(format.SimpleJson), true)
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Licenses: 1, Violations: 1, Vulnerabilities: 1},
})
}
func TestXscAuditViolationsWithIgnoreRule(t *testing.T) {
// Init XSC tests also enabled analytics reporting.
_, _, cleanUpXsc := integration.InitXscTest(t, func() { securityTestUtils.ValidateXrayVersion(t, services.MinXrayVersionGitRepoKey) })
defer cleanUpXsc()
// Create the audit command with git repo context injected.
cliToRun, cleanUpHome := integration.InitTestWithMockCommandOrParams(t, false, getAuditCommandWithXscGitContext(validations.TestMockGitInfo))
defer cleanUpHome()
// Create the project to scan
_, cleanUpProject := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "projects", "jas", "jas"))
defer cleanUpProject()
// Create policy and watch for the git repo so we will also get violations (unknown = all vulnerabilities will be reported as violations)
policyName, cleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "git-repo-ignore-rule-policy", utils.Unknown, true, false)
defer cleanUpPolicy()
_, cleanUpWatch := securityTestUtils.CreateWatchForTests(t, policyName, "git-repo-ignore-rule-watch", xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl))
defer cleanUpWatch()
// Run the audit command with git repo and verify violations are reported to the platform.
output, err := testAuditCommand(t, cliToRun, auditCommandTestParams{Format: string(format.SimpleJson), WithLicense: true, WithVuln: true})
assert.NoError(t, err)
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Licenses: 3, Violations: 26, Vulnerabilities: 39},
// Check that we have at least one violation for each scan type. (IAC is not supported yet)
Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{Sca: 1, Sast: 1, Secrets: 1}},
})
// Create an ignore rules for the git repo
cleanUpCveIgnoreRule := securityTestUtils.CreateTestIgnoreRules(t, "security cli tests - Sca ignore rule", utils.IgnoreFilters{
GitRepositories: []string{xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl)},
CVEs: []string{"any"}, Licenses: []string{"any"},
})
defer cleanUpCveIgnoreRule()
cleanUpExposureIgnoreRule := securityTestUtils.CreateTestIgnoreRules(t, "security cli tests - Exposure ignore rule", utils.IgnoreFilters{
GitRepositories: []string{xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl)},
Exposures: &utils.ExposuresFilterName{Categories: []utils.ExposureType{utils.SecretExposureType, utils.IacExposureType}},
})
defer cleanUpExposureIgnoreRule()
cleanSastUpIgnoreRule := securityTestUtils.CreateTestIgnoreRules(t, "security cli tests - Sast ignore rule", utils.IgnoreFilters{
GitRepositories: []string{xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl)},
Sast: &utils.SastFilterName{Rule: []string{"any"}},
})
defer cleanSastUpIgnoreRule()
// Run the audit command and verify no issues. (all violations are ignored)
output, err = testAuditCommand(t, cliToRun, auditCommandTestParams{Format: string(format.SimpleJson)})
assert.NoError(t, err)
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{ExactResultsMatch: true, Total: &validations.TotalCount{}, Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{}}})
}
func TestXrayAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
// Init XSC tests also enabled analytics reporting.
_, _, cleanUpXsc := integration.InitXscTest(t, func() { securityTestUtils.ValidateXrayVersion(t, services.MinXrayVersionGitRepoKey) })
defer cleanUpXsc()
// Create the audit command with git repo context injected.
cliToRun, cleanUpHome := integration.InitTestWithMockCommandOrParams(t, false, getAuditCommandWithXscGitContext(validations.TestMockGitInfo))
defer cleanUpHome()
// Create the project to scan
_, cleanUpProject := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "projects", "jas", "jas"))
defer cleanUpProject()
// Create policy and watch for the git repo so we will also get violations - This watch DO NOT skip not-applicable results
var firstPolicyCleaned, firstWatchCleaned bool
policyName, cleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "without-skip-non-applicable-policy", utils.Low, false, false)
defer func() {
if !firstPolicyCleaned {
cleanUpPolicy()
}
}()
watchName, cleanUpWatch := securityTestUtils.CreateWatchForTests(t, policyName, "without-skip-not-applicable-watch", xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl))
defer func() {
if !firstWatchCleaned {
cleanUpWatch()
}
}()
// Run the audit command with git repo and verify violations are reported to the platform.
output, err := testAuditCommand(t, cliToRun, auditCommandTestParams{Format: string(format.SimpleJson), Watches: []string{watchName}, DisableFailOnFailedBuildFlag: true})
assert.NoError(t, err)
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{Sca: 17, Sast: 1, Secrets: 15}},
ExactResultsMatch: true,
})
// We clean the initially created Policy and Watch that are related to the Git Repo resource, because we must have all related policies with skipNotApplicable=true
cleanUpWatch()
firstWatchCleaned = true
cleanUpPolicy()
firstPolicyCleaned = true
// Create policy and watch for the git repo so we will also get violations - This watch DO NOT skip not-applicable results
skipPolicyName, skipCleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "skip-non-applicable-policy", utils.Low, false, true)
defer skipCleanUpPolicy()
skipWatchName, skipCleanUpWatch := securityTestUtils.CreateWatchForTests(t, skipPolicyName, "skip-not-applicable-watch", xscutils.GetGitRepoUrlKey(validations.TestMockGitInfo.GitRepoHttpsCloneUrl))
defer skipCleanUpWatch()
output, err = testAuditCommand(t, cliToRun, auditCommandTestParams{Format: string(format.SimpleJson), Watches: []string{skipWatchName}, DisableFailOnFailedBuildFlag: true})
assert.NoError(t, err)
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{Sca: 12, Sast: 1, Secrets: 15}},
ExactResultsMatch: true,
})
}
func TestAuditJasViolationsProjectKeySimpleJson(t *testing.T) {
_, _, cleanUpXsc := integration.InitXscTest(t, func() { securityTestUtils.ValidateXrayVersion(t, services.MinXrayVersionGitRepoKey) })
defer cleanUpXsc()
testsJfrogPlatformProjectKey := os.Getenv(tests.TestJfrogPlatformProjectKeyEnvVar)
if testsJfrogPlatformProjectKey == "" {
t.Skipf("skipping test. %s is not set.", tests.TestJfrogPlatformProjectKeyEnvVar)
}
// Create the audit command with git repo context injected.
cliToRun, cleanUpHome := integration.InitTestWithMockCommandOrParams(t, false, getAuditCommandWithXscGitContext(validations.TestMockGitInfo))
defer cleanUpHome()
// Create the project to scan
_, cleanUpProject := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "projects", "jas", "jas"))
defer cleanUpProject()
// Create policy and watch for the project so we will get violations (unknown = all vulnerabilities will be reported as violations)
policyName, cleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "project-key-jas-violations-policy", utils.Unknown, true, false)
defer cleanUpPolicy()
_, cleanUpWatch := securityTestUtils.CreateTestProjectKeyWatch(t, policyName, "project-key-jas-violations-watch", *tests.JfrogTestProjectKey)
defer cleanUpWatch()
// Run the audit command with project key and verify violations are reported.
output, err := testAuditCommand(t, cliToRun, auditCommandTestParams{Format: string(format.SimpleJson), ProjectKey: *tests.JfrogTestProjectKey})
assert.ErrorContains(t, err, results.NewFailBuildError().Error())
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Violations: 14},
// Check that we have at least one violation for each scan type. (IAC is not supported yet)
Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{Sca: 1, Sast: 1, Secrets: 1}},
})
}
// TODO: replace with 'Git Audit' command when it will be available.
// This method generate an audit command that will report analytics (if enabled) with the git info context provided.
// The method will generate multi-scan-id and provide it to the audit command.
// The method will also provide the git repo clone url to the audit command.
func getAuditCommandWithXscGitContext(gitInfoContext xscservices.XscGitInfoContext) func() components.Command {
return func() components.Command {
return components.Command{
Name: docs.Audit,
Flags: docs.GetCommandFlags(docs.Audit),
Action: func(c *components.Context) error {
xrayVersion, xscVersion, serverDetails, auditCmd, err := cli.CreateAuditCmd(c)
if err != nil {
return err
}
// Generate the analytics event with the git info context.
event := xsc.CreateAnalyticsEvent(xscservices.CliProduct, xscservices.CliEventType, serverDetails)
event.GitInfo = &gitInfoContext
event.IsGitInfoFlow = true
// Report analytics and get the multi scan id that was generated and attached to the git context.
multiScanId, startTime := xsc.SendNewScanEvent(xrayVersion, xscVersion, serverDetails, event)
// Set the multi scan id to the audit command to be used in the scans.
auditCmd.SetMultiScanId(multiScanId)
// Set the git repo context to the audit command to pass to the scanners to create violations if applicable.
auditCmd.SetGitRepoHttpsCloneUrl(gitInfoContext.GitRepoHttpsCloneUrl)
err = progressbar.ExecWithProgress(auditCmd)
// Send the final event to the platform.
xsc.SendScanEndedEvent(xrayVersion, xscVersion, serverDetails, multiScanId, startTime, 0, err)
return err
},
}
}
}
func TestXscAuditMavenJson(t *testing.T) {
_, _, cleanUp := integration.InitXscTest(t)
defer cleanUp()
output := testAuditMaven(t, string(format.Json))
validations.VerifyJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1},
})
}
func TestXscAuditMavenSimpleJson(t *testing.T) {
_, _, cleanUp := integration.InitXscTest(t)
defer cleanUp()
output := testAuditMaven(t, string(format.SimpleJson))
validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1},
})
}
func TestXscAnalyticsForAudit(t *testing.T) {
xrayVersion, xscVersion, cleanUp := integration.InitXscTest(t)
defer cleanUp()
// Scan npm project and verify that analytics general event were sent to XSC.
output := testAuditNpm(t, string(format.SimpleJson), false)
validateAnalyticsBasicEvent(t, xrayVersion, xscVersion, output)
}
func validateAnalyticsBasicEvent(t *testing.T, xrayVersion, xscVersion, output string) {
// Get MSI.
var results formats.SimpleJsonResults
err := json.Unmarshal([]byte(output), &results)
assert.NoError(t, err)
// Verify analytics metrics.
event, err := xsc.GetScanEvent(xrayVersion, xscVersion, results.MultiScanId, tests.XscDetails)
assert.NoError(t, err)
assert.NotNil(t, event)
assert.NotEmpty(t, results.MultiScanId)
// Event creation and addition information.
assert.Equal(t, xscservices.CliProduct, event.Product)
assert.Equal(t, xscservices.CliEventType, event.EventType)
assert.NotEmpty(t, event.AnalyzerManagerVersion)
assert.NotEmpty(t, event.EventStatus)
// The information that was added after updating the event with the scan's results.
assert.NotEmpty(t, event.TotalScanDuration)
assert.True(t, event.TotalFindings > 0)
}
func TestAdvancedSecurityDockerScanWithXsc(t *testing.T) {
_, _, cleanUpXsc := integration.InitXscTest(t)
defer cleanUpXsc()
testCli, cleanupDocker := integration.InitNativeDockerTest(t)
defer cleanupDocker()
runAdvancedSecurityDockerScan(t, testCli, "jfrog/demo-security:latest")
}