Skip to content

Commit

Permalink
Merge branch 'dev' into sverdlov93-patch-1
Browse files Browse the repository at this point in the history
  • Loading branch information
sverdlov93 authored Sep 21, 2023
2 parents 9109c5d + fc8c5e6 commit c0a40ba
Show file tree
Hide file tree
Showing 7 changed files with 716 additions and 7 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/xrayTests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,6 @@ jobs:
runs-on: ${{ matrix.os }}-latest
env:
GRADLE_OPTS: -Dorg.gradle.daemon=false
# Run Xray tests with latest Analyzer
JFROG_CLI_ANALYZER_MANAGER_VERSION: "[RELEASE]"
steps:
- name: Install Go
uses: actions/setup-go@v3
Expand Down
3 changes: 2 additions & 1 deletion testdata/xray/jas-test/requirements.txt
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
PyYAML==5.2
PyYAML==5.2
Werkzeug==1.0.1
51 changes: 51 additions & 0 deletions testdata/xray/jas-test/sast/flask_webgoat/__init__.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
import os
import sqlite3
from pathlib import Path

from flask import Flask, g

DB_FILENAME = "database.db"


def query_db(query, args=(), one=False, commit=False):
with sqlite3.connect(DB_FILENAME) as conn:
# vulnerability: Sensitive Data Exposure
conn.set_trace_callback(print)
cur = conn.cursor().execute(query, args)
if commit:
conn.commit()
return cur.fetchone() if one else cur.fetchall()


def create_app():
app = Flask(__name__)
app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"

db_path = Path(DB_FILENAME)
if db_path.exists():
db_path.unlink()

conn = sqlite3.connect(DB_FILENAME)
create_table_query = """CREATE TABLE IF NOT EXISTS user
(id INTEGER PRIMARY KEY, username TEXT, password TEXT, access_level INTEGER)"""
conn.execute(create_table_query)

insert_admin_query = """INSERT INTO user (id, username, password, access_level)
VALUES (1, 'admin', 'admin', 0)"""
conn.execute(insert_admin_query)
conn.commit()
conn.close()

with app.app_context():
from . import actions
from . import auth
from . import status
from . import ui
from . import users

app.register_blueprint(actions.bp)
app.register_blueprint(auth.bp)
app.register_blueprint(status.bp)
app.register_blueprint(ui.bp)
app.register_blueprint(users.bp)
return app
25 changes: 25 additions & 0 deletions testdata/xray/jas-test/sast/flask_webgoat/ui.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
import sqlite3

from flask import Blueprint, request, render_template
from . import query_db

bp = Blueprint("ui", __name__)


@bp.route("/search")
def search():
query_param = request.args.get("query")
if query_param is None:
message = "please provide the query parameter"
return render_template("error.html", message=message)

try:
query = "SELECT username, access_level FROM user WHERE username LIKE ?;"
results = query_db(query, (query_param,))
# vulnerability: XSS
return render_template(
"search.html", results=results, num_results=len(results), query=query_param
)
except sqlite3.Error as err:
message = "Error while executing query " + query_param + ": " + err
return render_template("error.html", message=message)
618 changes: 618 additions & 0 deletions testdata/xray/jas-test/sast/result.sarif

Large diffs are not rendered by default.

15 changes: 15 additions & 0 deletions testdata/xray/jas-test/sast/run.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
from flask_webgoat import create_app

app = create_app()

@app.after_request
def add_csp_headers(response):
# vulnerability: Broken Access Control
response.headers['Access-Control-Allow-Origin'] = '*'
# vulnerability: Security Misconfiguration
response.headers['Content-Security-Policy'] = "script-src 'self' 'unsafe-inline'"
return response

if __name__ == '__main__':
# vulnerability: Security Misconfiguration
app.run(debug=True)
9 changes: 5 additions & 4 deletions xray_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -416,7 +416,7 @@ func TestXrayAuditMultiProjects(t *testing.T) {
defer cleanTestsHomeEnv()
output := xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(utils.SimpleJson), workingDirsFlag)
verifySimpleJsonScanResults(t, output, 35, 0)
verifySimpleJsonJasResults(t, output, 9, 7, 0, 1)
verifySimpleJsonJasResults(t, output, 3, 9, 7, 3, 1)
}

func TestXrayAuditPipJson(t *testing.T) {
Expand Down Expand Up @@ -750,13 +750,13 @@ func TestXrayOfflineDBSyncV3(t *testing.T) {

func TestXrayAuditJasSimpleJson(t *testing.T) {
output := testXrayAuditJas(t, string(utils.SimpleJson), "jas-test")
verifySimpleJsonJasResults(t, output, 9, 7, 2, 1)
verifySimpleJsonJasResults(t, output, 3, 9, 7, 3, 1)
}

func TestXrayAuditJasNoViolationsSimpleJson(t *testing.T) {
output := testXrayAuditJas(t, string(utils.SimpleJson), "npm")
verifySimpleJsonScanResults(t, output, 2, 0)
verifySimpleJsonJasResults(t, output, 0, 0, 0, 1)
verifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 1)
}

func testXrayAuditJas(t *testing.T, format string, project string) string {
Expand All @@ -776,10 +776,11 @@ func testXrayAuditJas(t *testing.T, format string, project string) string {
return xrayCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+format)
}

func verifySimpleJsonJasResults(t *testing.T, content string, minIacViolations, minSecrets, minApplicable, minNotApplicable int) {
func verifySimpleJsonJasResults(t *testing.T, content string, minSastViolations, minIacViolations, minSecrets, minApplicable, minNotApplicable int) {
var results formats.SimpleJsonResults
err := json.Unmarshal([]byte(content), &results)
if assert.NoError(t, err) {
assert.GreaterOrEqual(t, len(results.Sast), minSastViolations, "Found less sast then expected")
assert.GreaterOrEqual(t, len(results.Secrets), minSecrets, "Found less secrets then expected")
assert.GreaterOrEqual(t, len(results.Iacs), minIacViolations, "Found less IaC then expected")
var applicableResults, notApplicableResults int
Expand Down

0 comments on commit c0a40ba

Please sign in to comment.