gosec/issue/issue_test.go

package issue_test

import (
	"go/ast"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"

	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/issue"
	"github.com/securego/gosec/v2/rules"
	"github.com/securego/gosec/v2/testutils"
)

var _ = Describe("Issue", func() {
	Context("when creating a new issue", func() {
		It("should create a code snippet from the specified ast.Node", func() {
			var target *ast.BasicLit
			source := `package main
			const foo = "bar"
			func main(){
				println(foo)
			}
			`
			pkg := testutils.NewTestPackage()
			defer pkg.Close()
			pkg.AddFile("foo.go", source)
			ctx := pkg.CreateContext("foo.go")
			v := testutils.NewMockVisitor()
			v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
				if node, ok := n.(*ast.BasicLit); ok {
					target = node
					return false
				}
				return true
			}
			v.Context = ctx
			ast.Walk(v, ctx.Root)
			Expect(target).ShouldNot(BeNil())

			fobj := ctx.GetFileAtNodePos(target)
			issue := issue.New(fobj, target, "TEST", "", issue.High, issue.High)
			Expect(issue).ShouldNot(BeNil())
			Expect(issue.Code).Should(MatchRegexp(`"bar"`))
			Expect(issue.Line).Should(Equal("2"))
			Expect(issue.Col).Should(Equal("16"))
			Expect(issue.Cwe).Should(BeNil())
		})

		It("should return an error if specific context is not able to be obtained", func() {
			Skip("Not implemented")
		})

		It("should construct file path based on line and file information", func() {
			var target *ast.AssignStmt

			source := `package main
			import "fmt"
			func main() {
				username := "admin"
				password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"
				fmt.Println("Doing something with: ", username, password)
			}`

			pkg := testutils.NewTestPackage()
			defer pkg.Close()
			pkg.AddFile("foo.go", source)
			ctx := pkg.CreateContext("foo.go")
			v := testutils.NewMockVisitor()
			v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
				if node, ok := n.(*ast.AssignStmt); ok {
					if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "password" {
						target = node
					}
				}
				return true
			}
			v.Context = ctx
			ast.Walk(v, ctx.Root)
			Expect(target).ShouldNot(BeNil())

			// Use hardcoded rule to check assignment
			cfg := gosec.NewConfig()
			rule, _ := rules.NewHardcodedCredentials("TEST", cfg)
			foundIssue, err := rule.Match(target, ctx)
			Expect(err).ShouldNot(HaveOccurred())
			Expect(foundIssue).ShouldNot(BeNil())
			Expect(foundIssue.FileLocation()).Should(MatchRegexp("foo.go:5"))
		})

		It("should provide accurate line and file information", func() {
			Skip("Not implemented")
		})

		It("should provide accurate line and file information for multi-line statements", func() {
			var target *ast.CallExpr
			source := `
package main
import (
   	"net"
)
func main() {
	_, _ := net.Listen("tcp", 
	"0.0.0.0:2000")
}
`
			pkg := testutils.NewTestPackage()
			defer pkg.Close()
			pkg.AddFile("foo.go", source)
			ctx := pkg.CreateContext("foo.go")
			v := testutils.NewMockVisitor()
			v.Callback = func(n ast.Node, ctx *gosec.Context) bool {
				if node, ok := n.(*ast.CallExpr); ok {
					target = node
				}
				return true
			}
			v.Context = ctx
			ast.Walk(v, ctx.Root)
			Expect(target).ShouldNot(BeNil())

			cfg := gosec.NewConfig()
			rule, _ := rules.NewBindsToAllNetworkInterfaces("TEST", cfg)
			issue, err := rule.Match(target, ctx)
			Expect(err).ShouldNot(HaveOccurred())
			Expect(issue).ShouldNot(BeNil())
			Expect(issue.File).Should(MatchRegexp("foo.go"))
			Expect(issue.Line).Should(MatchRegexp("7-8"))
			Expect(issue.Col).Should(Equal("10"))
		})

		It("should maintain the provided severity score", func() {
			Skip("Not implemented")
		})

		It("should maintain the provided confidence score", func() {
			Skip("Not implemented")
		})
	})
})
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`package issue_test`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00
			`import (`
Add test cases 2017-09-16 01:12:27 +01:00			`"go/ast"`

Update to ginkgo v2 (#753) 2022-01-03 17:11:35 +00:00			`. "github.com/onsi/ginkgo/v2"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`. "github.com/onsi/gomega"`
correct gci linter (#946) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-03-30 08:31:24 +01:00
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`"github.com/securego/gosec/v2/issue"`
Handle properly the gosec module version v2 Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-04-01 21:18:39 +01:00			`"github.com/securego/gosec/v2/rules"`
			`"github.com/securego/gosec/v2/testutils"`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`)`

			`var _ = Describe("Issue", func() {`
			`Context("when creating a new issue", func() {`
Add test cases 2017-09-16 01:12:27 +01:00			`It("should create a code snippet from the specified ast.Node", func() {`
			`var target *ast.BasicLit`
			source := `package main
			`const foo = "bar"`
			`func main(){`
			`println(foo)`
			`}`
			`
			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
			`pkg.AddFile("foo.go", source)`
			`ctx := pkg.CreateContext("foo.go")`
			`v := testutils.NewMockVisitor()`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
Add test cases 2017-09-16 01:12:27 +01:00			`if node, ok := n.(*ast.BasicLit); ok {`
			`target = node`
			`return false`
			`}`
			`return true`
			`}`
			`v.Context = ctx`
			`ast.Walk(v, ctx.Root)`
			`Expect(target).ShouldNot(BeNil())`

Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`fobj := ctx.GetFileAtNodePos(target)`
			`issue := issue.New(fobj, target, "TEST", "", issue.High, issue.High)`
Add test cases 2017-09-16 01:12:27 +01:00			`Expect(issue).ShouldNot(BeNil())`
			Expect(issue.Code).Should(MatchRegexp(`"bar"`))
Issue.Line is already a string 2017-10-01 01:31:39 +01:00			`Expect(issue.Line).Should(Equal("2"))`
Add golint format to output format (#428) Signed-off-by: Hiroki Suezawa <suezawa@gmail.com> 2020-01-03 09:56:21 +00:00			`Expect(issue.Col).Should(Equal("16"))`
Refactor : Replace Cwe with cwe.Weakness 2021-05-07 15:54:34 +01:00			`Expect(issue.Cwe).Should(BeNil())`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`

			`It("should return an error if specific context is not able to be obtained", func() {`
actually skip tests until implementation exists 2017-12-13 06:35:28 +00:00			`Skip("Not implemented")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`

feature(formatter/text): Add color option on text format (#460) * feature(issue): Add function to return file path and line number * docs(formatter/CreateReport): Update formats accepted * feature(formatter): Add color output for text format Basic color support for text format. For now, only the "Summary" title and "Issues" section has color * feature(formatter): Highlight issues based on severity Given an issue, the file path is painted based on its severity. We're using the following rules: high is red, medium is yellow and low is simple black & white * feature(main): Add color flag It's only valid for text format * refactor(formatter): Passing color flag forward 2020-04-14 08:50:02 +01:00			`It("should construct file path based on line and file information", func() {`
			`var target *ast.AssignStmt`

			source := `package main
			`import "fmt"`
			`func main() {`
			`username := "admin"`
			`password := "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"`
			`fmt.Println("Doing something with: ", username, password)`
			}`

			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
			`pkg.AddFile("foo.go", source)`
			`ctx := pkg.CreateContext("foo.go")`
			`v := testutils.NewMockVisitor()`
			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
			`if node, ok := n.(*ast.AssignStmt); ok {`
			`if id, ok := node.Lhs[0].(*ast.Ident); ok && id.Name == "password" {`
			`target = node`
			`}`
			`}`
			`return true`
			`}`
			`v.Context = ctx`
			`ast.Walk(v, ctx.Root)`
			`Expect(target).ShouldNot(BeNil())`

Fix typos in struct fields, comments, and docs (#1023) 2023-10-05 11:59:17 +01:00			`// Use hardcoded rule to check assignment`
feature(formatter/text): Add color option on text format (#460) * feature(issue): Add function to return file path and line number * docs(formatter/CreateReport): Update formats accepted * feature(formatter): Add color output for text format Basic color support for text format. For now, only the "Summary" title and "Issues" section has color * feature(formatter): Highlight issues based on severity Given an issue, the file path is painted based on its severity. We're using the following rules: high is red, medium is yellow and low is simple black & white * feature(main): Add color flag It's only valid for text format * refactor(formatter): Passing color flag forward 2020-04-14 08:50:02 +01:00			`cfg := gosec.NewConfig()`
			`rule, _ := rules.NewHardcodedCredentials("TEST", cfg)`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`foundIssue, err := rule.Match(target, ctx)`
feature(formatter/text): Add color option on text format (#460) * feature(issue): Add function to return file path and line number * docs(formatter/CreateReport): Update formats accepted * feature(formatter): Add color output for text format Basic color support for text format. For now, only the "Summary" title and "Issues" section has color * feature(formatter): Highlight issues based on severity Given an issue, the file path is painted based on its severity. We're using the following rules: high is red, medium is yellow and low is simple black & white * feature(main): Add color flag It's only valid for text format * refactor(formatter): Passing color flag forward 2020-04-14 08:50:02 +01:00			`Expect(err).ShouldNot(HaveOccurred())`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Expect(foundIssue).ShouldNot(BeNil())`
			`Expect(foundIssue.FileLocation()).Should(MatchRegexp("foo.go:5"))`
feature(formatter/text): Add color option on text format (#460) * feature(issue): Add function to return file path and line number * docs(formatter/CreateReport): Update formats accepted * feature(formatter): Add color output for text format Basic color support for text format. For now, only the "Summary" title and "Issues" section has color * feature(formatter): Highlight issues based on severity Given an issue, the file path is painted based on its severity. We're using the following rules: high is red, medium is yellow and low is simple black & white * feature(main): Add color flag It's only valid for text format * refactor(formatter): Passing color flag forward 2020-04-14 08:50:02 +01:00			`})`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`It("should provide accurate line and file information", func() {`
actually skip tests until implementation exists 2017-12-13 06:35:28 +00:00			`Skip("Not implemented")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`

Add test cases 2017-09-16 01:12:27 +01:00			`It("should provide accurate line and file information for multi-line statements", func() {`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 13:19:00 +01:00			`var target *ast.CallExpr`
			source := `
			`package main`
			`import (`
			`"net"`
			`)`
			`func main() {`
Change the issue test to verify that a multi-line finding contains a line range Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-26 08:05:24 +01:00			`_, _ := net.Listen("tcp",`
			`"0.0.0.0:2000")`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 13:19:00 +01:00			`}`
			`
Add test cases 2017-09-16 01:12:27 +01:00			`pkg := testutils.NewTestPackage()`
			`defer pkg.Close()`
			`pkg.AddFile("foo.go", source)`
			`ctx := pkg.CreateContext("foo.go")`
			`v := testutils.NewMockVisitor()`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`v.Callback = func(n ast.Node, ctx *gosec.Context) bool {`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 13:19:00 +01:00			`if node, ok := n.(*ast.CallExpr); ok {`
Add test cases 2017-09-16 01:12:27 +01:00			`target = node`
			`}`
			`return true`
			`}`
			`v.Context = ctx`
			`ast.Walk(v, ctx.Root)`
			`Expect(target).ShouldNot(BeNil())`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`cfg := gosec.NewConfig()`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 13:19:00 +01:00			`rule, _ := rules.NewBindsToAllNetworkInterfaces("TEST", cfg)`
Add test cases 2017-09-16 01:12:27 +01:00			`issue, err := rule.Match(target, ctx)`
			`Expect(err).ShouldNot(HaveOccurred())`
			`Expect(issue).ShouldNot(BeNil())`
			`Expect(issue.File).Should(MatchRegexp("foo.go"))`
Change the issue test to verify that a multi-line finding contains a line range Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-26 08:05:24 +01:00			`Expect(issue.Line).Should(MatchRegexp("7-8"))`
Improve the SQL concatenation and string formatting rules to be applied only in the database/sql context In addition makes pattern matching used by the rules cases insensitive. Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch> 2020-05-25 13:19:00 +01:00			`Expect(issue.Col).Should(Equal("10"))`
Add test cases 2017-09-16 01:12:27 +01:00			`})`

Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`It("should maintain the provided severity score", func() {`
actually skip tests until implementation exists 2017-12-13 06:35:28 +00:00			`Skip("Not implemented")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`

			`It("should maintain the provided confidence score", func() {`
actually skip tests until implementation exists 2017-12-13 06:35:28 +00:00			`Skip("Not implemented")`
Major rework of codebase - Get rid of 'core' and move CLI to cmd/gas directory - Migrate (most) tests to use Ginkgo and testutils framework - GAS now expects package to reside in $GOPATH - GAS now can resolve dependencies for better type checking (if package on GOPATH) - Simplified public API 2017-07-19 22:17:00 +01:00			`})`
			`})`
			`})`