From dcdee9636c4743e5267d235d59501f922a03037f Mon Sep 17 00:00:00 2001
From: Scott Hissam
Date: Wed, 24 Aug 2022 20:58:58 +0000
Subject: [PATCH] added unit test cases for the new content-based Security Policy checks
---
 checks/evaluation/security_policy_test.go | 4 +-
 checks/raw/security_policy_test.go | 27 +++++++++++
 checks/security_policy_test.go | 46 +++++++++++++++----
 checks/testdata/securitypolicy/00_1byte | 1 +
 checks/testdata/securitypolicy/00_empty | 0
 checks/testdata/securitypolicy/03_emailOnly | 1 +
 .../testdata/securitypolicy/03_securitypolicy | 1 +
 checks/testdata/securitypolicy/03_textOnly | 1 +
 checks/testdata/securitypolicy/03_urlOnly | 1 +
 .../securitypolicy/04_textAndDisclosureVuls | 1 +
 .../securitypolicy/06_urlAndEmailOnly | 1 +
 checks/testdata/securitypolicy/07_realworld | 11 +++++
 .../securitypolicy/09_linkedContentAndText | 2 +
 .../10_linkedContentAndTextAndDisclosureVuls | 2 +
 checks/testdata/securitypolicy/10_realworld | 22 +++++++++
 15 files changed, 109 insertions(+), 12 deletions(-)
 create mode 100644 checks/testdata/securitypolicy/00_1byte
 create mode 100644 checks/testdata/securitypolicy/00_empty
 create mode 100644 checks/testdata/securitypolicy/03_emailOnly
 create mode 100644 checks/testdata/securitypolicy/03_securitypolicy
 create mode 100644 checks/testdata/securitypolicy/03_textOnly
 create mode 100644 checks/testdata/securitypolicy/03_urlOnly
 create mode 100644 checks/testdata/securitypolicy/04_textAndDisclosureVuls
 create mode 100644 checks/testdata/securitypolicy/06_urlAndEmailOnly
 create mode 100644 checks/testdata/securitypolicy/07_realworld
 create mode 100644 checks/testdata/securitypolicy/09_linkedContentAndText
 create mode 100644 checks/testdata/securitypolicy/10_linkedContentAndTextAndDisclosureVuls
 create mode 100644 checks/testdata/securitypolicy/10_realworld
diff --git a/checks/evaluation/security_policy_test.go b/checks/evaluation/security_policy_test.go
index 2c6c2df19577..10ebc9252746 100644
--- a/checks/evaluation/security_policy_test.go
+++ b/checks/evaluation/security_policy_test.go
@@ -68,7 +68,7 @@ func TestSecurityPolicy(t *testing.T) {
 },
 },
 want: checker.CheckResult{
- Score: 10,
+ Score: 0,
 },
 },
 {
@@ -84,7 +84,7 @@ func TestSecurityPolicy(t *testing.T) {
 },
 },
 want: checker.CheckResult{
- Score: 10,
+ Score: 0,
 },
 },
 }
diff --git a/checks/raw/security_policy_test.go b/checks/raw/security_policy_test.go
index ae5d30896012..e69d079e39b6 100644
--- a/checks/raw/security_policy_test.go
+++ b/checks/raw/security_policy_test.go
@@ -15,6 +15,8 @@ package raw
 import (
+ "fmt"
+ "os"
 "testing"
 "github.com/golang/mock/gomock"
@@ -65,6 +67,7 @@ func TestSecurityPolicy(t *testing.T) {
 tests := []struct {
 name string
 files []string
+ path string
 result checker.SecurityPolicyData
 wantErr bool
 want scut.TestReturn
@@ -74,30 +77,35 @@ func TestSecurityPolicy(t *testing.T) {
 files: []string{
 "security.md",
 },
+ path: "",
 },
 {
 name: ".github/security.md",
 files: []string{
 ".github/security.md",
 },
+ path: "",
 },
 {
 name: "docs/security.md",
 files: []string{
 "docs/security.md",
 },
+ path: "",
 },
 {
 name: "docs/security.rst",
 files: []string{
 "docs/security.rst",
 },
+ path: "",
 },
 {
 name: "doc/security.rst",
 files: []string{
 "doc/security.rst",
 },
+ path: "",
 },
 }
 for _, tt := range tests {
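Review bot: Every case in the -74 hunk sets `path: ""` explicitly, which is the field's zero value, so the five assignments add nothing and the `os.ReadFile` branch of the new `GetFileContent` stub is never reached in this file. Either drop the `path: ""` lines or add one case that points at a fixture so the raw extractor's content handling is exercised here as well. The `path` field is placed after `files` in this table (-65 hunk) but before `files` in checks/security_policy_test.go; using the same field order in both tables makes the two files easier to compare. TestSecurityPolicy starts and ends outside these hunks.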
@@ -110,6 +118,25 @@ func TestSecurityPolicy(t *testing.T) {
 mockRepoClient.EXPECT().ListFiles(gomock.Any()).Return(tt.files, nil).AnyTimes()
 mockRepo.EXPECT().Org().Return(nil).AnyTimes()
+ //
+ // the revised Security Policy will immediate go for the
+ // file contents once found. This test will return that
+ // mock file, but this specific unit test is not testing
+ // for content. As such, this test will crash without
+ // a mock GetFileContent, so this will return no content
+ // for the existing file. content test are in overall check
+ //
+ mockRepoClient.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(fn string) ([]byte, error) {
+ if tt.path == "" {
+ return nil, nil
+ }
+ content, err := os.ReadFile(tt.path)
+ if err != nil {
+ return content, fmt.Errorf("%w", err)
+ }
+ return content, nil
+ }).AnyTimes()
+
 dl := scut.TestDetailLogger{}
 c := checker.CheckRequest{
 RepoClient: mockRepoClient,
diff --git a/checks/security_policy_test.go b/checks/security_policy_test.go
index e689b9378361..88fe9a30e043 100644
--- a/checks/security_policy_test.go
+++ b/checks/security_policy_test.go
@@ -15,6 +15,8 @@ package checks
 import (
+ "fmt"
+ "os"
 "testing"
 "github.com/golang/mock/gomock"
@@ -29,12 +31,14 @@ func TestSecurityPolicy(t *testing.T) { //nolint
 tests := []struct {
 name string
+ path string
 files []string
 wantErr bool
 want scut.TestReturn
 }{
 {
 name: "security.md",
+ path: "./testdata/securitypolicy/10_realworld",
 files: []string{
 "security.md",
 },
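Review bot: In the `GetFileContent` stub, `fmt.Errorf("%w", err)` wraps the `os.ReadFile` error without adding any context, and the partially read `content` is returned alongside the error; prefer `return nil, fmt.Errorf("reading fixture %q: %w", tt.path, err)` so a missing or unreadable fixture fails with its path in the message. The identical stub in checks/security_policy_test.go (hunk @@ -153,6 +167,18) has the same issue. The closure also ignores its `fn` argument, so every file the check requests resolves to the same fixture; a comment such as `// fn is ignored: any requested file maps to this case's fixture` makes that deliberate, and comparing `fn` against `tt.files` would catch the check reading a file it was not expected to. The comment block above the stub reads more clearly as `// The revised Security Policy check reads file contents as soon as a file is found; this test is not about content, but it panics without a GetFileContent mock, so the stub returns no content for the found file (content tests live in the overall check).` TestSecurityPolicy starts and ends outside the hunk.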
@@ -45,76 +49,84 @@ func TestSecurityPolicy(t *testing.T) {
 },
 {
 name: ".github/security.md",
+ path: "./testdata/securitypolicy/07_realworld",
 files: []string{
 ".github/security.md",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 7,
 NumberOfInfo: 1,
 },
 },
 {
 name: "docs/security.md",
+ path: "./testdata/securitypolicy/04_textAndDisclosureVuls",
 files: []string{
 "docs/security.md",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 4,
 NumberOfInfo: 1,
 },
 },
 {
 name: "security.rst",
+ path: "./testdata/securitypolicy/03_textOnly",
 files: []string{
 "security.rst",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 3,
 NumberOfInfo: 1,
 },
 },
 {
 name: ".github/security.rst",
+ path: "./testdata/securitypolicy/03_urlOnly",
 files: []string{
 ".github/security.rst",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 3,
 NumberOfInfo: 1,
 },
 },
 {
 name: "docs/security.rst",
+ path: "./testdata/securitypolicy/03_emailOnly",
 files: []string{
 "docs/security.rst",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 3,
 NumberOfInfo: 1,
 },
 },
 {
 name: "doc/security.rst",
+ path: "./testdata/securitypolicy/06_urlAndEmailOnly",
 files: []string{
 "doc/security.rst",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 6,
 NumberOfInfo: 1,
 },
 },
 {
 name: "security.adoc",
+ path: "./testdata/securitypolicy/09_linkedContentAndText",
 files: []string{
 "security.adoc",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 9,
 NumberOfInfo: 1,
 },
 },
 {
 name: ".github/security.adoc",
+ path: "./testdata/securitypolicy/10_linkedContentAndTextAndDisclosureVuls",
 files: []string{
 ".github/security.adoc",
 },
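Review bot: The case names in this hunk still describe only where the file was found (`".github/security.md"`, `"docs/security.rst"`), while the expected score now depends on the fixture's content, so a failing case reports a name that says nothing about which content shape was scored. Consider naming each case by what is scored, e.g. `name: ".github/security.md: real-world policy scores 7"`, and hoisting the repeated `./testdata/securitypolicy/` prefix into a package-level `const securityPolicyTestdata = "./testdata/securitypolicy"` used as `path: securityPolicyTestdata + "/07_realworld"`. TestSecurityPolicy starts and ends outside the hunk.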
@@ -125,21 +137,23 @@ func TestSecurityPolicy(t *testing.T) {
 },
 {
 name: "docs/security.adoc",
+ path: "./testdata/securitypolicy/00_empty",
 files: []string{
 "docs/security.adoc",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 0,
 NumberOfInfo: 1,
 },
 },
 {
 name: "Pass Case: Case-insensitive testing",
+ path: "./testdata/securitypolicy/00_1byte",
 files: []string{
 "dOCs/SeCuRIty.rsT",
 },
 want: scut.TestReturn{
- Score: 10,
+ Score: 0,
 NumberOfInfo: 1,
 },
 },
@@ -153,6 +167,18 @@ func TestSecurityPolicy(t *testing.T) {
 mockRepo := mockrepo.NewMockRepoClient(ctrl)
 mockRepo.EXPECT().ListFiles(gomock.Any()).Return(tt.files, nil).AnyTimes()
+
+ mockRepo.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(fn string) ([]byte, error) {
+ if tt.path == "" {
+ return nil, nil
+ }
+ content, err := os.ReadFile(tt.path)
+ if err != nil {
+ return content, fmt.Errorf("%w", err)
+ }
+ return content, nil
+ }).AnyTimes()
+
 dl := scut.TestDetailLogger{}
 c := checker.CheckRequest{
 RepoClient: mockRepo,
@@ -162,7 +188,7 @@ func TestSecurityPolicy(t *testing.T) {
 res := SecurityPolicy(&c)
 if !scut.ValidateTestReturn(t, tt.name, &tt.want, &res, &dl) {
- t.Errorf("test failed: log message not present: %+v", tt.want)
+ t.Errorf("test failed: log message not present: %+v on %+v", tt.want, res)
 }
 })
 }
diff --git a/checks/testdata/securitypolicy/00_1byte b/checks/testdata/securitypolicy/00_1byte
new file mode 100644
index 000000000000..8b137891791f
--- /dev/null
+++ b/checks/testdata/securitypolicy/00_1byte
@@ -0,0 +1 @@
+
diff --git a/checks/testdata/securitypolicy/00_empty b/checks/testdata/securitypolicy/00_empty
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/checks/testdata/securitypolicy/03_emailOnly b/checks/testdata/securitypolicy/03_emailOnly
new file mode 100644
index 000000000000..7ead344a58cf
--- /dev/null
+++ b/checks/testdata/securitypolicy/03_emailOnly
@@ -0,0 +1 @@
+security@example.com
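Review bot: The case named `"Pass Case: Case-insensitive testing"` now expects `Score: 0` from the `00_1byte` fixture, so the name no longer matches the assertion; the case still shows that `dOCs/SeCuRIty.rsT` is discovered (`NumberOfInfo: 1`), but the score it pins is the opposite of a pass. Either rename it, e.g. `name: "Case-insensitive file match with empty policy content"`, or point it at a fixture whose content scores, such as `10_realworld` (presumably the full score, given its prefix), so the "Pass Case" label stays true. TestSecurityPolicy starts and ends outside these hunks.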
diff --git a/checks/testdata/securitypolicy/03_securitypolicy b/checks/testdata/securitypolicy/03_securitypolicy
new file mode 100644
index 000000000000..450c3c918987
--- /dev/null
+++ b/checks/testdata/securitypolicy/03_securitypolicy
@@ -0,0 +1 @@
+now is the time for all goodness for vulnerabilities and disclosures
diff --git a/checks/testdata/securitypolicy/03_textOnly b/checks/testdata/securitypolicy/03_textOnly
new file mode 100644
index 000000000000..a75492cecf66
--- /dev/null
+++ b/checks/testdata/securitypolicy/03_textOnly
@@ -0,0 +1 @@
+now is the time for all goodness
diff --git a/checks/testdata/securitypolicy/03_urlOnly b/checks/testdata/securitypolicy/03_urlOnly
new file mode 100644
index 000000000000..2786204fedc0
--- /dev/null
+++ b/checks/testdata/securitypolicy/03_urlOnly
@@ -0,0 +1 @@
+https://security.example.com
diff --git a/checks/testdata/securitypolicy/04_textAndDisclosureVuls b/checks/testdata/securitypolicy/04_textAndDisclosureVuls
new file mode 100644
index 000000000000..450c3c918987
--- /dev/null
+++ b/checks/testdata/securitypolicy/04_textAndDisclosureVuls
@@ -0,0 +1 @@
+now is the time for all goodness for vulnerabilities and disclosures
diff --git a/checks/testdata/securitypolicy/06_urlAndEmailOnly b/checks/testdata/securitypolicy/06_urlAndEmailOnly
new file mode 100644
index 000000000000..bff8aa0585e0
--- /dev/null
+++ b/checks/testdata/securitypolicy/06_urlAndEmailOnly
@@ -0,0 +1 @@
+https://security.example.com security@example.com
diff --git a/checks/testdata/securitypolicy/07_realworld b/checks/testdata/securitypolicy/07_realworld
new file mode 100644
index 000000000000..65b40899abbb
--- /dev/null
+++ b/checks/testdata/securitypolicy/07_realworld
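Review bot: The new fixture `03_securitypolicy` is not referenced by any test case in this patch, and its blob is identical to `04_textAndDisclosureVuls` (both at index `450c3c918987`), so its `03` prefix contradicts the `Score: 4` that checks/security_policy_test.go expects for the same content. Either drop the file or give it distinct content and a test case that uses it; an unreferenced fixture with a misleading score prefix is likely to be reused in future cases as if it scored 3.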
@@ -0,0 +1,11 @@
+# Reporting Security Issues
+
+To report a security issue, please email
+[oss-security@googlegroups.com](mailto:oss-security@googlegroups.com)
+with a description of the issue, the steps you took to create the issue,
+affected versions, and, if known, mitigations for the issue.
+
+Our vulnerability management team will respond within 3 working days of your
+email. If the issue is confirmed as a vulnerability, we will open a
+Security Advisory and acknowledge your contributions as part of it. This project
+follows a 90 day disclosure timeline.
diff --git a/checks/testdata/securitypolicy/09_linkedContentAndText b/checks/testdata/securitypolicy/09_linkedContentAndText
new file mode 100644
index 000000000000..b41b6042f089
--- /dev/null
+++ b/checks/testdata/securitypolicy/09_linkedContentAndText
@@ -0,0 +1,2 @@
+https://security.example.com security@example.com
+now is the time for all goodness
diff --git a/checks/testdata/securitypolicy/10_linkedContentAndTextAndDisclosureVuls b/checks/testdata/securitypolicy/10_linkedContentAndTextAndDisclosureVuls
new file mode 100644
index 000000000000..6a887ae1d0ec
--- /dev/null
+++ b/checks/testdata/securitypolicy/10_linkedContentAndTextAndDisclosureVuls
@@ -0,0 +1,2 @@
+https://security.example.com security@example.com
+now is the time for all goodness for vulnerabilities and disclosures
diff --git a/checks/testdata/securitypolicy/10_realworld b/checks/testdata/securitypolicy/10_realworld
new file mode 100644
index 000000000000..2083d44cdf90
--- /dev/null
+++ b/checks/testdata/securitypolicy/10_realworld
@@ -0,0 +1,22 @@
+# Security Policy
+
+## Security Announcements
+
+Join the [kubernetes-security-announce] group for security and vulnerability announcements.
+
+You can also subscribe to an RSS feed of the above using [this link][kubernetes-security-announce-rss].
+
+## Reporting a Vulnerability
+
+Instructions for reporting a vulnerability can be found on the
+[Kubernetes Security and Disclosure Information] page.
+
+## Supported Versions
+
+Information about supported Kubernetes versions can be found on the
+[Kubernetes version and version skew support policy] page on the Kubernetes website.
+
+[kubernetes-security-announce]: https://groups.google.com/forum/#!forum/kubernetes-security-announce
+[kubernetes-security-announce-rss]: https://groups.google.com/forum/feed/kubernetes-security-announce/msgs/rss_v2_0.xml?num=50
+[Kubernetes version and version skew support policy]: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions
+[Kubernetes Security and Disclosure Information]: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability