mirrors
/
sonarqube
镜像自地址 https://github.com/SonarSource/sonarqube.git
关注 1
点赞 0
派生 0
代码 工单 0 版本发布 237 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
34603 提交
59 分支
目录树: c62e96c158
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'c62e96c158'
${ noResults }
sonarqube/server/sonar-server-common/src/test/java/org/sonar/server/security/SecurityStandardsTest.java

SecurityStandardsTest.java 7.7KB
原始文件 Blame 文件历史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2023 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.security;

  21. 

  22. import java.util.Arrays;

  23. import java.util.EnumSet;

  24. import java.util.List;

  25. import java.util.Set;

  26. import java.util.stream.Collectors;

  27. import org.junit.Test;

  28. import org.sonar.api.server.rule.RulesDefinition.OwaspAsvsVersion;

  29. import org.sonar.server.security.SecurityStandards.OwaspAsvs;

  30. import org.sonar.server.security.SecurityStandards.PciDss;

  31. import org.sonar.server.security.SecurityStandards.SQCategory;

  32. 

  33. import static java.util.Collections.emptySet;

  34. import static java.util.Collections.singleton;

  35. import static java.util.stream.Collectors.toSet;

  36. import static org.assertj.core.api.Assertions.assertThat;

  37. import static org.junit.Assert.assertEquals;

  38. import static org.junit.Assert.assertTrue;

  39. import static org.sonar.server.security.SecurityStandards.CWES_BY_SQ_CATEGORY;

  40. import static org.sonar.server.security.SecurityStandards.OWASP_ASVS_REQUIREMENTS_BY_LEVEL;

  41. import static org.sonar.server.security.SecurityStandards.SQ_CATEGORY_KEYS_ORDERING;

  42. import static org.sonar.server.security.SecurityStandards.fromSecurityStandards;

  43. import static org.sonar.server.security.SecurityStandards.getRequirementsForCategoryAndLevel;

  44. 

  45. public class SecurityStandardsTest {

  46.   @Test

  47.   public void fromSecurityStandards_from_empty_set_has_SQCategory_OTHERS() {

  48.     SecurityStandards securityStandards = fromSecurityStandards(emptySet());

  49. 

  50.     assertThat(securityStandards.getStandards()).isEmpty();

  51.     assertThat(securityStandards.getSqCategory()).isEqualTo(SQCategory.OTHERS);

  52.     assertThat(securityStandards.getIgnoredSQCategories()).isEmpty();

  53.   }

  54. 

  55.   @Test

  56.   public void fromSecurityStandards_from_empty_set_has_unkwown_cwe_standard() {

  57.     SecurityStandards securityStandards = fromSecurityStandards(emptySet());

  58. 

  59.     assertThat(securityStandards.getStandards()).isEmpty();

  60.     assertThat(securityStandards.getCwe()).containsOnly("unknown");

  61.   }

  62. 

  63.   @Test

  64.   public void fromSecurityStandards_from_empty_set_has_no_OwaspTop10_standard() {

  65.     SecurityStandards securityStandards = fromSecurityStandards(emptySet());

  66. 

  67.     assertThat(securityStandards.getStandards()).isEmpty();

  68.     assertThat(securityStandards.getOwaspTop10()).isEmpty();

  69.   }

  70. 

  71.   @Test

  72.   public void fromSecurityStandards_from_empty_set_has_no_SansTop25_standard() {

  73.     SecurityStandards securityStandards = fromSecurityStandards(emptySet());

  74. 

  75.     assertThat(securityStandards.getStandards()).isEmpty();

  76.     assertThat(securityStandards.getSansTop25()).isEmpty();

  77.   }

  78. 

  79.   @Test

  80.   public void fromSecurityStandards_from_empty_set_has_no_CweTop25_standard() {

  81.     SecurityStandards securityStandards = fromSecurityStandards(emptySet());

  82. 

  83.     assertThat(securityStandards.getStandards()).isEmpty();

  84.     assertThat(securityStandards.getCweTop25()).isEmpty();

  85.   }

  86. 

  87.   @Test

  88.   public void fromSecurityStandards_finds_SQCategory_from_any_if_the_mapped_CWE_standard() {

  89.     CWES_BY_SQ_CATEGORY.forEach((sqCategory, cwes) -> {

  90.       cwes.forEach(cwe -> {

  91.         SecurityStandards securityStandards = fromSecurityStandards(singleton("cwe:" + cwe));

  92. 

  93.         assertThat(securityStandards.getSqCategory()).isEqualTo(sqCategory);

  94.       });

  95.     });

  96.   }

  97. 

  98.   @Test

  99.   public void fromSecurityStandards_finds_SQCategory_from_multiple_of_the_mapped_CWE_standard() {

  100.     CWES_BY_SQ_CATEGORY.forEach((sqCategory, cwes) -> {

  101.       SecurityStandards securityStandards = fromSecurityStandards(cwes.stream().map(t -> "cwe:" + t).collect(toSet()));

  102. 

  103.       assertThat(securityStandards.getSqCategory()).isEqualTo(sqCategory);

  104.     });

  105.   }

  106. 

  107.   @Test

  108.   public void fromSecurityStandards_finds_SQCategory_first_in_order_when_CWEs_map_to_multiple_SQCategories() {

  109.     EnumSet<SQCategory> sqCategories = EnumSet.allOf(SQCategory.class);

  110.     sqCategories.remove(SQCategory.OTHERS);

  111. 

  112.     while (!sqCategories.isEmpty()) {

  113.       SQCategory expected = sqCategories.stream().min(SQ_CATEGORY_KEYS_ORDERING.onResultOf(SQCategory::getKey)).get();

  114.       SQCategory[] expectedIgnored = sqCategories.stream().filter(t -> t != expected).toArray(SQCategory[]::new);

  115. 

  116.       Set<String> cwes = sqCategories.stream()

  117.         .flatMap(t -> CWES_BY_SQ_CATEGORY.get(t).stream().map(e -> "cwe:" + e))

  118.         .collect(Collectors.toSet());

  119.       SecurityStandards securityStandards = fromSecurityStandards(cwes);

  120. 

  121.       assertThat(securityStandards.getSqCategory()).isEqualTo(expected);

  122.       assertThat(securityStandards.getIgnoredSQCategories()).containsOnly(expectedIgnored);

  123. 

  124.       sqCategories.remove(expected);

  125.     }

  126.   }

  127. 

  128.   @Test

  129.   public void pciDss_categories_check() {

  130.     List<String> pciDssCategories = Arrays.stream(PciDss.values()).map(PciDss::category).toList();

  131. 

  132.     assertThat(pciDssCategories).hasSize(12).containsExactly("1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12");

  133.   }

  134. 

  135.   @Test

  136.   public void owaspAsvs_categories_check() {

  137.     List<String> owaspAsvsCategories = Arrays.stream(OwaspAsvs.values()).map(OwaspAsvs::category).toList();

  138. 

  139.     assertThat(owaspAsvsCategories).hasSize(14).containsExactly("1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14");

  140.   }

  141. 

  142.   @Test

  143.   public void owaspAsvs40_requirements_distribution_by_level_check() {

  144.     assertTrue(OWASP_ASVS_REQUIREMENTS_BY_LEVEL.containsKey(OwaspAsvsVersion.V4_0));

  145.     assertTrue(OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).containsKey(1));

  146.     assertTrue(OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).containsKey(2));

  147.     assertTrue(OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).containsKey(3));

  148.     assertEquals(135, OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).get(1).size());

  149.     assertEquals(266, OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).get(2).size());

  150.     assertEquals(286, OWASP_ASVS_REQUIREMENTS_BY_LEVEL.get(OwaspAsvsVersion.V4_0).get(3).size());

  151.   }

  152. 

  153.   @Test

  154.   public void owaspAsvs40_requirements_by_category_and_level_check() {

  155.     assertEquals(0, getRequirementsForCategoryAndLevel(OwaspAsvs.C1, 1).size());

  156.     assertEquals(31, getRequirementsForCategoryAndLevel(OwaspAsvs.C2, 1).size());

  157.     assertEquals(12, getRequirementsForCategoryAndLevel(OwaspAsvs.C3, 1).size());

  158.     assertEquals(9, getRequirementsForCategoryAndLevel(OwaspAsvs.C4, 1).size());

  159.     assertEquals(27, getRequirementsForCategoryAndLevel(OwaspAsvs.C5, 1).size());

  160.     assertEquals(1, getRequirementsForCategoryAndLevel(OwaspAsvs.C6, 1).size());

  161.     assertEquals(3, getRequirementsForCategoryAndLevel(OwaspAsvs.C7, 1).size());

  162.     assertEquals(7, getRequirementsForCategoryAndLevel(OwaspAsvs.C8, 1).size());

  163.     assertEquals(3, getRequirementsForCategoryAndLevel(OwaspAsvs.C9, 1).size());

  164.     assertEquals(3, getRequirementsForCategoryAndLevel(OwaspAsvs.C10, 1).size());

  165.     assertEquals(5, getRequirementsForCategoryAndLevel(OwaspAsvs.C11, 1).size());

  166.     assertEquals(11, getRequirementsForCategoryAndLevel(OwaspAsvs.C12, 1).size());

  167.     assertEquals(7, getRequirementsForCategoryAndLevel(OwaspAsvs.C13, 1).size());

  168.     assertEquals(16, getRequirementsForCategoryAndLevel(OwaspAsvs.C14, 1).size());

  169.   }

  170. }