

tests/csgrep: added tests for column property in Coverity JSONv10
Related https://issues.redhat.com/browse/OSH-11

Added tests for the column property in Coverity using JSON v10 results. Two different test cases have been added: in one of them, the column number is present in the results. In the second one, the column number is null.
jperezdealgaba committed Apr 2, 2024
1 parent 1461144 commit ac8946d
Showing 4 changed files with 267 additions and 0 deletions.
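--- a/tests/csgrep/0122-json-parser-cov-v10-column-args.txt
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-args.txt
@@ -0,0 +1 @@
+--mode=json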
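--- a/tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt
@@ -0,0 +1,195 @@
+{
+"type" : "Coverity issues",
+"formatVersion" : 10,
+"suppressedIssueCount" : 0,
+"issues" : [
+{
+"mergeKey" : "0d67db2be2df7aa477796bac827f024b",
+"occurrenceCountForMK" : 1,
+"occurrenceNumberInMK" : 1,
+"referenceOccurrenceCountForMK" : null,
+"checkerName" : "HARDCODED_CREDENTIALS",
+"subcategory" : "none",
+"type" : "hardcoded_credentials",
+"code-language" : "python",
+"extra" : "\"app\",\"secret_key\"",
+"domain" : "OTHER",
+"language" : "Python 3",
+"mainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"strippedMainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"mainEventLineNumber" : 56,
+"mainEventColumnNumber" : 1,
+"properties" : {},
+"functionDisplayName" : "<script>",
+"functionMangledName" : "!productpage.py!%SCRIPT",
+"functionHtmlDisplayName" : "!productpage.py!%SCRIPT",
+"functionSimpleName" : "function",
+"functionSearchName" : "<script>",
+"localStatus" : null,
+"ordered" : true,
+"events" : [
+{
+"covLStrEventDescription" : "{CovLStrv2{{t{Assigning: {0} = {1}.}{{code{app}}}{{code{Flask(__name__)}}}}}}",
+"eventDescription" : "Assigning: \"app\" = \"Flask(__name__)\".",
+"eventNumber" : 1,
+"eventTreePosition" : "1",
+"eventSet" : 0,
+"eventTag" : "assign",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"lineNumber" : 47,
+"columnNumber" : 1,
+"main" : false,
+"moreInformationId" : null,
+"remediation" : false,
+"events" : null
+},
+{
+"covLStrEventDescription" : "{CovLStrv2{{t{Assigning: {0} = {1}.}{{code{app.secret_key}}}{{code{b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"}}}}}}",
+"eventDescription" : "Assigning: \"app.secret_key\" = \"b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"\".",
+"eventNumber" : 2,
+"eventTreePosition" : "2",
+"eventSet" : 0,
+"eventTag" : "assign",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"lineNumber" : 56,
+"columnNumber" : 1,
+"main" : false,
+"moreInformationId" : null,
+"remediation" : false,
+"events" : null
+},
+{
+"covLStrEventDescription" : "{CovLStrv2{{t{{0} uses the constant string as credentials.}{{code{app.secret_key}}}}}}",
+"eventDescription" : "\"app.secret_key\" uses the constant string as credentials.",
+"eventNumber" : 3,
+"eventTreePosition" : "3",
+"eventSet" : 0,
+"eventTag" : "credentials_use",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"lineNumber" : 56,
+"columnNumber" : 1,
+"main" : true,
+"moreInformationId" : null,
+"remediation" : false,
+"events" : null
+},
+{
+"covLStrEventDescription" : "{CovLStrv2{{t{Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.}}}}",
+"eventDescription" : "Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.",
+"eventNumber" : 4,
+"eventTreePosition" : "4",
+"eventSet" : 0,
+"eventTag" : "remediation",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"lineNumber" : 56,
+"columnNumber" : 1,
+"main" : false,
+"moreInformationId" : null,
+"remediation" : true,
+"events" : null
+}
+],
+"stateOnServer" : null,
+"localTriage" : null,
+"checkerProperties" : {
+"category" : "Medium impact security",
+"categoryDescription" : "Medium impact security",
+"cweCategory" : "798",
+"weaknessIdCategory" : "410",
+"issueKinds" : [
+"SECURITY"
+],
+"eventSetCaptions" : [],
+"impact" : "Medium",
+"impactDescription" : "Medium",
+"subcategoryLocalEffect" : "Users with access to this source code can use these credentials to access production services or data. Changing these credentials requires changing the code and re-deploying the application.",
+"subcategoryShortDescription" : "Use of hard-coded credentials",
+"subcategoryLongDescription" : "Credentials are stored directly in the source code"
+}
+},
+{
+"mergeKey" : "0b1c337fa107a6e55fcc49555eaa2f90",
+"occurrenceCountForMK" : 1,
+"occurrenceNumberInMK" : 1,
+"referenceOccurrenceCountForMK" : null,
+"checkerName" : "SIGMA.access_to_secret",
+"subcategory" : "kubernetes",
+"type" : "sigma.access_to_secret",
+"subtype" : "kubernetes",
+"code-language" : "text",
+"extra" : "access_to_secret_kubernetes -- istio-discovery/templates/role.yaml -- ##Σ-markup - ##Σ-markup - rules - ##Σ-markup",
+"domain" : "OTHER",
+"language" : "Text",
+"mainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"strippedMainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"mainEventLineNumber" : 17,
+"mainEventColumnNumber" : null,
+"properties" : {},
+"functionDisplayName" : null,
+"functionMangledName" : null,
+"functionHtmlDisplayName" : null,
+"functionSimpleName" : null,
+"functionSearchName" : null,
+"localStatus" : null,
+"ordered" : true,
+"events" : [
+{
+"covLStrEventDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+"eventDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+"eventNumber" : 1,
+"eventTreePosition" : "1",
+"eventSet" : 0,
+"eventTag" : "Sigma main event",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"lineNumber" : 17,
+"columnNumber" : null,
+"main" : true,
+"moreInformationId" : null,
+"remediation" : false,
+"events" : null
+},
+{
+"covLStrEventDescription" : "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+"eventDescription" : "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+"eventNumber" : 2,
+"eventTreePosition" : "2",
+"eventSet" : 0,
+"eventTag" : "remediation",
+"filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"lineNumber" : 17,
+"columnNumber" : null,
+"main" : false,
+"moreInformationId" : null,
+"remediation" : true,
+"events" : null
+}
+],
+"stateOnServer" : null,
+"localTriage" : null,
+"checkerProperties" : {
+"category" : "Sigma",
+"categoryDescription" : "Sigma",
+"cweCategory" : "284",
+"weaknessIdCategory" : "none",
+"issueKinds" : [
+"SECURITY"
+],
+"eventSetCaptions" : [],
+"impact" : "Low",
+"impactDescription" : "Low",
+"subcategoryLocalEffect" : "",
+"subcategoryShortDescription" : "Access to secret",
+"subcategoryLongDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`."
+}
+}
+],
+"desktopAnalysisSettings" : null,
+"error" : null,
+"warnings" : []
+}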
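--- a/tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt
@@ -0,0 +1,70 @@
+{
+"defects": [
+{
+"checker": "HARDCODED_CREDENTIALS",
+"cwe": 798,
+"function": "<script>",
+"language": "python",
+"tool": "coverity",
+"key_event_idx": 2,
+"events": [
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"line": 47,
+"column": 1,
+"event": "assign",
+"message": "Assigning: \"app\" = \"Flask(__name__)\".",
+"verbosity_level": 1
+},
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"line": 56,
+"column": 1,
+"event": "assign",
+"message": "Assigning: \"app.secret_key\" = \"b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"\".",
+"verbosity_level": 1
+},
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"line": 56,
+"column": 1,
+"event": "credentials_use",
+"message": "\"app.secret_key\" uses the constant string as credentials.",
+"verbosity_level": 0
+},
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+"line": 56,
+"column": 1,
+"event": "remediation",
+"message": "Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.",
+"verbosity_level": 1
+}
+]
+},
+{
+"checker": "SIGMA.access_to_secret",
+"cwe": 284,
+"function": "null",
+"language": "text",
+"tool": "coverity",
+"key_event_idx": 0,
+"events": [
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"line": 17,
+"event": "Sigma main event",
+"message": "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+"verbosity_level": 0
+},
+{
+"file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+"line": 17,
+"event": "remediation",
+"message": "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+"verbosity_level": 1
+}
+]
+}
+]
+}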
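Review bot: The expected output for the SIGMA defect pins `"function": "null"` as a JSON string, while the same defect's null column is expressed by omitting the `column` key from both line-17 events, so the fixture freezes two different encodings of "value absent" in one document. The string presumably comes from stringifying the `functionDisplayName : null` in the stdin fixture; once this expectation is checked in, a consumer can no longer tell a missing function from one literally named null, and the inconsistency becomes part of csgrep's JSON contract. If dropping the key is the intended behaviour for a null function, the defect entry should go straight from `"cwe": 284,` to `"language": "text",` and the parser fixed before this expectation lands; if the string is deliberate, the commit description should say so, since the next change to the JSON writer will otherwise look like it is fixing a bug. The same question does not arise for the first defect, whose `"function": "<script>"` is a real value.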
1 change: 1 addition & 0 deletions tests/csgrep/CMakeLists.txt
Expand Up @@ -165,3 +165,4 @@ test_csgrep("0118-gcc-parser-ubsan-dedup" )
test_csgrep("0119-cov-parser-sigma" )
test_csgrep("0120-sarif-parser-semgrep" )
test_csgrep("0121-cov-parser-lock-evasion" )
test_csgrep("0122-json-parser-cov-v10-column" )

