secfinding 0.3.0

Universal security finding types for vulnerability scanners.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

//! Verification tests for secfinding audit findings.
//! These tests are expected to FAIL on the current codebase.

use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

use secfinding::{Finding, FindingKind, Severity};

// FINDING 1: FindingKind::from_str never errors
#[test]
fn verify_kind_from_str_rejects_unknown() {
    let res = "totally-invalid-kind".parse::<FindingKind>();
    assert!(
        res.is_err(),
        "Unknown kind strings must be rejected, not silently mapped to Other"
    );
}

// FINDING 2: Finding::hash contract violated for signed-zero floats
#[test]
fn verify_hash_contract_for_signed_zero() {
    fn hash_finding(f: &Finding) -> u64 {
        let mut s = DefaultHasher::new();
        f.hash(&mut s);
        s.finish()
    }

    let f1 = Finding::builder("s", "t", Severity::Info)
        .title("x")
        .confidence(0.0)
        .build()
        .unwrap();

    // Round-trip through JSON so f2 has the same id as f1, differing only in confidence bits.
    let mut json = serde_json::to_string(&f1).unwrap();
    json = json.replace("0.0", "-0.0");
    let f2: Finding = serde_json::from_str(&json).unwrap();

    assert_eq!(f1.id(), f2.id(), "IDs must match after round-trip");
    assert_eq!(f1, f2, "0.0 and -0.0 confidence must be equal");
    assert_eq!(
        hash_finding(&f1),
        hash_finding(&f2),
        "Equal findings must have equal hashes"
    );
}

// FINDING 3: merge_chain silently drops references
#[test]
fn verify_merge_chain_preserves_references() {
    let a = Finding::builder("s", "t", Severity::Low)
        .title("A")
        .reference("https://ref-a.com")
        .build()
        .unwrap();
    let b = Finding::builder("s", "t", Severity::Low)
        .title("B")
        .reference("https://ref-b.com")
        .build()
        .unwrap();

    let merged = Finding::merge_chain(&a, &b).unwrap();
    let refs: Vec<&str> = merged.references().iter().map(|r| r.as_ref()).collect();
    assert!(refs.contains(&"https://ref-a.com"));
    assert!(refs.contains(&"https://ref-b.com"));
}

// FINDING 4: merge_chain silently drops cvss_score and confidence
#[test]
fn verify_merge_chain_preserves_cvss_and_confidence() {
    let a = Finding::builder("s", "t", Severity::Low)
        .title("A")
        .cvss_score(7.5)
        .confidence(0.8)
        .build()
        .unwrap();
    let b = Finding::builder("s", "t", Severity::Low)
        .title("B")
        .build()
        .unwrap();

    let merged = Finding::merge_chain(&a, &b).unwrap();
    assert_eq!(
        merged.cvss_score(),
        Some(7.5),
        "CVSS score must be preserved in merge"
    );
    assert_eq!(
        merged.confidence(),
        Some(0.8),
        "Confidence must be preserved in merge"
    );
}

// FINDING 5: builder fails to deduplicate references
#[test]
fn verify_builder_deduplicates_references() {
    let f = Finding::builder("s", "t", Severity::Info)
        .title("x")
        .reference("https://example.com")
        .reference("https://example.com")
        .build()
        .unwrap();
    assert_eq!(
        f.references().len(),
        1,
        "Duplicate references must be deduplicated"
    );
}

// FINDING 6: CVSS score clamps out-of-range values instead of rejecting
#[test]
fn verify_cvss_rejects_out_of_range() {
    let res = Finding::builder("s", "t", Severity::Info)
        .title("x")
        .cvss_score(15.0)
        .build();
    assert!(
        res.is_err(),
        "CVSS score above 10.0 must be rejected, not clamped"
    );
}

// FINDING 7: confidence clamps out-of-range values instead of rejecting
#[test]
fn verify_confidence_rejects_out_of_range() {
    let res = Finding::builder("s", "t", Severity::Info)
        .title("x")
        .confidence(1.5)
        .build();
    assert!(
        res.is_err(),
        "Confidence above 1.0 must be rejected, not clamped"
    );
}

// FINDING 8: deserialization accepts arbitrary format version
#[test]
fn verify_deserialization_rejects_unknown_version() {
    let json = r#"{"version":999,"scanner":"s","target":"t","severity":"high","title":"x"}"#;
    let res: Result<Finding, _> = serde_json::from_str(json);
    assert!(
        res.is_err(),
        "Unknown format versions must be rejected during deserialization"
    );
}

// FINDING 9: bridge::to_universal duplicates matched_values
#[cfg(feature = "secir")]
#[test]
fn verify_bridge_no_duplicate_matched_values() {
    let mut ir = secir::finding::Finding::new(
        "xss".to_string(),
        "XSS".to_string(),
        "https://example.com".to_string(),
        secir::Severity::High,
        "https://example.com/search".to_string(),
    );
    ir.matched_values = vec!["<script>".to_string()];

    let finding = secfinding::bridge::to_universal(&ir, "calyx").unwrap();
    assert_eq!(
        finding.matched_values().len(),
        1,
        "bridge must not duplicate matched_values"
    );
}