secfinding 0.3.0

Universal security finding types for vulnerability scanners.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

// Extracted from src/evidence.rs
use secfinding::*;
use secfinding::evidence::*;

use super::*;

#[test]
fn serde_tagged() {
    let ev = Evidence::HttpResponse {
        status: 403,
        headers: vec![("server".into(), "cloudflare".into())],
        body_excerpt: Some("blocked".into()),
    };
    let json = serde_json::to_value(&ev).unwrap();
    assert_eq!(json["type"], "http_response");
    assert_eq!(json["status"], 403);
}

#[test]
fn code_snippet_roundtrip() {
    let ev = Evidence::code("src/main.rs", 42, "let key = \"AKIA...\";", None, None).unwrap();
    let json = serde_json::to_string(&ev).unwrap();
    let back: Evidence = serde_json::from_str(&json).unwrap();
    if let Evidence::CodeSnippet {
        file,
        line,
        snippet,
        ..
    } = back
    {
        assert_eq!(file, "src/main.rs");
        assert_eq!(line, 42);
        assert_eq!(snippet, "let key = \"AKIA...\";");
    } else {
        panic!("wrong variant");
    }
}

#[test]
fn helper_constructors_roundtrip() {
    let ev = Evidence::http_status(201).unwrap();
    let json = serde_json::to_string(&ev).unwrap();
    let back: Evidence = serde_json::from_str(&json).unwrap();
    if let Evidence::HttpResponse {
        status,
        headers,
        body_excerpt,
    } = back
    {
        assert_eq!(status, 201);
        assert!(headers.is_empty());
        assert!(body_excerpt.is_none());
    } else {
        panic!("wrong variant");
    }

    let snippet = Evidence::code("lib.rs", 10, "secret = 'x'", None, None).unwrap();
    let json = serde_json::to_string(&snippet).unwrap();
    let back: Evidence = serde_json::from_str(&json).unwrap();
    if let Evidence::CodeSnippet { line, snippet, .. } = back {
        assert_eq!(line, 10);
        assert!(snippet.contains("secret"));
    } else {
        panic!("wrong variant");
    }
}

#[test]
fn serde_multiple_evidence_variants() {
    let samples = vec![
        Evidence::HttpRequest {
            method: "GET".into(),
            url: "https://example.com/login".into(),
            headers: vec![("host".into(), "example.com".into())],
            body: Some("a=1".into()),
        },
        Evidence::Certificate {
            subject: "CN=example".into(),
            san: vec!["DNS:example.com".into()],
            issuer: "Let's Encrypt".into(),
            expires: "2028-01-01".into(),
        },
        Evidence::PatternMatch {
            pattern: "api_key=[A-Za-z]+".into(),
            matched: "api_key=abc".into(),
        },
    ];

    for sample in samples {
        let json = serde_json::to_string(&sample).unwrap();
        let back: Evidence = serde_json::from_str(&json).unwrap();
        match (sample, back) {
            (
                Evidence::HttpRequest { method: m1, .. },
                Evidence::HttpRequest { method: m2, .. },
            ) => {
                assert_eq!(m1, m2);
            }
            (
                Evidence::Certificate { subject: s1, .. },
                Evidence::Certificate { subject: s2, .. },
            ) => {
                assert_eq!(s1, s2);
            }
            (
                Evidence::PatternMatch { pattern: p1, .. },
                Evidence::PatternMatch { pattern: p2, .. },
            ) => {
                assert_eq!(p1, p2);
            }
            _ => panic!("roundtrip mismatch"),
        }
    }
}