# frozen_string_literal: true

require 'spec_helper'

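RSpec.describe ::Gitlab::Security::ScanConfiguration do
  using RSpec::Parameterized::TableSyntax

  let_it_be(:project) { create(:project, :repository) }

  # The object under test is built from exactly three inputs: `project`,
  # `type` and `configured`. There is no `available` input, so no example
  # should declare one (earlier revisions carried unused `let(:available)`
  # declarations that suggested otherwise).
  let(:scan) { described_class.new(project: project, type: type, configured: configured) }

  describe '#available?' do
    subject { scan.available? }

    let(:configured) { true }

    # Availability is an allow-list: only the scanner types enumerated here
    # are reported as available. Any other symbol is rejected even when the
    # scan is marked as configured, so a caller cannot turn an arbitrary
    # type into an "available" scanner by flipping the configured flag.
    context 'with a core scanner' do
      where(type: %i[sast sast_iac secret_detection container_scanning])

      with_them do
        it { is_expected.to be_truthy }
      end
    end

    context 'with custom scanner' do
      let(:type) { :my_scanner }

      it { is_expected.to be_falsey }
    end
  end

  describe '#configured?' do
    subject { scan.configured? }

    let(:type) { :sast }
    let(:configured) { false }

    it { is_expected.to be_falsey }
  end

  describe '#configuration_path' do
    subject { scan.configuration_path }

    let(:configured) { true }
    let(:type) { :sast }

    # No configuration path is exposed for a configured core scanner here.
    it { is_expected.to be_nil }
  end

  describe '#meta_info_path' do
    subject { scan.meta_info_path }

    let(:configured) { true }
    let(:type) { :dast }

    it { is_expected.to be_nil }
  end

  describe '#on_demand_available?' do
    subject { scan.on_demand_available? }

    let(:configured) { true }
    let(:type) { :sast }

    it { is_expected.to be_falsey }
  end

  describe '#can_enable_by_merge_request?' do
    subject { scan.can_enable_by_merge_request? }

    let(:configured) { true }

    # Same allow-list pattern as `#available?`, with a narrower set: only the
    # types listed here may be enabled through a merge request. Note that
    # `container_scanning` is available above but is not in this list.
    context 'with a core scanner' do
      where(type: %i[sast sast_iac secret_detection])

      with_them do
        it { is_expected.to be_truthy }
      end
    end

    context 'with a custom scanner' do
      let(:type) { :my_scanner }

      it { is_expected.to be_falsey }
    end
  end

  describe '#security_features' do
    subject { scan.security_features }

    # Expected metadata per scanner type. The `help_path` and
    # `configuration_help_path` values are site-relative paths under `/help`;
    # the strings below are compared verbatim, so a change to any of them is
    # a deliberate contract change, not a cosmetic one. The final `:invalid`
    # row pins the behaviour for an unrecognised type: an empty hash, not an
    # exception and not a fallback to some other scanner's metadata.
    where(:scan_type, :features_hash) do
      :sast | { name: "Static Application Security Testing (SAST)",
         short_name: "SAST",
         description: "Analyze your source code for known vulnerabilities.",
         help_path: "/help/user/application_security/sast/index",
         configuration_help_path: "/help/user/application_security/sast/index#configuration",
         type: "sast" }
      :sast_iac | { name: "Infrastructure as Code (IaC) Scanning",
        short_name: "SAST IaC",
        description: "Analyze your infrastructure as code configuration files for known vulnerabilities.",
        help_path: "/help/user/application_security/iac_scanning/index",
        configuration_help_path: "/help/user/application_security/iac_scanning/index#configuration",
        type: "sast_iac" }
      :dast | {
        badge: { text: "Available on demand",
                 tooltip_text: "On-demand scans run outside of the DevOps " \
                               "cycle and find vulnerabilities in your projects",
                 variant: "info" },
        secondary: {
          type: "dast_profiles",
          name: "DAST profiles",
          description: "Manage profiles for use by DAST scans.",
          configuration_text: "Manage profiles"
        },
        name: "Dynamic Application Security Testing (DAST)",
        short_name: "DAST",
        description: "Analyze a deployed version of your web application for known " \
                     "vulnerabilities by examining it from the outside in. DAST works by simulating " \
                     "external attacks on your application while it is running.",
        help_path: "/help/user/application_security/dast/index",
        configuration_help_path: "/help/user/application_security/dast/index#enable-automatic-dast-run",
        type: "dast",
        anchor: "dast"
      }
      :dependency_scanning | { name: "Dependency Scanning",
        description: "Analyze your dependencies for known vulnerabilities.",
        help_path: "/help/user/application_security/dependency_scanning/index",
        configuration_help_path: "/help/user/application_security/dependency_scanning/index#configuration",
        type: "dependency_scanning",
        anchor: "dependency-scanning" }
      :container_scanning | { name: "Container Scanning",
        description: "Check your Docker images for known vulnerabilities.",
        help_path: "/help/user/application_security/container_scanning/index",
        configuration_help_path: "/help/user/application_security/container_scanning/index#configuration",
        type: "container_scanning" }
      :secret_detection | { name: "Secret Detection",
        description: "Analyze your source code and git history for secrets.",
        help_path: "/help/user/application_security/secret_detection/index",
        configuration_help_path: "/help/user/application_security/secret_detection/index#configuration",
        type: "secret_detection" }
      :api_fuzzing | { name: "API Fuzzing",
        description: "Find bugs in your code with API fuzzing.",
        help_path: "/help/user/application_security/api_fuzzing/index",
        type: "api_fuzzing" }
      :coverage_fuzzing | { name: "Coverage Fuzzing",
        description: "Find bugs in your code with coverage-guided fuzzing.",
        help_path: "/help/user/application_security/coverage_fuzzing/index",
        configuration_help_path: \
          "/help/user/application_security/coverage_fuzzing/index#enable-coverage-guided-fuzz-testing",
        type: "coverage_fuzzing",
        secondary: { type: "corpus_management",
                     name: "Corpus Management",
                     description: "Manage corpus files used as " \
                                  "seed inputs with coverage-guided fuzzing.",
                     configuration_text: "Manage corpus" } }
      :breach_and_attack_simulation | { anchor: "bas",
        badge: { always_display: true,
                 text: "Incubating feature",
                 tooltip_text: "Breach and Attack Simulation is an incubating feature " \
                               "extending existing security " \
                               "testing by simulating adversary activity.",
                 variant: "info" },
        description: "Simulate breach and attack scenarios against your running " \
                     "application by attempting to detect " \
                     "and exploit known vulnerabilities.",
        name: "Breach and Attack Simulation (BAS)",
        help_path: "/help/user/application_security/breach_and_attack_simulation/index",
        secondary: { configuration_help_path: "/help/user/application_security/breach_and_attack_simulation/" \
                                              "index#extend-dynamic-application-security-testing-dast",
                     description: "Enable incubating Breach and " \
                                  "Attack Simulation focused features " \
                                  "such as callback attacks in your DAST scans.",
                     name: "Out-of-Band Application Security Testing (OAST)" },
        short_name: "BAS",
        type: "breach_and_attack_simulation" }
      :invalid | {}
    end

    with_them do
      let(:type) { scan_type }
      let(:configured) { true }

      it { is_expected.to eq features_hash }
    end
  end
end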