f7fff95cbe
---ci---
project: ci
phase: 3
milestone: v0.8
status: complete
decisions:
- id: D-029
decision: Full STRIDE 7-category coverage with CWE mapping
rationale: Industry standard threat classification with actionable CWE remediation
confidence: 0.88
- id: D-030
decision: Reduce exec/eval false positives via string interpolation detection
rationale: execSync("ls") is safe; execSync(`rm ${x}`) is not
confidence: 0.85
requirements:
covered: [SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06]
---/ci---
SEC-01: Fixed STRIDE category misassignments. A hardcoded password is
information_disclosure (CWE-259, Use of Hard-coded Password), not spoofing;
exec with interpolation is elevation_of_privilege (CWE-78, OS Command
Injection), not tampering. All 17 patterns are now correctly categorized.
SEC-02: Added the missing STRIDE categories: repudiation (empty catch blocks,
CWE-778), spoofing (jwt.decode without verify, CWE-287) and denial_of_service
(JSON body parser without a size limit, CWE-400). Also added patterns for
prototype pollution (CWE-1321), weak crypto (CWE-328), unsafe
deserialization (CWE-502) and path traversal (CWE-22).
SEC-03: Reduced false positives: exec/eval patterns now require string
interpolation in the argument (a template literal or dynamic concatenation)
rather than flagging every exec/eval call. Note that a bare variable argument
such as execSync(cmd) contains no interpolation at the call site and will
presumably not be flagged by this rule — confirm that trade-off is acceptable.
SEC-04: Every SECURITY_PATTERNS entry has a cwe field with valid CWE ID.
SEC-05: Confidence-based auto-disposition: each pattern carries a confidence
score. High-confidence findings are flagged, medium-confidence findings require
manual verification, and low-confidence findings are suppressed. The threshold
is configurable via the constructor.
SEC-06: Security passed=false whenever any high-severity finding exists
(already enforced by the hasHighFail check; now stated explicitly).
import * as fs from "node:fs";
import * as path from "node:path";
import * as os from "node:os";
import { SecurityVerification } from "../verification/security.js";
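describe("SecurityVerification", () => {
  let tempDir: string;

  /** .gitignore contents that satisfy the verifier's ".gitignore" check (covers node_modules and .env). */
  const SAFE_GITIGNORE = "node_modules\n.env\n";

  beforeEach(() => {
    // Fresh, unpredictable directory per test so fixtures never leak between cases.
    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "ciagent-security-test-"));
  });

  afterEach(() => {
    fs.rmSync(tempDir, { recursive: true, force: true });
  });

  /**
   * Writes a minimal project under tempDir: each entry of `files` becomes
   * src/<name> with the given contents, plus a .gitignore at the project root.
   *
   * @param files     map of file name (relative to src/) to file contents
   * @param gitignore contents of the root .gitignore; defaults to SAFE_GITIGNORE
   */
  function writeProject(files: Record<string, string>, gitignore = SAFE_GITIGNORE): void {
    const srcDir = path.join(tempDir, "src");
    fs.mkdirSync(srcDir, { recursive: true });
    for (const [name, contents] of Object.entries(files)) {
      fs.writeFileSync(path.join(srcDir, name), contents);
    }
    fs.writeFileSync(path.join(tempDir, ".gitignore"), gitignore);
  }

  /**
   * Writes the project and runs a default-configured verifier over it.
   * The second verify() argument is passed as 1, as every original test did;
   * its meaning is not visible from this file.
   */
  async function verifyProject(files: Record<string, string>, gitignore = SAFE_GITIGNORE) {
    writeProject(files, gitignore);
    return new SecurityVerification().verify(tempDir, 1);
  }

  it("passes when no security threats detected", async () => {
    const result = await verifyProject({ "app.ts": "export function main() { return 1; }" });

    expect(result.layer).toBe(3);
    expect(result.name).toBe("Security");
    const highThreatsCheck = result.checks.find((c) => c.name.includes("High severity"));
    expect(highThreatsCheck?.status).toBe("pass");
    // A project with no findings must also pass overall (SEC-06 only fails on high severity).
    expect(result.passed).toBe(true);
  });

  it("detects hardcoded passwords as high severity (information_disclosure)", async () => {
    const result = await verifyProject({ "config.ts": 'const password = "supersecret123";' });

    const highCheck = result.checks.find((c) => c.name.includes("High severity"));
    expect(highCheck?.status).toBe("fail");
    // SEC-01: hardcoded credentials are information_disclosure, not spoofing.
    expect(highCheck?.details).toContain("information_disclosure");
  });

  it("detects repudiation: empty catch blocks", async () => {
    const result = await verifyProject({ "err.ts": "try { doWork(); } catch(e) {}" });

    const mediumCheck = result.checks.find((c) => c.name.includes("Medium severity"));
    expect(mediumCheck?.details).toContain("repudiation");
    // SEC-02 maps swallowed errors to CWE-778 (Insufficient Logging).
    expect(mediumCheck?.details).toContain("CWE-778");
  });

  it("does not flag execSync with string literals (reduced FP)", async () => {
    // Negative half of D-030: a fixed command string carries no attacker-controlled input.
    // NOTE(review): a bare identifier argument (execSync(cmd)) has no interpolation at the
    // call site either; whether it is flagged is not pinned by this suite.
    const result = await verifyProject({ "run.ts": 'execSync("git status");' });

    expect(result.passed).toBe(true);
  });

  it("flags execSync with template-literal interpolation as command injection (CWE-78)", async () => {
    // Positive half of D-030: without this, dropping the exec pattern entirely would still
    // satisfy the "reduced FP" test above. Details are joined across all severity buckets
    // because this suite does not pin which severity the exec pattern is assigned.
    const result = await verifyProject({
      "run.ts": "function rm(x: string) { execSync(`rm ${x}`); }",
    });

    const details = result.checks.map((c) => String(c.details ?? "")).join("\n");
    expect(details).toContain("CWE-78");
    expect(details).toContain("elevation_of_privilege");
  });

  it("includes CWE IDs in threat details", async () => {
    const result = await verifyProject({ "api.ts": 'const api_key = "abc123def456";' });

    const highCheck = result.checks.find((c) => c.name.includes("High severity"));
    // SEC-04: every pattern carries a CWE id; the api_key pattern reports CWE-312.
    expect(highCheck?.details).toContain("CWE-312");
  });

  it("uses confidence-based disposition", async () => {
    // A clean project must pass regardless of the threshold passed to the constructor.
    // NOTE(review): this still does not exercise flag / verify / suppress itself; that
    // needs a fixture whose pattern confidence straddles the threshold, which this suite
    // does not pin.
    writeProject({ "app.ts": "export function main() { return 1; }" });
    const verifier = new SecurityVerification(0.5);
    const result = await verifier.verify(tempDir, 1);

    expect(result.passed).toBe(true);
  });

  it("detects hardcoded API keys", async () => {
    const result = await verifyProject({ "api.ts": 'const api_key = "abc123def456";' });

    const highCheck = result.checks.find((c) => c.name.includes("High severity"));
    expect(highCheck?.status).toBe("fail");
  });

  it("detects eval() usage", async () => {
    // eval with an interpolated argument is the high-severity form under D-030.
    const result = await verifyProject({
      "eval.ts": "function run(code: string) { eval(`${code}`); }",
    });

    const highCheck = result.checks.find((c) => c.name.includes("High severity"));
    expect(highCheck?.status).toBe("fail");
  });

  it("warns about missing .gitignore patterns", async () => {
    // .env is absent from the ignore list, so secrets could be committed.
    const result = await verifyProject(
      { "app.ts": "export function main() { return 1; }" },
      "node_modules\n",
    );

    const gitignoreCheck = result.checks.find((c) => c.name.includes(".gitignore"));
    expect(gitignoreCheck?.status).toBe("warning");
  });

  it("skips checks when no src/ directory", async () => {
    // No project is written: tempDir is empty. The severity checks are still reported
    // and pass rather than being omitted (per the original assertion).
    const verifier = new SecurityVerification();
    const result = await verifier.verify(tempDir, 1);

    const lowCheck = result.checks.find((c) => c.name.includes("Low severity"));
    expect(lowCheck?.status).toBe("pass");
  });
});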