package fortify import ( "net/http" "strings" "testing" "github.com/SAP/jenkins-library/pkg/format" "github.com/piper-validation/fortify-client-go/models" "github.com/stretchr/testify/assert" ) func TestParse(t *testing.T) { //use a test FVDL file here. The file should not be committed unless stripped of information. testFvdl := ` UUID PROJECTNAME BUILDID 42 301 747 465 198 C:/java C:/fortify-reference-pipeline result/rules/Custom_Rules_for_Annotation_Management.xml B5C0FEFD-DUMMY SAST Configuration Custom Rules configuration 5.0 DUMMY 5.0 5.0 B5C0FEFD-DUMMY SAST Configuration Custom Rules configuration 5.0 DUMMY 5.0 5.0 getMessage(return) Direct : java.lang.Throwable.getMessage This scan contains project-specific custom rules. Please see the recommendation section on how to proceed. Custom rules can help improve scan quality. They can reduce both false positives and false negatives by tailoring the scan settings to match the threat model and other specifics of an application. At the same time, custom rules need to be part of the review when a scan is reviewed by an auditor. This issue is a reminder of this fact. If you are an auditor reviewing this project, please review the custom rules and the associated documentation. If unsure, please consult the Security Testing team. If you are a developer or other project member, please mark this finding as "Not an issue". <Content><Paragraph>The function <Replace key="EnclosingFunction.name"/> in <Replace key="PrimaryLocation.file"/> reveals system data or debug information by calling <Replace key="PrimaryCall.name"/> on line <Replace key="PrimaryLocation.line"/>. The information revealed by <Replace key="PrimaryCall.name"/> could help an adversary form a plan of attack.<AltParagraph>Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.</AltParagraph></Paragraph></Content> <Content>An external information leak occurs when system data or debug information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks, which are more difficult for an attacker to access. <Paragraph> In this case, <Replace key="PrimaryCall.name" link="PrimaryLocation"/> is called in <Replace key="PrimaryLocation.file"/> at line <Replace key="PrimaryLocation.line"/>. </Paragraph> <b>Example 1:</b> The following code leaks Exception information in the HTTP response: <pre> protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException { ... PrintWriter out = res.getWriter(); try { ... } catch (Exception e) { out.println(e.getMessage()); } } </pre> This information can be exposed to a remote user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In <code>Example 1</code>, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. Information leaks are also a concern in a mobile computing environment. With mobile platforms, applications are downloaded from various sources and are run alongside each other on the same device. The likelihood of running a piece of malware next to a banking application is high, which is why application authors need to be careful about what information they include in messages addressed to other applications running on the device. <b>Example 2:</b> The following code broadcasts the stack trace of a caught exception to all the registered Android receivers. <pre> ... try { ... } catch (Exception e) { String exception = Log.getStackTraceString(e); Intent i = new Intent(); i.setAction("SEND_EXCEPTION"); i.putExtra("exception", exception); view.getContext().sendBroadcast(i); } ... </pre> This is another scenario specific to the mobile environment. Most mobile devices now implement a Near-Field Communication (NFC) protocol for quickly sharing information between devices using radio communication. It works by bringing devices in close proximity or having the devices touch each other. Even though the communication range of NFC is limited to just a few centimeters, eavesdropping, data modification and various other types of attacks are possible, because NFC alone does not ensure secure communication. <b>Example 3:</b> The Android platform provides support for NFC. The following code creates a message that gets pushed to the other device within range. <pre> ... public static final String TAG = "NfcActivity"; private static final String DATA_SPLITTER = "__:DATA:__"; private static final String MIME_TYPE = "application/my.applications.mimetype"; ... TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE); String VERSION = tm.getDeviceSoftwareVersion(); ... NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this); if (nfcAdapter == null) return; String text = TAG + DATA_SPLITTER + VERSION; NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA, MIME_TYPE.getBytes(), new byte[0], text.getBytes()); NdefRecord[] records = { record }; NdefMessage msg = new NdefMessage(records); nfcAdapter.setNdefPushMessage(msg, this); ... </pre> An NFC Data Exchange Format (NDEF) message contains typed data, a URI, or a custom application payload. If the message contains information about the application, such as its name, MIME type, or device software version, this information could be leaked to an eavesdropper.</Content> <Content>Write error messages with security in mind. In production environments, turn off detailed error information in favor of brief messages. Restrict the generation and storage of detailed output that can help administrators and programmers diagnose problems. Debug traces can sometimes appear in non-obvious places (embedded in comments in the HTML for an error page, for example). Even brief error messages that do not reveal stack traces or database dumps can potentially aid an attacker. For example, an "Access Denied" message can reveal that a file or user exists on the system. Because of this, never send information to a resource directly outside the program. <b>Example 4:</b> The following code broadcasts the stack trace of a caught exception within your application only, so that it cannot be leaked to other apps on the system. Additionally, this technique is more efficient than globally broadcasting through the system. <pre> ... try { ... } catch (Exception e) { String exception = Log.getStackTraceString(e); Intent i = new Intent(); i.setAction("SEND_EXCEPTION"); i.putExtra("exception", exception); LocalBroadcastManager.getInstance(view.getContext()).sendBroadcast(i); } ... </pre> If you are concerned about leaking system data via NFC on an Android device, you could do one of the following three things. Do not include system data in the messages pushed to other devices in range, encrypt the payload of the message, or establish a secure communication channel at a higher layer.</Content> Do not rely on wrapper scripts, corporate IT policy, or quick-thinking system administrators to prevent system information leaks. Write software that is secure on its own. This category of vulnerability does not apply to all types of programs. For example, if your application executes on a client machine where system information is already available to an attacker, or if you print system information only to a trusted log file, you can use Audit Guide to filter out this category from your scan results. Security in Near Field Communication (NFC): Strengths and Weaknesses Ernst Haselsteiner and Klemens Breitfuss http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.475.3812&rep=rep1&type=pdf result/rules/Custom_Rules_for_Annotation_Management.xml 1 5 57658246-DUMMY SKU-094b9c82-DUMMY ]]> 20.2.0.0139 14EE50EB-DUMMY RUL13078 Fortify Secure Coding Rules, Core, Annotations 2020.4.0.0007 DUMMY== os.name Windows 10 -verbose W-E XXXXXXX Windows 10 5 5 1 5 owner S - FAN23043 VSPlugins 2032-12-31 ` sys, server := spinUpServer(func(rw http.ResponseWriter, req *http.Request) { if strings.Split(req.URL.Path, "/")[1] == "projectVersions" { header := rw.Header() header.Add("Content-type", "application/json") rw.Write([]byte( `{ "data": [ { "projectVersionId": 11037, "issueInstanceId": "DUMMYDUMMYDUMMY", "issueName": "Dummy issue", "primaryTag": "Exploitable", "audited": true, "issueStatus": "Reviewed", "folderGuid": "aaaaaaaa-1111-aaaa-1111-1111aaaaaaaa", "hasComments": true, "friority": "High", "_href": "https://fortify-stage.tools.sap/ssc/api/v1/projectVersions/11037" } ], "count": 1, "responseCode": 200}`)) return } if strings.Split(req.URL.Path, "/")[1] == "issues" { header := rw.Header() header.Add("Content-type", "application/json") rw.Write([]byte( `{ "data": [ { "issueId": 47009919, "comment": "Dummy comment." } ], "count": 1, "responseCode": 200}`)) return } }) // Close the server when test finishes defer server.Close() filterSet := new(models.FilterSet) filterSet.Folders = append(filterSet.Folders, &models.FolderDto{GUID: "aaaaaaaa-1111-aaaa-1111-1111aaaaaaaa", Name: "Audit All"}) t.Run("Valid config", func(t *testing.T) { project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} sarif, err := Parse(sys, &project, &projectVersion, []byte(testFvdl), filterSet) assert.NoError(t, err, "error") assert.Equal(t, len(sarif.Runs[0].Results), 2) assert.Equal(t, len(sarif.Runs[0].Tool.Driver.Rules), 1) assert.Equal(t, sarif.Runs[0].Results[0].Properties.ToolState, "Exploitable") assert.Equal(t, sarif.Runs[0].Results[0].Properties.ToolAuditMessage, "Dummy comment.") }) t.Run("Missing data", func(t *testing.T) { project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} _, err := Parse(sys, &project, &projectVersion, []byte{}, filterSet) assert.Error(t, err, "EOF") }) t.Run("No system instance", func(t *testing.T) { project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} sarif, err := Parse(nil, &project, &projectVersion, []byte(testFvdl), filterSet) assert.NoError(t, err, "error") assert.Equal(t, len(sarif.Runs[0].Results), 2) assert.Equal(t, len(sarif.Runs[0].Tool.Driver.Rules), 1) assert.Equal(t, sarif.Runs[0].Results[0].Properties.ToolState, "Unknown") assert.Equal(t, sarif.Runs[0].Results[0].Properties.ToolAuditMessage, "Cannot fetch audit state") }) } func TestIntegrateAuditData(t *testing.T) { sys, server := spinUpServer(func(rw http.ResponseWriter, req *http.Request) { if strings.Split(req.URL.Path, "/")[1] == "projectVersions" { header := rw.Header() header.Add("Content-type", "application/json") rw.Write([]byte( `{ "data": [ { "projectVersionId": 11037, "issueInstanceId": "DUMMYDUMMYDUMMY", "issueName": "Dummy issue", "primaryTag": "Exploitable", "audited": true, "issueStatus": "Reviewed", "folderGuid": "aaaaaaaa-1111-aaaa-1111-1111aaaaaaaa", "hasComments": true, "friority": "High", "_href": "https://fortify-stage.tools.sap/ssc/api/v1/projectVersions/11037" } ], "count": 1, "responseCode": 200}`)) return } if strings.Split(req.URL.Path, "/")[1] == "issues" { header := rw.Header() header.Add("Content-type", "application/json") rw.Write([]byte( `{ "data": [ { "issueId": 47009919, "comment": "Dummy comment." } ], "count": 1, "responseCode": 200}`)) return } }) // Close the server when test finishes defer server.Close() filterSet := new(models.FilterSet) filterSet.Folders = append(filterSet.Folders, &models.FolderDto{GUID: "aaaaaaaa-1111-aaaa-1111-1111aaaaaaaa", Name: "Audit All"}) t.Run("Successful lookup", func(t *testing.T) { ruleProp := *new(format.SarifProperties) project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} err := integrateAuditData(&ruleProp, "11037", sys, &project, &projectVersion, filterSet) assert.NoError(t, err, "error") assert.Equal(t, ruleProp.Audited, true) assert.Equal(t, ruleProp.ToolState, "Exploitable") assert.Equal(t, ruleProp.ToolStateIndex, 5) assert.Equal(t, ruleProp.ToolSeverity, "High") assert.Equal(t, ruleProp.ToolSeverityIndex, 3) assert.Equal(t, ruleProp.ToolAuditMessage, "Dummy comment.") assert.Equal(t, ruleProp.FortifyCategory, "Audit All") }) t.Run("Missing project", func(t *testing.T) { ruleProp := *new(format.SarifProperties) projectVersion := models.ProjectVersion{ID: 11037} err := integrateAuditData(&ruleProp, "11037", sys, nil, &projectVersion, filterSet) assert.Error(t, err, "project or projectVersion is undefined: lookup aborted for 11037") }) t.Run("Missing project version", func(t *testing.T) { ruleProp := *new(format.SarifProperties) project := models.Project{} err := integrateAuditData(&ruleProp, "11037", sys, &project, nil, filterSet) assert.Error(t, err, "project or projectVersion is undefined: lookup aborted for 11037") }) t.Run("Missing sys", func(t *testing.T) { ruleProp := *new(format.SarifProperties) project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} err := integrateAuditData(&ruleProp, "11037", nil, &project, &projectVersion, filterSet) assert.Error(t, err, "no system instance, lookup impossible for 11037") }) t.Run("Missing filterSet", func(t *testing.T) { ruleProp := *new(format.SarifProperties) project := models.Project{} projectVersion := models.ProjectVersion{ID: 11037} err := integrateAuditData(&ruleProp, "11037", sys, &project, &projectVersion, nil) assert.Error(t, err, "no filter set defined, category will be missing from 11037") }) }