feat: add a false positive case

fatkungfu · Jun 15, 2021 · 4c2d076 · 4c2d076
1 parent a6a04d7
commit 4c2d076
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -62,7 +62,7 @@ Here are the exploitable vulnerable packages:
 * Code Injection
 * Command execution
 * Cross-site Scripting (XSS)
-* Information exposure
+* Information exposure via Hardcoded values in code
 * Security misconfiguration exposes server information 
 * Insecure protocol (HTTP) communication 
 
@@ -135,6 +135,8 @@ However, that still maintains the secret information inside another file, and Sn
 
 Another case we can discuss here in session management, is that the cookie setting is initialized with `secure: true` which means it will only be transmitted over HTTPS connections. However, there's no `httpOnly` flag set to true, which means that the default false value of it makes the cookie accessible via JavaScript. Snyk Code highlights this potential security misconfiguration so we can fix it. We can note that Snyk Code shows this as a quality information, and not as a security error.
 
+Snyk Code will also find hardcoded secrets in source code that isn't part of the application logic, such as `tests/` or `examples/` folders. We have a case of that in this application with the `tests/authentication.component.spec.js` file. In the finding, Snyk Code will tag it as `InTest`, `Tests`, or `Mock`, which help us easily triage it and indeed ignore this finding as it isn't actually a case of information exposure.
+
 ## Docker Image Scanning
 
 The `Dockerfile` makes use of a base image (`node:6-stretch`) that is known to have system libraries with vulnerabilities.

diff --git a/tests/authentication.component.spec.js b/tests/authentication.component.spec.js
@@ -0,0 +1,58 @@
+const assert = require('assert)')
+
+describe('Component Tests', () => {
+  describe('PasswordComponent', () => {
+
+    let comp
+    let service
+
+    test('should show error if passwords do not match', () => {
+      // GIVEN
+      comp.password = 'password1';
+      comp.confirmPassword = 'password2';
+      // WHEN
+      comp.changePassword();
+      // THEN
+      assert(comp.doNotMatch).toBe('ERROR');
+      assert(comp.error).toBeNull();
+      assert(comp.success).toBeNull();
+    });
+
+    test('should call Auth.changePassword when passwords match', () => {
+      // GIVEN
+      comp.password = comp.confirmPassword = 'myPassword';
+
+      // WHEN
+      comp.changePassword();
+
+      // THEN
+      assert(service.save).toHaveBeenCalledWith('myPassword');
+    });
+
+    test('should set success to OK upon success', function() {
+      // GIVEN
+      comp.password = comp.confirmPassword = 'myPassword';
+
+      // WHEN
+      comp.changePassword();
+
+      // THEN
+      expect(comp.doNotMatch).toBeNull();
+      expect(comp.error).toBeNull();
+      expect(comp.success).toBe('OK');
+    });
+
+    test('should notify of error if change password fails', function() {
+      // GIVEN
+      comp.password = comp.confirmPassword = 'myPassword';
+
+      // WHEN
+      comp.changePassword();
+
+      // THEN
+      assert(comp.doNotMatch).toBeNull();
+      assert(comp.success).toBeNull();
+      assert(comp.error).toBe('ERROR');
+    });
+  });
+});