chore: improve test-coverage of yaml runtime

Author: unnxt30

analysis/testdata/yaml_tests/path_filters/malformed_path.yml

@@ -0,0 +1,24 @@
+language: java
+name: malformed_path
+message: "Testing"
+category: security
+severity: critical
+
+pattern: >
+  (method_invocation
+    object: (identifier) @cipherClass
+    name: (identifier) @instanceMethod
+    arguments: (argument_list
+      (string_literal
+        (string_fragment) @str))
+    (#match? @str ".*CBC.*PKCS5Padding")
+    (#eq? @cipherClass "Cipher")
+    (#eq? @instanceMethod "getInstance")) @cbc-padding-oracle
+
+  
+exclude:
+  - "file[.js"
+
+description: >
+  test
+  

analysis/testdata/yaml_tests/path_filters/valid_path.yml

@@ -0,0 +1,29 @@
+language: java
+name: cbc-padding-oracle
+message: "Using CBC mode with PKCS5Padding can cause padding oracle attacks"
+category: security
+severity: critical
+
+pattern: >
+  (method_invocation
+    object: (identifier) @cipherClass
+    name: (identifier) @instanceMethod
+    arguments: (argument_list
+      (string_literal
+        (string_fragment) @str))
+    (#match? @str ".*CBC.*PKCS5Padding")
+    (#eq? @cipherClass "Cipher")
+    (#eq? @instanceMethod "getInstance")) @cbc-padding-oracle
+
+  
+exclude:
+  - "tests/**"
+  - "vendor/**"
+  - "**/Test_*.java"
+  - "**/*Test.java"
+
+include:
+  - "*.java"
+
+description: >
+  Java applications using CBC mode with PKCS5Padding for encryption are vulnerable to padding oracle attacks, where attackers can distinguish between valid and invalid padding to potentially decrypt sensitive data without knowing the encryption key. This vulnerability is compounded by CBC mode's lack of built-in integrity checks. The recommended approach is using AES/GCM/NoPadding instead, which provides both confidentiality and integrity protection through authenticated encryption.

analysis/testdata/yaml_tests/patterns/multi-pattern.yml

@@ -0,0 +1,11 @@
+language: javascript
+name: multi-pattern
+message: "Checking precense of multiple patterns"
+category: style
+severity: info
+patterns:
+  - >
+    (call_expression)
+  - >
+    (function_declaration)
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/no-pattern.yml

@@ -0,0 +1,7 @@
+language: javascript
+name: no-pattern
+message: "Checking absence of Patterns"
+category: style
+severity: info
+pattern: 
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/single-multiple.yml

@@ -0,0 +1,12 @@
+language: javascript
+name: single-multiple
+message: "Checking precense of multiple patterns and single pattern"
+category: style
+severity: info
+pattern: (call_expression)
+patterns:
+  - >
+    (call_expression)
+  - >
+    (function_declaration)
+description: "Test checker no-pattern"

analysis/testdata/yaml_tests/patterns/wrong-pattern.yml

@@ -0,0 +1,7 @@
+language: javascript
+name: wrong-pattern
+message: "Checking wrong pattern presence"
+category: style
+severity: info
+pattern: "hello world"
+description: "Test checker no-pattern"

analysis/yaml.go

@@ -87,17 +87,9 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 		return Analyzer{}, YamlAnalyzer{}, err
 	}
 
-	lang := DecodeLanguage(checker.Language)
-	if lang == LangUnknown {
-		return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("unknown language code: '%s'", checker.Language)
-	}
-
-	if checker.Code == "" {
-		return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("no name provided in checker definition")
-	}
-
-	if checker.Message == "" {
-		return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("no message provided in checker '%s'", checker.Code)
+	lang, code, message, err := verifyChecker(checker)
+	if err != nil {
+		return Analyzer{}, YamlAnalyzer{}, err
 	}
 
 	var patterns []*sitter.Query
@@ -116,7 +108,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 			patterns = append(patterns, pattern)
 		}
 	} else {
-		return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("no pattern provided in checker '%s'", checker.Code)
+		return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("no pattern provided in checker '%s'", code)
 	}
 
 	if checker.Pattern != "" && len(checker.Patterns) > 0 {
@@ -134,7 +126,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 		for _, exclude := range checker.Exclude {
 			g, err := glob.Compile(exclude)
 			if err != nil {
-				return Analyzer{}, YamlAnalyzer{}, err
+				return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("invalid exclude pattern in yaml checker")
 			}
 			pathFilter.ExcludeGlobs = append(pathFilter.ExcludeGlobs, g)
 		}
@@ -156,7 +148,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 				queryStr := filter.PatternInside + " @" + filterPatternKey
 				query, err := sitter.NewQuery([]byte(queryStr), lang.Grammar())
 				if err != nil {
-					return Analyzer{}, YamlAnalyzer{}, err
+					return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("invalid tree-sitter pattern inside 'pattern-inside' field")
 				}
 
 				filters = append(filters, NodeFilter{
@@ -169,7 +161,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 				queryStr := filter.PatternNotInside + " @" + filterPatternKey
 				query, err := sitter.NewQuery([]byte(queryStr), lang.Grammar())
 				if err != nil {
-					return Analyzer{}, YamlAnalyzer{}, err
+					return Analyzer{}, YamlAnalyzer{}, fmt.Errorf("invalid tree-sitter pattern inside 'pattern-not-inside' field")
 				}
 
 				filters = append(filters, NodeFilter{
@@ -181,7 +173,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 	}
 
 	patternChecker := Analyzer{
-		Name:        checker.Code,
+		Name:        code,
 		Language:    lang,
 		Description: checker.Description,
 		Category:    checker.Category,
@@ -193,7 +185,7 @@ func ReadFromBytes(fileContent []byte) (Analyzer, YamlAnalyzer, error) {
 		Patterns:   patterns,
 		NodeFilter: filters,
 		PathFilter: pathFilter,
-		Message:    checker.Message,
+		Message:    message,
 	}
 
 	patternChecker.Run = RunYamlAnalyzer(yamlAnalyzer)
@@ -285,3 +277,19 @@ func filterMatchesParent(filter *NodeFilter, parent *sitter.Node, source []byte)
 
 	return false
 }
+
+func verifyChecker(checker Yaml) (Language, string, string, error) {
+	lang := DecodeLanguage(checker.Language)
+	code := checker.Code
+	msg := checker.Message
+
+	if lang == LangUnknown {
+		return lang, code, msg, fmt.Errorf("unknown language code: %v", lang)
+	}
+
+	if (code == "") || (msg == "") {
+		return lang, code, msg, fmt.Errorf("missing necessary field in checker definition")
+	}
+
+	return lang, code, msg, nil
+}