Code Samples and Test Targets

Overview

See below for code samples and test targets you can use to test Jit's suite of security requirements.

Scan code for vulnerabilities (Python)

File name: test.py

import yaml

def exploitable_yaml_load(**kwargs):
    """
    The string `!!python/object/new:os.system` is a YAML tag that tells the parser
    to create a new Python object by calling 'os.system' with 'echo EXPLOIT!' as its argument.
    When using 'yaml.unsafe_load', this can lead to arbitrary command execution.
    """
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)

Expected output:

Scan code for vulnerabilities (JavaScript)

File name: test.js

document.getElementById('userForm').addEventListener('submit', function(e) {
  e.preventDefault();
  
  // This is an unsafe practice and can lead to XSS vulnerabilities
  const userInput = document.getElementById('userInput').value;
  document.getElementById('content').innerHTML = userInput;
});

Expected output:

Scan code for vulnerabilities (Go)

File name: test.go

package testutil // import "github.com/docker/docker/testutil"

import "math/rand"

// GenerateRandomAlphaOnlyString generates an alphabetical random string with length n.
func GenerateRandomAlphaOnlyString(n int) string {
	// make a really long string
	letters := []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[rand.Intn(len(letters))] //nolint: gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand)
	}
	return string(b)
}

Expected output:

Scan code dependencies for vulnerabilities (Node)

File name: package.json

{
  "name": "dependencygoat2",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "minimist": "0.0.8"
  }
}

Expected output:

Scan code dependencies for vulnerabilities (Python)

File name: requirements.txt

requests==2.18.2
urllib3==1.26.4

Expected output:

Scan code for hard-coded secrets (multi-language)

File name: secret.txt

MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"

Expected output:

Scan IaC for static misconfigurations (Terraform)

Code sample: EC2 instance has Public IP

File name: public-ip.tf

//test public ip
data "aws_ami" "ubuntu1" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "web2" {
  ami           = data.aws_ami.ubuntu1.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

resource "aws_instance" "web3" {
  ami           = data.aws_ami.ubuntu1.id
  associate_public_ip_address = true
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

Expected output:

Code sample: S3 Bucket without restriction of Public Bucket

File name: public-bucket.tf

//test public bucket
resource "aws_s3_bucket" "positive1" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "positive2" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls   = true
  block_public_policy = true
  restrict_public_buckets = false
}

resource "aws_s3_bucket_public_access_block" "positive3" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls   = true
  block_public_policy = true
}
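For comparison, here is an added example (not one of the page's samples) of the same public access block with all four restrictions enabled. A scanner that reports `positive2` and `positive3` above should report nothing on it. The resource names and the bucket name `jit-test-hardened` are assumptions.

```hcl
# Added example: hardened counterpart of the samples above. Resource and
# bucket names are assumptions, not taken from the page.
resource "aws_s3_bucket" "hardened" {
  bucket = "jit-test-hardened"
}

# All four settings are set explicitly. In the AWS provider an omitted
# setting defaults to false, which is why "positive3" above is still flagged
# even though it never sets restrict_public_buckets to false.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```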

Expected output:

Code sample: ALB listening on HTTP

File name: alb-http.tf

resource "aws_lb_listener" "listener6" {
  load_balancer_arn = aws_lb.test3.arn
  port = 80
  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb" "test3" {
  name = "test123"
  load_balancer_type = "application"
  subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal = true
}
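An added example of the corrected configuration (not part of the page): the application load balancer terminates TLS on a port 443 listener, and the port 80 listener does nothing but redirect to HTTPS, so no traffic is served over plain HTTP. The certificate ARN is a placeholder, and the SSL policy name, subnet references and target group `aws_lb_target_group.app` are assumptions.

```hcl
# Added example, not one of the page's samples. The certificate ARN is a
# PLACEHOLDER; subnet and target group references are assumptions.
resource "aws_lb" "hardened" {
  name               = "hardened-alb"
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal           = true
}

# Port 80 exists only to send clients to HTTPS; unlike "listener6" above,
# the redirect target is port 443 over HTTPS, not port 80 over HTTP.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.hardened.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# TLS is terminated here with a TLS 1.2/1.3-only policy and an ACM certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.hardened.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

A scanner that flags `listener6` above should report nothing on `http_redirect`, because its only action is the redirect to HTTPS; the finding clears once the redirect points at port 443 with protocol HTTPS rather than back to port 80.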

Expected output:

Run a Web Application Scanner / Ensure Your APIs are Secure (ZAP-based security requirements)

Use the following tests to verify that your security requirements based on ZAP (which include Run a Web Application Scanner and Ensure Your APIs are Secure) are functional.

Test target: Google Firing Range

https://www.zaproxy.org/docs/scans/firingrange/

Test target: Google Security Crawl Maze

https://www.zaproxy.org/docs/scans/crawlmaze/

Test target: OWASP Benchmark

https://www.zaproxy.org/docs/scans/benchmark/

Test target: Websites Vulnerable to SSTI

https://www.zaproxy.org/docs/scans/ssti/

Test target: Yahoo Webseclab

https://www.zaproxy.org/docs/scans/webseclab/