README
ΒΆ
π Crypto Rules Test Suite
This test suite validates that our crypto scanning rules correctly distinguish between different contexts and assign appropriate severity levels.
π― Test Categories
1. Protocol Implementation (protocol_implementation/)
Expected Severity: INFO
Tests legitimate crypto implementations required by networking protocols:
dnssec_legitimate.c- DNSSEC SHA-1 support (RFC 4034/5155 compliance)dns_over_tls_client.c- DNS-over-TLS client implementation (RFC 7858)
Why INFO? These are legitimate protocol implementations required for standards compliance, not security vulnerabilities.
2. Application Vulnerabilities (application_vulnerabilities/)
Expected Severity: HIGH/CRITICAL
Tests actual crypto vulnerabilities in application code:
password_hashing_vulnerabilities.c- MD5/SHA-1 for passwords (CRITICAL)key_generation_vulnerabilities.go- RSA/ECDSA key generation (HIGH)
Why HIGH/CRITICAL? These are real security issues that need immediate attention.
3. Test Context (test_context/)
Expected Severity: INFO
Tests crypto usage in test files and testing frameworks:
crypto_test_suite.py- MD5/SHA-1 in unit tests
Why INFO? Testing legacy crypto compatibility is legitimate and should not alarm security teams.
4. Configuration (configuration/)
Expected Severity: INFO
Tests build-time configuration files:
Kconfig.crypto- Embedded system crypto configuration
Why INFO? Build configuration options are planning/compatibility items, not runtime vulnerabilities.
πββοΈ Running Tests
Quick Test
make test-crypto-rules
Manual Test
# Build scanner first
make build
# Run test suite
cd test/crypto_rules/runner
go run test_runner.go
Test Individual Files
./build/pqswitch scan test/crypto_rules/protocol_implementation/dnssec_legitimate.c --output json
π Expected Results
| Test File | Category | Expected Severity | Expected Rules |
|---|---|---|---|
dnssec_legitimate.c |
Protocol | INFO | dnssec-protocol-sha1 |
dns_over_tls_client.c |
Protocol | INFO | dns-tls-client-usage |
password_hashing_vulnerabilities.c |
Vulnerability | CRITICAL | weak-hash-md5 |
key_generation_vulnerabilities.go |
Vulnerability | HIGH | go-rsa-keygen |
crypto_test_suite.py |
Test | INFO | weak-hash-md5-test-context |
Kconfig.crypto |
Config | INFO | tls-config-kconfig |
π§ͺ Test Validation
The test runner validates:
- Severity Levels - Ensures protocol implementation gets INFO vs application vulnerabilities get HIGH/CRITICAL
- Rule Triggering - Verifies expected rules are triggered
- Message Content - Checks that appropriate context-aware messages are generated
- False Positive Reduction - Confirms legitimate protocol code isn't flagged as vulnerable
π§ Adding New Tests
- Create test file in appropriate category directory
- Add expected results to
runner/test_runner.goinloadTestCases() - Run tests to validate
Example test case:
{
File: "test/crypto_rules/new_category/test_file.c",
ExpectedSeverity: "info",
ExpectedRuleIDs: []string{"rule-id-1", "rule-id-2"},
ExpectedMessage: "expected message content",
Description: "What this test validates",
Category: "new_category",
}
π― Success Criteria
- Protocol implementations β INFO severity (not HIGH)
- Application vulnerabilities β HIGH/CRITICAL severity
- Test files β INFO severity (not HIGH)
- Configuration files β INFO severity (not MEDIUM)
- Context-aware messages β Specific to usage context
- False positive rate β <10% for legitimate code
π Coverage Goals
- β DNSSEC protocol support (RFC compliance)
- β DNS-over-TLS implementation (service protocols)
- β Application crypto vulnerabilities (real security issues)
- β Test framework usage (development context)
- β Build configuration (planning context)
- π§ TLS library implementations (protocol libraries)
- π§ Crypto driver code (kernel/hardware context)
- π§ Migration guidance (hybrid approaches)
This test suite ensures our scanner provides actionable intelligence rather than alert fatigue.