Files
Aperant/tests/test_security_scanner.py
T
StillKnotKnown ed93df698b test: improve backend agent test coverage to 94% (#1779)
* fix: add mock reset fixtures and resolve async iterator mock issues

- Add pytest_runtest_setup and pytest_runtest_teardown hooks to reset
  shared module-level mocks between tests
- Add module-specific mock reset fixtures for test_qa_fixer and
  test_qa_reviewer to prevent test interference
- Fix async iterator mock for receive_response to properly return
  an AsyncIteratorMock instance
- Update test_qa_fixer.py and test_qa_reviewer.py with proper mock
  setup for isolated test execution

* docs(agents): add CLAUDE.md documentation for agents module

Documents the agents module architecture including:
- Module components (coder, planner, session, memory_manager, base)
- Single-agent architecture without external parallelism
- Subagent architecture clarification

* Revert "docs(agents): add CLAUDE.md documentation for agents module"

This reverts commit bf1ddd7da08f2f34352d11a5d823da981f1a98bb.

* chore: update gitignore to allow agents/tests/

* fix(tests): resolve mock isolation and path permission issues

- Fix test_tool_concurrency_error_detection by patching where functions
  are used (qa.fixer) instead of where they're defined
- Add Path.exists/is_dir/glob mocks to avoid permission errors on
  nonexistent directories in test_validation_strategy.py
- Add helper function clean_project_index_files() to reduce code
  duplication in prereqs_validator tests
- Add comprehensive tests for spec validation validators
  (context, prereqs, spec_document)
- Fix similar mock/path issues in test_qa_reviewer.py,
  test_service_orchestrator.py, test_ci_discovery.py,
  test_prompt_generator.py, test_security_scanner.py

All 2103 tests now pass.

* fix(tests): remove unused imports and fix double assignment

- Remove unused 'patch' import from validator test files
- Remove unused 'pytest' import where not needed
- Fix double assignment typo in test_error_message_includes_filename

* fix(tests): move agents tests to tests/agents/ directory

- Move test_agent_architecture.py, test_agent_configs.py, and
  test_agent_flow.py from apps/backend/agents/tests/ to tests/agents/
- Fix path resolution to work from new location
- Remove gitignore exception for agents/tests/ (no longer needed)

This resolves the issue where tests were not included in the PR
because they were in an untracked location.

* fix(tests): simplify conftest.py mock management

- Remove redundant pytest_runtest_teardown and pytest_runtest_call hooks
  (autouse fixtures in test files already handle mock reset)
- Add prompts_pkg.project_context to potentially mocked modules list
- Remove prompts_pkg from test_qa_fixer entry (not used there)

This reduces maintenance burden by having mock reset in one place.

* refactor(tests): consolidate duplicate mock setup into shared helper

- Create tests/qa_test_helpers.py with shared mock infrastructure:
  - AsyncIteratorMock and ReceiveResponseMock classes
  - setup_qa_mocks(), cleanup_qa_mocks(), reset_qa_mocks() functions
  - Mock response creation helpers
  - Accessor functions for mock objects
- Refactor test_qa_fixer.py to use shared helpers
- Reduces ~80 lines of duplicated code per test file
- Fixes potential mock binding issues by using accessor functions

This addresses code quality issues identified in PR review:
- Duplicate mock setup between test_qa_fixer.py and test_qa_reviewer.py
- Duplicated _AsyncIteratorMock class across files

* refactor(tests): consolidate test_qa_reviewer.py with shared helpers

- Refactor test_qa_reviewer.py to use shared qa_test_helpers
- Remove ~170 lines of duplicated mock setup and helper functions
- Fix unused imports in test_qa_fixer.py (json, sys, MagicMock, etc.)
- Fix rate limit error detection tests to patch where functions are used
- Consolidate duplicated _create_*_response helper methods to module level

Addresses CodeQL warnings about unused imports and reduces code
duplication between test_qa_fixer.py and test_qa_reviewer.py.

* fix(tests): remove unused Path import from test_qa_reviewer.py

* fix(tests): address all PR review findings

PR Review Fixes:
- Remove unused create_mock_qa_approved_response/rejected_response functions
- Guard against overwriting _original_modules on second setup_qa_mocks() call
- Clear _original_modules in cleanup_qa_mocks() to prevent stale state
- Add prompts_pkg.project_context to test_qa_reviewer preserved_mocks in conftest
- Convert asyncio.run() pattern to native async tests in test_agent_flow.py
- Remove redundant @pytest.mark.asyncio decorators (asyncio_mode=auto)
- Remove unused pytest import from qa_test_helpers.py
- Fix structural duplication by keeping fixtures in test files

Code Quality:
- Removed ~100 lines of duplicated/unused code
- Consistent async test patterns across all QA test files
- Proper mock state management to prevent test pollution

* fix(tests): save original modules individually in setup_qa_mocks

The boolean guard `setup_done` prevented saving original modules on
subsequent calls with different parameters. When setup_qa_mocks was
called first with include_prompts_pkg=False, then with True, the
prompts_pkg modules were never saved to _original_modules. During
cleanup, these unsaved modules were deleted from sys.modules instead
of being restored, causing ModuleNotFoundError in subsequent tests.

Now checks each module individually before mocking, ensuring all
originals are saved across multiple setup calls.

* fix(tests): address all PR review findings including low priority

- Fix path in test_no_subtask_worker_config (parent.parent.parent)
- Add guard to prevent double setup in setup_qa_mocks()
- Don't clear _original_modules in cleanup to fix multi-module cleanup

* fix(tests): address PR review follow-up findings

- Fix module-level mock setup ordering dependency: now tracks
  include_prompts_pkg config and allows incremental setup when
  test_qa_fixer.py (False) is imported before test_qa_reviewer.py (True)
- Remove unused asyncio import from test_agent_flow.py
- Replace os.chdir() with monkeypatch.chdir() in prereqs validator
  tests for safe parallel test execution

---------

Co-authored-by: StillKnotKnown <stillknotknown@users.noreply.github.com>
2026-02-12 15:06:25 +01:00

496 lines
16 KiB
Python

#!/usr/bin/env python3
"""
Tests for the security_scanner module.
Tests cover:
- Secrets scanning integration
- SAST tool integration
- Dependency audit integration
- Result aggregation
- Blocking logic
"""
import json
import tempfile
from pathlib import Path
from unittest.mock import patch, MagicMock
import pytest
# Add auto-claude to path for imports
import sys
sys.path.insert(0, str(Path(__file__).parent.parent / "apps" / "backend"))
from security_scanner import (
SecurityVulnerability,
SecurityScanResult,
SecurityScanner,
scan_for_security_issues,
has_security_issues,
scan_secrets_only,
HAS_SECRETS_SCANNER,
)
# =============================================================================
# FIXTURES
# =============================================================================
@pytest.fixture
def temp_dir():
"""Create a temporary directory for tests."""
with tempfile.TemporaryDirectory() as tmpdir:
yield Path(tmpdir)
@pytest.fixture
def scanner():
"""Create a SecurityScanner instance."""
return SecurityScanner()
@pytest.fixture
def python_project(temp_dir):
"""Create a simple Python project structure."""
(temp_dir / "requirements.txt").write_text("flask==2.0.0\n")
(temp_dir / "app.py").write_text("print('hello')\n")
return temp_dir
@pytest.fixture
def node_project(temp_dir):
"""Create a simple Node.js project structure."""
(temp_dir / "package.json").write_text(json.dumps({
"name": "test",
"dependencies": {"express": "^4.18.0"}
}))
return temp_dir
# =============================================================================
# DATA CLASS TESTS
# =============================================================================
class TestSecurityVulnerability:
"""Tests for SecurityVulnerability dataclass."""
def test_create_vulnerability(self):
"""Test creating a security vulnerability."""
vuln = SecurityVulnerability(
severity="high",
source="bandit",
title="SQL Injection",
description="Potential SQL injection",
file="app.py",
line=42,
)
assert vuln.severity == "high"
assert vuln.source == "bandit"
assert vuln.title == "SQL Injection"
assert vuln.file == "app.py"
assert vuln.line == 42
def test_vulnerability_optional_fields(self):
"""Test vulnerability with optional fields."""
vuln = SecurityVulnerability(
severity="low",
source="npm_audit",
title="Outdated dependency",
description="Package is outdated",
)
assert vuln.file is None
assert vuln.line is None
assert vuln.cwe is None
class TestSecurityScanResult:
"""Tests for SecurityScanResult dataclass."""
def test_create_result(self):
"""Test creating a scan result."""
result = SecurityScanResult()
assert result.secrets == []
assert result.vulnerabilities == []
assert result.scan_errors == []
assert result.has_critical_issues is False
assert result.should_block_qa is False
def test_result_with_data(self):
"""Test result with actual data."""
result = SecurityScanResult(
secrets=[{"file": "config.py", "pattern": "api_key"}],
vulnerabilities=[
SecurityVulnerability(
severity="critical",
source="secrets",
title="API Key exposed",
description="Found API key",
)
],
has_critical_issues=True,
should_block_qa=True,
)
assert len(result.secrets) == 1
assert len(result.vulnerabilities) == 1
assert result.has_critical_issues is True
assert result.should_block_qa is True
# =============================================================================
# SCANNER TESTS
# =============================================================================
class TestSecurityScanner:
"""Tests for SecurityScanner class."""
def test_scan_empty_project(self, scanner, temp_dir):
"""Test scanning an empty project."""
result = scanner.scan(temp_dir)
assert isinstance(result, SecurityScanResult)
def test_scan_python_project(self, scanner, python_project):
"""Test scanning a Python project."""
result = scanner.scan(python_project)
assert isinstance(result, SecurityScanResult)
def test_scan_node_project(self, scanner, node_project):
"""Test scanning a Node.js project."""
result = scanner.scan(node_project)
assert isinstance(result, SecurityScanResult)
def test_scan_with_spec_dir(self, scanner, python_project, temp_dir):
"""Test that results are saved to spec dir."""
spec_dir = temp_dir / "spec"
spec_dir.mkdir()
scanner.scan(python_project, spec_dir=spec_dir)
results_file = spec_dir / "security_scan_results.json"
assert results_file.exists()
def test_scan_secrets_only(self, scanner, python_project):
"""Test scanning only for secrets."""
result = scanner.scan(
python_project,
run_sast=False,
run_dependency_audit=False,
)
assert isinstance(result, SecurityScanResult)
# =============================================================================
# SECRETS DETECTION TESTS
# =============================================================================
class TestSecretsDetection:
"""Tests for secrets detection integration."""
@pytest.mark.skipif(not HAS_SECRETS_SCANNER, reason="scan_secrets not available")
def test_detects_api_key(self, scanner, temp_dir):
"""Test detecting an API key in code."""
# Create a file with a fake API key
code_file = temp_dir / "config.py"
code_file.write_text('API_KEY = "sk-test1234567890abcdefghij1234567890abcdefghij"')
result = scanner.scan(temp_dir, run_sast=False, run_dependency_audit=False)
# Note: This may or may not find the key depending on the patterns
# The test is more about ensuring no crashes occur
assert isinstance(result, SecurityScanResult)
def test_secrets_block_qa(self, scanner, temp_dir):
"""Test that secrets block QA approval."""
result = SecurityScanResult(
secrets=[{"file": "config.py", "pattern": "api_key", "line": 1}],
)
# Manually set the blocking flag as the scan method would
result.should_block_qa = len(result.secrets) > 0
assert result.should_block_qa is True
# =============================================================================
# BLOCKING LOGIC TESTS
# =============================================================================
class TestBlockingLogic:
"""Tests for QA blocking logic."""
def test_secrets_always_block(self):
"""Test that any secrets always block QA."""
result = SecurityScanResult(
secrets=[{"file": "test.py", "pattern": "password"}],
has_critical_issues=True,
should_block_qa=True,
)
assert result.should_block_qa is True
def test_critical_vulns_block(self):
"""Test that critical vulnerabilities block QA."""
result = SecurityScanResult(
vulnerabilities=[
SecurityVulnerability(
severity="critical",
source="npm_audit",
title="Remote code execution",
description="Critical CVE",
)
],
has_critical_issues=True,
should_block_qa=True,
)
assert result.should_block_qa is True
def test_high_vulns_dont_block_alone(self):
"""Test that high (non-critical) vulnerabilities don't block alone."""
result = SecurityScanResult(
vulnerabilities=[
SecurityVulnerability(
severity="high",
source="bandit",
title="SQL Injection",
description="Possible SQL injection",
)
],
)
# High should mark as critical issue but not necessarily block
result.has_critical_issues = True
result.should_block_qa = False # Only critical blocks
assert result.has_critical_issues is True
assert result.should_block_qa is False
def test_no_issues_doesnt_block(self):
"""Test that clean scans don't block."""
result = SecurityScanResult()
assert result.has_critical_issues is False
assert result.should_block_qa is False
# =============================================================================
# SERIALIZATION TESTS
# =============================================================================
class TestSerialization:
"""Tests for result serialization."""
def test_to_dict(self, scanner):
"""Test converting result to dictionary."""
result = SecurityScanResult(
secrets=[{"file": "test.py", "pattern": "api_key", "line": 1}],
vulnerabilities=[
SecurityVulnerability(
severity="high",
source="bandit",
title="Test issue",
description="Description",
file="app.py",
line=10,
)
],
scan_errors=["Test error"],
has_critical_issues=True,
should_block_qa=True,
)
result_dict = scanner.to_dict(result)
assert isinstance(result_dict, dict)
assert "secrets" in result_dict
assert "vulnerabilities" in result_dict
assert "summary" in result_dict
assert result_dict["summary"]["total_secrets"] == 1
assert result_dict["summary"]["high_count"] == 1
def test_json_serializable(self, scanner):
"""Test that result is JSON serializable."""
result = SecurityScanResult(
vulnerabilities=[
SecurityVulnerability(
severity="medium",
source="test",
title="Test",
description="Test",
)
],
)
result_dict = scanner.to_dict(result)
# Should not raise
json_str = json.dumps(result_dict)
assert isinstance(json_str, str)
# =============================================================================
# CONVENIENCE FUNCTION TESTS
# =============================================================================
class TestConvenienceFunctions:
"""Tests for convenience functions."""
def test_scan_for_security_issues(self, python_project):
"""Test scan_for_security_issues function."""
result = scan_for_security_issues(python_project)
assert isinstance(result, SecurityScanResult)
def test_has_security_issues_clean(self, temp_dir):
"""Test has_security_issues on clean project."""
(temp_dir / "app.py").write_text("print('hello')")
# This should return False for a clean project
# (actual behavior depends on secrets scanner availability)
result = has_security_issues(temp_dir)
assert isinstance(result, bool)
def test_scan_secrets_only_function(self, temp_dir):
"""Test scan_secrets_only function."""
(temp_dir / "app.py").write_text("print('hello')")
secrets = scan_secrets_only(temp_dir)
assert isinstance(secrets, list)
# =============================================================================
# EDGE CASES
# =============================================================================
class TestEdgeCases:
"""Tests for edge cases."""
def test_nonexistent_directory(self, scanner):
"""Test handling of non-existent directory."""
fake_dir = Path("/nonexistent/path")
# Should not crash, may have errors - mock exists to avoid permission error
with patch.object(Path, 'exists', return_value=False):
result = scanner.scan(fake_dir)
assert isinstance(result, SecurityScanResult)
def test_scan_specific_files(self, scanner, python_project):
"""Test scanning specific files only."""
result = scanner.scan(
python_project,
changed_files=["app.py"],
run_sast=False,
run_dependency_audit=False,
)
assert isinstance(result, SecurityScanResult)
def test_redact_secret_short(self, scanner):
"""Test secret redaction for short strings."""
redacted = scanner._redact_secret("abc123")
assert "abc123" not in redacted
assert "*" in redacted
def test_redact_secret_long(self, scanner):
"""Test secret redaction for long strings."""
secret = "sk-test1234567890abcdefghij"
redacted = scanner._redact_secret(secret)
# Should show first 4 and last 4 chars
assert redacted.startswith("sk-t")
assert redacted.endswith("ghij")
assert "*" in redacted
def test_is_python_project_detection(self, scanner, temp_dir):
"""Test Python project detection."""
assert scanner._is_python_project(temp_dir) is False
(temp_dir / "requirements.txt").write_text("flask\n")
assert scanner._is_python_project(temp_dir) is True
def test_is_python_project_pyproject(self, scanner, temp_dir):
"""Test Python project detection with pyproject.toml."""
(temp_dir / "pyproject.toml").write_text("[project]\nname='test'")
assert scanner._is_python_project(temp_dir) is True
# =============================================================================
# SAST TOOL INTEGRATION TESTS
# =============================================================================
class TestSASTIntegration:
"""Tests for SAST tool integration."""
def test_bandit_availability_check(self, scanner):
"""Test Bandit availability check."""
# Just verify it doesn't crash
result = scanner._check_bandit_available()
assert isinstance(result, bool)
@patch("subprocess.run")
def test_bandit_output_parsing(self, mock_run, scanner, python_project):
"""Test parsing Bandit JSON output."""
mock_run.return_value = MagicMock(
stdout=json.dumps({
"results": [
{
"issue_severity": "HIGH",
"issue_text": "Test issue",
"filename": "app.py",
"line_number": 10,
"issue_cwe": {"id": "CWE-89"},
}
]
}),
returncode=0,
)
result = SecurityScanResult()
scanner._bandit_available = True
scanner._run_bandit(python_project, result)
# If bandit ran (may be skipped if not available)
# Check that parsing works
if result.vulnerabilities:
assert result.vulnerabilities[0].severity == "high"
assert result.vulnerabilities[0].source == "bandit"
@patch("subprocess.run")
def test_npm_audit_output_parsing(self, mock_run, scanner, node_project):
"""Test parsing npm audit JSON output."""
mock_run.return_value = MagicMock(
stdout=json.dumps({
"vulnerabilities": {
"lodash": {
"severity": "critical",
"via": [{"title": "Prototype Pollution"}],
}
}
}),
returncode=0,
)
result = SecurityScanResult()
scanner._run_npm_audit(node_project, result)
# Check parsing worked
if result.vulnerabilities:
assert any(v.source == "npm_audit" for v in result.vulnerabilities)