Merge pull request #180 from frack113/coverage

Add more coverage
SigmaHQ · Dec 16, 2023 · 0a56e1d · 0a56e1d
2 parents 96935ca + 9bc76c2
commit 0a56e1d
Show file tree

Hide file tree

Showing 3 changed files with 128 additions and 7 deletions.
diff --git a/sigma/rule.py b/sigma/rule.py
@@ -881,6 +881,12 @@ def from_dict(
                     "Sigma rule must have a log source", source=source
                 )
             )
+        except AttributeError:
+            errors.append(
+                sigma_exceptions.SigmaLogsourceError(
+                    "Sigma logsource must be a valid YAML map", source=source
+                )
+            )
         except SigmaError as e:
             errors.append(e)
 

diff --git a/tests/test_pipelines_common.py b/tests/test_pipelines_common.py
@@ -4,7 +4,6 @@
     logsource_linux_network_connection,
     logsource_linux_file_create,
     logsource_linux_process_creation,
-    logsource_windows,
     logsource_windows_dns_query,
     logsource_windows_file_change,
     logsource_windows_file_event,
@@ -29,7 +28,18 @@
     logsource_windows_driver_load,
     logsource_windows_create_stream_hash,
     logsource_windows_create_remote_thread,
+    logsource_macos_process_creation,
+    logsource_macos_file_create,
+    logsource_azure_riskdetection,
+    logsource_azure_pim,
+    logsource_azure_auditlogs,
+    logsource_azure_azureactivity,
+    logsource_azure_signinlogs,
+    logsource_linux,
+    logsource_macos,
+    logsource_windows,
     generate_windows_logsource_items,
+    logsource_category,
 )
 from sigma.processing.conditions import (
     LogsourceCondition,
@@ -45,11 +55,16 @@ def test_windows_logsource_mapping():
     assert windows_logsource_mapping["security"] == "Security"
 
 
-def test_logsource_windows():
-    assert logsource_windows("security") == LogsourceCondition(
-        product="windows",
-        service="security",
-    )
+@pytest.mark.parametrize(
+    ("func", "service", "product"),
+    [
+        (logsource_windows, "test", "windows"),
+        (logsource_linux, "test", "linux"),
+        (logsource_macos, "test", "macos"),
+    ],
+)
+def test_generic_service_sources(func, service, product):
+    assert func(service) == LogsourceCondition(service=service, product=product)
 
 
 @pytest.mark.parametrize(
@@ -81,6 +96,13 @@ def test_logsource_windows():
         (logsource_linux_process_creation, "process_creation", "linux"),
         (logsource_linux_network_connection, "network_connection", "linux"),
         (logsource_linux_file_create, "file_create", "linux"),
+        (logsource_macos_process_creation, "process_creation", "macos"),
+        (logsource_macos_file_create, "file_create", "macos"),
+        (logsource_azure_riskdetection, "riskdetection", "azure"),
+        (logsource_azure_pim, "pim", "azure"),
+        (logsource_azure_auditlogs, "auditlogs", "azure"),
+        (logsource_azure_azureactivity, "azureactivity", "azure"),
+        (logsource_azure_signinlogs, "signinlogs", "azure"),
     ],
 )
 def test_generic_log_sources(func, category, product):
@@ -137,3 +159,7 @@ def test_generate_windows_logsource_items():
             ]
         }
     )
+
+
+def test_logsource_category():
+    assert logsource_category("test") == LogsourceCondition(category="test")
diff --git a/tests/test_rule.py b/tests/test_rule.py
@@ -114,6 +114,17 @@ def test_sigmalogsource_empty():
         SigmaLogSource(None, None, None, source=sigma_exceptions.SigmaRuleLocation("test.yml"))
 
 
+def test_sigmalogsource_str():
+    with pytest.raises(
+        sigma_exceptions.SigmaLogsourceError,
+        match="Sigma logsource must be a valid YAML map.*test.yml",
+    ):
+        SigmaRule.from_dict(
+            {"title": "test", "logsource": "windows"},
+            source=sigma_exceptions.SigmaRuleLocation("test.yml"),
+        )
+
+
 def test_sigmalogsource_eq():
     assert SigmaLogSource("category", "product", "service") == SigmaLogSource(
         "category", "product", "service"
@@ -772,11 +783,47 @@ def test_sigmarule_bad_status():
         )
 
 
+def test_sigmarule_bad_status_type():
+    with pytest.raises(
+        sigma_exceptions.SigmaStatusError, match="Sigma rule status cannot be a list.*test.yml"
+    ):
+        SigmaRule.from_dict(
+            {"status": ["test"]}, source=sigma_exceptions.SigmaRuleLocation("test.yml")
+        )
+
+
 def test_sigmarule_bad_date():
     with pytest.raises(sigma_exceptions.SigmaDateError, match="Rule date.*test.yml"):
         SigmaRule.from_dict({"date": "bad"}, source=sigma_exceptions.SigmaRuleLocation("test.yml"))
 
 
+def test_sigmarule_bad_modified():
+    with pytest.raises(sigma_exceptions.SigmaModifiedError, match="Rule modified.*test.yml"):
+        SigmaRule.from_dict(
+            {"modified": "bad"}, source=sigma_exceptions.SigmaRuleLocation("test.yml")
+        )
+
+
+def test_sigmarule_bad_falsepositives():
+    with pytest.raises(
+        sigma_exceptions.SigmaFalsePositivesError,
+        match="Sigma rule falsepositives must be a list.*test.yml",
+    ):
+        SigmaRule.from_dict(
+            {"falsepositives": "bad"}, source=sigma_exceptions.SigmaRuleLocation("test.yml")
+        )
+
+
+def test_sigmarule_bad_references():
+    with pytest.raises(
+        sigma_exceptions.SigmaReferencesError,
+        match="Sigma rule references must be a list.*test.yml",
+    ):
+        SigmaRule.from_dict(
+            {"references": "bad"}, source=sigma_exceptions.SigmaRuleLocation("test.yml")
+        )
+
+
 def test_sigmarule_date():
     expected_date = date(3000, 1, 2)
     rule = SigmaRule.from_yaml(
@@ -1211,7 +1258,7 @@ def test_invalid_related_id():
         )
 
 
-def test_invalid_related_subfield():
+def test_invalid_related_id_subfield():
     with pytest.raises(
         sigma_exceptions.SigmaRelatedError, match="Sigma related must have an id field"
     ):
@@ -1232,6 +1279,48 @@ def test_invalid_related_subfield():
         )
 
 
+def test_invalid_related_type_subfield():
+    with pytest.raises(
+        sigma_exceptions.SigmaRelatedError, match="Sigma related must have a type field"
+    ):
+        SigmaRule.from_yaml(
+            """
+    title: Test
+    related:
+        - id: 08fbc97d-0a2f-491c-ae21-8ffcfd3174e9
+          types: derived
+    status: test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+        )
+
+
+def test_invalid_related_list():
+    with pytest.raises(
+        sigma_exceptions.SigmaRelatedError, match="Sigma rule related must be a list"
+    ):
+        SigmaRule.from_yaml(
+            """
+    title: Test
+    related:
+        id: 08fbc97d-0a2f-491c-ae21-8ffcfd3174e9
+        types: derived
+    status: test
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: value
+        condition: sel
+    """
+        )
+
+
 def test_invalid_author():
     with pytest.raises(
         sigma_exceptions.SigmaAuthorError, match="Sigma rule author must be a string"