Skip to content

Add SqlSinkGuardTests covering block/audit/no-threat branches (separate from the taint tests) #39

Description

@JVBotelho

Summary

SqlSinkGuard has one test file, SqlSinkGuardTaintTests.cs, but it only exercises the
[Tainted] enrichment tag — never the guard's own block/audit/no-threat decision in
isolation. Add a new Rasp.Core.Tests/Guard/SqlSinkGuardTests.cs alongside it (don't grow
the taint file with unrelated assertions).

Background

Every *DetectionEngine has a dedicated test file; most Guard classes don't, and even
SqlSinkGuard's existing test file is narrowly scoped. This is one of five identical-shaped
issues — see docs/good-first-issues-dotnet.md for the full list and the shared rationale
(this is about naming concrete gaps, not chasing a coverage percentage).

Pattern to copy

Rasp.Core.Tests/Guard/SqlSinkGuardTaintTests.cs itself — NoOpRaspMetrics fake, a real
RaspAlertBus, Options.Create(new RaspOptions {...}), NullLogger<T>.Instance. Reuse
NoOpRaspMetrics from that file rather than redefining it (or, if convenient, move it to a
shared test helper as part of this PR — flag the decision either way).

What to test

AnalyzeCommand(commandText, context) (src/Rasp.Core/Guard/SqlSinkGuard.cs)'s own
decision branches, gated by RaspOptions.BlockOnDetection — separate from (and in addition
to) the existing taint-enrichment coverage:

  • Threat detected + audit mode: alert pushed via RaspAlertBus, no exception thrown.
  • Threat detected + block mode: RaspSecurityException thrown, alert still pushed
    before the throw.
  • No threat: no alert, no exception.
  • New file added as SqlSinkGuardTests.cs, not merged into SqlSinkGuardTaintTests.cs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    .NETPull requests that update .NET codegood first issueGood for newcomershelp wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions