| 1 | package org.egothor.methodatlas.ai; | |
| 2 | ||
| 3 | /** | |
| 4 | * Provides the default built-in taxonomy used to guide AI-based security | |
| 5 | * classification of JUnit test methods. | |
| 6 | * | |
| 7 | * <p> | |
| 8 | * This class exposes a human-readable taxonomy definition that is supplied to | |
| 9 | * the AI suggestion engine when no external taxonomy file is configured and | |
| 10 | * {@link org.egothor.methodatlas.ai.AiOptions.TaxonomyMode#DEFAULT} is | |
| 11 | * selected. The taxonomy defines the controlled vocabulary, decision rules, and | |
| 12 | * naming conventions used when classifying security-relevant tests. | |
| 13 | * </p> | |
| 14 | * | |
| 15 | * <h2>Purpose</h2> | |
| 16 | * | |
| 17 | * <p> | |
| 18 | * The taxonomy is designed to improve classification consistency by providing | |
| 19 | * the AI provider with a stable and explicit specification of: | |
| 20 | * </p> | |
| 21 | * <ul> | |
| 22 | * <li>what constitutes a security-relevant test</li> | |
| 23 | * <li>which security category tags are allowed</li> | |
| 24 | * <li>how tags should be selected</li> | |
| 25 | * <li>how security-oriented display names should be formed</li> | |
| 26 | * </ul> | |
| 27 | * | |
| 28 | * <p> | |
| 29 | * The default taxonomy favors readability and professional descriptive clarity. | |
| 30 | * For a more compact taxonomy tuned specifically for model reliability, see | |
| 31 | * {@link OptimizedSecurityTaxonomy}. | |
| 32 | * </p> | |
| 33 | * | |
| 34 | * <p> | |
| 35 | * This class is a non-instantiable utility holder. | |
| 36 | * </p> | |
| 37 | * | |
| 38 | * @see OptimizedSecurityTaxonomy | |
| 39 | * @see org.egothor.methodatlas.ai.AiSuggestionEngineImpl | |
| 40 | * @see org.egothor.methodatlas.ai.AiOptions.TaxonomyMode | |
| 41 | */ | |
| 42 | public final class DefaultSecurityTaxonomy { | |
| 43 | /** | |
| 44 | * Prevents instantiation of this utility class. | |
| 45 | */ | |
| 46 | private DefaultSecurityTaxonomy() { | |
| 47 | } | |
| 48 | ||
| 49 | /** | |
| 50 | * Returns the default built-in taxonomy text used for AI classification. | |
| 51 | * | |
| 52 | * <p> | |
| 53 | * The returned text is intended to be embedded directly into provider prompts | |
| 54 | * and therefore contains both conceptual guidance and operational | |
| 55 | * classification rules. It defines: | |
| 56 | * </p> | |
| 57 | * <ul> | |
| 58 | * <li>scope of security-relevant tests</li> | |
| 59 | * <li>mandatory and optional tagging rules</li> | |
| 60 | * <li>allowed taxonomy categories</li> | |
| 61 | * <li>guidance for class-level versus method-level tagging</li> | |
| 62 | * <li>display name conventions</li> | |
| 63 | * <li>AI-oriented decision instructions</li> | |
| 64 | * </ul> | |
| 65 | * | |
| 66 | * <p> | |
| 67 | * The taxonomy includes the following category tags: {@code auth}, | |
| 68 | * {@code access-control}, {@code crypto}, {@code input-validation}, | |
| 69 | * {@code injection}, {@code data-protection}, {@code logging}, | |
| 70 | * {@code error-handling}, and {@code owasp}. | |
| 71 | * </p> | |
| 72 | * | |
| 73 | * <p> | |
| 74 | * The returned value is immutable text and may safely be reused across multiple | |
| 75 | * AI requests. | |
| 76 | * </p> | |
| 77 | * | |
| 78 | * @return default taxonomy text used to instruct AI classification | |
| 79 | * | |
| 80 | * @see OptimizedSecurityTaxonomy#text() | |
| 81 | * @see org.egothor.methodatlas.ai.AiSuggestionEngineImpl | |
| 82 | */ | |
| 83 | public static String text() { | |
| 84 |
1
1. text : replaced return value with "" for org/egothor/methodatlas/ai/DefaultSecurityTaxonomy::text → SURVIVED |
return """ |
| 85 | SECURITY TEST TAGGING TAXONOMY | |
| 86 | ============================== | |
| 87 | ||
| 88 | Purpose | |
| 89 | ------- | |
| 90 | This taxonomy defines a controlled vocabulary for labeling security-relevant JUnit tests. | |
| 91 | The goal is to enable automated classification of test methods that validate security | |
| 92 | properties, controls, mitigations, or invariants. | |
| 93 | ||
| 94 | The taxonomy is intentionally small and stable to avoid uncontrolled tag proliferation. | |
| 95 | ||
| 96 | Classification Scope | |
| 97 | -------------------- | |
| 98 | ||
| 99 | Applies to: | |
| 100 | - JUnit 5 test classes and methods | |
| 101 | - primarily unit tests | |
| 102 | - integration tests may follow the same model when applicable | |
| 103 | ||
| 104 | A test should be considered *security-relevant* if its failure could plausibly lead to: | |
| 105 | ||
| 106 | - loss of confidentiality | |
| 107 | - loss of integrity | |
| 108 | - loss of availability | |
| 109 | - unauthorized actions | |
| 110 | - exposure of sensitive data | |
| 111 | - bypass of security controls | |
| 112 | ||
| 113 | Examples of security-relevant verification: | |
| 114 | ||
| 115 | - access control decisions | |
| 116 | - authentication or identity validation | |
| 117 | - cryptographic correctness or misuse resistance | |
| 118 | - input validation or canonicalization | |
| 119 | - injection prevention | |
| 120 | - safe handling of sensitive data | |
| 121 | - correct security event logging | |
| 122 | - secure error handling | |
| 123 | ||
| 124 | ||
| 125 | Non-Security Tests (Out of Scope) | |
| 126 | --------------------------------- | |
| 127 | ||
| 128 | Do NOT classify tests as security tests when they only verify: | |
| 129 | ||
| 130 | - functional correctness unrelated to security | |
| 131 | - performance characteristics | |
| 132 | - UI behavior | |
| 133 | - formatting or presentation logic | |
| 134 | - internal implementation details with no security implications | |
| 135 | ||
| 136 | If a test contains security logic but its intent is purely functional, | |
| 137 | prefer NOT classifying it as a security test. | |
| 138 | ||
| 139 | ||
| 140 | Tagging Model | |
| 141 | ------------- | |
| 142 | ||
| 143 | Every security-relevant test MUST include: | |
| 144 | ||
| 145 | @Tag("security") | |
| 146 | ||
| 147 | and SHOULD include a descriptive display name: | |
| 148 | ||
| 149 | @DisplayName("SECURITY: <control/property> - <scenario>") | |
| 150 | ||
| 151 | ||
| 152 | Example: | |
| 153 | ||
| 154 | @Test | |
| 155 | @Tag("security") | |
| 156 | @Tag("access-control") | |
| 157 | @DisplayName("SECURITY: access control - deny non-owner account access") | |
| 158 | ||
| 159 | Category tags provide additional classification. | |
| 160 | ||
| 161 | ||
| 162 | Allowed Category Tags | |
| 163 | --------------------- | |
| 164 | ||
| 165 | Only the following category tags may be used. | |
| 166 | ||
| 167 | Use lowercase and hyphenated names exactly as defined. | |
| 168 | ||
| 169 | ||
| 170 | 1. auth | |
| 171 | ------- | |
| 172 | ||
| 173 | Authentication and identity validation. | |
| 174 | ||
| 175 | Use when the test validates: | |
| 176 | ||
| 177 | - login or credential verification | |
| 178 | - authentication workflows | |
| 179 | - MFA enforcement | |
| 180 | - token validation | |
| 181 | - session binding | |
| 182 | - subject or identity claims | |
| 183 | ||
| 184 | Typical signals: | |
| 185 | ||
| 186 | - login handlers | |
| 187 | - token parsing | |
| 188 | - identity providers | |
| 189 | - credential verification | |
| 190 | ||
| 191 | ||
| 192 | 2. access-control | |
| 193 | ----------------- | |
| 194 | ||
| 195 | Authorization and permission enforcement. | |
| 196 | ||
| 197 | Use when the test validates: | |
| 198 | ||
| 199 | - role-based or attribute-based access control | |
| 200 | - ACL evaluation | |
| 201 | - policy decision logic | |
| 202 | - object ownership checks | |
| 203 | - deny-by-default behavior | |
| 204 | ||
| 205 | Typical signals: | |
| 206 | ||
| 207 | - permission checks | |
| 208 | - policy evaluation | |
| 209 | - role validation | |
| 210 | - ownership checks | |
| 211 | ||
| 212 | ||
| 213 | 3. crypto | |
| 214 | --------- | |
| 215 | ||
| 216 | Cryptographic correctness or misuse resistance. | |
| 217 | ||
| 218 | Use when the test validates: | |
| 219 | ||
| 220 | - encryption and decryption | |
| 221 | - signature verification | |
| 222 | - key handling | |
| 223 | - nonce or IV requirements | |
| 224 | - secure randomness | |
| 225 | - hashing or key derivation | |
| 226 | ||
| 227 | Typical signals: | |
| 228 | ||
| 229 | - cryptographic libraries | |
| 230 | - key material | |
| 231 | - ciphersuites | |
| 232 | - signature APIs | |
| 233 | ||
| 234 | ||
| 235 | 4. input-validation | |
| 236 | ------------------- | |
| 237 | ||
| 238 | Validation or normalization of untrusted inputs. | |
| 239 | ||
| 240 | Use when the test validates: | |
| 241 | ||
| 242 | - schema validation | |
| 243 | - format validation | |
| 244 | - canonicalization rules | |
| 245 | - path normalization | |
| 246 | - rejection of malformed inputs | |
| 247 | ||
| 248 | Typical signals: | |
| 249 | ||
| 250 | - parsing logic | |
| 251 | - validation layers | |
| 252 | - normalization routines | |
| 253 | ||
| 254 | ||
| 255 | 5. injection | |
| 256 | ------------ | |
| 257 | ||
| 258 | Prevention of injection vulnerabilities. | |
| 259 | ||
| 260 | Use when the test validates protection against: | |
| 261 | ||
| 262 | - SQL injection | |
| 263 | - NoSQL injection | |
| 264 | - command injection | |
| 265 | - template injection | |
| 266 | - XPath/LDAP injection | |
| 267 | - deserialization attacks | |
| 268 | ||
| 269 | Typical signals: | |
| 270 | ||
| 271 | - query construction | |
| 272 | - escaping | |
| 273 | - parameterization | |
| 274 | - command execution | |
| 275 | ||
| 276 | ||
| 277 | 6. data-protection | |
| 278 | ------------------ | |
| 279 | ||
| 280 | Protection of sensitive or regulated data. | |
| 281 | ||
| 282 | Use when the test validates: | |
| 283 | ||
| 284 | - encryption of stored data | |
| 285 | - encryption in transit at unit level | |
| 286 | - masking or redaction | |
| 287 | - secret handling | |
| 288 | - secure storage of credentials | |
| 289 | ||
| 290 | Typical signals: | |
| 291 | ||
| 292 | - PII handling | |
| 293 | - encryption enforcement | |
| 294 | - secrets management | |
| 295 | ||
| 296 | ||
| 297 | 7. logging | |
| 298 | ---------- | |
| 299 | ||
| 300 | Security event logging and auditability. | |
| 301 | ||
| 302 | Use when the test validates: | |
| 303 | ||
| 304 | - absence of secrets in logs | |
| 305 | - presence of required audit events | |
| 306 | - correct security event messages | |
| 307 | - traceability identifiers | |
| 308 | ||
| 309 | Typical signals: | |
| 310 | ||
| 311 | - log assertions | |
| 312 | - audit event emission | |
| 313 | ||
| 314 | ||
| 315 | 8. error-handling | |
| 316 | ----------------- | |
| 317 | ||
| 318 | Security-safe error behavior. | |
| 319 | ||
| 320 | Use when the test validates: | |
| 321 | ||
| 322 | - absence of information leakage | |
| 323 | - sanitized error messages | |
| 324 | - safe fallback behavior | |
| 325 | - secure default behavior on failure | |
| 326 | ||
| 327 | Typical signals: | |
| 328 | ||
| 329 | - negative path tests | |
| 330 | - exception handling checks | |
| 331 | ||
| 332 | ||
| 333 | 9. owasp | |
| 334 | -------- | |
| 335 | ||
| 336 | Optional mapping tag linking the test to a widely recognized OWASP risk category. | |
| 337 | ||
| 338 | Use when the test explicitly addresses a vulnerability class defined by the | |
| 339 | OWASP Top 10 or related OWASP guidance. | |
| 340 | ||
| 341 | Examples include tests targeting: | |
| 342 | ||
| 343 | - injection vulnerabilities | |
| 344 | - broken authentication | |
| 345 | - broken access control | |
| 346 | - sensitive data exposure | |
| 347 | - security misconfiguration | |
| 348 | - insecure deserialization | |
| 349 | - cross-site scripting | |
| 350 | ||
| 351 | Important: | |
| 352 | ||
| 353 | The `owasp` tag should only be used when the test clearly maps to a well-known | |
| 354 | OWASP vulnerability category. | |
| 355 | ||
| 356 | When possible, the `owasp` tag should be combined with a more precise category | |
| 357 | from this taxonomy (for example `injection` or `access-control`). | |
| 358 | ||
| 359 | ||
| 360 | Tagging Rules | |
| 361 | ------------- | |
| 362 | ||
| 363 | Mandatory rules: | |
| 364 | ||
| 365 | - Every security-relevant test MUST include the tag: | |
| 366 | ||
| 367 | security | |
| 368 | ||
| 369 | - Security tests SHOULD include 1 to 3 category tags. | |
| 370 | ||
| 371 | - Category tags MUST be selected only from the allowed taxonomy. | |
| 372 | ||
| 373 | - Do NOT invent new tags. | |
| 374 | ||
| 375 | ||
| 376 | Class-Level vs Method-Level Tags | |
| 377 | -------------------------------- | |
| 378 | ||
| 379 | Class-level tags may be used when: | |
| 380 | ||
| 381 | - all tests in the class validate the same security concern. | |
| 382 | ||
| 383 | Method-level tags should be used when: | |
| 384 | ||
| 385 | - only some tests are security-relevant | |
| 386 | - tests cover different security categories | |
| 387 | ||
| 388 | ||
| 389 | Display Name Convention | |
| 390 | ----------------------- | |
| 391 | ||
| 392 | Security test names should follow this format: | |
| 393 | ||
| 394 | SECURITY: <security property> - <test scenario> | |
| 395 | ||
| 396 | Examples: | |
| 397 | ||
| 398 | SECURITY: access control - deny non-owner account access | |
| 399 | SECURITY: crypto - reject reused nonce in AEAD | |
| 400 | SECURITY: input validation - reject path traversal sequences | |
| 401 | ||
| 402 | ||
| 403 | AI Classification Guidance | |
| 404 | -------------------------- | |
| 405 | ||
| 406 | When classifying tests: | |
| 407 | ||
| 408 | 1. Identify the security property validated. | |
| 409 | 2. Determine whether the test enforces or validates a security control. | |
| 410 | 3. Assign the umbrella tag `security` when applicable. | |
| 411 | 4. Select 1–3 category tags that best describe the security concern. | |
| 412 | 5. Prefer specific categories over broad ones. | |
| 413 | 6. Avoid assigning tags when the security intent is unclear. | |
| 414 | """; | |
| 415 | } | |
| 416 | } | |
Mutations | ||
| 84 |
1.1 |