pub/compliance-scan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f60de7c2dafe9e8d46c831847e369f828a9b75dd
compliance-scan/tests/scanner/test_ssh_output_parsing.py
Heiko f60de7c2da Add SSH scan support with BSI TR-02102-4 compliance 
- SSH scanning via ssh-audit (KEX, encryption, MAC, host keys)
- BSI TR-02102-4 and IANA compliance validation for SSH
- CSV/Markdown/reST reports for SSH results
- Unified compliance schema and database views
- Code optimization: modular query/writer architecture
2026-01-23 11:05:01 +01:00

99 lines
3.6 KiB
Python
Raw Blame History

"""Tests for SSH output parsing functionality."""
from src.sslysze_scan.ssh_scanner import extract_ssh_scan_results_from_output
def test_extract_ssh_scan_results_from_output():
"""Test extraction of SSH scan results from ssh-audit output."""
# Sample output from ssh-audit that includes actual algorithm listings
# Without ANSI color codes since we disable them in the configuration
sample_output = """(gen) banner: SSH-2.0-OpenSSH_8.9
(gen) software: OpenSSH 8.9
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(kex) curve25519-sha256
(kex) curve25519-sha256@libssh.org
(kex) diffie-hellman-group1-sha1
(kex) diffie-hellman-group14-sha256
(key) rsa-sha2-512 (3072-bit)
(key) rsa-sha2-256 (3072-bit)
(key) ssh-rsa (3072-bit)
(key) ssh-ed25519
(enc) chacha20-poly1305@openssh.com
(enc) aes128-gcm@openssh.com
(enc) aes256-gcm@openssh.com
(enc) aes128-ctr
(enc) aes192-ctr
(enc) aes256-ctr
(mac) umac-64-etm@openssh.com
(mac) hmac-sha2-256-etm@openssh.com
(mac) hmac-sha2-512-etm@openssh.com
(mac) hmac-sha1-etm@openssh.com
"""
# Call the function
result = extract_ssh_scan_results_from_output(sample_output)
# Assertions
assert result["ssh_version"] == "SSH-2.0-OpenSSH_8.9"
assert "curve25519-sha256" in result["kex_algorithms"]
assert "curve25519-sha256@libssh.org" in result["kex_algorithms"]
assert "diffie-hellman-group1-sha1" in result["kex_algorithms"]
assert "diffie-hellman-group14-sha256" in result["kex_algorithms"]
assert len(result["kex_algorithms"]) >= 4
assert (
"chacha20-poly1305@openssh.com"
in result["encryption_algorithms_client_to_server"]
)
assert "aes128-gcm@openssh.com" in result["encryption_algorithms_client_to_server"]
assert "aes256-gcm@openssh.com" in result["encryption_algorithms_client_to_server"]
assert "aes128-ctr" in result["encryption_algorithms_client_to_server"]
assert "aes192-ctr" in result["encryption_algorithms_client_to_server"]
assert "aes256-ctr" in result["encryption_algorithms_client_to_server"]
assert len(result["encryption_algorithms_client_to_server"]) >= 6
assert "umac-64-etm@openssh.com" in result["mac_algorithms_client_to_server"]
assert "hmac-sha2-256-etm@openssh.com" in result["mac_algorithms_client_to_server"]
assert "hmac-sha2-512-etm@openssh.com" in result["mac_algorithms_client_to_server"]
assert "hmac-sha1-etm@openssh.com" in result["mac_algorithms_client_to_server"]
assert len(result["mac_algorithms_client_to_server"]) >= 4
assert len(result["host_keys"]) >= 4 # Should have at least 4 host keys
assert any("ssh-ed25519" in hk.get("algorithm", "") for hk in result["host_keys"])
assert any("rsa" in hk.get("algorithm", "") for hk in result["host_keys"])
assert result["is_old_ssh_version"] is False # Should not detect SSH-1
def test_extract_ssh_scan_results_ssh1_detection():
"""Test SSH-1 detection in scan results."""
# Sample output with SSH-1
sample_output = """(gen) banner: SSH-1.5-test
(kex) diffie-hellman-group1-sha1
"""
# Call the function
result = extract_ssh_scan_results_from_output(sample_output)
# Assertions
assert result["is_old_ssh_version"] is True
def test_extract_ssh_scan_results_empty():
"""Test extraction with empty results."""
# Empty output
sample_output = ""
# Call the function
result = extract_ssh_scan_results_from_output(sample_output)
# Assertions
assert result["kex_algorithms"] == []
assert result["host_keys"] == []
assert result["is_old_ssh_version"] is False
assert result["raw_output"] == ""
Reference in New Issue View Git Blame Copy Permalink