nginx:chore - Adding improvements on nginx rules (#1041)

In this commit I changed to add Safe and Unsafe code
in all rules of the nginx. Reference from issue #630 and #1020.

Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>

internal/services/engines/nginx/rules.go

@@ -27,11 +27,13 @@ import (
 func NewIncludeXFrameOptionsHeader() *text.Rule {
 	return &text.Rule{
 		Metadata: engine.Metadata{
-			ID:          "HS-NGINX-1",
-			Name:        "Improper Restriction of Rendered UI Layers or Frames",
-			Description: "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
-			Severity:    severities.Medium.ToString(),
-			Confidence:  confidence.Medium.ToString(),
+			ID:            "HS-NGINX-1",
+			Name:          "Improper Restriction of Rendered UI Layers or Frames",
+			Description:   "Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.",
+			Severity:      severities.Medium.ToString(),
+			Confidence:    confidence.Medium.ToString(),
+			SafeExample:   SampleSafeHSNGINX1,
+			UnsafeExample: SampleVulnerableHSNGINX1,
 		},
 		Type: text.NotMatch,
 		Expressions: []*regexp.Regexp{
@@ -43,11 +45,13 @@ func NewIncludeXFrameOptionsHeader() *text.Rule {
 func NewIncludeXContentTypeOptionsHeader() *text.Rule {
 	return &text.Rule{
 		Metadata: engine.Metadata{
-			ID:          "HS-NGINX-2",
-			Name:        "Missing X-Content-Type-Options header",
-			Description: "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
-			Severity:    severities.Medium.ToString(),
-			Confidence:  confidence.Medium.ToString(),
+			ID:            "HS-NGINX-2",
+			Name:          "Missing X-Content-Type-Options header",
+			Description:   "Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options",
+			Severity:      severities.Medium.ToString(),
+			Confidence:    confidence.Medium.ToString(),
+			SafeExample:   SampleSafeHSNGINX2,
+			UnsafeExample: SampleVulnerableHSNGINX2,
 		},
 		Type: text.NotMatch,
 		Expressions: []*regexp.Regexp{
@@ -59,11 +63,13 @@ func NewIncludeXContentTypeOptionsHeader() *text.Rule {
 func NewIncludeContentSecurityPolicyHeader() *text.Rule {
 	return &text.Rule{
 		Metadata: engine.Metadata{
-			ID:          "HS-NGINX-3",
-			Name:        "Missing Content-Security-Policy header",
-			Description: "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
-			Severity:    severities.Medium.ToString(),
-			Confidence:  confidence.Medium.ToString(),
+			ID:            "HS-NGINX-3",
+			Name:          "Missing Content-Security-Policy header",
+			Description:   "A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy",
+			Severity:      severities.Medium.ToString(),
+			Confidence:    confidence.Medium.ToString(),
+			SafeExample:   SampleSafeHSNGINX3,
+			UnsafeExample: SampleVulnerableHSNGINX3,
 		},
 		Type: text.NotMatch,
 		Expressions: []*regexp.Regexp{
@@ -75,11 +81,13 @@ func NewIncludeContentSecurityPolicyHeader() *text.Rule {
 func NewIncludeServerTokensOff() *text.Rule {
 	return &text.Rule{
 		Metadata: engine.Metadata{
-			ID:          "HS-NGINX-4",
-			Name:        "Exposure of Sensitive Information",
-			Description: "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
-			Severity:    severities.Medium.ToString(),
-			Confidence:  confidence.Medium.ToString(),
+			ID:            "HS-NGINX-4",
+			Name:          "Exposure of Sensitive Information",
+			Description:   "Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.",
+			Severity:      severities.Medium.ToString(),
+			Confidence:    confidence.Medium.ToString(),
+			SafeExample:   SampleSafeHSNGINX4,
+			UnsafeExample: SampleVulnerableHSNGINX4,
 		},
 		Type: text.NotMatch,
 		Expressions: []*regexp.Regexp{

internal/services/engines/nginx/rules_test.go

@@ -15,7 +15,6 @@
 package nginx
 
 import (
-	"fmt"
 	"path/filepath"
 	"testing"
 
@@ -31,12 +30,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 			Name:     "HS-NGINX-1",
 			Rule:     NewIncludeXFrameOptionsHeader(),
 			Src:      SampleVulnerableHSNGINX1,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 			Findings: []engine.Finding{
 				{
 					CodeSample: "",
 					SourceLocation: engine.Location{
-						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+						Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 						Line:     0,
 						Column:   0,
 					},
@@ -47,12 +46,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 			Name:     "HS-NGINX-2",
 			Rule:     NewIncludeXContentTypeOptionsHeader(),
 			Src:      SampleVulnerableHSNGINX2,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 			Findings: []engine.Finding{
 				{
 					CodeSample: "",
 					SourceLocation: engine.Location{
-						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+						Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 						Line:     0,
 						Column:   0,
 					},
@@ -63,12 +62,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 			Name:     "HS-NGINX-3",
 			Rule:     NewIncludeContentSecurityPolicyHeader(),
 			Src:      SampleVulnerableHSNGINX3,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 			Findings: []engine.Finding{
 				{
 					CodeSample: "",
 					SourceLocation: engine.Location{
-						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+						Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 						Line:     0,
 						Column:   0,
 					},
@@ -79,12 +78,12 @@ func TestRulesVulnerableCode(t *testing.T) {
 			Name:     "HS-NGINX-4",
 			Rule:     NewIncludeServerTokensOff(),
 			Src:      SampleVulnerableHSNGINX4,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 			Findings: []engine.Finding{
 				{
 					CodeSample: "",
 					SourceLocation: engine.Location{
-						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+						Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 						Line:     0,
 						Column:   0,
 					},
@@ -103,25 +102,25 @@ func TestRulesSafeCode(t *testing.T) {
 			Name:     "HS-NGINX-1",
 			Rule:     NewIncludeXFrameOptionsHeader(),
 			Src:      SampleSafeHSNGINX1,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-1", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-1.test"),
 		},
 		{
 			Name:     "HS-NGINX-2",
 			Rule:     NewIncludeXContentTypeOptionsHeader(),
 			Src:      SampleSafeHSNGINX2,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-2", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-2.test"),
 		},
 		{
 			Name:     "HS-NGINX-3",
 			Rule:     NewIncludeContentSecurityPolicyHeader(),
 			Src:      SampleSafeHSNGINX3,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-3", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-3.test"),
 		},
 		{
 			Name:     "HS-NGINX-4",
 			Rule:     NewIncludeServerTokensOff(),
 			Src:      SampleSafeHSNGINX4,
-			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-NGINX-4", ".test")),
+			Filename: filepath.Join(tempDir, "HS-NGINX-4.test"),
 		},
 	}