
nightshift: test-gap -- Testing Coverage Analysis for Jarspect #20

@nightshift-micr

Nightshift: test-gap — Testing Coverage Analysis for Jarspect

Task: test-gap | Category: analysis | Repo: Microck/jarspect
Analyzed: 28 Rust source files, 9230 LOC, 148 lines of integration tests


Summary

Jarspect has 55 inline unit tests across its detector and analysis modules, plus 3 integration tests in tests/regression-fixtures.rs. However, several critical modules have zero test coverage, and some tested modules have gaps in edge-case coverage.


Files With NO Tests (7 files)

CRITICAL — Core pipeline modules

| File | LOC | Risk | Description |
| --- | --- | --- | --- |
| src/malwarebazaar.rs | 140 | High | Layer 1 threat intel lookup. Contains JSON parsing logic (value_string, value_string_array, value_yara_rules) that could silently fail on malformed API responses. No tests for hash_not_found, malformed data, empty arrays, missing fields. |
| src/lib.rs | 486 | High | Contains AppState, ScanRequest, run_scan (the full pipeline orchestrator), load_signatures, load_yara_rules, and static_override logic. The static_override function is a security-critical guard that overrides AI verdicts -- untested. |
| src/main.rs | 320 | Medium | HTTP server (Axum routes, upload/scan/health handlers). No handler-level tests. The upload handler has file size validation, extension checks, and storage logic that should be integration-tested. |
| src/analysis/classfile_evidence.rs | 254 | High | Constant-pool parsing and invoke resolution -- the core of bytecode evidence extraction. Tests exist in evidence.rs and byte_array_strings.rs for downstream consumers, but the classfile parsing itself is untested. Edge cases: malformed class files, truncated constant pools, invalid invoke indices. |
| src/analysis/mod.rs | 12 | Low | Module re-exports only. No logic to test. |
| src/bin/build-regression-fixtures.rs | 91 | Low | Build utility, not runtime code. |
| src/verdict.rs (partial) | 1060 | Medium | Has 3 tests, but this is the largest file (1060 LOC) containing the AI verdict prompt, response parsing, and verdict adjudication logic. The prompt construction and response deserialization are undertested for edge cases. |

Modules With Gaps in Existing Tests

src/scan.rs (8 tests)

  • Missing: Test for archive depth limit enforcement, budget gate behavior when inflation exceeds cap, handling of corrupt zip entries that panic during inflation, concurrent scan isolation (two scans running simultaneously should not share temp files).

src/malwarebazaar.rs (0 tests)

  • Missing tests for:
    • check_hash with empty api_key returns None
    • check_hash with hash_not_found response returns None
    • check_hash with non-ok query_status returns None
    • MalwareBazaarResult deserialization from real API response JSON
    • value_yara_rules with both rule_name and yara_rule_name fields
    • value_string_array with empty/mixed types in array

src/verdict.rs (3 tests, 1060 LOC)

  • Missing: Test for malformed AI response (invalid JSON), test for static_override escalation paths (each override signal individually), test for verdict method field correctness across all paths.

src/profile.rs (2 tests)

  • Missing: Test for profile with all capabilities present, test for empty profile, test for indicator deduplication, test for suspicious manifest flag aggregation.

src/analysis/evidence.rs (4 tests)

  • Missing: Test for EvidenceIndex with zero entries, test for class-scoped correlation gate escalation logic, test for indicator severity thresholds.

Coverage Metrics Estimate

| Category | Files | Tested Files | Estimated Line Coverage |
| --- | --- | --- | --- |
| Detectors (src/detectors/) | 14 | 14 | ~70% (good per-detector coverage, missing edge cases) |
| Analysis (src/analysis/) | 5 | 4 | ~40% (classfile_evidence.rs untested) |
| Pipeline (src/scan.rs, src/lib.rs) | 2 | 1 | ~30% (run_scan orchestrator untested) |
| Verdict (src/verdict.rs) | 1 | 1 | ~20% (large file, few tests) |
| Transport (src/main.rs) | 1 | 0 | 0% |
| Threat Intel (src/malwarebazaar.rs) | 1 | 0 | 0% |
| Profile (src/profile.rs) | 1 | 1 | ~50% |
| Integration (tests/) | 1 | 1 | N/A (3 regression tests) |

Overall estimated coverage: ~35-40%


Recommendations (Priority Order)

1. Add unit tests for malwarebazaar.rs (CRITICAL)

This is Layer 1 of the 3-layer pipeline and has zero tests. The JSON parsing helpers could fail silently on API changes. Add tests for: empty key, hash_not_found, malformed response, successful lookup, yara_rules parsing.

2. Add tests for static_override logic in lib.rs (CRITICAL)

The static_override function is the security guardrail that prevents the AI from downgrading known malware. It must be tested for every trigger signal: prod YARA hits, DETC-03.BASE64_STAGER, DETC-02.DISCORD_WEBHOOK, NET-DISCORD-WEBHOOK.
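As an added illustration (not Jarspect's code; the real static_override signature, AppState and verdict types are not reproduced here), the following Rust sketch models a guard of that shape and shows how each trigger signal from the list above gets its own test. The Verdict enum, the StaticEvidence struct, the `method` label, and the assumption that the indicator ids are matched as exact strings are all assumptions of this example.

```rust
// Added example, not Jarspect's own code: a hypothetical static-override
// guard with the shape this issue describes (static evidence may escalate
// the AI verdict but never let it be downgraded), structured so that every
// trigger signal can be tested on its own.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Benign,
    Suspicious,
    Malicious,
}

/// Assumed shape of the static evidence available before the AI verdict.
#[derive(Debug, Default)]
pub struct StaticEvidence {
    /// Names of production YARA rules that matched.
    pub prod_yara_hits: Vec<String>,
    /// Detector indicator ids such as "DETC-03.BASE64_STAGER".
    pub indicators: Vec<String>,
}

/// Indicator ids the issue lists as override triggers (assumed to be exact ids).
pub const OVERRIDE_INDICATORS: &[&str] = &[
    "DETC-03.BASE64_STAGER",
    "DETC-02.DISCORD_WEBHOOK",
    "NET-DISCORD-WEBHOOK",
];

/// Returns why the AI verdict must be overridden, or None if no trigger fired.
/// Production YARA hits are checked first; any single indicator is enough.
pub fn override_reason(ev: &StaticEvidence) -> Option<String> {
    if let Some(rule) = ev.prod_yara_hits.first() {
        return Some(format!("prod YARA hit: {}", rule));
    }
    ev.indicators
        .iter()
        .find(|id| OVERRIDE_INDICATORS.contains(&id.as_str()))
        .map(|id| format!("indicator: {}", id))
}

/// The guard itself. Returns the final verdict and a `method` label so the
/// caller can record whether the AI or the static rules decided.
pub fn static_override(ai: Verdict, ev: &StaticEvidence) -> (Verdict, &'static str) {
    match override_reason(ev) {
        // A trigger fired and the AI said anything weaker than Malicious:
        // escalate, and mark the result as decided by the static guard.
        Some(_) if ai != Verdict::Malicious => (Verdict::Malicious, "static_override"),
        // Either no trigger fired, or the AI already agreed.
        _ => (ai, "ai"),
    }
}

/// Test helper: evidence containing exactly one indicator and no YARA hits.
pub fn single_indicator(id: &str) -> StaticEvidence {
    StaticEvidence { prod_yara_hits: vec![], indicators: vec![id.to_string()] }
}

fn main() {
    let ev = single_indicator("DETC-02.DISCORD_WEBHOOK");
    let (verdict, method) = static_override(Verdict::Benign, &ev);
    println!("AI said Benign, final verdict {:?} via {}", verdict, method);
}
```

The point of the per-signal loop in the tests is that a regression in one trigger (a renamed indicator id, a dropped match arm) fails on its own named case rather than being masked by the others; the "AI already said Malicious" case pins down the method label so the verdict's `method` field stays honest.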

3. Add tests for classfile_evidence.rs parsing (HIGH)

The constant-pool parser is the foundation of all bytecode analysis. Test with: valid class files, truncated inputs, invalid magic bytes, edge-case constant pool sizes.
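The following Rust block is an added example, not the project's classfile_evidence.rs: a bounds-checked reader for the first part of a Java class file (magic, version, constant pool) and a Methodref resolver, written so that exactly the edge cases named above (truncated input, invalid magic bytes, corrupt constant-pool counts, dangling invoke indices) surface as errors instead of panics. The CpEntry and ParseError types and the sample_class_prefix fixture are constructed for this example; the only real-format facts used are the 0xCAFEBABE magic and the standard constant-pool tag sizes.

```rust
// Added example, not Jarspect's classfile_evidence.rs: a bounds-checked reader
// for a class file's magic, version and constant pool plus a Methodref resolver,
// so truncation, bad magic and invalid invoke indices are errors, not panics.
#[derive(Debug, PartialEq, Eq)]
pub enum CpEntry {
    Utf8(String),
    Class { name_index: u16 },
    Methodref { class_index: u16, name_and_type_index: u16 },
    NameAndType { name_index: u16, descriptor_index: u16 },
    Other(u8), // tags this example does not model; payload is still consumed
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    BadMagic(u32),
    Truncated { at: usize, need: usize },
    UnknownTag(u8),
    BadIndex(u16), // zero, out of range, or an entry of the wrong kind
}

struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Result<&'a [u8], ParseError> {
        // checked_add: a huge length read from the file must not wrap `pos + n`.
        let end = self.pos.checked_add(n).filter(|&e| e <= self.buf.len())
            .ok_or(ParseError::Truncated { at: self.pos, need: n })?;
        let s = &self.buf[self.pos..end];
        self.pos = end;
        Ok(s)
    }
    fn u8(&mut self) -> Result<u8, ParseError> { Ok(self.take(1)?[0]) }
    fn u16(&mut self) -> Result<u16, ParseError> { let b = self.take(2)?; Ok(u16::from_be_bytes([b[0], b[1]])) }
    fn u32(&mut self) -> Result<u32, ParseError> { let b = self.take(4)?; Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]])) }
}

/// Parses header and constant pool. The Vec is 1-indexed like the JVM spec
/// (slot 0 is a placeholder) so indices stored in entries can be used as-is.
pub fn parse_constant_pool(data: &[u8]) -> Result<Vec<CpEntry>, ParseError> {
    let mut r = Reader { buf: data, pos: 0 };
    let magic = r.u32()?;
    if magic != 0xCAFE_BABE { return Err(ParseError::BadMagic(magic)); }
    r.take(4)?; // minor_version, major_version
    let count = r.u16()? as usize;
    // `count` is attacker-controlled: grow the Vec as entries actually parse, never pre-allocate on it.
    let mut pool = vec![CpEntry::Other(0)];
    while pool.len() < count {
        let tag = r.u8()?;
        let entry = match tag {
            1 => { let len = r.u16()? as usize; CpEntry::Utf8(String::from_utf8_lossy(r.take(len)?).into_owned()) }
            7 => CpEntry::Class { name_index: r.u16()? },
            10 => CpEntry::Methodref { class_index: r.u16()?, name_and_type_index: r.u16()? },
            12 => CpEntry::NameAndType { name_index: r.u16()?, descriptor_index: r.u16()? },
            3 | 4 | 9 | 11 | 17 | 18 => { r.take(4)?; CpEntry::Other(tag) }
            8 | 16 | 19 | 20 => { r.take(2)?; CpEntry::Other(tag) }
            15 => { r.take(3)?; CpEntry::Other(tag) }
            5 | 6 => { r.take(8)?; pool.push(CpEntry::Other(tag)); CpEntry::Other(tag) } // long/double use two slots
            t => return Err(ParseError::UnknownTag(t)),
        };
        pool.push(entry);
    }
    Ok(pool)
}

// Slot 0 is never a valid reference; anything past the end is dangling.
fn get(pool: &[CpEntry], index: u16) -> Result<&CpEntry, ParseError> {
    pool.get(index as usize).filter(|_| index != 0).ok_or(ParseError::BadIndex(index))
}

fn utf8(pool: &[CpEntry], index: u16) -> Result<String, ParseError> {
    match get(pool, index)? { CpEntry::Utf8(s) => Ok(s.clone()), _ => Err(ParseError::BadIndex(index)) }
}

/// Resolves a Methodref to (owner class, method name); every hop is checked.
pub fn resolve_methodref(pool: &[CpEntry], index: u16) -> Result<(String, String), ParseError> {
    let (class_index, nat_index) = match get(pool, index)? {
        CpEntry::Methodref { class_index, name_and_type_index } => (*class_index, *name_and_type_index),
        _ => return Err(ParseError::BadIndex(index)),
    };
    let owner = match get(pool, class_index)? {
        CpEntry::Class { name_index } => utf8(pool, *name_index)?,
        _ => return Err(ParseError::BadIndex(class_index)),
    };
    let name = match get(pool, nat_index)? {
        CpEntry::NameAndType { name_index, .. } => utf8(pool, *name_index)?,
        _ => return Err(ParseError::BadIndex(nat_index)),
    };
    Ok((owner, name))
}

/// Constructed sample (not a real fixture): a class-file prefix whose pool holds one Methodref to java/lang/Runtime.exec.
pub fn sample_class_prefix() -> Vec<u8> {
    let mut v = vec![0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 0x34, 0, 7]; // magic, version 0.52, count 7
    v.extend_from_slice(&[7, 0, 2]);                                             // #1 Class -> #2
    v.extend_from_slice(&[1, 0, 17]); v.extend_from_slice(b"java/lang/Runtime"); // #2 Utf8
    v.extend_from_slice(&[12, 0, 4, 0, 5]);                                      // #3 NameAndType -> #4, #5
    v.extend_from_slice(&[1, 0, 4]); v.extend_from_slice(b"exec");               // #4 Utf8
    v.extend_from_slice(&[1, 0, 3]); v.extend_from_slice(b"()V");                // #5 Utf8
    v.extend_from_slice(&[10, 0, 1, 0, 3]);                                      // #6 Methodref -> #1, #3
    v
}

fn main() {
    let pool = parse_constant_pool(&sample_class_prefix()).expect("sample parses");
    println!("invoke #6 resolves to {:?}", resolve_methodref(&pool, 6));
}
```

Each test case below corresponds to one of the edge cases listed in this recommendation: the valid sample, the same bytes cut short, a corrupted magic, a constant_pool_count far larger than the data, and invoke indices that are zero, out of range, or point at a non-Methodref entry.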

4. Add integration tests for HTTP handlers (MEDIUM)

Test the upload endpoint (file size limits, extension validation), scan endpoint (invalid upload_id), and health endpoint.

5. Add verdict.rs edge-case tests (MEDIUM)

Test AI response parsing with malformed JSON, missing fields, unexpected verdict values, and confidence boundary conditions.

6. Add concurrent scan isolation test (MEDIUM)

Verify that two simultaneous scan requests use separate temp directories and do not interfere with each other.
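As an added example (not Jarspect's scan.rs), the Rust block below shows one way to structure that test: a per-scan workspace under the system temp directory, named by process id plus an atomic counter and removed on drop, with a driver that runs two scans on separate threads and reports what each one saw in its own directory. ScanWorkspace, write_entry and run_two_isolated_scans are names invented for this example; the entry-name check is an assumption about how extracted archive entries should be handled, not a description of the project's code.

```rust
// Added example, not Jarspect code: a per-scan temp workspace plus a driver
// that runs two scans concurrently so isolation can be asserted in a test.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicU64, Ordering};
use std::thread;

static NEXT_SCAN: AtomicU64 = AtomicU64::new(0);

pub struct ScanWorkspace {
    root: PathBuf,
}

impl ScanWorkspace {
    /// Creates `<base>/jarspect-example-<pid>-<n>`; `n` comes from an atomic
    /// counter so two scans started in the same instant cannot collide.
    pub fn new(base: &Path) -> io::Result<Self> {
        let n = NEXT_SCAN.fetch_add(1, Ordering::SeqCst);
        let root = base.join(format!("jarspect-example-{}-{}", std::process::id(), n));
        fs::create_dir_all(&root)?;
        Ok(Self { root })
    }

    pub fn path(&self) -> &Path {
        &self.root
    }

    /// Writes one extracted archive entry. Entry names come from the archive,
    /// so any name that could leave the workspace is refused.
    pub fn write_entry(&self, name: &str, data: &[u8]) -> io::Result<PathBuf> {
        let escapes = name.is_empty()
            || name.starts_with('/')
            || name.contains('\\')
            || name.split('/').any(|part| part == "..");
        if escapes {
            return Err(io::Error::new(io::ErrorKind::InvalidInput, "entry name leaves workspace"));
        }
        let target = self.root.join(name);
        fs::write(&target, data)?;
        Ok(target)
    }

    /// Sorted file names currently in this workspace.
    pub fn entries(&self) -> io::Result<Vec<String>> {
        let mut names: Vec<String> = fs::read_dir(&self.root)?
            .map(|e| e.map(|e| e.file_name().to_string_lossy().into_owned()))
            .collect::<io::Result<_>>()?;
        names.sort();
        Ok(names)
    }
}

impl Drop for ScanWorkspace {
    fn drop(&mut self) {
        // Best-effort cleanup; a failure here must not panic inside a scan.
        let _ = fs::remove_dir_all(&self.root);
    }
}

/// Runs two scans concurrently, each writing one constructed entry, and returns
/// what each saw in its own workspace together with the two workspace paths.
pub fn run_two_isolated_scans(base: &Path) -> io::Result<(Vec<String>, Vec<String>, PathBuf, PathBuf)> {
    let scan = |entry: &'static str| {
        let base = base.to_path_buf();
        thread::spawn(move || -> io::Result<(Vec<String>, PathBuf)> {
            let ws = ScanWorkspace::new(&base)?;
            ws.write_entry(entry, b"constructed sample bytes")?;
            Ok((ws.entries()?, ws.path().to_path_buf()))
        })
    };
    let (h1, h2) = (scan("entry-a.class"), scan("entry-b.class"));
    let (seen1, path1) = h1.join().expect("scan thread panicked")?;
    let (seen2, path2) = h2.join().expect("scan thread panicked")?;
    Ok((seen1, seen2, path1, path2))
}

fn main() -> io::Result<()> {
    let (a, b, pa, pb) = run_two_isolated_scans(&std::env::temp_dir())?;
    println!("scan 1 at {} saw {:?}; scan 2 at {} saw {:?}", pa.display(), a, pb.display(), b);
    Ok(())
}
```

The isolation assertion is that each scan lists only the entry it wrote and that the two paths differ; checking that both directories are gone afterwards covers the cleanup-on-drop path that a panicking inflation step would otherwise leave behind.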


Quick Win: Test File for malwarebazaar.rs

A test module could be added to malwarebazaar.rs with:

  • test_value_string_empty_key returns None
  • test_value_string_array_mixed_types filters non-strings
  • test_value_yara_rules_extracts_rule_name
  • test_check_hash_empty_key_returns_none (unit, no network)
  • test_check_hash_parses_successful_response (mock HTTP)

These tests require no external dependencies and can use inline JSON fixtures.
