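class TestViewEndpointMetaData(TestCase):
    """View tests for endpoint custom metadata ("Additional Information").

    ``setUp`` persists one Product and one Endpoint and attaches a single
    custom field to the endpoint; the two tests render the endpoint view
    with and without that field and check the rendered output.
    """

    def setUp(self):
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        self.p = Product()
        self.p.name = 'Test Product'
        self.p.description = 'Product for Testing Endpoint functionality'
        self.p.save()

        self.e = Endpoint()
        self.e.product = self.p
        self.e.host = '127.0.0.1'
        self.e.save()

        self.util = EndpointMetaDataTestUtil()
        self.util.save_custom_field(self.e, 'TestField', 'TestValue')

    def _render_endpoint_view(self):
        """Render the endpoint view for the endpoint created in setUp.

        Builds a GET request through the test util (``create_user(True)`` is
        passed through unchanged) and returns whatever ``views.view_endpoint``
        returns.
        """
        # Use the real primary key instead of a hard-coded 1: the id depends
        # on the database sequence and breaks as soon as another endpoint
        # exists in the same database.
        get_request = self.util.create_get_request(
            self.util.create_user(True), 'endpoint/{}'.format(self.e.id))
        return views.view_endpoint(get_request, self.e.id)

    def test_view_endpoint_without_metadata_has_no_additional_info(self):
        # Remove the only custom field so the section has nothing to show.
        self.util.delete_custom_field(self.e, 'TestField')

        v = self._render_endpoint_view()

        self.assertNotContains(v, 'Additional Information')

    def test_view_endpoint_with_metadata_has_additional_info(self):
        v = self._render_endpoint_view()

        self.assertContains(v, "Additional Information")
        self.assertContains(v, 'TestField')
        self.assertContains(v, 'TestValue')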
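    def setup(self, testfile):
        """Persist a minimal Product_Type/Test_Type/Product/Engagement chain and
        run the AWS Scout2 parser over *testfile*.

        Args:
            testfile: an open file object. It is always closed before this
                method returns, even when parsing raises.

        Returns:
            Whatever ``AWSScout2Parser.get_findings`` returns for the file.
        """
        try:
            product_type = Product_Type(critical_product=True, key_product=False)
            product_type.save()

            test_type = Test_Type(static_tool=True, dynamic_tool=False)
            test_type.save()

            product = Product(prod_type=product_type)
            product.save()

            engagement = Engagement(
                product=product, target_start=timezone.now(), target_end=timezone.now()
            )
            engagement.save()

            # The Test itself is never saved; the parser only needs it as a
            # container for the engagement and test type.
            test = Test(
                engagement=engagement,
                test_type=test_type,
                target_start=timezone.now(),
                target_end=timezone.now(),
            )
            return AWSScout2Parser().get_findings(testfile, test)
        finally:
            # Previously the handle was closed only on the success path and
            # leaked whenever parsing raised.
            testfile.close()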
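class TestViewEndpointMetaData(TestCase):
    """View tests for endpoint custom metadata ("Additional Information").

    ``setUp`` persists one Product and one Endpoint and attaches a single
    custom field to the endpoint; the two tests render the endpoint view
    with and without that field and check the rendered output.
    """

    def setUp(self):
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        self.p = Product()
        self.p.name = 'Test Product'
        self.p.description = 'Product for Testing Endpoint functionality'
        self.p.save()

        self.e = Endpoint()
        self.e.product = self.p
        self.e.host = '127.0.0.1'
        self.e.save()

        self.util = EndpointMetaDataTestUtil()
        self.util.save_custom_field(self.e, 'TestField', 'TestValue')

    def _render_endpoint_view(self):
        """Render the endpoint view for the endpoint created in setUp.

        Builds a GET request through the test util (``create_user(True)`` is
        passed through unchanged) and returns whatever ``views.view_endpoint``
        returns.
        """
        # Use the real primary key instead of a hard-coded 1: the id depends
        # on the database sequence and breaks as soon as another endpoint
        # exists in the same database.
        get_request = self.util.create_get_request(
            self.util.create_user(True), 'endpoint/{}'.format(self.e.id))
        return views.view_endpoint(get_request, self.e.id)

    def test_view_endpoint_without_metadata_has_no_additional_info(self):
        # Remove the only custom field so the section has nothing to show.
        self.util.delete_custom_field(self.e, 'TestField')

        v = self._render_endpoint_view()

        self.assertNotContains(v, 'Additional Information')

    def test_view_endpoint_with_metadata_has_additional_info(self):
        v = self._render_endpoint_view()

        self.assertContains(v, "Additional Information")
        self.assertContains(v, 'TestField')
        self.assertContains(v, 'TestValue')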
    def setup(self, testfile):
        """Build the saved parents plus an unsaved Test that the ScoutSuite
        parser needs, and return the findings it produces for *testfile*.

        *testfile* is wrapped in MockFileObject and is not closed here; the
        caller keeps ownership of the handle.
        """
        wrapped = MockFileObject(testfile)

        prod_type = Product_Type(critical_product=True, key_product=False)
        prod_type.save()
        ttype = Test_Type(static_tool=True, dynamic_tool=False)
        ttype.save()
        prod = Product(prod_type=prod_type)
        prod.save()
        eng = Engagement(
            product=prod, target_start=timezone.now(), target_end=timezone.now()
        )
        eng.save()

        # Only the parents are persisted; the Test stays in memory.
        unsaved_test = Test(
            engagement=eng,
            test_type=ttype,
            target_start=timezone.now(),
            target_end=timezone.now(),
        )
        return ScoutSuiteParser().get_findings(wrapped, unsaved_test)
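    def setUp(self):
        """Persist one Product and one Endpoint (host 127.0.0.1) for the tests."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        p = Product()
        p.name = 'Test Product'
        p.description = 'Product for Testing Endpoint functionality'
        p.save()

        e = Endpoint()
        e.product = p
        e.host = '127.0.0.1'
        e.save()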
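    def setUp(self):
        """Persist a Product and an Endpoint, then load the system_settings fixture."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        p = Product()
        p.name = 'Test Product'
        p.description = 'Product for Testing Endpoint functionality'
        p.save()

        e = Endpoint()
        e.product = p
        e.host = '127.0.0.1'
        e.save()

        # Fixture is loaded last, after the objects, as before.
        call_command('loaddata', 'dojo/fixtures/system_settings', verbosity=0)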
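 def create_product(self,
                    name,
                    *args,
                    description='dummy description',
                    prod_type=None,
                    **kwargs):
     """Create and save a Product.

     Args:
         name: the product name.
         description: product description; a dummy value by default.
         prod_type: Product_Type to attach. When falsy, the first existing
             Product_Type is used (``None`` if the table is empty, which may
             then fail at save time).
         *args, **kwargs: accepted for call-compatibility and ignored.

     Returns:
         The saved Product, so callers can build Engagements on it.
     """
     if not prod_type:
         prod_type = Product_Type.objects.first()
     product = Product(name=name,
                       description=description,
                       prod_type=prod_type)
     product.save()
     # Returning the instance is what makes this usable as a factory; callers
     # that ignored the previous (None) return value are unaffected.
     return product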
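    def setUp(self):
        """Persist a Product and an Endpoint and give each one custom field."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        p = Product()
        p.name = 'Test Product'
        p.description = 'Product for Testing Endpoint functionality'
        p.save()

        e = Endpoint()
        e.product = p
        e.host = '127.0.0.1'
        e.save()

        # One custom field on the endpoint, one on the product, so tests can
        # tell the two metadata sources apart.
        EndpointMetaDataTestUtil.save_custom_field(e, 'TestField', 'TestValue')
        EndpointMetaDataTestUtil.save_custom_field(p, 'TestProductField', 'TestProductValue')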
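    def setUp(self):
        """Persist a Product and an Endpoint on self and attach one custom field."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        self.p = Product()
        self.p.name = 'Test Product'
        self.p.description = 'Product for Testing Endpoint functionality'
        self.p.save()

        self.e = Endpoint()
        self.e.product = self.p
        self.e.host = '127.0.0.1'
        self.e.save()

        self.util = EndpointMetaDataTestUtil()
        self.util.save_custom_field(self.e, 'TestField', 'TestValue')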
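    def setUp(self):
        """Persist a Product and an Endpoint with one custom field each, then
        load the system_settings fixture."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        p = Product()
        p.name = 'Test Product'
        p.description = 'Product for Testing Endpoint functionality'
        p.save()

        e = Endpoint()
        e.product = p
        e.host = '127.0.0.1'
        e.save()

        EndpointMetaDataTestUtil.save_custom_field(e, 'TestField', 'TestValue')
        EndpointMetaDataTestUtil.save_custom_field(p, 'TestProductField', 'TestProductValue')

        # Fixture is loaded last, after the objects, as before.
        call_command('loaddata', 'dojo/fixtures/system_settings', verbosity=0)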
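 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
     """The many-vuln WebInspect sample yields 8 findings; spot-check finding #1."""
     test = Test()
     test.engagement = Engagement()
     test.engagement.product = Product()
     # ``with`` guarantees the handle is closed even when parsing or an
     # assertion fails; the original never closed it.
     with open(get_unit_tests_path() +
               "/scans/microfocus_webinspect/Webinspect_many_vuln.xml") as testfile:
         parser = MicrofocusWebinspectParser()
         findings = parser.get_findings(testfile, test)
         # Run clean() on every unsaved endpoint before inspecting them.
         for finding in findings:
             for endpoint in finding.unsaved_endpoints:
                 endpoint.clean()
         self.assertEqual(8, len(findings))
         item = findings[1]
         self.assertEqual(525, item.cwe)
         self.assertIsNotNone(item.references)
         self.assertEqual("1cfe38ee-89f7-4110-ad7c-8fca476b2f04",
                          item.unique_id_from_tool)
         self.assertEqual(1, len(item.unsaved_endpoints))
         endpoint = item.unsaved_endpoints[0]
         self.assertEqual("php.vulnweb.com", endpoint.host)
         self.assertEqual(80, endpoint.port)
         # The report path begins with '/', but Endpoint stores a "root-less"
         # path, so a bare '/' ends up as None.
         self.assertIsNone(endpoint.path)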
    def setUpTestData(cls):
        """Build the in-memory object graph shared by the tests of this class.

        Nothing here is saved: every model is instantiated and linked by plain
        attribute assignment, so no database rows exist after this runs. For
        the same user, one Reader and one Owner membership are prepared at
        product-type level and at product level, so tests can pick whichever
        membership they want to exercise.
        """
        # NOTE(review): takes ``cls`` — presumably decorated with @classmethod
        # above this block; the decorator is not visible here.
        cls.user = User()
        cls.product_type = Product_Type()
        cls.product_type_member = Product_Type_Member()
        cls.product = Product()
        cls.product_member = Product_Member()
        cls.product.prod_type = cls.product_type
        cls.engagement = Engagement()
        cls.engagement.product = cls.product
        cls.test = Test()
        cls.test.engagement = cls.engagement
        cls.finding = Finding()
        cls.finding.test = cls.test
        cls.endpoint = Endpoint()
        cls.endpoint.product = cls.product

        # Product-type level memberships: same user, same product type,
        # differing only in role.
        cls.product_type_member_reader = Product_Type_Member()
        cls.product_type_member_reader.user = cls.user
        cls.product_type_member_reader.product_type = cls.product_type
        cls.product_type_member_reader.role = Roles.Reader

        cls.product_type_member_owner = Product_Type_Member()
        cls.product_type_member_owner.user = cls.user
        cls.product_type_member_owner.product_type = cls.product_type
        cls.product_type_member_owner.role = Roles.Owner

        # Product level memberships, same pattern.
        cls.product_member_reader = Product_Member()
        cls.product_member_reader.user = cls.user
        cls.product_member_reader.product = cls.product
        cls.product_member_reader.role = Roles.Reader

        cls.product_member_owner = Product_Member()
        cls.product_member_owner.user = cls.user
        cls.product_member_owner.product = cls.product
        cls.product_member_owner.role = Roles.Owner
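 def test_parse_file(self):
     """The MobSF report1 sample yields 18 findings; spot-check four of them."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("unittests/scans/mobsf/report1.json") as testfile:
         parser = MobSFParser()
         findings = parser.get_findings(testfile, test)
     # assertEquals is a deprecated alias of assertEqual (removed in 3.12).
     self.assertEqual(18, len(findings))
     item = findings[0]
     self.assertEqual('android.permission.WRITE_EXTERNAL_STORAGE',
                      item.title)
     self.assertEqual('High', item.severity)
     item = findings[2]
     self.assertEqual('android.permission.INTERNET', item.title)
     self.assertEqual('Info', item.severity)
     item = findings[10]
     self.assertEqual('Symbols are stripped', item.title)
     self.assertEqual('Info', item.severity)
     self.assertEqual('lib/armeabi-v7a/libdivajni.so', item.file_path)
     self.assertEqual(7, item.nb_occurences)
     item = findings[17]
     self.assertEqual('Loading Native Code (Shared Library)', item.title)
     self.assertEqual('Info', item.severity)
     self.assertEqual(1, item.nb_occurences)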
 def init(self, reportFilename):
     """Open *reportFilename* and build an unsaved Product -> Engagement -> Test
     chain.

     Returns ``(file_handle, product, engagement, test)``. The caller owns the
     returned handle and is responsible for closing it.
     """
     handle = open(reportFilename)
     product = Product()
     engagement = Engagement(product=product)
     test = Test(engagement=engagement)
     return handle, product, engagement, test
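 def test_parse_file_3_1_9_ios(self):
     """Parsing the MobSF 3.1.9 iOS sample must not raise (no further assertions)."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("dojo/unittests/scans/mobsf/ios.json") as testfile:
         MobSFParser(testfile, test)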
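 def test_parse_file_with_one_vuln_has_one_finding(self):
     """The one-vuln Nikto sample yields exactly one item."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open("dojo/unittests/scans/nikto/nikto-report-one-vuln.xml") as testfile:
         parser = NiktoXMLParser(testfile, test)
         self.assertEqual(1, len(parser.items))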
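 def test_parse_file(self):
     """Parsing the MobSF report1 sample must not raise (no further assertions)."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("dojo/unittests/scans/mobsf/report1.json") as testfile:
         parser = MobSFParser()
         parser.get_findings(testfile, test)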
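 def test_parse_file_with_no_vuln_has_no_findings(self):
     """The no-vuln WebInspect sample yields zero findings."""
     test = Test()
     test.engagement = Engagement()
     test.engagement.product = Product()
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open(get_unit_tests_path() +
               "/scans/microfocus_webinspect/Webinspect_no_vuln.xml") as testfile:
         parser = MicrofocusWebinspectParser()
         findings = parser.get_findings(testfile, test)
         self.assertEqual(0, len(findings))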
    def setUp(self):
        """Register a SonarQube tool type plus an API tool configuration, and
        keep an unsaved Test (with unsaved Engagement/Product parents) on self."""
        sonar_type = Tool_Type.objects.create(name='SonarQube')
        Tool_Configuration.objects.create(
            name='SonarQube', tool_type=sonar_type, authentication_type="API")

        # Only the two tool rows hit the database; this chain stays in memory.
        self.test = Test(engagement=Engagement(product=Product(name='product')))
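 def test_parse_file_with_old_format(self):
     """The old-format Nikto sample yields exactly one finding."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open("dojo/unittests/scans/nikto/nikto-report-old-format.xml") as testfile:
         parser = NiktoParser()
         findings = parser.get_findings(testfile, test)
         self.assertEqual(1, len(findings))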
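 def test_parse_file_with_multiple_vuln_has_multiple_findings(self):
     """The many-vuln Nikto sample yields 10 findings."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open("dojo/unittests/scans/nikto/nikto-report-many-vuln.xml") as testfile:
         parser = NiktoParser()
         findings = parser.get_findings(testfile, test)
         # assertEqual instead of assertTrue(len(...) == 10): the failure
         # message then shows the actual count.
         self.assertEqual(10, len(findings))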
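 def test_parse_file_with_no_vuln_has_no_findings(self):
     """The no-vuln WebInspect sample yields zero items."""
     test = Test()
     test.engagement = Engagement()
     test.engagement.product = Product()
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open(
         "dojo/unittests/scans/microfocus_webinspect/Webinspect_no_vuln.xml"
     ) as testfile:
         parser = MicrofocusWebinspectXMLParser(testfile, test)
         self.assertEqual(0, len(parser.items))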
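def new_product(request):
    """Render the "new product" form and create the Product on a valid POST.

    On POST the ProductForm is validated first; when it is valid the product is
    saved, the tags from the request are attached, the optional JIRA and
    SonarQube configuration forms are processed, a notification is raised and
    the user is redirected to the product page. On GET, or when the
    ProductForm is invalid, the page is rendered with the (possibly bound)
    forms.

    Args:
        request: the Django HttpRequest.

    Returns:
        HttpResponseRedirect to ``view_product`` after a successful create,
        otherwise the rendered ``dojo/new_product.html``.
    """
    # Read the setting once so every branch below agrees on whether JIRA is on
    # (the original re-read it in three places).
    jira_enabled = get_system_setting('enable_jira')
    jform = None
    if request.method == 'POST':
        form = ProductForm(request.POST, instance=Product())
        if jira_enabled:
            jform = JIRAPKeyForm(request.POST, instance=JIRA_PKey())

        if form.is_valid():
            product = form.save()
            # Tags are read straight from the POST body, outside the validated
            # form; each one is double-quoted and the list is comma-joined.
            tags = request.POST.getlist('tags')
            product.tags = ", ".join('"{0}"'.format(w) for w in tags)
            messages.add_message(request,
                                 messages.SUCCESS,
                                 'Product added successfully.',
                                 extra_tags='alert-success')
            if jira_enabled:
                _save_jira_pkey(request, jform, product)

            # SonarQube API Configuration
            _save_sonarqube_config(request, product)

            create_notification(event='product_added',
                                title=product.name,
                                url=reverse('view_product',
                                            args=(product.id, )))
            return HttpResponseRedirect(
                reverse('view_product', args=(product.id, )))
    else:
        form = ProductForm()
        if jira_enabled:
            jform = JIRAPKeyForm()

    add_breadcrumb(title="New Product", top_level=False, request=request)
    return render(request, 'dojo/new_product.html', {
        'form': form,
        'jform': jform,
        'sonarqube_form': Sonarqube_ProductForm()
    })


def _save_jira_pkey(request, jform, product):
    """Attach the bound JIRAPKeyForm to *product* when it validates and names a conf.

    An invalid form, or one whose ``conf`` is None, leaves the product without
    JIRA settings and adds no message — the JIRA section is optional.
    """
    if jform.is_valid():
        jira_pkey = jform.save(commit=False)
        if jira_pkey.conf is not None:
            jira_pkey.product = product
            jira_pkey.save()
            messages.add_message(
                request,
                messages.SUCCESS,
                'JIRA information added successfully.',
                extra_tags='alert-success')


def _save_sonarqube_config(request, product):
    """Save a Sonarqube_ProductForm bound to the POST data against *product*.

    A form that does not validate is skipped without a message, as before; the
    SonarQube section is optional and an empty form is the common case.
    """
    sonarqube_form = Sonarqube_ProductForm(request.POST)
    if sonarqube_form.is_valid():
        sonarqube_product = sonarqube_form.save(commit=False)
        sonarqube_product.product = product
        sonarqube_product.save()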
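 def test_parse_file_3_1_9_ios(self):
     """The MobSF 3.1.9 iOS sample yields 11 findings."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("unittests/scans/mobsf/ios.json") as testfile:
         parser = MobSFParser()
         findings = parser.get_findings(testfile, test)
     self.assertEqual(11, len(findings))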
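 def test_parse_file_with_no_vulnerabilities_has_no_findings(self):
     """The Checkmarx no-finding sample yields zero items."""
     product = Product()
     engagement = Engagement()
     test = Test()
     engagement.product = product
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("dojo/unittests/scans/checkmarx/no_finding.xml") as my_file_handle:
         self.parser = CheckmarxXMLParser(my_file_handle, test)
     self.assertEqual(0, len(self.parser.items))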
 def test_validate_more(self):
     """Every item the Burp API parser produces for the many-vulns sample must
     clean() without error and carry a non-None impact."""
     report = 'dojo/unittests/scans/burp_api/many_vulns.json'
     with open(report) as handle:
         # Unsaved in-memory chain: Test -> Engagement -> Product.
         test = Test(engagement=Engagement(product=Product()))
         parser = BurpApiParser(handle, test)
         for item in parser.items:
             item.clean()
             self.assertIsNotNone(item.impact)
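 def test_parse_file_with_utf8_various_non_ascii_char(self):
     """A Checkmarx report containing assorted non-ASCII UTF-8 text parses to one item."""
     product = Product()
     engagement = Engagement()
     test = Test()
     engagement.product = product
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open(
             "dojo/unittests/scans/checkmarx/utf8_various_non_ascii_char.xml") as my_file_handle:
         self.parser = CheckmarxXMLParser(my_file_handle, test)
     self.assertEqual(1, len(self.parser.items))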
 def test_validate(self):
     """Every finding the Burp API parser produces for the Burp Suite Pro
     example must clean() without error and carry a non-None impact."""
     report = "dojo/unittests/scans/burp_suite_pro/example.json"
     with open(report) as handle:
         # Unsaved in-memory chain: Test -> Engagement -> Product.
         test = Test(engagement=Engagement(product=Product()))
         findings = BurpApiParser().get_findings(handle, test)
         for finding in findings:
             finding.clean()
             self.assertIsNotNone(finding.impact)
 def setUp(self):
     """Build two unsaved Tests, each under its own Engagement/Product, both
     pointing at the most recent Sonarqube_Product configuration."""
     sonar_config = Sonarqube_Product.objects.all().last()

     own_product = Product.objects.get(name='product')
     self.test = Test(engagement=Engagement(product=own_product),
                      sonarqube_config=sonar_config)

     # "other product" exists only in memory; it is never saved.
     other_product = Product(name='other product')
     self.other_test = Test(engagement=Engagement(product=other_product),
                            sonarqube_config=sonar_config)
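 def test_parse_file_with_no_vulnerabilities_has_no_findings(self):
     """The SonarQube HTML sample without findings yields zero items."""
     product = Product()
     engagement = Engagement()
     test = Test()
     engagement.product = product
     test.engagement = engagement
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open(
             "dojo/unittests/scans/sonarqube/sonar-no-finding.html") as my_file_handle:
         self.parser = SonarQubeHtmlParser(my_file_handle, test)
     self.assertEqual(0, len(self.parser.items))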
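 def test_appspider_parser_has_one_finding(self):
     """The one-vuln AppSpider sample yields one item, with CWE 525."""
     test = Test()
     test.engagement = Engagement()
     test.engagement.product = Product()
     # ``with`` closes the handle even when the parser raises; the explicit
     # close() in the original was skipped on that path.
     with open("dojo/unittests/scans/appspider/one_vuln.xml") as testfile:
         parser = AppSpiderXMLParser(testfile, test)
     self.assertEqual(1, len(parser.items))
     item = parser.items[0]
     with self.subTest(item=0):
         self.assertEqual(525, item.cwe)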
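 def test_parse_file_with_multiple_vuln_has_multiple_findings(self):
     """The many-vuln Nikto sample yields 10 findings whose endpoints clean()."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open("unittests/scans/nikto/nikto-report-many-vuln.xml") as testfile:
         parser = NiktoParser()
         findings = parser.get_findings(testfile, test)
         # Run clean() on every unsaved endpoint before counting.
         for finding in findings:
             for endpoint in finding.unsaved_endpoints:
                 endpoint.clean()
         # assertEqual instead of assertTrue(len(...) == 10): the failure
         # message then shows the actual count.
         self.assertEqual(10, len(findings))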
 def setUp(self):
     """Build two unsaved Tests, each under its own Engagement/Product, both
     pointing at the most recent Product_API_Scan_Configuration."""
     api_config = Product_API_Scan_Configuration.objects.all().last()

     own_product = Product.objects.get(name='product')
     self.test = Test(engagement=Engagement(product=own_product),
                      api_scan_configuration=api_config)

     # "other product" exists only in memory; it is never saved.
     other_product = Product(name='other product')
     self.other_test = Test(engagement=Engagement(product=other_product),
                            api_scan_configuration=api_config)
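 def test_parse_file_with_one_vuln_has_one_findings(self):
     """The one-vuln WebInspect sample yields one item (CWE 200) with endpoints."""
     test = Test()
     test.engagement = Engagement()
     test.engagement.product = Product()
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open(
         "dojo/unittests/scans/microfocus_webinspect/Webinspect_one_vuln.xml"
     ) as testfile:
         parser = MicrofocusWebinspectXMLParser(testfile, test)
         self.assertEqual(1, len(parser.items))
         item = parser.items[0]
         self.assertEqual(200, item.cwe)
         self.assertLess(0, len(item.unsaved_endpoints))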
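 def test_parse_file_with_one_vuln_has_one_finding(self):
     """The one-vuln Nikto sample yields one finding whose endpoints clean()."""
     test = Test()
     engagement = Engagement()
     engagement.product = Product()
     test.engagement = engagement
     # ``with`` guarantees the handle is closed; the original never closed it.
     with open("dojo/unittests/scans/nikto/nikto-report-one-vuln.xml") as testfile:
         parser = NiktoParser()
         findings = parser.get_findings(testfile, test)
         # Run clean() on every unsaved endpoint before counting.
         for finding in findings:
             for endpoint in finding.unsaved_endpoints:
                 endpoint.clean()
         self.assertEqual(1, len(findings))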
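    def setUp(self):
        """Persist a Product and an Endpoint on self and attach one custom field."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        self.p = Product()
        self.p.name = 'Test Product'
        self.p.description = 'Product for Testing Endpoint functionality'
        self.p.save()

        self.e = Endpoint()
        self.e.product = self.p
        self.e.host = '127.0.0.1'
        self.e.save()

        self.util = EndpointMetaDataTestUtil()
        self.util.save_custom_field(self.e, 'TestField', 'TestValue')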
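    def setUp(self):
        """Persist a Product and an Endpoint on self, load the system_settings
        fixture, then attach one custom field to the endpoint."""
        # ``name``/``description`` are the Product model fields (Product is
        # constructed with those keywords elsewhere in this file); the
        # capitalised attributes set previously are not persisted by save().
        self.p = Product()
        self.p.name = 'Test Product'
        self.p.description = 'Product for Testing Endpoint functionality'
        self.p.save()

        self.e = Endpoint()
        self.e.product = self.p
        self.e.host = '127.0.0.1'
        self.e.save()

        # Fixture is loaded before the custom field is written, as before.
        call_command('loaddata', 'dojo/fixtures/system_settings', verbosity=0)
        self.util = EndpointMetaDataTestUtil()
        self.util.save_custom_field(self.e, 'TestField', 'TestValue')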
    def create():
        settings = System_Settings()
        settings.save()

        p = Product()
        p.Name = 'Test Product'
        p.Description = 'Product for Testing Apply Template functionality'
        p.save()

        e = Engagement()
        e.product = p
        e.target_start = timezone.now()
        e.target_end = e.target_start + datetime.timedelta(days=5)
        e.save()

        tt = Test_Type()
        tt.name = 'Temporary Test'
        tt.save()

        t = Test()
        t.engagement = e
        t.test_type = tt
        t.target_start = timezone.now()
        t.target_end = t.target_start + datetime.timedelta(days=5)
        t.save()

        user = FindingTemplateTestUtil.create_user(True)

        f = Finding()
        f.title = 'Finding for Testing Apply Template functionality'
        f.severity = 'High'
        f.description = 'Finding for Testing Apply Template Functionality'
        f.test = t
        f.reporter = user
        f.last_reviewed = timezone.now()
        f.last_reviewed_by = user
        f.save()