async def test_list_component_vulnerabilitites_return_vulnerabilities_for_each_component(
self):
components_version = {'plugin0': "1.2.3", 'plugin1': "1.4.0"}
plugin0_vuln_list = VulnerabilityList(
key="plugin0",
producer="",
vulnerabilities=[Vulnerability(id="1234")])
plugin1_vuln_list = VulnerabilityList(
key="plugin1",
producer="",
vulnerabilities=[Vulnerability(id="2345")])
vuln_list_group = MagicMock()
vuln_list_group.vulnerability_lists = [
plugin0_vuln_list, plugin1_vuln_list
]
def fake_list_vuln(self, version, vuln_list, no_version_match_all):
return vuln_list.vulnerabilities
with patch(
"vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
fake_list_vuln):
vulns = self.vane.list_component_vulnerabilities(
components_version, vuln_list_group, no_version_match_all=True)
self.assertEqual(plugin0_vuln_list.vulnerabilities,
vulns['plugin0'])
self.assertEqual(plugin1_vuln_list.vulnerabilities,
vulns['plugin1'])
def test_list_vulnerabilities_return_vulnerabilities_with_introduced_in_lower_than_version_and_fixed_in_upper_than_version(
self):
vuln0 = Vulnerability(id="12345",
title="Vulnerability0",
affected_versions=[
VersionRange(introduced_in="2.5.9",
fixed_in="4.7.2")
])
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[
VersionRange(introduced_in="1.6.2",
fixed_in="4.9")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"3.5.8", vuln_list)
applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
"2.4.8", vuln_list)
self.assertIn(vuln0, applicable_vuln0)
self.assertIn(vuln1, applicable_vuln0)
self.assertIn(vuln0, applicable_vuln1)
self.assertIn(vuln1, applicable_vuln1)
self.assertNotIn(vuln0, applicable_vuln2)
self.assertIn(vuln1, applicable_vuln2)
def test_multiple_ranges(self):
v = Vulnerability(id="1")
v.add_affected_version(VersionRange(fixed_in="1.2"))
v.add_affected_version(VersionRange(fixed_in="1.3"))
self.assertEqual(v.affected_versions, [
VersionRange(fixed_in="1.2"),
VersionRange(fixed_in="1.3"),
])
def test_added_fix_conflicts_with_known_information(self):
v = Vulnerability(id="1")
v.add_affected_version(VersionRange(fixed_in="1.5"))
v.add_affected_version(
VersionRange(introduced_in="2.0", fixed_in="2.5"))
v.add_affected_version(VersionRange(fixed_in="1.3"))
v.add_affected_version(VersionRange(fixed_in="2.3"))
v.add_affected_version(VersionRange(introduced_in="2.3"))
self.assertEqual(v.affected_versions, [
VersionRange(fixed_in="1.5"),
VersionRange(introduced_in="2.0", fixed_in="2.5"),
])
def test_list_vulnerabilities_remove_affected_versions_ranges_not_including_target_version(
self):
vuln = Vulnerability(id="12345",
title="Vulnerability",
affected_versions=[
VersionRange(introduced_in="3.7",
fixed_in="3.7.5"),
VersionRange(introduced_in="4.0",
fixed_in="4.0.10"),
VersionRange(introduced_in="4.5",
fixed_in="4.5.2")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln])
vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
"3.7.3", vuln_list)
vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
"4.0.9", vuln_list)
vuln_software2 = self.vulnerability_lister.list_vulnerabilities(
"4.5", vuln_list)
self.assertEqual(vuln_software0[0].affected_versions,
[VersionRange(introduced_in="3.7", fixed_in="3.7.5")])
self.assertEqual(
vuln_software1[0].affected_versions,
[VersionRange(introduced_in="4.0", fixed_in="4.0.10")])
self.assertEqual(vuln_software2[0].affected_versions,
[VersionRange(introduced_in="4.5", fixed_in="4.5.2")])
def test_serialize_vulnerability_cvss(self):
schema = VulnerabilitySchema()
vuln = Vulnerability(id="1234", title="Multiple XSS", cvss=4.5)
expect = '{"id": "1234", "title": "Multiple XSS", "cvss": 4.5}'
self.assertEqual(expect, serialize(schema, vuln, indent=None)[0])
data, err = schema.loads(expect)
self.assertEqual(4.5, data.cvss)
def test_list_vulnerabilities_return_all_vulnerabilities_if_version_is_none_and_no_version_match_all_is_true(
self):
vuln0 = Vulnerability(
id="12345",
title="Vulnerability0",
affected_versions=[VersionRange(introduced_in="2.3.4")])
vuln1 = Vulnerability(
id="23456",
title="Vulnerability1",
affected_versions=[VersionRange(introduced_in="1.5.6")])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln = self.vulnerability_lister.list_vulnerabilities(
None, vuln_list, no_version_match_all=True)
self.assertEqual(len(applicable_vuln), 2)
def test_vulnerability_introduced_in_only(self):
v = Vulnerability(id="1")
v.add_affected_version(VersionRange(introduced_in="2.0"))
self.assertFalse(v.applies_to("1.0"))
self.assertFalse(v.applies_to("1.9"))
self.assertFalse(v.applies_to("2.0-beta3"))
self.assertTrue(v.applies_to("2.0"))
self.assertTrue(v.applies_to("2.1"))
def test_unaffected_versions(self):
v = Vulnerability(id="1")
v.unaffected_versions = [
VersionRange(introduced_in="6.0", fixed_in="6.1.2"),
VersionRange(introduced_in="7.0", fixed_in="7.0.7"),
]
v.add_affected_version(VersionRange(fixed_in="1.5"))
v.add_affected_version(
VersionRange(introduced_in="6.0", fixed_in="6.1.2"))
v.add_affected_version(VersionRange(fixed_in="6.1.1"))
self.assertEqual(v.affected_versions, [
VersionRange(fixed_in="1.5"),
])
def test_regroup_vulnerabilities_of_key_in_one_list(self):
plugin_vuln0 = Vulnerability(id="0")
plugin_vuln1 = Vulnerability(id="1")
self.storage.vulnerability_lists[
'plugins/plugin/producer0'] = VulnerabilityList(
producer="producer0",
key="plugins/plugin",
vulnerabilities=[plugin_vuln0])
self.storage.vulnerability_lists[
'plugins/plugin/producer1'] = VulnerabilityList(
producer="producer1",
key="plugins/plugin",
vulnerabilities=[plugin_vuln1])
plugin_vuln_list = self.exporter._regroup_vulnerabilities_of_key_in_one_list(
"plugins/plugin")
self.assertIn(plugin_vuln0, plugin_vuln_list.vulnerabilities)
self.assertIn(plugin_vuln1, plugin_vuln_list.vulnerabilities)
def test_serialize_all_values(self):
reference_date = datetime.now()
schema = VulnerabilitySchema()
vuln = Vulnerability(id="1234",
title="Multiple XSS",
reported_type="XSS",
created_at=reference_date,
updated_at=reference_date + timedelta(days=6))
vuln.add_affected_version(VersionRange(fixed_in="1.3"))
vuln.add_unaffected_version(VersionRange(fixed_in="2.4"))
vuln.references.append(
Reference(type="other", url="http://example.com/test"))
data = serialize(schema, vuln, indent=None)[0]
self.assertIn(reference_date.strftime("%Y-%m-%d"), data)
self.assertIn(
(reference_date + timedelta(days=6)).strftime("%Y-%m-%d"), data)
self.assertIn('"reported_type": "XSS"', data)
self.assertIn('1.3', data)
self.assertIn('example.com', data)
out, errors = schema.loads(data)
self.assertEqual("1.3", out.affected_versions[0].fixed_in)
self.assertEqual("2.4", out.unaffected_versions[0].fixed_in)
self.assertEqual("other", out.references[0].type)
def test_list_vulnerabilities_return_empty_list_if_no_vuln_applicable_to_version(
self):
vuln0 = Vulnerability(id="12345",
title="Vulnerability0",
affected_versions=[
VersionRange(introduced_in="4.4",
fixed_in="4.6")
])
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[VersionRange(fixed_in="3.9")])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"4.3", vuln_list)
self.assertEqual(len(applicable_vuln0), 0)
self.assertEqual(len(applicable_vuln1), 0)
def test_list_vulnerabilities_return_all_vulnerabilities_with_no_introduced_nor_fixed_in(
self):
vuln0 = Vulnerability(id="12345", title="Vulnerability0")
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[VersionRange()])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"0.1", vuln_list)
applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
"100.2.3", vuln_list)
self.assertIn(vuln0, applicable_vuln0)
self.assertIn(vuln1, applicable_vuln0)
self.assertIn(vuln0, applicable_vuln1)
self.assertIn(vuln1, applicable_vuln1)
self.assertIn(vuln0, applicable_vuln2)
self.assertIn(vuln1, applicable_vuln2)
def test_serialize_vunlerability_list(self):
schema = VulnerabilityListSchema()
vuln_list = VulnerabilityList(
producer="Test Provider",
key="plugins/test-plugin",
copyright="2016- Delve Labs inc.",
license="GNU General Public License, version 2",
vulnerabilities=[
Vulnerability(id="1234", title="Multiple XSS"),
])
data = serialize(schema, vuln_list)[0]
self.assertIn('"producer": "Test Provider"', data)
self.assertIn('"key": "plugins/test-plugin"', data)
self.assertIn('"license": "GNU General Public License, version 2"',
data)
self.assertIn('"copyright": "2016- Delve Labs inc."', data)
self.assertIn('Multiple XSS', data)
out, errors = schema.loads(data)
self.assertEqual("1234", out.vulnerabilities[0].id)
def test_list_vulnerabilities_apply_vulnerabilities_with_multiple_affected_versions(
self):
vuln = Vulnerability(id="12345",
title="Vulnerability",
affected_versions=[
VersionRange(introduced_in="3.7",
fixed_in="3.7.5"),
VersionRange(introduced_in="4.0",
fixed_in="4.0.10"),
VersionRange(introduced_in="4.5",
fixed_in="4.5.2")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln])
vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
"4.1.5", vuln_list)
vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
"4.0.9", vuln_list)
self.assertEqual(vuln_software0, [])
self.assertEqual(vuln_software1[0].id, vuln.id)
def test_vulnerability_fixed_in_only(self):
v = Vulnerability(id="1")
v.add_affected_version(VersionRange(fixed_in="1.0"))
self.assertFalse(v.applies_to("1.1"))
self.assertFalse(v.applies_to("1.0"))
self.assertTrue(v.applies_to("0.9"))
def test_export_vulnerabilities_export_all_vuln_lists_in_one_file(self):
plugin0_vuln0 = Vulnerability(id="0")
plugin0_vuln1 = Vulnerability(id="1")
plugin0_vuln_list = VulnerabilityList(
producer="test",
key="plugins/plugin0",
vulnerabilities=[plugin0_vuln0, plugin0_vuln1])
plugin1_vuln0 = Vulnerability(id="2")
plugin1_vuln1 = Vulnerability(id="3")
plugin1_vuln_list = VulnerabilityList(
producer="test",
key="plugins/plugin1",
vulnerabilities=[plugin1_vuln0, plugin1_vuln1])
theme_vuln0 = Vulnerability(id="4")
theme_vuln1 = Vulnerability(id="5")
theme_vuln_list = VulnerabilityList(
producer="test",
key="themes/theme",
vulnerabilities=[theme_vuln0, theme_vuln1])
wordpress_vuln0 = Vulnerability(id="6")
wordpress_vuln1 = Vulnerability(id="7")
wordpress_vuln_list = VulnerabilityList(
producer="test",
key="wordpress",
vulnerabilities=[wordpress_vuln0, wordpress_vuln1])
self.storage.add_vulnerability_lists({
'plugins/plugin0': plugin0_vuln_list,
'plugins/plugin1': plugin1_vuln_list,
'themes/theme': theme_vuln_list,
'wordpress': wordpress_vuln_list
})
self.exporter.export_vulnerabilities("path_to_dir")
args, kwargs = self.exporter._dump.call_args
vulnerability_list_group = args[1]
self.assertEqual(vulnerability_list_group.producer, "vane2_export")
vulnerability_lists = vulnerability_list_group.vulnerability_lists
self.assert_object_with_attribute_value_in_container(
"key", "plugins/plugin0", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "plugins/plugin1", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "themes/theme", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "wordpress", vulnerability_lists)
exported_plugin0_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "plugins/plugin0", vulnerability_lists)
exported_plugin1_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "plugins/plugin1", vulnerability_lists)
exported_theme_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "themes/theme", vulnerability_lists)
exported_wordpress_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "wordpress", vulnerability_lists)
self.assertIn(plugin0_vuln0,
exported_plugin0_vuln_list.vulnerabilities)
self.assertIn(plugin0_vuln1,
exported_plugin0_vuln_list.vulnerabilities)
self.assertIn(plugin1_vuln0,
exported_plugin1_vuln_list.vulnerabilities)
self.assertIn(plugin1_vuln1,
exported_plugin1_vuln_list.vulnerabilities)
self.assertIn(theme_vuln0, exported_theme_vuln_list.vulnerabilities)
self.assertIn(theme_vuln1, exported_theme_vuln_list.vulnerabilities)
self.assertIn(wordpress_vuln0,
exported_wordpress_vuln_list.vulnerabilities)
self.assertIn(wordpress_vuln1,
exported_wordpress_vuln_list.vulnerabilities)
def test_vulnerability_has_no_applicable_ranges(self):
v = Vulnerability(id="1")
self.assertTrue(v.applies_to("1.0"))
def test_multiple_ranges(self):
v = Vulnerability(id="1")
v.add_affected_version(
VersionRange(introduced_in="1.0", fixed_in="1.2"))
v.add_affected_version(
VersionRange(introduced_in="2.0", fixed_in="2.3"))
v.add_affected_version(
VersionRange(introduced_in="3.0", fixed_in="3.1"))
self.assertFalse(v.applies_to("0.9"))
self.assertTrue(v.applies_to("2.1"))
self.assertTrue(v.applies_to("3.0"))
self.assertFalse(v.applies_to("3.1"))
def test_serialize_vulnerability_minimal(self):
schema = VulnerabilitySchema()
vuln = Vulnerability(id="1234", title="Multiple XSS")
self.assertEqual('{"id": "1234", "title": "Multiple XSS"}',
serialize(schema, vuln, indent=None)[0])