def test_cve_search(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/vulnerabilities/fulltext?q={MOCK_CVE_QUERY}', json=MOCK_CVE_SEARCH_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
_, outputs, _ = cve_search_command(client, {'q': MOCK_CVE_QUERY})
assert outputs['XFE.CVESearch']['TotalRows'] == len(outputs[outputPaths['cve']]), 'Mismatch rows and outputs'
def test_file(requests_mock):
"""
Given:
- A hash.
When:
- When running the file command.
Then:
- Validate that the file outputs are created properly
- Validate that the DbotScore outputs are created properly
"""
dbot_score_key = 'DBotScore(val.Indicator && val.Indicator == obj.Indicator &&' \
' val.Vendor == obj.Vendor && val.Type == obj.Type)'
requests_mock.get(f'{MOCK_BASE_URL}/malware/{MOCK_HASH}',
json=MOCK_HASH_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
outputs = file_command(client,
{'file': MOCK_HASH})[0].to_context()['EntryContext']
file_key = next(filter(lambda k: 'File' in k, outputs.keys()), 'File')
assert outputs[file_key][0].get(
'MD5', '') == MOCK_HASH, 'The indicator value is wrong'
assert outputs[dbot_score_key][0][
'Indicator'] == MOCK_HASH, 'The indicator is not matched'
assert outputs[dbot_score_key][0][
'Type'] == 'file', 'The indicator type should be file'
assert 1 <= outputs[dbot_score_key][0][
'Score'] <= 3, 'Invalid indicator score range'
def test_cve_latest(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/vulnerabilities',
json=MOCK_RECENT_CVE_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
_, outputs, _ = cve_search_command(client, {})
assert len(
outputs[outputPaths['cve']]) == 1, 'CVE output length should be 1'
def test_url(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/url/{MOCK_URL}', json=MOCK_URL_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {'url': MOCK_URL}
_, outputs, _ = url_command(client, args)
assert outputs[outputPaths['url']][0]['Data'] == MOCK_URL
def test_ip(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/ipr/{MOCK_IP}', json=MOCK_IP_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {'ip': MOCK_IP}
_, outputs, _ = ip_command(client, args)
assert outputs[outputPaths['ip']][0]['Address'] == MOCK_IP
def test_whois(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/whois/{MOCK_HOST}', json=MOCK_HOST_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
_, outputs, _ = whois_command(client, {'host': MOCK_HOST})
whois_result = outputs['XFE.Whois(obj.Host==val.Host)']
assert whois_result['Host'] == MOCK_HOST, 'The host from output is different'
assert isinstance(whois_result['Contact'], list), 'Contact information should be list'
def test_url(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/url/{MOCK_URL}', json=MOCK_URL_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {
'url': MOCK_URL
}
result = url_command(client, args)
assert result[0].indicator.url == MOCK_URL
assert result[0].indicator.dbot_score.indicator == MOCK_URL_RESP[DBOT_SCORE_KEY]['Indicator']
assert result[0].indicator.dbot_score.score == MOCK_URL_RESP[DBOT_SCORE_KEY]['Score']
assert result[0].indicator.dbot_score.reliability == MOCK_URL_RESP[DBOT_SCORE_KEY]['Reliability']
def test_get_cve(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/vulnerabilities/search/{MOCK_CVE}', json=MOCK_CVE_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {
'cve_id': MOCK_CVE
}
_, outputs, _ = cve_get_command(client, args)
assert outputs[outputPaths['cve']][0]['ID'] == MOCK_CVE
assert outputs[DBOT_SCORE_KEY][0]['Indicator'] == MOCK_CVE, 'The indicator is not matched'
assert outputs[DBOT_SCORE_KEY][0]['Type'] == 'cve', 'The indicator type should be cve'
assert 1 <= outputs[DBOT_SCORE_KEY][0]['Score'] <= 3, 'Invalid indicator score range'
assert outputs[DBOT_SCORE_KEY][0]['Reliability'] == 'C - Fairly reliable'
def test_file__no_family(requests_mock):
"""
Given:
- Hash with results that have family set to None
When:
- Running the file commandd
Then:
- Ensure the Relationships object is empty
"""
requests_mock.get(f'{MOCK_BASE_URL}/malware/{MOCK_HASH_NO_FAMILY}', json=HASH_RESP_NO_FAMILY)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
outputs = file_command(client, {'file': MOCK_HASH_NO_FAMILY})[0].to_context()
assert not outputs['Relationships']
def test_file(requests_mock):
requests_mock.get(f'{MOCK_BASE_URL}/malware/{MOCK_HASH}',
json=MOCK_HASH_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
_, outputs, _ = file_command(client, {'file': MOCK_HASH})
file_key = next(filter(lambda k: 'File' in k, outputs.keys()), 'File')
assert outputs[file_key][0].get(
'MD5', '') == MOCK_HASH, 'The indicator value is wrong'
assert outputs[DBOT_SCORE_KEY][0][
'Indicator'] == MOCK_HASH, 'The indicator is not matched'
assert outputs[DBOT_SCORE_KEY][0][
'Type'] == 'file', 'The indicator type should be file'
assert 1 <= outputs[DBOT_SCORE_KEY][0][
'Score'] <= 3, 'Invalid indicator score range'
def test_file_connections(requests_mock):
"""
Given:
- A hash.
When:
- When running the file command.
Then:
- Validate that the relationships are crated correctly
"""
requests_mock.get(f'{MOCK_BASE_URL}/malware/{MOCK_HASH}', json=MOCK_HASH_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
relations = file_command(client, {'file': MOCK_HASH})[0].relationships[0].to_context()
assert relations.get('Relationship') == 'related-to'
assert relations.get('EntityA') == MOCK_HASH
assert relations.get('EntityAType') == 'File'
assert relations.get('EntityB') == 'badur'
assert relations.get('EntityBType') == 'STIX Malware'
def test_ip(requests_mock):
"""
Given: Arguments for ip command
When: The server response is complete
Then: validates the outputs
"""
requests_mock.get(f'{MOCK_BASE_URL}/ipr/{MOCK_IP}', json=MOCK_IP_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {
'ip': MOCK_IP
}
_, outputs, _ = ip_command(client, args)
assert outputs[outputPaths['ip']][0]['Address'] == MOCK_IP
assert outputs[DBOT_SCORE_KEY][0] == MOCK_IP_RESP[DBOT_SCORE_KEY]
def test_ip_with_invalid_resp(requests_mock):
"""
Given: Arguments for ip command
When: The server response is not complete and some data fields are empty
Then: validates the outputs
"""
requests_mock.get(f'{MOCK_BASE_URL}/ipr/{MOCK_IP}', json=MOCK_INVALID_IP_RESP)
client = Client(MOCK_BASE_URL, MOCK_API_KEY, MOCK_PASSWORD, True, False)
args = {
'ip': MOCK_IP
}
md, outputs, reports = ip_command(client, args)
assert outputs[outputPaths['ip']][0]['Address'] == MOCK_IP
assert reports[0] == {'ip': '8.8.8.8', 'history': [], 'subnets': [], 'cats': {}, 'score': 1, 'tags': []}
assert md == """### X-Force IP Reputation for: 8.8.8.8