def test_transfer_vulnerability_timestamps_single(
self, test_source, test_destination
):
random = VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
fix=FixedArtifact(),
)
source = copy.deepcopy(random)
source.match = Match(detected_at=test_source)
destination = copy.deepcopy(random)
destination.match = Match(detected_at=test_destination)
results = transfer_vulnerability_timestamps(
source=[source], destination=[destination]
)
assert results and len(results) == 1
assert results[0].match.detected_at == test_source
def to_engine(
self,
result: Dict,
package_mapper: PackageMapper,
now: datetime.datetime,
):
artifact_dict = result.get("artifact")
vuln_dict = result.get("vulnerability")
# parse cvss fields
cvss_objs = VulnerabilityMapper._try_parse_cvss(
vuln_dict.get("cvss", []))
# parse fix details
fix_dict = vuln_dict.get("fix")
fix_obj = FixedArtifact(versions=[],
wont_fix=False,
observed_at=None,
advisories=[])
if fix_dict:
fix_obj.versions = fix_dict.get("versions", [])
fix_obj.wont_fix = (fix_dict.get("state").lower() == "wont-fix"
) # TODO format check with toolbox
fix_obj.observed_at = now if fix_obj.versions else None
fix_obj.advisories = VulnerabilityMapper._try_parse_advisories(
fix_dict.get("advisories", []))
# parse nvd references
nvd_objs = VulnerabilityMapper._try_parse_related_vulnerabilities(
result.get("relatedVulnerabilities", []))
# parse package path
pkg_path = (artifact_dict.get("locations")[0].get("path")
if artifact_dict.get("locations") else "NA")
vuln_match = VulnerabilityMatch(
vulnerability=Vulnerability(
vulnerability_id=vuln_dict.get("id"),
description=vuln_dict.get("description"),
severity=vuln_dict.get("severity"),
link=vuln_dict.get("dataSource"),
feed="grypedb",
feed_group=vuln_dict.get("namespace"),
cvss=cvss_objs,
),
artifact=Artifact(
name=artifact_dict.get("name"),
version=artifact_dict.get("version"),
pkg_type=package_mapper.engine_type,
location=pkg_path,
cpe=None, # vestige of the old system
cpes=self._try_parse_matched_cpes(result),
),
fix=fix_obj,
match=Match(detected_at=now),
nvd=nvd_objs,
)
return vuln_match
def test_filter_vulnerability_matches_vendor_only(self, test_input,
test_filter,
expected_output):
vuln_match = VulnerabilityMatch(
vulnerability=Vulnerability(vulnerability_id="CVE-xyz"),
artifact=Artifact(name="foo"),
fix=FixedArtifact(wont_fix=test_input),
)
results = GrypeProvider._filter_vulnerability_matches(
matches=[vuln_match],
vulnerability_id="CVE-xyz",
severity_filter=None,
namespace_filter=None,
affected_package_filter=None,
vendor_only=test_filter,
)
assert results == expected_output
class TestGrypeProvider:
@pytest.mark.parametrize(
"test_input",
[
pytest.param(
[VulnerabilityMatch(fix=FixedArtifact(wont_fix="true"))],
id="str",
),
pytest.param(
[VulnerabilityMatch(fix=FixedArtifact(wont_fix=" "))],
id="whitespace",
),
pytest.param(
[VulnerabilityMatch(fix=FixedArtifact(wont_fix=""))],
id="blank",
),
pytest.param(
[VulnerabilityMatch(fix=FixedArtifact(wont_fix=False))],
id="boolean_false",
),
pytest.param(
[VulnerabilityMatch(fix=None)],
id="fix_none",
),
],
)
def test_exclude_wont_fix_false(self, test_input):
assert len(GrypeProvider._exclude_wont_fix(test_input)) == 1
@pytest.mark.parametrize(
"test_input",
[
pytest.param(
[VulnerabilityMatch(fix=FixedArtifact(wont_fix=True))],
id="boolean_true",
),
],
)
def test_exclude_wont_fix_true(self, test_input):
assert len(GrypeProvider._exclude_wont_fix(test_input)) == 0
@pytest.mark.parametrize(
"test_input, expected_output",
[
pytest.param(
Vulnerability(vulnerability_id="CVE-xyz"),
[{
"name": "foo",
"version": "0.0",
"type": "bar",
"namespace": None,
"severity": None,
}],
id="match-1",
),
pytest.param(
Vulnerability(vulnerability_id="CVE-xyz",
severity="Critical",
feed_group="meh"),
[{
"name": "foo",
"version": "0.0",
"type": "bar",
"namespace": "meh",
"severity": "Critical",
}],
id="match-2",
),
pytest.param(
Vulnerability(vulnerability_id="CVE-pqr",
severity="Critical",
feed_group="meh"),
[],
id="no-match",
),
],
)
def test_filter_vulnerability_matches_no_optional_filters(
self, test_input, expected_output):
vuln_match = VulnerabilityMatch(
vulnerability=test_input,
artifact=Artifact(
name="foo",
version="0.0",
pkg_type="bar",
location="/usr/local/lib",
),
)
results = GrypeProvider._filter_vulnerability_matches(
matches=[vuln_match],
vulnerability_id="CVE-xyz",
severity_filter=None,
namespace_filter=None,
affected_package_filter=None,
vendor_only=None,
)
assert results == expected_output
@pytest.mark.parametrize(
"test_input, test_filter, expected_output",
[
pytest.param(
True,
False,
[{
"name": "foo",
"version": None,
"type": None,
"namespace": None,
"severity": None,
}],
id="wontfix-true_vendoronly_false",
),
pytest.param(
False,
False,
[{
"name": "foo",
"version": None,
"type": None,
"namespace": None,
"severity": None,
}],
id="wontfix-false_vendoronly_false",
),
pytest.param(
False,
True,
[{
"name": "foo",
"version": None,
"type": None,
"namespace": None,
"severity": None,
}],
id="wontfix-false_vendoronly_true",
),
pytest.param(
True,
True,
[],
id="wontfix-true_vendoronly_true",
),
],
)
def test_filter_vulnerability_matches_vendor_only(self, test_input,
test_filter,
expected_output):
vuln_match = VulnerabilityMatch(
vulnerability=Vulnerability(vulnerability_id="CVE-xyz"),
artifact=Artifact(name="foo"),
fix=FixedArtifact(wont_fix=test_input),
)
results = GrypeProvider._filter_vulnerability_matches(
matches=[vuln_match],
vulnerability_id="CVE-xyz",
severity_filter=None,
namespace_filter=None,
affected_package_filter=None,
vendor_only=test_filter,
)
assert results == expected_output
@pytest.mark.parametrize(
"test_input, test_filter, expected_output",
[
pytest.param(
"High",
"Critical",
[],
id="no-match",
),
pytest.param(
"High",
"High",
[{
"name": "foo",
"version": None,
"type": None,
"namespace": None,
"severity": "High",
}],
id="match",
),
],
)
def test_filter_vulnerability_matches_severity(self, test_input,
test_filter,
expected_output):
vuln_match = VulnerabilityMatch(
vulnerability=Vulnerability(vulnerability_id="CVE-xyz",
severity=test_input),
artifact=Artifact(name="foo"),
)
results = GrypeProvider._filter_vulnerability_matches(
matches=[vuln_match],
vulnerability_id="CVE-xyz",
severity_filter=test_filter,
namespace_filter=None,
affected_package_filter=None,
vendor_only=None,
)
assert results == expected_output
@pytest.mark.parametrize(
"test_input, test_filter, expected_output",
[
pytest.param(
"foo",
"bar",
[],
id="no-match",
),
pytest.param(
"meh",
"meh",
[{
"name": "foo",
"version": None,
"type": None,
"namespace": "meh",
"severity": None,
}],
id="match",
),
],
)
def test_filter_vulnerability_matches_namespace(self, test_input,
test_filter,
expected_output):
vuln_match = VulnerabilityMatch(
vulnerability=Vulnerability(vulnerability_id="CVE-xyz",
feed_group=test_input),
artifact=Artifact(name="foo"),
)
results = GrypeProvider._filter_vulnerability_matches(
matches=[vuln_match],
vulnerability_id="CVE-xyz",
severity_filter=None,
namespace_filter=test_filter,
affected_package_filter=None,
vendor_only=None,
)
assert results == expected_output
def test_transfer_vulnerability_timestamps_multiple(self):
dest_ts = datetime.datetime.utcnow()
src_ts = datetime.datetime.utcnow() - datetime.timedelta(days=1)
destination = [
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
match=Match(detected_at=dest_ts),
fix=FixedArtifact(),
),
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="foo",
),
match=Match(detected_at=dest_ts),
fix=FixedArtifact(),
),
]
source = [
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
match=Match(detected_at=src_ts),
fix=FixedArtifact(),
)
]
results = transfer_vulnerability_timestamps(
source=source, destination=destination
)
assert results and len(results) == 2
for result in results:
if (
result.vulnerability.vulnerability_id
== source[0].vulnerability.vulnerability_id
):
assert result.match.detected_at == src_ts
else:
assert result.match.detected_at == dest_ts
class TestTimestampMerger:
@pytest.mark.parametrize(
"test_source, test_destination, expected",
[
pytest.param([], [], [], id="empty"),
pytest.param(None, None, [], id="none"),
pytest.param([], None, [], id="destination-none"),
pytest.param(None, [], [], id="source-none"),
],
)
def test_transfer_vulnerability_timestamps_invalid_input(
self, test_source, test_destination, expected
):
assert (
transfer_vulnerability_timestamps(
source=test_source, destination=test_destination
)
== expected
)
@pytest.mark.parametrize(
"test_source, test_destination",
[
pytest.param(
datetime.datetime.utcnow(),
datetime.datetime.utcnow() + datetime.timedelta(days=1),
id="source-behind-destination",
),
pytest.param(
datetime.datetime.utcnow() + datetime.timedelta(days=1),
datetime.datetime.utcnow(),
id="source-ahead-destination",
),
],
)
def test_transfer_vulnerability_timestamps_single(
self, test_source, test_destination
):
random = VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
fix=FixedArtifact(),
)
source = copy.deepcopy(random)
source.match = Match(detected_at=test_source)
destination = copy.deepcopy(random)
destination.match = Match(detected_at=test_destination)
results = transfer_vulnerability_timestamps(
source=[source], destination=[destination]
)
assert results and len(results) == 1
assert results[0].match.detected_at == test_source
def test_transfer_vulnerability_timestamps_multiple(self):
dest_ts = datetime.datetime.utcnow()
src_ts = datetime.datetime.utcnow() - datetime.timedelta(days=1)
destination = [
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
match=Match(detected_at=dest_ts),
fix=FixedArtifact(),
),
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="foo",
),
match=Match(detected_at=dest_ts),
fix=FixedArtifact(),
),
]
source = [
VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
match=Match(detected_at=src_ts),
fix=FixedArtifact(),
)
]
results = transfer_vulnerability_timestamps(
source=source, destination=destination
)
assert results and len(results) == 2
for result in results:
if (
result.vulnerability.vulnerability_id
== source[0].vulnerability.vulnerability_id
):
assert result.match.detected_at == src_ts
else:
assert result.match.detected_at == dest_ts
@pytest.mark.parametrize(
"test_source, test_destination, expected",
[
pytest.param(
FixedArtifact(
versions=[], observed_at=datetime.datetime.utcfromtimestamp(0)
),
FixedArtifact(
versions=[], observed_at=datetime.datetime.utcfromtimestamp(10)
),
datetime.datetime.utcfromtimestamp(10),
id="empty-versions",
),
pytest.param(
FixedArtifact(
versions=None, observed_at=datetime.datetime.utcfromtimestamp(0)
),
FixedArtifact(
versions=None, observed_at=datetime.datetime.utcfromtimestamp(10)
),
datetime.datetime.utcfromtimestamp(10),
id="none-versions",
),
pytest.param(
FixedArtifact(
versions=[], observed_at=datetime.datetime.utcfromtimestamp(0)
),
FixedArtifact(
versions=["foo"], observed_at=datetime.datetime.utcfromtimestamp(10)
),
datetime.datetime.utcfromtimestamp(10),
id="different-versions",
),
pytest.param(
FixedArtifact(
versions=["bar", "foo", "meh"],
observed_at=datetime.datetime.utcfromtimestamp(0),
),
FixedArtifact(
versions=["meh", "bar", "foo"],
observed_at=datetime.datetime.utcfromtimestamp(10),
),
datetime.datetime.utcfromtimestamp(0),
id="same-versions-ordered-differently",
),
],
)
def test_transfer_vulnerability_timestamps_fix_observed_at(
self, test_source, test_destination, expected
):
random = VulnerabilityMatch(
artifact=Artifact(
name="blah",
location="/usr/local/java/blah",
pkg_type="java",
version="1.2.3maven",
),
vulnerability=Vulnerability(
feed="vulnerabilities",
feed_group="whatever:hello",
vulnerability_id="meh",
),
match=Match(detected_at=datetime.datetime.utcnow()),
)
source = copy.deepcopy(random)
source.fix = test_source
destination = copy.deepcopy(random)
destination.fix = test_destination
results = transfer_vulnerability_timestamps(
source=[source], destination=[destination]
)
assert results and len(results) == 1
assert results[0].fix.observed_at == expected