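 def testSysCVEAllowlist(self):
     """System-level CVE allowlist: read/write authorization and expiry.

     Steps:
       1. A regular user (RA) can read the system allowlist; it starts empty.
       2. RA cannot write it (HTTP 403). The denied write is then verified
          to have had no side effect: the allowlist is still empty.
       3. RA is promoted to system admin through the admin client.
       4. The same write now succeeds (HTTP 200).
       5. The read-back holds exactly the submitted CVE ids and no expiry.
       6./7. An expiry timestamp is persisted and read back verbatim.

     NOTE(review): the promotion in step 3 is not reverted in this method;
     unless a fixture undoes it, later tests will run RA with sysadmin rights.
     """
     cves = ['CVE-2019-12310']
     # 1. User(RA) reads the system level CVE allowlist and it's empty.
     wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
     self.assertEqual(
         0, len(wl.items),
         "The initial system level CVE allowlist is not empty: %s" %
         wl.items)
     # 2. User(RA) updates the system level CVE allowlist, verify it's failed.
     self.system.set_cve_allowlist(None, 403, *cves, **self.USER_RA_CLIENT)
     # A rejected write must not have been applied: without this re-read a
     # server that answers 403 but still stores the list would pass step 5.
     wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
     self.assertEqual(
         0, len(wl.items),
         "Forbidden update modified the system level CVE allowlist: %s" %
         wl.items)
     # 3. Update user(RA) to system admin
     self.user.update_user_role_as_sysadmin(self.user_ra_id, True,
                                            **ADMIN_CLIENT)
     # 4. User(RA) updates the system level CVE allowlist, verify it's successful.
     self.system.set_cve_allowlist(None, 200, *cves, **self.USER_RA_CLIENT)
     # 5. User(RA) reads the system level CVE allowlist, verify the CVE list is updated.
     # Built from `cves` so the expectation cannot drift from what was sent.
     expect_wl = [swagger_client.CVEAllowlistItem(cve_id=c) for c in cves]
     wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
     self.assertIsNone(wl.expires_at)
     self.assertEqual(expect_wl, wl.items)
     # 6. User(RA) updates the expiration date of system level CVE allowlist.
     exp = int(time.time()) + 3600
     self.system.set_cve_allowlist(exp, 200, *cves, **self.USER_RA_CLIENT)
     # 7. User(RA) reads the system level CVE allowlist, verify the expiration date is updated.
     wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT)
     self.assertEqual(exp, wl.expires_at)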
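 def set_cve_allowlist(self, expires_at=None, expected_status_code=200, *cve_ids, **kwargs):
     """PUT the system-level CVE allowlist and assert the HTTP status.

     Args:
         expires_at: Unix timestamp after which the allowlist stops applying,
             or None for no expiry.
         expected_status_code: HTTP status the server is expected to return
             (e.g. 403 when the caller lacks sysadmin rights).
         *cve_ids: CVE identifiers to place in the allowlist.
         **kwargs: credentials/endpoint forwarded to ``self._get_client``.

     ``expires_at`` and ``expected_status_code`` are positional, so a caller
     has to pass both in order to supply any ``cve_ids``.

     Raises:
         AssertionError: the response status differs from the expected one.
         Exception: any failure that does not carry an HTTP ``status``
             attribute (connection error, programming error) is re-raised
             unchanged instead of being masked by an AttributeError.
     """
     client = self._get_client(**kwargs)
     items = [swagger_client.CVEAllowlistItem(cve_id=c) for c in cve_ids]
     allowlist = swagger_client.CVEAllowlist(expires_at=expires_at, items=items)
     try:
         r = client.system_cve_allowlist_put_with_http_info(allowlist=allowlist, _preload_content=False)
     except Exception as e:
         # Only API errors carry an HTTP status; for anything else the
         # original `e.status` access would hide the real cause.
         status = getattr(e, 'status', None)
         if status is None:
             raise
         base._assert_status_code(expected_status_code, status)
     else:
         base._assert_status_code(expected_status_code, r.status)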
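    def testProjectLevelCVEAllowlist(self):
        """Project-level CVE allowlist: authorization, round-trip, reuse flag.

        Steps:
          1. RA reads project PA: ``reuse_sys_cve_allowlist`` is unset and the
             project allowlist is empty.
          2. RA (not yet project admin) tries to set the allowlist: HTTP 403.
             The project is re-read to confirm the denied write left the
             allowlist empty.
          3. The admin client makes RA a project admin.
          4. RA sets an allowlist with one item and an expiry; both are read
             back verbatim.
          5. RA clears the allowlist; items are empty and expiry is None.
          6. RA sets ``reuse_sys_cve_allowlist`` to "true" in the project
             metadata and reads it back.
        """
        # 1. Initial state as seen by the regular user.
        p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
        self.assertIsNone(p.metadata.reuse_sys_cve_allowlist)
        self.assertEqual(0, len(p.cve_allowlist.items))

        # 2. Write as a non-admin member must be rejected with Forbidden.
        item_list = [swagger_client.CVEAllowlistItem(cve_id="CVE-2019-12310")]
        exp = int(time.time()) + 1000
        wl = swagger_client.CVEAllowlist(expires_at=exp, items=item_list)
        self.project.update_project(self.project_pa_id,
                                    cve_allowlist=wl,
                                    expect_status_code=403,
                                    **self.USER_RA_CLIENT)
        # A 403 must also mean "not applied": the allowlist is still empty.
        # Without this re-read a server that rejects yet stores the list
        # would go unnoticed, since step 4 writes the same item anyway.
        p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
        self.assertEqual(0, len(p.cve_allowlist.items))

        # 3. Admin promotes RA to project admin (role id 1, per the
        #    original step description; meaning is defined server-side).
        self.project.update_project_member_role(self.project_pa_id,
                                                self.member_id, 1,
                                                **ADMIN_CLIENT)

        # 4. Now the same write succeeds and is read back verbatim.
        self.project.update_project(self.project_pa_id,
                                    cve_allowlist=wl,
                                    **self.USER_RA_CLIENT)
        p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
        self.assertEqual("CVE-2019-12310", p.cve_allowlist.items[0].cve_id)
        self.assertEqual(exp, p.cve_allowlist.expires_at)

        # 5. Clearing the items also drops the expiry.
        wl2 = swagger_client.CVEAllowlist(items=[])
        self.project.update_project(self.project_pa_id,
                                    cve_allowlist=wl2,
                                    **self.USER_RA_CLIENT)
        p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
        self.assertEqual(0, len(p.cve_allowlist.items))
        self.assertIsNone(p.cve_allowlist.expires_at)

        # 6. Opt the project into the system-level allowlist. The flag is a
        #    string ("true") in the metadata model, not a bool.
        meta = swagger_client.ProjectMetadata(reuse_sys_cve_allowlist="true")
        self.project.update_project(self.project_pa_id,
                                    metadata=meta,
                                    **self.USER_RA_CLIENT)
        p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT)
        self.assertEqual("true", p.metadata.reuse_sys_cve_allowlist)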