def test_nagios_warning_all():
opt = MockOpt()
opt.priority = "all"
sr = [ScanResult("CVE-2020-1000", "medium", "pkg1", None, None)]
nof = NagiosOutputFormatter(opt, None)
(results_msg, return_code) = nof.format_output(sr, None)
assert "priority" not in results_msg
assert return_code == const.NAGIOS_WARNING_RETURN_CODE
def test_nagios_critical_medium():
opt = MockOpt()
opt.priority = "medium"
sr = [
ScanResult("CVE-2020-1000", "medium", "pkg1", "1.2.3-2",
const.UBUNTU_ARCHIVE)
]
nof = NagiosOutputFormatter(opt, None)
(results_msg, return_code) = nof.format_output(sr, None)
assert '"medium" or higher priority' in results_msg
assert return_code == const.NAGIOS_CRITICAL_RETURN_CODE
def test_vulnerable_patch_available_repository(cve_output_formatter):
sr = filter_scan_results_by_cve_ids(["CVE-2020-1001", "CVE-2020-1003"])
sr.append(
ScanResult("CVE-2020-1000", "low", "pkg3", "1.2.3-4", const.UBUNTU_ARCHIVE),
)
msg, rc = cve_output_formatter.format_output(sr, MockSysInfo())
expected_msg = (
"Vulnerable to CVE-2020-1000, but fixes are available from "
"the Ubuntu Archive."
)
assert msg == expected_msg
assert rc == 4
def priority_scan_results():
return [
ScanResult("CVE-2020-1000", const.MEDIUM, "pkg4", None, None),
ScanResult("CVE-2020-1001", const.NEGLIGIBLE, "pkg5", None, None),
ScanResult("CVE-2020-1002", const.CRITICAL, "pkg6", None, None),
ScanResult("CVE-2020-1003", const.UNTRIAGED, "pkg7", None, None),
ScanResult("CVE-2020-1004", const.LOW, "pkg1", None, None),
ScanResult("CVE-2020-1005", const.HIGH, "pkg2", None, None),
]
def _filter_on_experimental(self, scan_results):
if self.opt.experimental_mode:
return scan_results
filtered_scan_results = []
for sr in scan_results:
if sr.repository in {const.UA_APPS, const.UA_INFRA}:
new_sr = ScanResult(sr.cve_id, sr.priority, sr.package_name,
None, None)
filtered_scan_results.append(new_sr)
else:
filtered_scan_results.append(sr)
return filtered_scan_results
def shuffled_scan_results():
return [
ScanResult(
"CVE-2020-1002", const.CRITICAL, "pkg4", "2.0.0-1+deb9u1", const.UA_INFRA
),
ScanResult("CVE-2020-1000", const.MEDIUM, "pkg4", "1.2.3-4", const.UA_APPS),
ScanResult(
"CVE-2020-1005", const.HIGH, "pkg2", "2.0.0-2", const.UBUNTU_ARCHIVE
),
ScanResult(
"CVE-2020-1002", const.CRITICAL, "pkg6", "2.0.0-1+deb9u1", const.UA_APPS
),
ScanResult("CVE-2020-1001", const.MEDIUM, "pkg4", None, None),
ScanResult(
"CVE-2020-10000", const.UNTRIAGED, "pkg7", "2.2.19-1", const.UA_APPS
),
ScanResult(
"CVE-2020-1002", const.CRITICAL, "pkg3", "2.0.0-1+deb9u1", const.UA_APPS
),
ScanResult("CVE-2020-1003", const.NEGLIGIBLE, "pkg5", None, None),
ScanResult("CVE-2020-2000", const.LOW, "pkg1", "1.0.0-2", const.UBUNTU_ARCHIVE),
]
def _scan_for_single_cve(self, cve_id, uct_record, codename, installed_pkgs):
affected_cves = list()
for src_pkg_details in uct_record["releases"][codename].values():
if src_pkg_details["status"][0] in {"DNE", "not-affected"}:
continue
# TODO: This is a temporary measure. The entire JSON should be
# validated prior to scanning. The "binaries" key should
# not be missing.
if "binaries" not in src_pkg_details.keys():
continue
installed_binaries = [
(b, installed_pkgs[b])
for b in src_pkg_details["binaries"]
if b in installed_pkgs
]
vulnerable_binaries = self._find_vulnerable_binaries(
src_pkg_details, installed_binaries
)
for vb in vulnerable_binaries:
repo = vb[2]
# TODO: This is a hack to work around the fact that the UA
# product names (presentation layer) are provided by the
# JSON database (data layer). Fix the root cause of this
# issue instead of working around it like this.
if repo == "UA Apps":
repo = const.UA_APPS
elif repo == "UA Infra":
repo = const.UA_INFRA
affected_cves.append(
ScanResult(cve_id, uct_record["priority"], vb[0], vb[1], repo)
)
return affected_cves
def misc_scan_results():
return [
ScanResult("CVE-2020-1000", "low", "pkg3", None, None),
ScanResult(
"CVE-2020-1001",
"high",
"pkg1",
"1:1.2.3-4+deb9u2ubuntu0.2",
const.UBUNTU_ARCHIVE,
),
ScanResult(
"CVE-2020-1001",
"high",
"pkg2",
"1:1.2.3-4+deb9u2ubuntu0.2",
const.UBUNTU_ARCHIVE,
),
ScanResult(
"CVE-2020-1002", "low", "pkg4", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS
),
ScanResult(
"CVE-2020-1002", "low", "pkg5", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS
),
ScanResult(
"CVE-2020-1002", "low", "pkg6", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS
),
ScanResult("CVE-2020-1003", "medium", "pkg4", None, None),
ScanResult("CVE-2020-1003", "medium", "pkg5", None, None),
ScanResult("CVE-2020-1003", "medium", "pkg6", None, None),
ScanResult("CVE-2020-1004", "medium", "pkg7", None, None),
ScanResult("CVE-2020-1005", "low", "pkg1", "1:1.2.3-4+deb9u3", const.UA_APPS),
ScanResult("CVE-2020-1005", "low", "pkg2", "1:1.2.3-4+deb9u3", const.UA_APPS),
ScanResult("CVE-2020-1005", "low", "pkg3", "10.2.3-2ubuntu0.1", const.UA_INFRA),
ScanResult("CVE-2020-1006", "untriaged", "pkg5", None, None),
ScanResult("CVE-2020-1007", "critical", "pkg4", None, None),
ScanResult("CVE-2020-1008", "negligible", "pkg1", None, None),
ScanResult("CVE-2020-1009", "low", "pkg2", "1:1.2.3-4+deb9u3", const.UA_APPS),
ScanResult("CVE-2020-1010", "low", "pkg3", "10.2.3-2ubuntu0.1", const.UA_INFRA),
ScanResult(
"CVE-2020-1011", "low", "pkg3", "10.2.3-2ubuntu0.1", "INVALID_ARCHIVE"
),
]
def test_whole_uct_json_file(default_cve_scanner, uct_data,
default_installed_pkgs):
expected_results = [
ScanResult("CVE-2020-1000", "low", "pkg3", None, None),
ScanResult(
"CVE-2020-1001",
"high",
"pkg1",
"1:1.2.3-4+deb9u2ubuntu0.2",
const.UBUNTU_ARCHIVE,
),
ScanResult(
"CVE-2020-1001",
"high",
"pkg2",
"1:1.2.3-4+deb9u2ubuntu0.2",
const.UBUNTU_ARCHIVE,
),
ScanResult("CVE-2020-1002", "low", "pkg4", "2.0.0+dfsg-1ubuntu1.1",
const.UA_APPS),
ScanResult("CVE-2020-1002", "low", "pkg5", "2.0.0+dfsg-1ubuntu1.1",
const.UA_APPS),
ScanResult("CVE-2020-1002", "low", "pkg6", "2.0.0+dfsg-1ubuntu1.1",
const.UA_APPS),
ScanResult("CVE-2020-1003", "medium", "pkg4", None, None),
ScanResult("CVE-2020-1003", "medium", "pkg5", None, None),
ScanResult("CVE-2020-1003", "medium", "pkg6", None, None),
ScanResult("CVE-2020-1004", "medium", "pkg7", None, None),
ScanResult("CVE-2020-1005", "low", "pkg1", "1:1.2.3-4+deb9u3",
const.UA_APPS),
ScanResult("CVE-2020-1005", "low", "pkg2", "1:1.2.3-4+deb9u3",
const.UA_APPS),
ScanResult("CVE-2020-1005", "low", "pkg3", "10.2.3-2ubuntu0.1",
const.UA_INFRA),
]
results = default_cve_scanner.scan("bionic", uct_data,
default_installed_pkgs)
assert results == expected_results
