def setUp(self): time.sleep = MagicMock() # pylint: disable=protected-access Checkmarx._fetch_project_id.cache_clear() with patch.object(url_opener.UrlOpener, 'url_read', return_value='{"access_token": "abc123"}'): self.__report = Checkmarx('http://url', 'username', 'password')
def test_issue(self): """ Test if issue is created correctly. """ issue = Checkmarx.Issue('a_group', 'the_name', 'http://url', 3, 'New') self.assertEqual('a group', issue.group) self.assertEqual('the name', issue.title) self.assertEqual('http://url', issue.display_url) self.assertEqual(3, issue.count) self.assertEqual('New', issue.status)
def test_checkmarx_init_http_error(self, mock_url_read, mock_error): """ Test initialization of checkmarx when http error occures. """ mock_url_read.side_effect = urllib.error.HTTPError('raise', None, None, None, None) marx = Checkmarx(url='http://url', username='******', password='******') # nosec self.assertIsNotNone(marx) mock_url_read.assert_called_once_with( 'http://url/cxrestapi/auth/identity/connect/token', post_body=b'username=un&password=pwd&scope=sast_rest_api&grant_type=password&' b'client_id=resource_owner_client&client_secret=014DF517-39D1-4453-B7B3-9930C563627C') mock_error.assert_called_once_with("HTTP error during the retrieving of access token!")
def test_checkmarx_init_no_ssl(self, mock_url_read, mock_create_unverified_context): """ Test that initialization of checkmarx goes correctly without ssl. """ # pylint: disable=protected-access delattr(ssl, '_create_unverified_context') mock_url_read.return_value = '{"access_token": "abc123"}' marx = Checkmarx(url='http://url', username='******', password='******') # nosec self.assertIsNotNone(marx) self.assertFalse(hasattr(ssl, '_create_unverified_context')) self.assertTrue(hasattr(ssl, '_create_default_https_context')) mock_create_unverified_context.assert_not_called()
def test_checkmarx_init(self, mock_url_read, mock_error): """ Test that initialization of checkmarx goes correctly. """ mock_url_read.return_value = '{"access_token": "abc123"}' marx = Checkmarx(url='http://url', username='******', password='******') # nosec self.assertIsNotNone(marx) mock_url_read.assert_called_once_with( 'http://url/cxrestapi/auth/identity/connect/token', post_body=b'username=un&password=pwd&scope=sast_rest_api&grant_type=password&' b'client_id=resource_owner_client&client_secret=014DF517-39D1-4453-B7B3-9930C563627C') mock_error.assert_not_called()
def test_checkmarx_init_invalid_jon_error(self, mock_url_read, mock_error): """ Test initialization of checkmarx with invalid json response. """ mock_url_read.return_value = 'non-json' marx = Checkmarx(url='http://url', username='******', password='******') # nosec self.assertIsNotNone(marx) mock_url_read.assert_called_once_with( 'http://url/cxrestapi/auth/identity/connect/token', post_body=b'username=un&password=pwd&scope=sast_rest_api&grant_type=password&' b'client_id=resource_owner_client&client_secret=014DF517-39D1-4453-B7B3-9930C563627C') self.assertEqual(mock_error.call_args[0][0], "Couldn't load access token from json: %s.") self.assertIsInstance(mock_error.call_args[0][1], ValueError)
def test_checkmarx_init_key_missing_error(self, mock_url_read, mock_error): """ Test initialization of checkmarx with invalid json response. """ # pylint: disable=protected-access mock_url_read.return_value = '{}' marx = Checkmarx(url='http://url', username='******', password='******') # nosec self.assertIsNotNone(marx) mock_url_read.assert_called_once_with( 'http://url/cxrestapi/auth/identity/connect/token', post_body=b'username=un&password=pwd&scope=sast_rest_api&grant_type=password&' b'client_id=resource_owner_client&client_secret=014DF517-39D1-4453-B7B3-9930C563627C') self.assertEqual(mock_error.call_args[0][0], "Couldn't load access token from json: %s.") self.assertIsInstance(mock_error.call_args[0][1], KeyError) self.assertEqual(ssl._create_default_https_context, ssl._create_unverified_context)
def setUp(self): self.__opener = FakeUrlOpener() self.__report = Checkmarx('http://url', 'username', 'password', url_open=self.__opener)
class CheckmarxTest(unittest.TestCase): """ Unit tests for the Checkmarx class. """ def setUp(self): self.__opener = FakeUrlOpener() self.__report = Checkmarx('http://url', 'username', 'password', url_open=self.__opener) def test_high_risk_warnings(self): """ Test the number of high risk warnings. """ self.assertEqual(0, self.__report.nr_warnings(['id'], 'high')) def test_medium_risk_warnins(self): """ Test the number of medium risk warnings. """ self.assertEqual(1, self.__report.nr_warnings(['id'], 'medium')) def test_passed_raise(self): """ Test that the value is -1 when the report can't be opened. """ self.assertEqual(-1, self.__report.nr_warnings(['raise'], 'high')) def test_multiple_urls(self): """ Test the number of alerts for multiple urls. """ self.assertEqual(2, self.__report.nr_warnings(['id1', 'id2'], 'medium')) def test_metric_source_urls_without_report(self): """ Test the metric source urls without metric ids. """ self.assertEqual([], self.__report.metric_source_urls()) def test_metric_source_urls(self): """ Test the metric source urls with one metric id. """ self.assertEqual([], self.__report.metric_source_urls('id')) def test_metric_source_urls_on_error(self): """ Test the metric source urls when an error occurs. """ self.assertEqual(["http://url/"], self.__report.metric_source_urls('raise')) def test_url(self): """ Test the metric source base url. """ self.assertEqual("http://url/", self.__report.url()) def test_datetime(self): """ Test the date and time of the report. """ self.assertEqual(datetime.datetime(2017, 9, 20, 0, 43, 35), self.__report.datetime('id')) def test_datetime_missing(self): """ Test a missing date and time of the report. """ self.__opener.json = '{}' self.assertEqual(datetime.datetime.min, self.__report.datetime('id')) def test_datetime_when_code_unchanged(self): """ Test that the date and time of the report is the date and time of the last check when code is unchanged. """ self.__opener.json = '{"value": [{"LastScan": {"ScanCompletedOn": "2017-09-20T00:43:35.73+01:00", ' \ '"Comment": "Attempt to perform scan on 9/26/2017 12:30:24 PM - No code changes ' \ 'were detected; "}}]}' self.assertEqual(datetime.datetime(2017, 9, 26, 12, 30, 24), self.__report.datetime('id')) def test_datetime_when_code_unchanged_multiple_times(self): """ Test that the date and time of the report is the date and time of the last check when code is unchanged. """ self.__opener.json = '{"value": [{"LastScan": {"ScanCompletedOn": "2017-09-20T00:43:35.73+01:00", ' \ '"Comment": "Attempt to perform scan on 9/26/2017 12:30:24 PM - No code changes ' \ 'were detected; Attempt to perform scan on 9/27/2017 12:30:24 PM - No code changes ' \ 'were detected; "}}]}' self.assertEqual(datetime.datetime(2017, 9, 27, 12, 30, 24), self.__report.datetime('id')) def test_datetime_when_some_checks_have_no_date(self): """ Test that the date and time of the report is the date and time of the last check when code is unchanged. """ self.__opener.json = '{"value": [{"LastScan": {"ScanCompletedOn": "2016-12-14T00:01:30.737+01:00", ' \ '"Comment": "Attempt to perform scan on 2/13/2017 8:00:06 PM - No code changes were ' \ 'detected; No code changes were detected No code changes were detected"}}]}' self.assertEqual(datetime.datetime(2017, 2, 13, 20, 0, 6), self.__report.datetime('id')) def test_nr_warnings_on_missing_values(self): """ Test dealing with empty list of values. """ self.__opener.json = '{"value": []}' self.assertEqual(-1, self.__report.nr_warnings(['id'], 'medium')) def test_datetime_on_missing_values(self): """ Test dealing with empty list of values. """ self.__opener.json = '{"value": []}' self.assertEqual(datetime.datetime.min, self.__report.datetime('id')) def test_datetime_on_url_exception(self): """ Test dealing with empty list of values. """ self.__opener.json = '{"value": []}' self.assertEqual(datetime.datetime.min, self.__report.datetime('raise'))
class CheckmarxTest(unittest.TestCase): """ Unit tests for the Checkmarx class. """ # pylint: disable=too-many-public-methods def setUp(self): time.sleep = MagicMock() # pylint: disable=protected-access Checkmarx._fetch_project_id.cache_clear() with patch.object(url_opener.UrlOpener, 'url_read', return_value='{"access_token": "abc123"}'): self.__report = Checkmarx('http://url', 'username', 'password') def test_high_risk_warnings(self, mock_url_read): """ Test the number of high risk warnings. """ mock_url_read.side_effect = [PROJECTS, LAST_SCAN, STATISTICS] self.assertEqual( 4, self.__report.nr_warnings(['metric_source_id'], 'high')) self.assertEqual(mock_url_read.call_args_list[0][0][0], 'http://url/CxRestAPI/projects') self.assertEqual( mock_url_read.call_args_list[1][0][0], 'http://url/CxRestAPI/sast/scans?projectId=11&last=1') self.assertEqual( mock_url_read.call_args_list[2][0][0], 'http://url/CxRestAPI/sast/scans/10111/resultsStatistics') @patch.object(logging, 'error') def test_nr_warnings_no_project(self, mock_error, mock_url_read): """ Test the number of high risk warnings. """ mock_url_read.return_value = PROJECTS self.assertEqual( -1, self.__report.nr_warnings(['unknown_proj_id'], 'high')) mock_error.assert_called_once_with( "Error: no project id found for project with name '%s'.", 'unknown_proj_id') def test_obtain_issues(self, mock_url_read): """ Test that issues are correctly obtained. """ mock_url_read.side_effect = [ PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', SAST_REPORT.format(false_positive=False, severity='High') ] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertIsInstance(issues[0], Checkmarx.Issue) self.assertEqual('JScript Vulnerabilities', issues[0].group) self.assertEqual('Reflected XSS', issues[0].title) self.assertEqual( 'http://url/CxWebClient/ScanQueryDescription.aspx?queryID=789&' 'queryVersionCode=842956&queryTitle=Reflected_XSS', issues[0].display_url) self.assertEqual(1, issues[0].count) self.assertEqual("Recurrent", issues[0].status) self.assertEqual(mock_url_read.call_args_list[0][0][0], 'http://url/CxRestAPI/projects') self.assertEqual( mock_url_read.call_args_list[1][0][0], 'http://url/CxRestAPI/sast/scans?projectId=11&last=1') self.assertEqual(mock_url_read.call_args_list[2][0][0], 'http://url/CxRestAPI/reports/sastScan') self.assertEqual(mock_url_read.call_args_list[3][0][0], 'http://url/CxRestAPI/reports/sastScan/22/status') self.assertEqual(mock_url_read.call_args_list[4][0][0], 'http://url/CxRestAPI/reports/sastScan/22') @patch.object(logging, 'error') def test_obtain_issues_xml_error(self, mock_error, mock_url_read): """ Test that issues are correctly obtained. """ mock_url_read.side_effect = \ [PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', 'not-an-xml'] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) self.assertEqual(mock_error.call_args[0][0], "Error in checkmarx report xml: %s.") self.assertIsInstance(mock_error.call_args[0][1], xml.etree.ElementTree.ParseError) @patch.object(logging, 'error') def test_obtain_issue_ssast_report_not_created(self, mock_error, mock_url_read): """ Test that issues are correctly obtained. """ mock_url_read.side_effect = [PROJECTS, LAST_SCAN, '{"reportId": 22}'] + \ ['{"status": {"value": "InProgress"}}'] * 10 self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) mock_error.assert_called_once_with( "SAST report is not created on the Checkmarx server!") @patch.object(logging, 'error') def test_obtain_issues_xml_tag_error(self, mock_error, mock_url_read): """ Test that issues are correctly obtained. """ mock_url_read.side_effect = [ PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', '<CxXMLResults><Query /></CxXMLResults>' ] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) self.assertEqual(mock_error.call_args[0][0], "Tag %s could not be found.") self.assertIsInstance(mock_error.call_args[0][1], KeyError) def test_obtain_issues_exclude_false_positives(self, mock_url_read): """ Test that issues are omitted when false positive. """ mock_url_read.side_effect = [ PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', SAST_REPORT.format(false_positive=True, severity='High') ] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) def test_obtain_issues_exclude_wrong_severity(self, mock_url_read): """ Test that issues are omitted when severity does not match. """ mock_url_read.side_effect = [ PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', SAST_REPORT.format(false_positive=False, severity='Low') ] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) def test_obtain_issues_no_query(self, mock_url_read): """ Test that issues are omitted when there is no query. """ mock_url_read.side_effect = \ [PROJECTS, LAST_SCAN, '{"reportId": 22}', '{"status": {"value": "Created"}}', '<CxXMLResults />'] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) def test_obtain_issues_http_error(self, mock_url_read): """ Test that issues are omitted when http error occurs. """ mock_url_read.side_effect = urllib.error.HTTPError( 'raise', None, None, None, None) self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) @patch.object(logging, 'error') def test_obtain_issues_response_error(self, mock_error, mock_url_read): """ Test that issues are omitted when json error occurs. """ mock_url_read.return_value = 'non-json' self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) self.assertEqual(mock_error.call_args[0][0], "Error loading json: %s.") self.assertIsInstance(mock_error.call_args[0][1], ValueError) @patch.object(logging, 'error') def test_obtain_issues_json_error(self, mock_error, mock_url_read): """ Test that issues are omitted when json error occurs. """ mock_url_read.side_effect = [PROJECTS, '{}'] self.__report.obtain_issues(['metric_source_id'], 'high') issues = self.__report.issues() self.assertIsInstance(issues, List) self.assertEqual(len(issues), 0) self.assertEqual(mock_error.call_args[0][0], "Tag %s could not be found.") self.assertIsInstance(mock_error.call_args[0][1], KeyError) def test_medium_risk_warnings(self, mock_url_read): """ Test the number of medium risk warnings. """ mock_url_read.side_effect = [PROJECTS, LAST_SCAN, STATISTICS] self.assertEqual( 7, self.__report.nr_warnings(['metric_source_id'], 'medium')) def test_passed_raise(self, mock_url_read): """ Test that the value is -1 when the report can't be opened. """ mock_url_read.side_effect = urllib.error.HTTPError( 'raise', None, None, None, None) self.assertEqual(-1, self.__report.nr_warnings(['raise'], 'high')) mock_url_read.assert_called_once_with('http://url/CxRestAPI/projects') def test_multiple_urls(self, mock_url_read): """ Test the number of alerts for multiple urls. """ mock_url_read.side_effect = [ PROJECTS, LAST_SCAN, STATISTICS, PROJECTS, '[{"id": 202222}]', STATISTICS ] self.assertEqual( 14, self.__report.nr_warnings(['metric_source_id', 'id2'], 'medium')) self.assertEqual([ call('http://url/CxRestAPI/projects'), call('http://url/CxRestAPI/sast/scans?projectId=11&last=1'), call('http://url/CxRestAPI/sast/scans/10111/resultsStatistics'), call('http://url/CxRestAPI/projects'), call('http://url/CxRestAPI/sast/scans?projectId=22&last=1'), call('http://url/CxRestAPI/sast/scans/202222/resultsStatistics') ], mock_url_read.call_args_list) def test_metric_source_urls_without_report(self, mock_url_read): """ Test the metric source urls without metric ids. """ mock_url_read.return_value = None self.assertEqual([], self.__report.metric_source_urls()) def test_metric_source_urls(self, mock_url_read): """ Test the metric source urls with one metric id. """ mock_url_read.side_effect = [PROJECTS, LAST_SCAN] self.assertEqual([ 'http://url/CxWebClient/ViewerMain.aspx?scanId=10111&ProjectID=22' ], self.__report.metric_source_urls('id2')) @patch.object(logging, 'error') def test_metric_source_urls_key_error(self, mock_error, mock_url_read): """ Test the metric source urls with empty scan response.. """ mock_url_read.side_effect = [PROJECTS, '{}'] self.assertEqual(["http://url/"], self.__report.metric_source_urls('id2')) self.assertEqual(mock_error.call_args_list[0][0][0], "Couldn't load values from json: %s - %s") self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertIsInstance(mock_error.call_args_list[0][0][2], KeyError) @patch.object(logging, 'error') def test_metric_source_urls_index_error(self, mock_error, mock_url_read): """ Test the metric source urls with empty scan response.. """ mock_url_read.side_effect = [PROJECTS, '[]'] self.assertEqual(["http://url/"], self.__report.metric_source_urls('id2')) self.assertEqual(mock_error.call_args_list[0][0][0], "Couldn't load values from json: %s - %s") self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertIsInstance(mock_error.call_args_list[0][0][2], IndexError) def test_metric_source_urls_on_error(self, mock_url_read): """ Test the metric source urls when an error occurs. """ mock_url_read.side_effect = [ PROJECTS, urllib.error.HTTPError(None, None, None, None, None) ] self.assertEqual(["http://url/"], self.__report.metric_source_urls('id2')) self.assertEqual([ call('http://url/CxRestAPI/projects'), call('http://url/CxRestAPI/sast/scans?projectId=22&last=1') ], mock_url_read.call_args_list) def test_url(self, mock_url_read): """ Test the metric source base url. """ mock_url_read.return_value = LAST_SCAN self.assertEqual("http://url/", self.__report.url()) def test_datetime(self, mock_url_read): """ Test the date and time of the report. """ mock_url_read.side_effect = [PROJECTS, LAST_SCAN] self.assertEqual(datetime.datetime(2017, 10, 24, 20, 0, 47), self.__report.datetime('id2')) self.assertEqual([ call('http://url/CxRestAPI/projects'), call('http://url/CxRestAPI/sast/scans?projectId=22&last=1') ], mock_url_read.call_args_list) def test_datetime_http_error(self, mock_url_read): """ Test the date and time of the report. """ mock_url_read.side_effect = [ PROJECTS, urllib.error.HTTPError(None, None, None, None, None) ] self.assertEqual(datetime.datetime.min, self.__report.datetime('id2')) self.assertEqual([ call('http://url/CxRestAPI/projects'), call('http://url/CxRestAPI/sast/scans?projectId=22&last=1') ], mock_url_read.call_args_list) @patch.object(logging, 'error') def test_datetime_missing(self, mock_error, mock_url_read): """ Test a missing date and time of the report. """ mock_url_read.side_effect = [PROJECTS, '[{"id": 202222}]'] self.assertEqual(datetime.datetime.min, self.__report.datetime('id2')) self.assertEqual( mock_error.call_args_list[0][0][0], "Couldn't parse date and time for project %s from %s: %s") self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertEqual(mock_error.call_args_list[0][0][2], 'http://url/') self.assertIsInstance(mock_error.call_args_list[0][0][3], KeyError) @patch.object(logging, 'error') def test_datetime_empty_scan(self, mock_error, mock_url_read): """ Test a missing scan data. """ mock_url_read.side_effect = [PROJECTS, '[]'] self.assertEqual(datetime.datetime.min, self.__report.datetime('id2')) self.assertEqual( mock_error.call_args_list[0][0][0], "Couldn't parse date and time for project %s from %s: %s") self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertEqual(mock_error.call_args_list[0][0][2], 'http://url/') self.assertIsInstance(mock_error.call_args_list[0][0][3], IndexError) @patch.object(logging, 'error') def test_datetime_format_error(self, mock_error, mock_url_read): """ Test a invalid date and time of the report. """ mock_url_read.side_effect = [ PROJECTS, '[{"id": 3, "dateAndTime": {"finishedOn": "2017-40-24T20:00:47.553"}}]' ] self.assertEqual(datetime.datetime.min, self.__report.datetime('id2')) self.assertEqual( mock_error.call_args_list[0][0][0], "Couldn't parse date and time for project %s from %s: %s") self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertEqual(mock_error.call_args_list[0][0][2], 'http://url/') self.assertIsInstance(mock_error.call_args_list[0][0][3], ValueError) @patch.object(logging, 'error') def test_nr_warnings_on_missing_values(self, mock_error, mock_url_read): """ Test dealing with empty list of values. """ mock_url_read.side_effect = [PROJECTS, '{}'] self.assertEqual(-1, self.__report.nr_warnings(['id2'], 'medium')) self.assertEqual( mock_error.call_args_list[0][0][0], "Couldn't parse alerts for project %s with %s risk level from %s: %s" ) self.assertEqual(mock_error.call_args_list[0][0][1], 'id2') self.assertEqual(mock_error.call_args_list[0][0][2], 'medium') self.assertEqual(mock_error.call_args_list[0][0][3], 'http://url/') self.assertIsInstance(mock_error.call_args_list[0][0][4], KeyError)