def test_number_of_new_false_positives(self):
# Add a couple of false positives to database as new issues,
# and check that the they're counted properly
issue = {'scenario_id': '1',
'timestamp': datetime.datetime.utcnow(),
'test_runner_host': 'localhost',
'url': 'url',
'severity': 'severity',
'issuetype': 'issuetype',
'issuename': 'issuename',
'issuedetail': 'issuedetail',
'confidence': 'confidence',
'host': 'host',
'port': 'port',
'protocol': 'protocol',
'messages': 'messagejson'}
# Add one, expect count to be 1
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.number_of_new_in_database(self.context),
1, "After adding one, expect one finding in database")
# Add a second one, expect count to be 2
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.number_of_new_in_database(self.context),
2, "After adding two, expect two findings in db")
def test_number_of_new_false_positives(self):
# Add a couple of false positives to database as new issues,
# and check that the they're counted properly
issue = {
'scenario_id': '1',
'timestamp': datetime.datetime.utcnow(),
'test_runner_host': 'localhost',
'url': 'url',
'severity': 'severity',
'issuetype': 'issuetype',
'issuename': 'issuename',
'issuedetail': 'issuedetail',
'confidence': 'confidence',
'host': 'host',
'port': 'port',
'protocol': 'protocol',
'messages': 'messagejson'
}
# Add one, expect count to be 1
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.number_of_new_in_database(self.context), 1,
"After adding one, expect one finding in database")
# Add a second one, expect count to be 2
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.number_of_new_in_database(self.context), 2,
"After adding two, expect two findings in db")
def test_add_false_positive(self):
# Add a false positive to database and check that all fields
# get populated and can be compared back originals
issue = {
'scenario_id': '1',
'url': 'testurl',
'severity': 'testseverity',
'issuetype': 'testissuetype',
'issuename': 'testissuename',
'issuedetail': 'testissuedetail',
'confidence': 'testconfidence',
'host': 'testhost',
'port': 'testport',
'protocol': 'testprotocol',
'messages': '{foo=bar}'
}
dbtools.add_false_positive(self.context, issue)
# Connect directly to the database and check the data is there
db_engine = sqlalchemy.create_engine(self.context.dburl)
dbconn = db_engine.connect()
db_metadata = sqlalchemy.MetaData()
headlessscanner_issues = Table(
'headlessscanner_issues',
db_metadata,
Column('new_issue', types.Boolean),
Column('issue_no', types.Integer, primary_key=True,
nullable=False), # Implicit autoincrement
Column('timestamp', types.DateTime(timezone=True)),
Column('test_runner_host', types.Text),
Column('scenario_id', types.Text),
Column('url', types.Text),
Column('severity', types.Text),
Column('issuetype', types.Text),
Column('issuename', types.Text),
Column('issuedetail', types.Text),
Column('confidence', types.Text),
Column('host', types.Text),
Column('port', types.Text),
Column('protocol', types.Text),
Column('messages', types.LargeBinary))
db_select = sqlalchemy.sql.select([headlessscanner_issues])
db_result = dbconn.execute(db_select)
result = db_result.fetchone()
for key, value in issue.iteritems():
if key == 'messages':
self.assertEqual(result[key], json.dumps(value))
else:
self.assertEqual(result[key], value,
'%s not found in database after add' % key)
self.assertEqual(result['test_runner_host'],
socket.gethostbyname(socket.getfqdn()),
'Test runner host name not correct in database')
self.assertLessEqual(result['timestamp'], datetime.datetime.utcnow(),
'Timestamp not correctly stored in database')
dbconn.close()
def test_add_false_positive(self):
# Add a false positive to database and check that all fields
# get populated and can be compared back originals
issue = {'scenario_id': '1',
'url': 'testurl',
'severity': 'testseverity',
'issuetype': 'testissuetype',
'issuename': 'testissuename',
'issuedetail': 'testissuedetail',
'confidence': 'testconfidence',
'host': 'testhost',
'port': 'testport',
'protocol': 'testprotocol',
'messages': '{foo=bar}'}
dbtools.add_false_positive(self.context, issue)
# Connect directly to the database and check the data is there
db_engine = sqlalchemy.create_engine(self.context.dburl)
dbconn = db_engine.connect()
db_metadata = sqlalchemy.MetaData()
headlessscanner_issues = Table(
'headlessscanner_issues',
db_metadata,
Column('new_issue', types.Boolean),
Column('issue_no', types.Integer, primary_key=True, nullable=False), # Implicit autoincrement
Column('timestamp', types.DateTime(timezone=True)),
Column('test_runner_host', types.Text),
Column('scenario_id', types.Text),
Column('url', types.Text),
Column('severity', types.Text),
Column('issuetype', types.Text),
Column('issuename', types.Text),
Column('issuedetail', types.Text),
Column('confidence', types.Text),
Column('host', types.Text),
Column('port', types.Text),
Column('protocol', types.Text),
Column('messages', types.LargeBinary)
)
db_select = sqlalchemy.sql.select([headlessscanner_issues])
db_result = dbconn.execute(db_select)
result = db_result.fetchone()
for key, value in issue.iteritems():
if key == 'messages':
self.assertEqual(result[key], json.dumps(value))
else:
self.assertEqual(result[key], value,
'%s not found in database after add' % key)
self.assertEqual(result['test_runner_host'], socket.gethostbyname(socket.getfqdn()),
'Test runner host name not correct in database')
self.assertLessEqual(result['timestamp'], datetime.datetime.utcnow(),
'Timestamp not correctly stored in database')
dbconn.close()
def step_impl(context):
"""Check whether the findings reported by Burp have already been found earlier"""
scanissues = context.results
# Go through each issue, and add issues that aren't in the database
# into the database. If we've found new issues, assert False.
new_items = 0
for issue in scanissues:
issue['scenario_id'] = context.scenario_id
if scandb.known_false_positive(context, issue) is False:
new_items += 1
scandb.add_false_positive(context, issue)
unprocessed_items = scandb.number_of_new_in_database(context)
if unprocessed_items > 0:
assert False, "Unprocessed findings in database. %s new issue(s), total %s issue(s)." % (new_items, unprocessed_items)
assert True
def step_impl(context):
"""Check whether the findings reported by Burp have already been found earlier"""
scanissues = context.results
# Go through each issue, and add issues that aren't in the database
# into the database. If we've found new issues, assert False.
new_items = 0
for issue in scanissues:
issue['scenario_id'] = context.scenario_id
if scandb.known_false_positive(context, issue) is False:
new_items += 1
scandb.add_false_positive(context, issue)
unprocessed_items = scandb.number_of_new_in_database(context)
if unprocessed_items > 0:
assert False, "Unprocessed findings in database. %s new issue(s), total %s issue(s)." % (
new_items, unprocessed_items)
assert True
def test_false_positive_detection(self):
# Test whether false positives in database are identified properly
issue = {'scenario_id': '1',
'timestamp': datetime.datetime.utcnow(),
'test_runner_host': 'localhost',
'url': 'url',
'severity': 'severity',
'issuetype': 'issuetype',
'issuename': 'issuename',
'issuedetail': 'issuedetail',
'confidence': 'confidence',
'host': 'host',
'port': 'port',
'protocol': 'protocol',
'messages': 'messagejson'}
# First add one false positive and try checking against it
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.known_false_positive(self.context,
issue),
True, "Duplicate false positive not detected")
# Change one of the differentiating fields, and test, and
# add the tested one to the database.
issue['scenario_id'] = '2' # Non-duplicate
self.assertEqual(dbtools.known_false_positive(self.context,
issue),
False, "Not a duplicate: scenario_id different")
dbtools.add_false_positive(self.context, issue)
# Repeat for all the differentiating fields
issue['url'] = 'another url'
self.assertEqual(dbtools.known_false_positive(self.context,
issue),
False, "Not a duplicate: url different")
dbtools.add_false_positive(self.context, issue)
issue['issuetype'] = 'foo'
self.assertEqual(dbtools.known_false_positive(self.context,
issue),
False, "Not a duplicate: issuetype different")
dbtools.add_false_positive(self.context, issue)
# Finally, test the last one again twice, now it ought to be
# reported back as a duplicate
self.assertEqual(dbtools.known_false_positive(self.context,
issue),
True, "A duplicate case not detected")
def test_false_positive_detection(self):
# Test whether false positives in database are identified properly
issue = {
'scenario_id': '1',
'timestamp': datetime.datetime.utcnow(),
'test_runner_host': 'localhost',
'url': 'url',
'severity': 'severity',
'issuetype': 'issuetype',
'issuename': 'issuename',
'issuedetail': 'issuedetail',
'confidence': 'confidence',
'host': 'host',
'port': 'port',
'protocol': 'protocol',
'messages': 'messagejson'
}
# First add one false positive and try checking against it
dbtools.add_false_positive(self.context, issue)
self.assertEqual(dbtools.known_false_positive(self.context, issue),
True, "Duplicate false positive not detected")
# Change one of the differentiating fields, and test, and
# add the tested one to the database.
issue['scenario_id'] = '2' # Non-duplicate
self.assertEqual(dbtools.known_false_positive(self.context, issue),
False, "Not a duplicate: scenario_id different")
dbtools.add_false_positive(self.context, issue)
# Repeat for all the differentiating fields
issue['url'] = 'another url'
self.assertEqual(dbtools.known_false_positive(self.context, issue),
False, "Not a duplicate: url different")
dbtools.add_false_positive(self.context, issue)
issue['issuetype'] = 'foo'
self.assertEqual(dbtools.known_false_positive(self.context, issue),
False, "Not a duplicate: issuetype different")
dbtools.add_false_positive(self.context, issue)
# Finally, test the last one again twice, now it ought to be
# reported back as a duplicate
self.assertEqual(dbtools.known_false_positive(self.context, issue),
True, "A duplicate case not detected")
