def test_confusing_ranges(self):
vuln = Vulnerability(id=1, title="Some Plugin 1.5 - XSS")
vuln.affected_versions.append(VersionRange(introduced_in="1.2"))
vuln.affected_versions.append(VersionRange(fixed_in="1.3"))
vuln.clean()
self.importer.apply_data(vuln, {
"title": "Some Plugin 1.5 - XSS",
})
self.assertFalse(vuln.dirty)
self.assertNotIn(VersionRange(introduced_in="1.5"),
vuln.affected_versions)
def test_test_collect_wordpress_vulnerabilities(self):
self.importer.manager.filter_for_version = MagicMock()
self.importer.manager.filter_for_version.return_value = [
Vulnerability(id="1121"),
Vulnerability(id="9920"),
Vulnerability(id="1231"),
]
obtained = self.importer.dump_wordpress_vulnerabilities_for_version(
"some input data", "2.1")
self.assertEqual(["1121", "9920", "1231"], [x["id"] for x in obtained])
self.importer.manager.filter_for_version.assert_called_with(
"2.1", "some input data")
def test_no_version_data_is_no_data(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"title": "Some Plugin - XSS",
})
self.assertEqual(vuln.affected_versions, [])
def test_apply_check_exploitdb_as_int(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"exploitdb": 12345,
})
self.assertEqual(vuln.references[0].type, "exploitdb")
self.assertEqual(vuln.references[0].id, "12345")
def test_apply_dates(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(
vuln, {
"created_at": "2014-08-01T10:58:35.000Z",
"updated_at": "2014-08-01T11:58:35.000Z",
})
self.assertEqual(
vuln.created_at,
datetime(year=2014,
month=8,
day=1,
hour=10,
minute=58,
second=35,
microsecond=0))
self.assertEqual(
vuln.updated_at,
datetime(year=2014,
month=8,
day=1,
hour=11,
minute=58,
second=35,
microsecond=0))
self.assertTrue(vuln.dirty)
def test_vuln_type(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"vuln_type": "LFI",
})
self.assertEqual(vuln.reported_type, 'LFI')
self.assertTrue(vuln.dirty)
def test_apply_check_metaspoit(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"metasploit": ["exploit/unix/webapp/php_wordpress_optimizepress"],
})
self.assertEqual(vuln.references[0].type, "metasploit")
self.assertEqual(vuln.references[0].id,
"exploit/unix/webapp/php_wordpress_optimizepress")
self.assertTrue(vuln.dirty)
def test_dump_vulnerability_current_branch_not_fixed(self):
v = Vulnerability(id="1234",
affected_versions=[
VersionRange(fixed_in="1.7"),
VersionRange(introduced_in="2.0"),
])
self.assertEqual(
self.importer.dump_vulnerability(v, for_version="2.2"), {
"id": "1234",
})
def test_vulnerability_only_has_fixed_fixed_in(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"fixed_in": "1.2.3.4",
})
self.assertTrue(vuln.dirty)
self.assertEqual(vuln.affected_versions, [
VersionRange(fixed_in="1.2.3.4"),
])
def test_no_menttion_of_fixed_in(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"title": "Some Plugin 1.2.0.1 - XSS",
})
self.assertTrue(vuln.dirty)
self.assertEqual(vuln.affected_versions, [
VersionRange(introduced_in="1.2.0.1"),
])
def test_consider_key_as_convention(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"title": "Some Plugin - XSS",
},
key="1.4")
self.assertEqual(vuln.affected_versions, [
VersionRange(introduced_in="1.4", fixed_in="1.5"),
])
def test_dump_vulnerabilities_dates(self):
v = Vulnerability(id="1234",
created_at=datetime.now() -
timedelta(days=2, hours=3),
updated_at=datetime.now())
self.assertEqual(
self.importer.dump_vulnerability(v), {
"id": "1234",
"updated_at": "2016-08-12T10:31:22.123Z",
"created_at": "2016-08-10T07:31:22.123Z",
})
def test_title_contains_introduction_date(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"title": "Some Plugin 1.2.0 - XSS",
"fixed_in": "1.2.3.4",
})
self.assertTrue(vuln.dirty)
self.assertEqual(vuln.affected_versions, [
VersionRange(introduced_in="1.2.0", fixed_in="1.2.3.4"),
])
def test_version_was_already_present(self):
vuln = Vulnerability(id=1)
vuln.affected_versions.append(VersionRange(introduced_in="1.2"))
self.importer.apply_data(vuln, {
"title": "Some Plugin 1.2 - XSS",
})
self.assertTrue(vuln.dirty)
self.assertEqual(vuln.affected_versions, [
VersionRange(introduced_in="1.2"),
])
def test_fixed_in_has_precedence(self):
vuln = Vulnerability(id=1)
self.importer.apply_data(vuln, {
"title": "Some Plugin 1.4.1 - XSS",
"fixed_in": "1.4.2"
},
key="1.4")
self.assertEqual(vuln.affected_versions, [
VersionRange(introduced_in="1.4", fixed_in="1.4.2"),
])
def test_dump_vulnerabilities_refs(self):
v = Vulnerability(id="1234",
references=[
Reference(type="cve",
id="2015-1234",
url="https://example.com/test123"),
Reference(type="osvdb", id="12345"),
])
self.assertEqual(self.importer.dump_vulnerability(v), {
"id": "1234",
"cve": ["2015-1234"],
"osvdb": ["12345"],
})
def test_dump_vulnerability_pick_highest_when_nothing_relative_specified_with_closed_range(
self):
v = Vulnerability(id="1234",
title="My Description",
affected_versions=[
VersionRange(introduced_in="2.0",
fixed_in="2.4"),
VersionRange(introduced_in="3.0",
fixed_in="3.3"),
])
self.assertEqual(self.importer.dump_vulnerability(v), {
"id": "1234",
"title": "My Description (2.0+)",
"fixed_in": "3.3",
})
def test_dump_vulnerabilities_urls(self):
v = Vulnerability(id="1234",
references=[
Reference(type="other",
url="https://example.com/test123"),
Reference(type="other",
url="https://example.com/test456"),
])
self.assertEqual(
self.importer.dump_vulnerability(v), {
"id":
"1234",
"url":
["https://example.com/test123", "https://example.com/test456"],
})
def test_dump_vulnerability_finds_appropriate_fixed_in(self):
v = Vulnerability(id="1234",
title="My Description",
affected_versions=[
VersionRange(fixed_in="1.7"),
VersionRange(introduced_in="2.0",
fixed_in="2.4"),
VersionRange(introduced_in="3.0",
fixed_in="3.3"),
])
dumped = self.importer.dump_vulnerability(v, for_version="2.2")
self.assertEqual(dumped, {
"id": "1234",
"title": "My Description (2.0+)",
"fixed_in": "2.4",
})
def test_dump_vulnerabilities_basic(self):
v = Vulnerability(id="1234", title="Hello World")
self.assertEqual(self.importer.dump_vulnerability(v), {
"id": "1234",
"title": "Hello World",
})
def test_dump_vulnerability_no_appropriate_fix(self):
v = Vulnerability(id="1234")
self.assertEqual(
self.importer.dump_vulnerability(v, for_version="2.2"), {
"id": "1234",
})
def test_reference_matches_by_url(self):
refs = [Reference(type="test", url="1234")]
self.assertTrue(
Vulnerability(id="1234", references=refs).matches(
match_reference=Reference(type="test", url="1234")))
def test_no_filters(self):
self.assertTrue(Vulnerability(id="1234").matches())
def test_reference_does_not_match(self):
self.assertFalse(
Vulnerability(id="1234").matches(
match_reference=Reference(type="test", id="1234")))
def test_vuln_type(self):
v = Vulnerability(id="1234", reported_type="LFI")
self.assertEqual(self.importer.dump_vulnerability(v), {
"id": "1234",
"vuln_type": "LFI",
})
def test_reference_matches_by_id_but_not_type(self):
refs = [Reference(type="test", id="1234")]
self.assertFalse(
Vulnerability(id="1234", references=refs).matches(
match_reference=Reference(type="test2", id="1234")))
def test_vuln_cvss(self):
v = Vulnerability(id="1234", cvss=2.6)
self.assertEqual(self.importer.dump_vulnerability(v), {
"id": "1234",
"cvss": 2.6,
})