def test_cyclonedx_bom_report(self):
     with open("unittests/scans/cyclonedx/cyclonedx_bom.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(0, len(findings))
 def test_cyclonedx_retirejs_report(self):
     """Test a report generated by RetireJS"""
     with open("unittests/scans/cyclonedx/retirejs.latest.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(0, len(findings))
 def test_cyclonedx_1_4_jake_json(self):
     """ClyconeDX version 1.4 JSON format produced by jake 1.4.1"""
     with open("unittests/scans/cyclonedx/jake2.json") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         self.assertEqual(7, len(findings))
         for finding in findings:
             finding.clean()
             if "CVE-2021-33203" == finding.vuln_id_from_tool:
                 with self.subTest(i="CVE-2021-33203"):
                     self.assertIn(finding.severity, Finding.SEVERITIES)
                     self.assertEqual("Django:2.0.1 | CVE-2021-33203",
                                      finding.title)
                     self.assertEqual("High", finding.severity)
                     self.assertEqual("Django", finding.component_name)
                     self.assertEqual("2.0.1", finding.component_version)
                     self.assertEqual("CVE-2021-33203", finding.cve)
                     self.assertEqual(
                         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                         finding.cvssv3)
                     self.assertIn(
                         "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal",
                         finding.description,
                     )
             elif "CVE-2021-33203" == finding.vuln_id_from_tool:
                 with self.subTest(i="CVE-2021-33203"):
                     self.assertEqual("Django:2.0.1 | CVE-2018-7536",
                                      finding.title)
                     self.assertEqual("Medium", finding.severity)
                     self.assertEqual("Django", finding.component_name)
                     self.assertEqual("2.0.1", finding.component_version)
                     self.assertEqual("CVE-2018-7489", finding.cve)
                     self.assertEqual(
                         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                         finding.cvssv3)
                     self.assertIn(
                         "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19.",
                         finding.description,
                     )
                     self.assertEqual("CVE-2018-7536",
                                      finding.vuln_id_from_tool)
             elif "CVE-2018-6188" == finding.vuln_id_from_tool:
                 with self.subTest(i="CVE-2018-6188"):
                     self.assertEqual("High", finding.severity)
                     self.assertEqual("Django", finding.component_name)
                     self.assertEqual("2.0.1", finding.component_version)
                     self.assertEqual("CVE-2018-6188", finding.cve)
                     self.assertEqual(
                         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                         finding.cvssv3)
                     self.assertIn(
                         "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information",
                         finding.description,
                     )
                     self.assertEqual("CVE-2018-6188",
                                      finding.vuln_id_from_tool)
Exemple #4
0
 def test_cyclonedx_bom_report(self):
     with open("dojo/unittests/scans/cyclonedx/cyclonedx_bom.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(73, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("asteval", finding.component_name)
             self.assertEqual("0.9.23", finding.component_version)
Exemple #5
0
 def test_cyclonedx_jake_report(self):
     """Test a report generated by Jake"""
     with open("dojo/unittests/scans/cyclonedx/jake.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(204, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("yaspin", finding.component_name)
             self.assertEqual("0.16.0", finding.component_version)
 def test_cyclonedx_grype_11_report(self):
     """Test a report generated by Grype 0.11"""
     with open("dojo/unittests/scans/cyclonedx/dd_1_15_0.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(689, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("Deprecated", finding.component_name)
             self.assertEqual("1.2.12", finding.component_version)
         with self.subTest(i=5):
             finding = findings[5]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("Jinja2", finding.component_name)
             self.assertEqual("2.11.3", finding.component_version)
         with self.subTest(i=640):
             finding = findings[640]
             self.assertEqual("High", finding.severity)
             self.assertEqual("redis", finding.component_name)
             self.assertEqual("3.5.3", finding.component_version)
             self.assertEqual("CVE-2018-12326", finding.cve)
             self.assertEqual(
                 "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                 finding.cvssv3)
             self.assertIn(
                 "Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3",
                 finding.description)
             self.assertEqual("CVE-2018-12326", finding.vuln_id_from_tool)
         with self.subTest(i=641):
             finding = findings[641]
             self.assertEqual("High", finding.severity)
             self.assertEqual("redis", finding.component_name)
             self.assertEqual("3.5.3", finding.component_version)
             self.assertEqual("CVE-2018-12453", finding.cve)
             self.assertEqual(
                 "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                 finding.cvssv3)
             self.assertEqual(
                 "Type confusion in the xgroupCommand function in t_stream.c in redis-server in Redis before 5.0 allows"
                 " remote attackers to cause denial-of-service via an XGROUP command in which the key is not a stream.",
                 finding.description)
             self.assertEqual("CVE-2018-12453", finding.vuln_id_from_tool)
Exemple #7
0
 def test_cyclonedx_retirejs_report(self):
     """Test a report generated by RetireJS"""
     with open("unittests/scans/cyclonedx/retirejs.latest.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(6, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("handlebars", finding.component_name)
             self.assertEqual("3.0.0", finding.component_version)
         with self.subTest(i=5):
             finding = findings[5]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("jquery", finding.component_name)
             self.assertEqual("1.8.0", finding.component_version)
Exemple #8
0
 def test_grype_report(self):
     with open("dojo/unittests/scans/cyclonedx/grype_dd_1_14_1.xml") as file:
         parser = CycloneDXParser()
         findings = list(parser.get_findings(file, Test()))
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(619, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("Deprecated", finding.component_name)
             self.assertEqual("1.2.12", finding.component_version)
             self.assertEqual(datetime.date(2021, 4, 13), datetime.datetime.date(finding.date))
         with self.subTest(i=200):
             finding = findings[200]
             self.assertEqual("High", finding.severity)
             self.assertEqual("jira", finding.component_name)
             self.assertEqual("2.0.0", finding.component_version)
             self.assertEqual("CVE-2019-8443", finding.cve)
             self.assertEqual(datetime.date(2021, 4, 13), datetime.datetime.date(finding.date))
Exemple #9
0
 def test_spec1_report(self):
     """Test a report from the spec itself"""
     with open("unittests/scans/cyclonedx/spec1.xml") as file:
         parser = CycloneDXParser()
         findings = list(parser.get_findings(file, Test()))
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(2, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertIsNone(finding.cve)
             self.assertEqual("Info", finding.severity)
         with self.subTest(i=1):
             finding = findings[1]
             self.assertEqual("CVE-2018-7489", finding.cve)
             self.assertEqual("Critical", finding.severity)
             self.assertIn(finding.cwe, [184, 502])  # there is 2 CWE in the report
             self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3)
             self.assertEqual("jackson-databind", finding.component_name)
             self.assertEqual("2.9.9", finding.component_version)
             self.assertEqual("CVE-2018-7489", finding.vuln_id_from_tool)
 def test_cyclonedx_1_4_json(self):
     """ClyconeDX version 1.4 JSON format"""
     with open("unittests/scans/cyclonedx/valid-vulnerability-1.4.json"
               ) as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
             finding.clean()
         self.assertEqual(1, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual(
                 "jackson-databind:2.9.4 | SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111",
                 finding.title)
             self.assertEqual("Critical", finding.severity)
             self.assertEqual("jackson-databind", finding.component_name)
             self.assertEqual("2.9.4", finding.component_version)
             self.assertEqual("CVE-2018-7489", finding.cve)
             self.assertEqual(
                 "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                 finding.cvssv3)
             self.assertIn(
                 "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution",
                 finding.description,
             )
             self.assertIn(
                 "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.",
                 finding.mitigation,
             )
             self.assertIn(
                 "GitHub Commit",
                 finding.references,
             )
             self.assertIn(
                 "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2",
                 finding.references,
             )
             self.assertEqual("SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111",
                              finding.vuln_id_from_tool)
 def test_grype_report(self):
     with open("unittests/scans/cyclonedx/grype_dd_1_14_1.xml") as file:
         parser = CycloneDXParser()
         findings = list(parser.get_findings(file, Test()))
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(312, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("Django", finding.component_name)
             self.assertEqual("2.2.18", finding.component_version)
             self.assertEqual(datetime.date(2021, 4, 13),
                              datetime.datetime.date(finding.date))
         with self.subTest(i=200):
             finding = findings[200]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("libopenjp2-7", finding.component_name)
             self.assertEqual("2.3.0-2+deb10u2", finding.component_version)
             self.assertEqual("CVE-2019-6988", finding.cve)
             self.assertEqual(datetime.date(2021, 4, 13),
                              datetime.datetime.date(finding.date))
 def test_cyclonedx_grype_11_report(self):
     """Test a report generated by Grype 0.11"""
     with open("unittests/scans/cyclonedx/dd_1_15_0.xml") as file:
         parser = CycloneDXParser()
         findings = parser.get_findings(file, Test())
         for finding in findings:
             self.assertIn(finding.severity, Finding.SEVERITIES)
         self.assertEqual(381, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("apt", finding.component_name)
             self.assertEqual("1.8.2.1", finding.component_version)
         with self.subTest(i=5):
             finding = findings[5]
             self.assertEqual("Info", finding.severity)
             self.assertEqual("bind9-host", finding.component_name)
             self.assertEqual("1:9.11.5.P4+dfsg-5.1+deb10u3",
                              finding.component_version)
         with self.subTest(i=379):
             finding = findings[379]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("tar", finding.component_name)
             self.assertEqual("1.30+dfsg-6", finding.component_version)
             self.assertEqual("CVE-2019-9923", finding.cve)
             self.assertIn("urn:uuid:be0e9032-5b6b-4ce4-9be4-e5956a0309c1",
                           finding.description)
             self.assertEqual("CVE-2019-9923", finding.vuln_id_from_tool)
         with self.subTest(i=380):
             finding = findings[380]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("tar", finding.component_name)
             self.assertEqual("1.30+dfsg-6", finding.component_version)
             self.assertEqual("CVE-2021-20193", finding.cve)
             self.assertIn("urn:uuid:17a8ccee-f13b-4d9d-abfc-f3964597df9a",
                           finding.description)
             self.assertEqual("CVE-2021-20193", finding.vuln_id_from_tool)