def test_blackduck_graph():
bl_list = []
p = Package.load_from_json(serve_static_json)
assert p.save() is not None
v = Version.load_from_json(serve_static_json, package=p)
v.save()
p.create_version_edge(v)
assert p.last_updated is not None
assert v.last_updated is not None
bl_list = bl.load_from_json(input_json['analyses'])
assert len(bl_list) == 1
objBlackduck = bl.add_blackduck_issue(bl_list[0])
v.add_blackduck_cve_edge(objBlackduck.id)
bl_criteria = {'vulnerability_name': 'CVE-2015-1164'}
obj_fetch = SecurityDetails.find_by_criteria('CVE', bl_criteria)
assert obj_fetch.last_updated == objBlackduck.last_updated
SecurityDetails.delete_by_id(obj_fetch.id)
Version.delete_by_id(v.id)
Package.delete_by_id(p.id)
def add_blackduck_issue(issue):
blcve_criteria = {'cve_id': issue['vulnerabilityName']}
obj_returned = SecurityDetails.find_by_criteria('CVE', blcve_criteria)
if obj_returned is None:
obj_returned = SecurityDetails(issue['vulnerabilityName'])
obj_returned.save()
obj_returned.add_blackduck_data(issue)
return obj_returned
def test_security_object():
bl_list = bl.load_from_json(input_json['analyses'])
assert len(bl_list) == 1
objBlackduck = bl.add_blackduck_issue(bl_list[0])
assert objBlackduck.bl_base_score == 4.3
assert objBlackduck.bl_description == 'Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.'
assert objBlackduck.bl_exploitability_subscore == 8.6
assert objBlackduck.bl_impact_subscore == 2.9
assert objBlackduck.bl_remediation_status.lower() == 'new'
assert objBlackduck.bl_remediation_updated_at == '2016-08-05T13:42:07.705Z'
assert objBlackduck.bl_remediation_created_at == '2016-08-05T13:42:07.705Z'
assert objBlackduck.bl_severity.lower() == 'medium'
assert objBlackduck.bl_source.lower() == 'nvd'
assert objBlackduck.bl_vulnerability_name == 'CVE-2015-1164'
assert objBlackduck.bl_vulnerability_published_date == '2015-01-22T19:08:21.013Z'
assert objBlackduck.bl_vulnerability_updated_date == '2015-01-23T21:11:11.353Z'
assert objBlackduck.last_updated is not None
SecurityDetails.delete_by_id(objBlackduck.id)
def test_additional_data_as_attr():
add_details = {}
pck_obj = Package.load_from_json(serve_static_json)
assert pck_obj.last_updated is None
assert pck_obj.save() is not None
ver_obj = Version.load_from_json(serve_static_json, package=pck_obj)
assert ver_obj.last_updated is None
ver_obj.save()
v_ts1 = ver_obj.last_updated
assert pck_obj.last_updated is not None
assert v_ts1 is not None
pck_obj.create_version_edge(ver_obj)
code_metrics = CMR.load_from_json(
npm_crumb_data["analyses"]["code_metrics"])
security_data = serve_static_json["analyses"]["security_issues"]
security_list, cvss_score, cve_ids = SD.load_from_json(security_data)
if len(cvss_score) > 0 and len(cve_ids) > 0:
cve_ids = cve_ids
cvss = cvss_score
add_details["cve_ids"] = cve_ids[0]
add_details["cvss"] = cvss[0]
ver_obj.add_additional_data_as_attr(code_metrics)
ver_obj.add_cve_ids(add_details["cvss"], add_details["cve_ids"])
assert ver_obj.last_updated >= v_ts1
version_criteria = {
'pecosystem': pck_obj.ecosystem,
'pname': pck_obj.name,
'version': ver_obj.version
}
present_version = Version.find_by_criteria(ver_obj.label, pck_obj,
version_criteria)
logger.info(present_version.__dict__)
assert present_version.cm_loc == 1351
assert present_version.cm_num_files == 16
assert present_version.cm_avg_cyclomatic_complexity == -1
assert present_version.cve_ids == ['CVE-2015-1164:7.5']
assert present_version.last_updated == ver_obj.last_updated
Version.delete_by_id(ver_obj.id)
Package.delete_by_id(pck_obj.id)
def load_package_version_values(filename):
input_json = gv.read_from_file(filename)
objpackage = Package.load_from_json(input_json)
objversion = Version.load_from_json(input_json, objpackage)
github_data = input_json["analyses"]["github_details"]
github_result = GithubResult.load_from_json(github_data)
objversion.github_details = github_result
authors_data = input_json["analyses"]["metadata"]
authors_list = Author.load_from_json(authors_data)
for objauthor in authors_list:
objversion.version_authored_by(objauthor)
contributors_data = input_json["analyses"]["metadata"]
contributor_list = Contributor.load_from_json(contributors_data)
for objcontributor in contributor_list:
objversion.version_contributed_by(objcontributor)
license_data = input_json["analyses"]["source_licenses"]
license_details_list, license_counts_list, license_names = LicenseDetails.load_from_json(
license_data)
for objlicense, license_count in zip(license_details_list,
license_counts_list):
objversion.version_covered_under(objlicense, license_count)
objversion.licenses = license_names
dependency_data = input_json["analyses"]["dependency_snapshot"]
_, dependency_ver_list, dependency_type = \
vdv.load_dependencies(
objversion.ecosystem_package.ecosystem, dependency_data)
for d_ver, d_type in zip(dependency_ver_list, dependency_type):
objversion.version_depends_on(d_ver, d_type)
security_data = input_json["analyses"]["security_issues"]
security_list, __, _ = SecurityDetails.load_from_json(security_data)
for objsecurity in security_list:
objversion.version_has_nvd_issues(objsecurity)
return objversion
def populate_from_json(cls, input_json):
# NPM packages with dependencies, versions i.e. Package version
# insertion
logger.info("Instantiating package ...")
package = Package.load_from_json(input_json)
logger.info("Saving package ...")
pkg_id = package.save()
logger.info(" Package node ID: %s" % pkg_id)
if pkg_id is None:
return
version = Version.load_from_json(input_json, package=package)
ver_id = version.save()
logger.info(" Version node ID: %s" % ver_id)
package.create_version_edge(version)
analyses = input_json["analyses"]
if "dependency_snapshot" in analyses:
dependency_snapshot = analyses["dependency_snapshot"]
dependency_pck_list, dependency_ver_list, dependency_type = vdv.load_dependencies(
version.ecosystem_package.ecosystem, dependency_snapshot)
for d_pck, d_ver, d_type in zip(dependency_pck_list,
dependency_ver_list,
dependency_type):
d_pck.save()
if d_pck is None:
continue
d_ver.save()
d_pck.create_version_edge(d_ver)
version.add_edge_dependency(d_ver, d_type)
if "metadata" in analyses:
meta_data = analyses["metadata"]
print(" Adding authors_list")
authors_list = Author.load_from_json(meta_data)
for author in authors_list:
a_id = author.save()
print(" author ID: %s" % a_id)
version.add_edge_author(author)
print(" Adding contributor_list")
contributor_list = Contributor.load_from_json(meta_data)
for contributor in contributor_list:
c_id = contributor.save()
print(" contributor ID: %s" % c_id)
version.add_edge_author(contributor)
# License Information
if "source_licenses" in analyses:
print(" Adding source_licenses")
licenses = set()
license_data = analyses["source_licenses"]
license_details_list, license_counts_list, licenses = LicenseDetails.load_from_json(
license_data)
for used_license, license_count in zip(license_details_list,
license_counts_list):
lic_id = used_license.save()
print(" license_data ID: %s" % lic_id)
version.add_license_edge(used_license, license_count)
version.add_license_attribute(licenses)
# NVD Security Information
if "security_issues" in analyses:
print(" Adding security_issues")
security_data = analyses["security_issues"]
security_list, cvss_score, cve_ids = SecurityDetails.load_from_json(
security_data)
for s, cvss, cve_id in zip(security_list, cvss_score, cve_ids):
ss_id = s.save()
print(" security_data ID: %s" % ss_id)
version.add_security_edge(s, cvss)
version.add_cve_ids(cvss, cve_id)
# GitHub Details
if "github_details" in analyses:
print(" Adding github_details")
github_data = analyses["github_details"]
github_result = GithubResult.load_from_json(github_data)
package.add_github_details_as_attr(github_result)
version.add_edge_github_details(github_result)
# Code Metrics
if "code_metrics" in analyses:
print(" Adding code_metrics")
code_metrics_data = analyses["code_metrics"]
code_metrics = CodeMetricsResult.load_from_json(code_metrics_data)
version.add_code_metrics_edge(code_metrics)
version.add_additional_data_as_attr(code_metrics)
if "blackduck" in analyses:
print("Adding extra security info via blackduck")
blackduck_cve = analyses["blackduck"]
issue_list = bl.load_from_json(blackduck_cve)
for issue in issue_list:
bl_obj = bl.add_blackduck_issue(issue)
version.add_blackduck_cve_edge(bl_obj.id)
def test_support_vector_security():
p = Package.load_from_json(serve_static_json)
assert p.save() is not None
v = Version.load_from_json(serve_static_json, package=p)
v.save()
p.create_version_edge(v)
assert p.last_updated is not None
assert v.last_updated is not None
security_data = serve_static_json["analyses"]["security_issues"]
security_list, cvss_score, cve_ids = SecurityDetails.load_from_json(
security_data)
ts_list = []
for s, cvss, cve in zip(security_list, cvss_score, cve_ids):
s.save()
assert s.last_updated is not None
ts_list.append(s.last_updated)
v.add_security_edge(s, cvss)
security_before = SecurityDetails.count()
assert (security_before == 1)
present_security = SecurityDetails.find_by_criteria(
'CVE', {'cve_id': 'CVE-2015-1164'})
assert (len(present_security.references) == 5)
ref_list = [
"https://github.com/expressjs/serve-static/issues/26",
"https://bugzilla.redhat.com/show_bug.cgi?id=1181917",
"http://xforce.iss.net/xforce/xfdb/99936",
"http://www.securityfocus.com/bid/72064",
"http://nodesecurity.io/advisories/serve-static-open-redirect"
]
assert (all(r in ref_list for r in present_security.references))
repeat_security_detail = SecurityDetails(cve_id='CVE-2015-1164',
cvss=4.3,
summary='')
repeat_security_detail.issue_has_access('authentication', '')
repeat_security_detail.issue_has_access('vector', 'NETWORK')
repeat_security_detail.issue_has_access('complexity', 'MEDIUM')
repeat_security_detail.issue_has_impact('integrity', 'partial')
repeat_security_detail.issue_has_impact('confidentiality', '')
repeat_security_detail.issue_has_impact('availability', '')
repeat_security_detail.save()
assert repeat_security_detail.id == s.id
assert repeat_security_detail.last_updated >= ts_list[0]
assert (SecurityDetails.count() == 1)
for s in security_list:
SecurityDetails.delete_by_id(s.id)
SecurityDetails.delete_by_id(repeat_security_detail.id)
Version.delete_by_id(v.id)
Package.delete_by_id(p.id)