def _query_victims(self, arguments, ecosystem):
    """Check EPV with VictimsDB.

    Looks the EPV (``ecosystem``, ``arguments['name']``,
    ``arguments['version']``) up in the Victims CVE database. The database is
    taken from S3 when one is there; otherwise it is built from git and the
    fresh copy is pushed to S3 before the lookup runs.

    :param arguments: task arguments; the ``name`` and ``version`` keys are read
    :param ecosystem: ecosystem identifier handed to the lookup
    :return: result of ``VictimsDB.get_vulnerabilities_for_epv``
    """
    victims_db = None
    try:
        victims_db = VictimsDB.from_s3()
        if not victims_db:
            self.log.debug(
                'No Victims CVE DB found on S3, cloning from github')
            victims_db = VictimsDB.build_from_git()
            # Publish the freshly built DB so later runs take the S3 path.
            victims_db.store_on_s3()
        return victims_db.get_vulnerabilities_for_epv(
            ecosystem, arguments['name'], arguments['version'])
    finally:
        # from_s3() may have returned nothing or raised before a handle existed.
        if victims_db:
            victims_db.close()
def test_mark_in_graph(victims_zip, mocker):
    """Test VictimsCheck.mark_in_graph()."""
    # Stub the graph write; only how often it is invoked is checked below.
    update_properties = mocker.patch(
        "f8a_worker.workers.victims.update_properties", return_value=None)
    # Total number of affected artifacts (EPVs) for all 3 CVEs in our test database
    expected_calls = 11
    with VictimsDB.from_zip(victims_zip) as db:
        check = VictimsCheck.create_test_instance()
        vulnerable = check.get_vulnerable_packages(db)
        check.mark_in_graph(vulnerable)
        assert update_properties.call_count == expected_calls
def execute(self, arguments):
    """Task to analyze vulnerable packages and mark them in graph as such.

    Builds the Victims CVE DB from git, refreshes the copy on S3, then
    analyzes and graph-marks every vulnerable package the DB lists.

    :param arguments: dictionary with task arguments (not read by this task)
    :return: None
    """
    with VictimsDB.build_from_git() as victims_db:
        self.log.info('Storing the VictimsDB zip on S3')
        victims_db.store_on_s3()
        vulnerable = self.get_vulnerable_packages(victims_db)
        self.analyze_vulnerable_components(vulnerable)
        self.mark_in_graph(vulnerable)
def test_get_vulnerable_java_packages(victims_zip):
    """Test VictimsDB.get_vulnerable_java_packages()."""
    with VictimsDB.from_zip(victims_zip) as db:
        records = list(db.get_details_for_ecosystem('maven'))
        assert len(records) == 3
        # One entry per expected record; each match is consumed, so the
        # duplicated commons-fileupload entry must be seen exactly twice.
        remaining_packages = [
            'commons-fileupload:commons-fileupload',
            'commons-fileupload:commons-fileupload',
            'org.apache.commons:commons-compress',
        ]
        remaining_cves = ['CVE-2014-0050', 'CVE-2016-1000031', 'CVE-2012-2098']
        for record in records:
            package = record['package']
            assert package in remaining_packages
            remaining_packages.remove(package)
            cve_id = record['cve_id']
            assert cve_id in remaining_cves
            remaining_cves.remove(cve_id)
def test_get_vulnerable_packages(victims_zip):
    """Test VictimsCheck.get_vulnerable_packages()."""
    # commons-fileupload carries two vulnerabilities in the test DB,
    # commons-compress one.
    expected_counts = {
        'commons-fileupload:commons-fileupload': 2,
        'org.apache.commons:commons-compress': 1,
    }
    with VictimsDB.from_zip(victims_zip) as db:
        check = VictimsCheck.create_test_instance()
        packages = check.get_vulnerable_packages(db)
        assert len(packages) == 2
        for package, vulns in packages.items():
            assert package in expected_counts
            assert len(vulns) == expected_counts[package]
def test_notify_gemini(maven, victims_zip, mocker):
    """Test VictimsCheck.notify_gemini()."""
    ok_response = requests.Response()
    ok_response.status_code = 200
    # Stub the token helper and the HTTP call; nothing leaves the process.
    mocker.patch(
        "f8a_worker.workers.victims.VictimsCheck.init_auth_sa_token",
        return_value='access_token')
    post_mock = mocker.patch("requests.post", return_value=ok_response)
    # Total number of affected packages
    expected_posts = 2
    with VictimsDB.from_zip(victims_zip) as db:
        check = VictimsCheck.create_test_instance()
        packages = check.get_vulnerable_packages(db, maven)
        check.notify_gemini(packages, maven)
        assert post_mock.call_count == expected_posts
def update_victims_cve_db_on_s3():
    """Update Victims CVE DB on S3.

    Builds the database from git and uploads the result to S3.
    """
    victims_db = VictimsDB.build_from_git()
    with victims_db:
        victims_db.store_on_s3()
def test_java_vulnerabilities(victims_zip):
    """Test VictimsDB.java_vulnerabilities()."""
    with VictimsDB.from_zip(victims_zip) as db:
        # The test archive yields exactly three Java vulnerability records.
        java_vulns = list(db.java_vulnerabilities)
        assert len(java_vulns) == 3
def victims_zip_s3():
    """Upload VictimsDB zip file to S3."""
    dispatcher_setup()
    zip_path = victims_zip()
    victims_db = VictimsDB.from_zip(zip_path)
    with victims_db:
        victims_db.store_on_s3()