def test_get_details_invalid(self):
        """get_details reports an unknown CVE identifier as ``None``.

        'CVE-2016-99999999' has the usual CVE shape; the test expects the
        lookup to signal the miss with ``None`` instead of raising.
        """
        # NOTE(review): presumably this identifier is absent from the data
        # NvdXml reads - confirm against the fixture or feed in use.
        details = utilities.NvdXml().get_details('CVE-2016-99999999')

        self.assertIsNone(details)
    def test_get_details_valid(self):
        """get_details returns the complete CVSS record for CVE-2016-0002.

        The whole dictionary is compared, so a missing key, an extra key or
        a value of a different type makes the test fail.
        """
        actual = utilities.NvdXml().get_details('CVE-2016-0002')

        # NOTE(review): 'score' is expected as a string while both subscores
        # are floats; consumers comparing scores numerically must convert it.
        # 'generated-on-datetime' pins one specific NVD data snapshot -
        # presumably a checked-in fixture; confirm the test never reads a
        # live feed, or this value will drift.
        expected = {
            'source': 'http://nvd.nist.gov',
            'generated-on-datetime': '2016-01-13T22:20:01.847-05:00',
            'score': '9.3',
            'exploitability-subscore': 8.6,
            'impact-subscore': 10.0,
            'access-vector': 'NETWORK',
            'access-complexity': 'MEDIUM',
            'authentication': 'NONE',
            'confidentiality-impact': 'COMPLETE',
            'integrity-impact': 'COMPLETE',
            'availability-impact': 'COMPLETE',
        }

        self.assertDictEqual(expected, actual)
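def load(file_):
    """Import bounty-awarded CVEs from a CSV file into the database.

    The first line of ``file_`` is treated as a header and skipped. Every
    following row is read by position: column 0 is the CVE identifier,
    column 1 the product and column 2 the bounty amount (``$`` and ``,``
    are stripped before conversion to ``float``). A row is stored only when
    ``NvdXml.get_details`` returns details for its CVE; otherwise a warning
    is logged and the row is dropped. Each stored row is committed on its
    own, so rows committed before a failure stay in the database.

    Args:
        file_: An open text file (or other iterable of lines) that
            ``csv.reader`` accepts.

    Raises:
        ValueError: If a bounty amount cannot be parsed as a number.
    """
    nvdxml = utilities.NvdXml()
    session = Session()

    # NOTE(review): assumes Session is a SQLAlchemy session factory (the
    # except clause below uses sqlalchemy.exc) - confirm. The session is
    # closed on every exit path so an aborted import does not keep a
    # connection checked out.
    try:
        reader = csv.reader(file_)
        next(reader, None)  # Ignoring the header
        for row in reader:
            debug(row)

            # csv.reader yields [] for blank lines, and a truncated line has
            # fewer than the three columns indexed below. Skip both instead
            # of dying with IndexError part-way through the import.
            if not row:
                continue
            if len(row) < 3:
                warning(
                    'Skipping row with fewer than 3 columns: {}'.format(row)
                )
                continue

            # NOTE(review): the CVE id comes straight from the CSV. If
            # get_year or get_details raise on a malformed identifier, the
            # import stops at that row - confirm against utilities.
            cve = Cve(
                id=row[0], year=utilities.get_year(row[0]), product=row[1]
            )
            nvd_details = nvdxml.get_details(cve.id)

            if not nvd_details:
                warning('{} was not found in NVD.'.format(cve.id))
                continue

            cve.cvss = Cvss()

            cve.cvss.access_complexity = nvd_details['access-complexity']
            cve.cvss.access_vector = nvd_details['access-vector']
            cve.cvss.authentication = nvd_details['authentication']
            cve.cvss.availability_impact = nvd_details['availability-impact']
            cve.cvss.confidentiality_impact = nvd_details[
                'confidentiality-impact']
            cve.cvss.integrity_impact = nvd_details['integrity-impact']
            cve.cvss.score = nvd_details['score']
            cve.cvss.exploitability_subscore = nvd_details[
                'exploitability-subscore']
            cve.cvss.impact_subscore = nvd_details['impact-subscore']

            cve.bounty = Bounty()

            cve.bounty.amount = float(row[2].replace('$', '').replace(',', ''))

            session.add(cve)
            try:
                session.commit()
            except sqlalchemy.exc.IntegrityError:
                # IntegrityError covers every constraint violation, not only
                # a repeated primary key; the message assumes the latter.
                error('{} is a duplicate.'.format(cve.id))
                session.rollback()
    finally:
        session.close()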
import argparse
import csv
import json
import operator
import os
import sys

from constants import *
from library import utilities
from logger import *

# Module-level NvdXml instance, constructed once when this module is imported.
# NOTE(review): presumably shared by the functions below - confirm; any cost
# or I/O in NvdXml() is paid at import time.
nvdxml = utilities.NvdXml()


def analyze_reports(is_output_enabled):
    """Walk through the JSON reports stored in ``REPORTS_DIRECTORY``.

    Logs an error and exits the process with status -1 when the directory
    contains no report. ``is_output_enabled`` is not read in the part of the
    function shown here.
    """
    # Derive report ids from the directory listing.
    # NOTE(review): `'json' in filename` is a substring test, so any name that
    # merely contains "json" is selected, and replace('.json', '') removes
    # every occurrence rather than only the extension. Matching on the
    # '.json' suffix would keep stray files out of the analysis.
    report_ids = [
        filename.replace('.json', '')
        for filename in os.listdir(REPORTS_DIRECTORY) if 'json' in filename
    ]

    # Nothing to analyze: tell the operator which script produces the reports.
    if not report_ids:
        message = 'No reports to analyze in {}. Run get_reports.py.'. \
            format(REPORTS_DIRECTORY)
        error(message)
        sys.exit(-1)

    reports = dict()  # Reports that have bounty and CVE
    unearthed = dict()  # ... bounty but CVE had to be unearthed from report
    research = dict()  # ... bounty but no CVE
    for report_id in report_ids:
        # Rebuild the report's path from its id; what is done with the path
        # is outside this excerpt.
        filepath = os.path.join(REPORTS_DIRECTORY, '{}.json'.format(report_id))
    def test_get_details_exception(self):
        """get_details raises for the malformed identifier 'CVE-201-9999'.

        The year part has three digits, so the identifier does not follow
        the CVE naming scheme.
        """
        nvdxml = utilities.NvdXml()

        # NOTE(review): asserting on the Exception base class also passes on
        # unrelated failures inside get_details (for example an
        # AttributeError). Narrow this to the exception type get_details
        # raises for malformed identifiers once that type is confirmed.
        with self.assertRaises(Exception):
            nvdxml.get_details('CVE-201-9999')