def test_vendor_with_products():
vendor = Vendor(
name="Python",
products=[
Product(name="Requests"),
Product(name="Celery"),
Product(name="Virtualenv"),
],
)
assert len(vendor.products) == 3
assert [p.name
for p in vendor.products] == ["Requests", "Celery", "Virtualenv"]
def _create_vendor(vendor_name, product_name=None):
vendor = Vendor(name=vendor_name)
if product_name:
vendor.products.append(Product(name=product_name))
db.session.add(vendor)
db.session.commit()
return vendor
def test_product_with_users():
product = Product(
name="Requests",
vendor=Vendor(name="Python"),
users=[User(username="******"),
User(username="******")],
)
assert len(product.users) == 2
assert [u.username for u in product.users] == ["nicolas", "laurent"]
def _create_vendor(vendor_name, product_name=None):
vendor = Vendor.query.filter_by(name=vendor_name).first()
if not vendor:
vendor = Vendor(name=vendor_name)
if product_name:
vendor.products.append(Product(name=product_name))
db.session.add(vendor)
db.session.commit()
return vendor
def execute(self):
old = nested_lookup("cpe23Uri", self.cve_obj.json["configurations"])
new = nested_lookup("cpe23Uri", self.cve_json["configurations"])
payload = {
"added": list(set(new) - set(old)),
"removed": list(set(old) - set(new)),
}
# The CPEs list has been modified
if payload["added"] or payload["removed"]:
# Change the CVE's vendors attribute
self.cve_obj.vendors = flatten_vendors(
convert_cpes(self.cve_json["configurations"])
)
db.session.commit()
# Create the vendors and products objects if they don't exist
vendors_products = convert_cpes(payload["added"])
for vendor, products in vendors_products.items():
v_obj = Vendor.query.filter_by(name=vendor).first()
# Create the vendor and associate it to the CVE
if not v_obj:
v_obj = Vendor(name=vendor)
db.session.add(v_obj)
db.session.commit()
# Do the same for its products
for product in products:
p_obj = Product.query.filter_by(name=product, vendor=v_obj).first()
if not p_obj:
p_obj = Product(name=product, vendor=v_obj)
db.session.add(p_obj)
db.session.commit()
# Create the event
event = CveUtil.create_event(self.cve_obj, self.cve_json, "cpes", payload)
return event
return None
def test_new_product():
product = Product(name="Requests", vendor=Vendor(name="Python"))
assert str(product) == "<Product Requests>"
assert product.name == "Requests"
assert product.vendor.name == "Python"
def create_cve(cls, cve_json):
cvss2 = (cve_json["impact"]["baseMetricV2"]["cvssV2"]["baseScore"]
if "baseMetricV2" in cve_json["impact"] else None)
cvss3 = (cve_json["impact"]["baseMetricV3"]["cvssV3"]["baseScore"]
if "baseMetricV3" in cve_json["impact"] else None)
# Construct CWE and CPE lists
cwes = get_cwes(cve_json["cve"]["problemtype"]["problemtype_data"][0]
["description"])
cpes = convert_cpes(cve_json["configurations"])
vendors = flatten_vendors(cpes)
# Create the CVE
cve = Cve(
cve_id=cve_json["cve"]["CVE_data_meta"]["ID"],
summary=cve_json["cve"]["description"]["description_data"][0]
["value"],
json=cve_json,
vendors=vendors,
cwes=cwes,
cvss2=cvss2,
cvss3=cvss3,
created_at=arrow.get(cve_json["publishedDate"]).datetime,
updated_at=arrow.get(cve_json["lastModifiedDate"]).datetime,
)
db.session.add(cve)
db.session.commit()
# Add the CWE that not exists yet in database
for cwe in cwes:
cwe_obj = Cwe.query.filter_by(cwe_id=cwe).first()
if not cwe_obj:
info(
f"{cwe} detected in {cve.cve_id} but not existing in database, adding it..."
)
cwe_obj = Cwe(cwe_id=cwe)
db.session.add(cwe_obj)
db.session.commit()
# Add the CPEs
vendors_products = convert_cpes(
nested_lookup("cpe23Uri", cve_json["configurations"]))
for vendor, products in vendors_products.items():
v_obj = Vendor.query.filter_by(name=vendor).first()
# Create the vendor
if not v_obj:
v_obj = Vendor(name=vendor)
db.session.add(v_obj)
db.session.commit()
# Create the products
for product in products:
p_obj = Product.query.filter_by(name=product,
vendor=v_obj).first()
if not p_obj:
p_obj = Product(name=product, vendor=v_obj)
db.session.add(p_obj)
db.session.commit()
return cve