async def test_list_component_vulnerabilitites_return_vulnerabilities_for_each_component(
self):
components_version = {'plugin0': "1.2.3", 'plugin1': "1.4.0"}
plugin0_vuln_list = VulnerabilityList(
key="plugin0",
producer="",
vulnerabilities=[Vulnerability(id="1234")])
plugin1_vuln_list = VulnerabilityList(
key="plugin1",
producer="",
vulnerabilities=[Vulnerability(id="2345")])
vuln_list_group = MagicMock()
vuln_list_group.vulnerability_lists = [
plugin0_vuln_list, plugin1_vuln_list
]
def fake_list_vuln(self, version, vuln_list, no_version_match_all):
return vuln_list.vulnerabilities
with patch(
"vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
fake_list_vuln):
vulns = self.vane.list_component_vulnerabilities(
components_version, vuln_list_group, no_version_match_all=True)
self.assertEqual(plugin0_vuln_list.vulnerabilities,
vulns['plugin0'])
self.assertEqual(plugin1_vuln_list.vulnerabilities,
vulns['plugin1'])
async def test_list_component_vulnerabilitites_call_list_vulnerabilities_for_each_component(
self):
components_version = {
'plugin0': "1.2.3",
'theme0': "3.2.1",
'plugin1': "1.4.0",
'theme1': "6.9"
}
plugin0_vuln_list = VulnerabilityList(key="plugin0", producer="")
plugin1_vuln_list = VulnerabilityList(key="plugin1", producer="")
theme0_vuln_list = VulnerabilityList(key="theme0", producer="")
theme1_vuln_list = VulnerabilityList(key="theme1", producer="")
vuln_list_group = MagicMock()
vuln_list_group.vulnerability_lists = [
plugin0_vuln_list, plugin1_vuln_list, theme1_vuln_list,
theme0_vuln_list
]
fake_list_vuln = MagicMock()
with patch(
"vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
fake_list_vuln):
self.vane.list_component_vulnerabilities(components_version,
vuln_list_group,
no_version_match_all=True)
calls = [
call("1.2.3", plugin0_vuln_list, no_version_match_all=True),
call("1.4.0", plugin1_vuln_list, no_version_match_all=True),
call("3.2.1", theme0_vuln_list, no_version_match_all=True),
call("6.9", theme1_vuln_list, no_version_match_all=True)
]
fake_list_vuln.assert_has_calls(calls, any_order=True)
def test_list_vulnerabilities_return_vulnerabilities_with_introduced_in_lower_than_version_and_fixed_in_upper_than_version(
self):
vuln0 = Vulnerability(id="12345",
title="Vulnerability0",
affected_versions=[
VersionRange(introduced_in="2.5.9",
fixed_in="4.7.2")
])
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[
VersionRange(introduced_in="1.6.2",
fixed_in="4.9")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"3.5.8", vuln_list)
applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
"2.4.8", vuln_list)
self.assertIn(vuln0, applicable_vuln0)
self.assertIn(vuln1, applicable_vuln0)
self.assertIn(vuln0, applicable_vuln1)
self.assertIn(vuln1, applicable_vuln1)
self.assertNotIn(vuln0, applicable_vuln2)
self.assertIn(vuln1, applicable_vuln2)
def test_list_vulnerabilities_remove_affected_versions_ranges_not_including_target_version(
self):
vuln = Vulnerability(id="12345",
title="Vulnerability",
affected_versions=[
VersionRange(introduced_in="3.7",
fixed_in="3.7.5"),
VersionRange(introduced_in="4.0",
fixed_in="4.0.10"),
VersionRange(introduced_in="4.5",
fixed_in="4.5.2")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln])
vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
"3.7.3", vuln_list)
vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
"4.0.9", vuln_list)
vuln_software2 = self.vulnerability_lister.list_vulnerabilities(
"4.5", vuln_list)
self.assertEqual(vuln_software0[0].affected_versions,
[VersionRange(introduced_in="3.7", fixed_in="3.7.5")])
self.assertEqual(
vuln_software1[0].affected_versions,
[VersionRange(introduced_in="4.0", fixed_in="4.0.10")])
self.assertEqual(vuln_software2[0].affected_versions,
[VersionRange(introduced_in="4.5", fixed_in="4.5.2")])
def _regroup_vulnerabilities_of_key_in_one_list(self, key):
vulnerability_list = VulnerabilityList(key=key,
producer="vane2_export")
for _vulnerability_list in self.storage.list_vulnerabilities(key):
vulnerability_list.vulnerabilities.extend(
_vulnerability_list.vulnerabilities)
return vulnerability_list
def test_regroup_vulnerabilities_of_key_in_one_list(self):
plugin_vuln0 = Vulnerability(id="0")
plugin_vuln1 = Vulnerability(id="1")
self.storage.vulnerability_lists[
'plugins/plugin/producer0'] = VulnerabilityList(
producer="producer0",
key="plugins/plugin",
vulnerabilities=[plugin_vuln0])
self.storage.vulnerability_lists[
'plugins/plugin/producer1'] = VulnerabilityList(
producer="producer1",
key="plugins/plugin",
vulnerabilities=[plugin_vuln1])
plugin_vuln_list = self.exporter._regroup_vulnerabilities_of_key_in_one_list(
"plugins/plugin")
self.assertIn(plugin_vuln0, plugin_vuln_list.vulnerabilities)
self.assertIn(plugin_vuln1, plugin_vuln_list.vulnerabilities)
async def test_list_component_vulnerabilitites_skip_component_with_no_vulnerability(
self):
components_version = {'plugin0': "1.2.3"}
plugin1_vuln_list = VulnerabilityList(key="plugin1", producer="")
vuln_list_group = MagicMock()
vuln_list_group.vulnerability_lists = [plugin1_vuln_list]
fake_list_vuln = MagicMock()
with patch(
"vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
fake_list_vuln):
self.vane.list_component_vulnerabilities(components_version,
vuln_list_group,
no_version_match_all=True)
fake_list_vuln.assert_not_called()
def test_list_vulnerabilities_return_all_vulnerabilities_if_version_is_none_and_no_version_match_all_is_true(
self):
vuln0 = Vulnerability(
id="12345",
title="Vulnerability0",
affected_versions=[VersionRange(introduced_in="2.3.4")])
vuln1 = Vulnerability(
id="23456",
title="Vulnerability1",
affected_versions=[VersionRange(introduced_in="1.5.6")])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln = self.vulnerability_lister.list_vulnerabilities(
None, vuln_list, no_version_match_all=True)
self.assertEqual(len(applicable_vuln), 2)
def test_list_vulnerabilities_return_empty_list_if_no_vuln_applicable_to_version(
self):
vuln0 = Vulnerability(id="12345",
title="Vulnerability0",
affected_versions=[
VersionRange(introduced_in="4.4",
fixed_in="4.6")
])
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[VersionRange(fixed_in="3.9")])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"4.3", vuln_list)
self.assertEqual(len(applicable_vuln0), 0)
self.assertEqual(len(applicable_vuln1), 0)
def test_serialize_vunlerability_list(self):
schema = VulnerabilityListSchema()
vuln_list = VulnerabilityList(
producer="Test Provider",
key="plugins/test-plugin",
copyright="2016- Delve Labs inc.",
license="GNU General Public License, version 2",
vulnerabilities=[
Vulnerability(id="1234", title="Multiple XSS"),
])
data = serialize(schema, vuln_list)[0]
self.assertIn('"producer": "Test Provider"', data)
self.assertIn('"key": "plugins/test-plugin"', data)
self.assertIn('"license": "GNU General Public License, version 2"',
data)
self.assertIn('"copyright": "2016- Delve Labs inc."', data)
self.assertIn('Multiple XSS', data)
out, errors = schema.loads(data)
self.assertEqual("1234", out.vulnerabilities[0].id)
def test_list_vulnerabilities_apply_vulnerabilities_with_multiple_affected_versions(
self):
vuln = Vulnerability(id="12345",
title="Vulnerability",
affected_versions=[
VersionRange(introduced_in="3.7",
fixed_in="3.7.5"),
VersionRange(introduced_in="4.0",
fixed_in="4.0.10"),
VersionRange(introduced_in="4.5",
fixed_in="4.5.2")
])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln])
vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
"4.1.5", vuln_list)
vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
"4.0.9", vuln_list)
self.assertEqual(vuln_software0, [])
self.assertEqual(vuln_software1[0].id, vuln.id)
def test_list_vulnerabilities_return_all_vulnerabilities_with_no_introduced_nor_fixed_in(
self):
vuln0 = Vulnerability(id="12345", title="Vulnerability0")
vuln1 = Vulnerability(id="23456",
title="Vulnerability1",
affected_versions=[VersionRange()])
vuln_list = VulnerabilityList(key="wordpress",
producer="producer",
vulnerabilities=[vuln0, vuln1])
applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
"4.7", vuln_list)
applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
"0.1", vuln_list)
applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
"100.2.3", vuln_list)
self.assertIn(vuln0, applicable_vuln0)
self.assertIn(vuln1, applicable_vuln0)
self.assertIn(vuln0, applicable_vuln1)
self.assertIn(vuln1, applicable_vuln1)
self.assertIn(vuln0, applicable_vuln2)
self.assertIn(vuln1, applicable_vuln2)
def test_export_vulnerabilities_export_all_vuln_lists_in_one_file(self):
plugin0_vuln0 = Vulnerability(id="0")
plugin0_vuln1 = Vulnerability(id="1")
plugin0_vuln_list = VulnerabilityList(
producer="test",
key="plugins/plugin0",
vulnerabilities=[plugin0_vuln0, plugin0_vuln1])
plugin1_vuln0 = Vulnerability(id="2")
plugin1_vuln1 = Vulnerability(id="3")
plugin1_vuln_list = VulnerabilityList(
producer="test",
key="plugins/plugin1",
vulnerabilities=[plugin1_vuln0, plugin1_vuln1])
theme_vuln0 = Vulnerability(id="4")
theme_vuln1 = Vulnerability(id="5")
theme_vuln_list = VulnerabilityList(
producer="test",
key="themes/theme",
vulnerabilities=[theme_vuln0, theme_vuln1])
wordpress_vuln0 = Vulnerability(id="6")
wordpress_vuln1 = Vulnerability(id="7")
wordpress_vuln_list = VulnerabilityList(
producer="test",
key="wordpress",
vulnerabilities=[wordpress_vuln0, wordpress_vuln1])
self.storage.add_vulnerability_lists({
'plugins/plugin0': plugin0_vuln_list,
'plugins/plugin1': plugin1_vuln_list,
'themes/theme': theme_vuln_list,
'wordpress': wordpress_vuln_list
})
self.exporter.export_vulnerabilities("path_to_dir")
args, kwargs = self.exporter._dump.call_args
vulnerability_list_group = args[1]
self.assertEqual(vulnerability_list_group.producer, "vane2_export")
vulnerability_lists = vulnerability_list_group.vulnerability_lists
self.assert_object_with_attribute_value_in_container(
"key", "plugins/plugin0", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "plugins/plugin1", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "themes/theme", vulnerability_lists)
self.assert_object_with_attribute_value_in_container(
"key", "wordpress", vulnerability_lists)
exported_plugin0_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "plugins/plugin0", vulnerability_lists)
exported_plugin1_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "plugins/plugin1", vulnerability_lists)
exported_theme_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "themes/theme", vulnerability_lists)
exported_wordpress_vuln_list = self.get_object_with_attribute_value_in_container(
"key", "wordpress", vulnerability_lists)
self.assertIn(plugin0_vuln0,
exported_plugin0_vuln_list.vulnerabilities)
self.assertIn(plugin0_vuln1,
exported_plugin0_vuln_list.vulnerabilities)
self.assertIn(plugin1_vuln0,
exported_plugin1_vuln_list.vulnerabilities)
self.assertIn(plugin1_vuln1,
exported_plugin1_vuln_list.vulnerabilities)
self.assertIn(theme_vuln0, exported_theme_vuln_list.vulnerabilities)
self.assertIn(theme_vuln1, exported_theme_vuln_list.vulnerabilities)
self.assertIn(wordpress_vuln0,
exported_wordpress_vuln_list.vulnerabilities)
self.assertIn(wordpress_vuln1,
exported_wordpress_vuln_list.vulnerabilities)
