def cve_found(cve_items, cve):
"""Look for CVE in security node."""
for cve_item in cve_items:
check_attribute_presence(cve_item, "CVE")
if cve_item["CVE"] == cve:
return True
return False
def check_stack_analyses_request_status_attribute(context):
"""Check if the status is set to success in the JSON response."""
response = context.response
json_data = response.json()
check_attribute_presence(json_data, 'status')
assert json_data['status'] == "success"
def check_for_distinct_license(context, licenses):
"""Verify lisense analysis data."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'license_analysis')
license_analysis = json_data['license_analysis']
license_found = False
for lic in license_analysis['distinct_licenses']:
if lic == licenses:
license_found = True
assert license_found, "The Given License was not found."
def check_component_digest_data(context, package, version, ecosystem):
"""Check the digest data for the given package, version, and ecosystem."""
data = context.s3_data
check_audit_metadata(data)
check_release_attribute(data, ecosystem, package, version)
check_schema_attribute(data, "digests", "1-0-0")
check_status_attribute(data)
check_summary_attribute(data)
check_attribute_presence(data, "details")
def check_keywords_tagging_file(context, package, ecosystem):
"""Check that the tagging metadata are correct for given package and ecosystem."""
data = context.s3_data
check_audit_metadata(data)
check_release_attribute(data, ecosystem, package)
check_status_attribute(data)
details = get_details_node(context)
check_attribute_presence(details, "package_name")
check_attribute_presence(details, "repository_description")
def validate_result_post_registration(context):
"""Check that json response contains appropriate data."""
json_data = context.response.json()
assert context.response.status_code == 200
assert json_data
check_attribute_presence(json_data, "user_key")
endpoints = check_and_get_attribute(json_data, "endpoints")
prod_url = check_and_get_attribute(endpoints, "prod")
assert prod_url.startswith("https://")
def check_analyzed_packages_count_at_least(context, num=1):
"""Check number of analyzed packages."""
context_reponse_existence_check(context)
json_data = context.response.json()
check_attribute_presence(json_data, "result")
result = json_data["result"]
check_attribute_presence(result, "data")
data = result["data"]
assert len(data) >= num, \
"At least {} packages expected, but found {} instead".format(num, len(data))
def check_weight_for_word_in_keywords_tagging(context, word, where):
"""Check that the given word and its weight can be found in the tagging report."""
selector = S3Interface.selector_to_key(where)
assert selector in [
"package_name", "repository_description", "description"
]
details = get_details_node(context)
word_dict = check_and_get_attribute(details, selector)
check_attribute_presence(word_dict, word)
assert float(word_dict[word]) > 0.0
def check_github_details_file(context, package, ecosystem):
"""Check all relevant attributes stored in the JSON with GitHub details."""
data = context.s3_data
check_audit_metadata(data)
check_release_attribute(data, ecosystem, package)
check_status_attribute(data)
check_attribute_presence(data, "summary")
check_attribute_presence(data, "details")
check_schema_attribute(data, "github_details", "2-0-1")
def check_analyzed_packages(context, package, ecosystem):
"""Check the package in component analysis."""
context_reponse_existence_check(context)
json_data = context.response.json()
package_data = get_value_using_path(json_data, "result/data/0/package")
assert package_data is not None
check_attribute_presence(package_data, "ecosystem")
assert package_data["ecosystem"][0] == ecosystem
check_attribute_presence(package_data, "name")
assert package_data["name"][0] == package
def verify_premium_feilds(context):
"""I should verify the registered user feilds in result."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'analyzed_dependencies')
for dep in json_data['analyzed_dependencies']:
if dep['public_vulnerabilities'] != []:
for vuln in dep['public_vulnerabilities']:
check_vulenrability_attributes(vuln)
check_premium_vuln_attributes(vuln)
elif dep['private_vulnerabilities'] != []:
for vuln in dep['private_vulnerabilities']:
check_vulenrability_attributes(vuln)
check_premium_vuln_attributes(vuln)
def check_stack_analysis_id(context):
"""Check the ID of stack analysis."""
previous_id = context.stack_analysis_id
json_data = context.response.json()
assert json_data is not None
check_attribute_presence(json_data, "request_id")
request_id = json_data["request_id"]
assert previous_id is not None
assert request_id is not None
assert previous_id == request_id
def check_get_request_id(context):
"""Check the ID of stack analysis."""
previous_id = context.stack_analysis_id
assert previous_id is not None
json_data = get_json_data(context)
id_name = 'external_request_id'
check_attribute_presence(json_data, id_name)
request_id = json_data[id_name]
logger.debug('Post id: {} Get id: {}'.format(previous_id, request_id))
assert request_id is not None
assert previous_id == request_id
def verify_valid_data_companion(context, component, latest_version):
"""Check valid data in companion packages."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'recommendation')
is_component_present = False
for dep in json_data['recommendation']['companion']:
if dep['name'] == component:
is_component_present = True
actual_version = dep['latest_version']
assert actual_version == latest_version, \
'Component {} have {} but expected {}'.format(component, actual_version,
latest_version)
assert is_component_present, 'Component {} not present'.format(component)
def verify_vulnerability_count(context, component, vulnerability, expected):
"""Check vulnerabiltiy count for given type of vulnerability."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'analyzed_dependencies')
is_component_present = False
for dep in json_data['analyzed_dependencies']:
if dep['name'] == component:
is_component_present = True
actual = len(dep[vulnerability])
assert actual == expected, \
'Component {} have {} {} but expected {}'.format(component, actual,
vulnerability, expected)
assert is_component_present, 'Component {} not present'.format(component)
def perform_alternate_components_validation(json_data):
"""Check the user components and alternate components."""
user_components = get_user_components(json_data)
# in order to use the 'in' operator later we need to have a sequence
# of dictionaries with 'name' and 'version' keys
user_components = [{
"name": c["package"],
"version": c["version"]
} for c in user_components]
alternate_components = get_alternate_components(json_data)
for alternate_component in alternate_components:
check_attribute_presence(alternate_component, "name")
check_attribute_presence(alternate_component, "replaces")
replaces = alternate_component["replaces"]
for replace in replaces:
check_attribute_presence(replace, "name")
r_name = replace["name"]
check_attribute_presence(replace, "version")
r_version = replace["version"]
assert replace in user_components, \
"The component %s version %s does not replace any user " \
"component" % (r_name, r_version)
def check_recommended_version_if_cve_is_detected(context):
"""Check the existence of recommended version in case the CVE is detected."""
context_reponse_existence_check(context)
json_data = context.response.json()
check_attribute_presence(json_data, "result")
result = json_data["result"]
check_attribute_presence(result, "recommendation")
recommendation = result["recommendation"]
if "component_analyses" in recommendation:
assert "change_to" in recommendation, \
"The new version should be recommended for the component"
def verify_license_data(context, component, license_c):
"""Licenses check."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'analyzed_dependencies')
is_component_present = False
for dep in json_data['analyzed_dependencies']:
if dep['name'] == component:
is_component_present = True
assert "licenses" in dep, 'Licenses not found'
licenses = dep["licenses"]
for lic in licenses:
if lic == license_c:
assert lic == license_c
assert is_component_present, 'Component {} not present'.format(component)
def check_recommended_version_for_cve(context):
"""Check that all E/P/V with CVE detected also have recommended versions."""
# retrieve all components
components = get_analyzed_components(context)
# retrieve components with CVE record(s)
components_with_cve = get_components_with_cve(components)
# check if at least one recommendation is found for a component with CVE
for component_with_cve in components_with_cve:
check_attribute_presence(component_with_cve,
"recommended_latest_version")
recommended = component_with_cve["recommended_latest_version"]
assert len(recommended) >= 1
def verify_dependency_count(context, component, expected):
"""Check dependency count for given component."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'analyzed_dependencies')
is_component_present = False
for dep in json_data['analyzed_dependencies']:
if dep['name'] == component:
is_component_present = True
dependencies = dep['dependencies']
print(dep)
actual = len(dependencies)
assert actual == expected, \
'Component {} have {} deps but expected {}'.format(component, actual,
expected)
assert is_component_present, 'Component {} not present'.format(component)
def check_request_id_value_in_json_response(context, attribute_name):
"""Check the request ID attribute in the JSON response.
Check if ID is stored in a format like: '71769af6-0a39-4242-94be-1f84f04c8a56'
"""
response = context.response
assert response is not None
json_data = response.json()
assert json_data is not None
check_attribute_presence(json_data, attribute_name)
id_attribute = json_data[attribute_name]
assert id_attribute is not None
assert check_uuid(id_attribute)
def check_security_issue_nonexistence(context, package):
"""Check than none security issue can be found for the given analyzed package."""
components = get_analyzed_components(context)
for component in components:
if component["name"] == package:
check_attribute_presence(component, "security")
cve_items = component["security"]
if cve_items:
raise Exception(
'Found security issue(s) for the package {p}'.format(
p=package))
break
else:
raise Exception(
'Could not find the analyzed package {p}'.format(p=package))
def check_package_toplevel_file(context, package, ecosystem):
"""Check the content of package toplevel file."""
data = context.s3_data
check_attribute_presence(data, 'id')
assert int(data['id'])
check_attribute_presence(data, 'package_id')
assert int(data['package_id'])
check_attribute_presence(data, 'analyses')
check_attribute_presence(data, 'started_at')
check_timestamp(data['started_at'])
check_attribute_presence(data, 'finished_at')
check_timestamp(data['finished_at'])
def check_security_issue_existence(context, cve, package):
"""Check if the security issue CVE-yyyy-xxxx can be found for the given analyzed package."""
components = get_analyzed_components(context)
for component in components:
if component["name"] == package:
check_attribute_presence(component, "security")
cve_items = component["security"]
if cve_found(cve_items, cve):
# CVE for the component has been found - > let's finish this check
return
else:
raise Exception('Could not find the CVE {c} for the '
'package {p}'.format(c=cve, p=package))
else:
raise Exception(
'Could not find the analyzed package {p}'.format(p=package))
def check_id_value_in_json_response(context, id_attribute_name):
"""Check the ID attribute in the JSON response.
Check if ID is stored in a format like: '477e85660c504b698beae2b5f2a28b4e'
ie. it is a string with 32 characters containing 32 hexadecimal digits
"""
response = context.response
assert response is not None
json_data = response.json()
assert json_data is not None
check_attribute_presence(json_data, id_attribute_name)
id_attribute = json_data[id_attribute_name]
assert id_attribute is not None
assert isinstance(id_attribute, str) and len(id_attribute) == 32
assert all(char in string.hexdigits for char in id_attribute)
def check_unexpected_properties_in_results(context, properties):
"""Check if only given optional properties can be found in all packages returned by Gremlin."""
data, meta = get_results_from_gremlin(context)
expected_properties = split_comma_separated_list(properties)
for package in data:
check_attribute_presence(package, "properties")
properties = package["properties"].keys()
assert properties is not None
for prop in properties:
# check that the property is contained in a list of expected properties
if prop not in expected_properties:
raise Exception(
"Unexpected property has been found: {prop}".format(
prop=prop))
def check_latest_package_version_publication(context, version, date):
"""Check the latest package version and publication date."""
releases = _get_releases_node_from_libraries_io(context)
latest_release = check_and_get_attribute(releases, 'latest')
check_attribute_presence(latest_release, "version")
check_attribute_presence(latest_release, "published_at")
stored_version = latest_release["version"]
stored_date = latest_release["published_at"]
assert stored_version == version, \
"Package latest version differs, {v} is expected, but {f} is found instead".\
format(v=version, f=stored_version)
assert latest_release["published_at"] == date, \
"Package latest release data differs, {d} is expected, but {f} is found instead".\
format(d=date, f=stored_date)
def retrieve_stacks_from_report(context, num):
"""Retrieve stacks from Gemini stacks report."""
response = context.response.json()
assert not context.history
check_attribute_presence(response, "report")
stacks_details = check_and_get_attribute(response, "stacks_details")
i = 0
stacks = []
for stack_detail in stacks_details:
ecosystem = check_and_get_attribute(stack_detail, "ecosystem")
stack = stack_detail["stack"]
i += 1
if i > num:
break
item = {"ecosystem": ecosystem, "stack": stack}
stacks.append(item)
context.stacks = stacks
def verify_severity_analyzed_deps(context, component, title, severity,
vulenerability):
"""Check valid vulenerability title and severity."""
json_data = get_json_data(context)
check_attribute_presence(json_data, 'analyzed_dependencies')
is_component_present = False
for dep in json_data['analyzed_dependencies']:
if dep['name'] == component:
is_component_present = True
if vulenerability == 'public_vulnerabilities':
for vuln in dep['public_vulnerabilities']:
if vuln['title'] == title:
assert vuln[
'severity'] == severity, "severity not matched"
elif vulenerability == 'private_vulnerabilities':
for vuln in dep['private_vulnerabilities']:
if vuln['title'] == title:
assert vuln[
'severity'] == severity, "severity not matched"
assert is_component_present, 'Component {} not present'.format(component)
def check_properties_in_results(context, properties):
"""Check if all given properties can be found in all packages returned by Gremlin."""
data, meta = get_results_from_gremlin(context)
expected_properties = split_comma_separated_list(properties)
# we need to check if all expected properties are really returned by the Gremlin
for package in data:
check_attribute_presence(package, "properties")
properties = package["properties"].keys()
assert properties is not None
for expected_property in expected_properties:
if expected_property not in properties:
# print examined data so users would know what happened
formatted_data = pprint.pformat(package)
message = "Required property could not be found: {prop}\n" \
"Tested Gremlin results:\n{r}"
raise Exception(
message.format(prop=expected_property, r=formatted_data))
