def test_add_cve_does_not_overwrite_existing_cve(db, client):
    """Merging into an already-populated CVE must not clobber its fields.

    The add_cve form is submitted for DEFAULT_ISSUE_ID with a full set of
    new values.  The response must still report a merge, but must also list
    every field that was left untouched, and the stored record must keep its
    previous values.  The only field that changes is ``reference``, where the
    posted URL is appended on a new line after the existing one.

    NOTE(review): the pre-existing values asserted below (issue_types[3],
    Severity.low, Remote.local, 'foobar', 'https://archlinux.org',
    'the cake is a lie') and the logged-in user are presumably set up by
    fixtures or decorators outside this listing - confirm.
    """
    submitted = dict(
        cve=DEFAULT_ISSUE_ID,
        issue_type=issue_types[1],
        severity=Severity.critical.name,
        remote=Remote.remote.name,
        description='deadbeef',
        reference='https://security.archlinux.org',
        notes='very secret',
    )
    resp = client.post(url_for('tracker.add_cve'),
                       follow_redirects=True,
                       data=default_issue_dict(submitted))
    assert 200 == resp.status_code

    page = resp.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page
    # Labels of the fields the merge must report as not overwritten, joined
    # in the order this test expects the partial-merge message to list them.
    form = CVEForm()
    untouched = ', '.join(
        getattr(form, name).label.text
        for name in ('issue_type', 'severity', 'remote', 'description', 'notes'))
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, untouched) in page

    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert stored.id == DEFAULT_ISSUE_ID
    assert stored.issue_type == issue_types[3]
    assert stored.severity == Severity.low
    assert stored.remote == Remote.local
    assert stored.description == 'foobar'
    # Only the reference list accepted the new value, appended after the old one.
    assert stored.reference == 'https://archlinux.org\nhttps://security.archlinux.org'
    assert stored.notes == 'the cake is a lie'
def test_add_cve_overwrites_existing_but_empty_cve(db, client):
    """Merging into a CVE whose fields are empty adopts the posted values.

    Unlike a populated record, an empty one yields no partial-merge message,
    and every posted field is found on the stored CVE afterwards.

    NOTE(review): the pre-existing empty CVE and the logged-in user are
    presumably created by fixtures or decorators outside this listing - confirm.
    """
    expected = {
        'issue_type': issue_types[1],
        'severity': Severity.critical,
        'remote': Remote.remote,
        'description': 'much wow',
        'reference': 'https://security.archlinux.org',
        'notes': 'very secret',
    }
    # The form takes enum member names; the stored model is compared against
    # the members themselves below.
    form_data = dict(
        cve=DEFAULT_ISSUE_ID,
        issue_type=expected['issue_type'],
        severity=expected['severity'].name,
        remote=expected['remote'].name,
        description=expected['description'],
        reference=expected['reference'],
        notes=expected['notes'],
    )
    resp = client.post(url_for('tracker.add_cve'),
                       follow_redirects=True,
                       data=default_issue_dict(form_data))
    assert 200 == resp.status_code
    page = resp.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page

    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert stored.id == DEFAULT_ISSUE_ID
    for field, value in expected.items():
        assert getattr(stored, field) == value, field
def test_merge_issue_as_security_team_with_referenced_advisory(db, client):
    """A security-team member may still edit a CVE that an advisory references.

    Only the description is changed; the merge must succeed without any
    partial-merge message and the new description must be persisted.

    NOTE(review): the logged-in security-team user, the existing CVE and the
    advisory referencing it are presumably set up outside this listing - confirm.
    """
    endpoint = url_for('tracker.add_cve', cve=DEFAULT_ISSUE_ID)
    payload = default_issue_dict(dict(description='changed'))
    resp = client.post(endpoint, follow_redirects=True, data=payload)
    assert 200 == resp.status_code

    page = resp.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page

    assert CVE.query.get(DEFAULT_ISSUE_ID).description == 'changed'
def test_merge_issue_as_reporter_with_referenced_advisory_fails(db, client):
    """A reporter must not be able to edit a CVE that an advisory references.

    The same description-only merge that the security-team test performs is
    rejected here: the response is a 403, neither merge message appears, the
    advisory-reference error is shown, and the stored description is left
    untouched.  This pins the authorization boundary that keeps
    advisory-referenced issues from being altered by what is presumably a
    lower-privileged role.

    NOTE(review): the logged-in reporter, the existing CVE and the advisory
    referencing it are presumably set up outside this listing - confirm.
    """
    endpoint = url_for('tracker.add_cve', cve=DEFAULT_ISSUE_ID)
    payload = default_issue_dict(dict(description='changed'))
    resp = client.post(endpoint, follow_redirects=True, data=payload)
    assert Forbidden.code == resp.status_code

    page = resp.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) not in page
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page
    assert ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(DEFAULT_ISSUE_ID) in page

    # The rejected write must leave the record as it was.  NOTE(review): a
    # substring check is weaker than asserting equality with the fixture's
    # original description; tighten it if that value is known to the test.
    assert 'changed' not in CVE.query.get(DEFAULT_ISSUE_ID).description