def deriv():
    """Fixture: a fake derivation together with the vulnerabilities hitting it.

    Returns a ``(Derive, set[V])`` pair. The store path is set explicitly so
    code that renders report output sees a realistic ``/nix/store/<hash>-<name>``
    path. One of the three CVEs carries a CVSSv3 base score (9.8).
    """
    vulns = {
        V('CVE-2018-0001'),
        V('CVE-2018-0002'),
        V('CVE-2018-0003', cvssv3=9.8),
    }
    drv = Derive(name='test-0.2')
    drv.store_path = '/nix/store/zsawgflc1fq77ijjzb1369zi6kxnc36j-test-0.2'
    return drv, vulns
def test_load_json(json):
    """Loading the packages JSON fixture yields exactly the expected derivations.

    The ``json`` argument is a pytest fixture (it shadows the stdlib module of
    the same name inside this test). With ``requisites=False`` only the three
    packages listed in the fixture are expected; two of them carry patch
    lists, including a CVE-named patch on boolector.
    """
    expected = {
        Derive(name="acpitool-0.5.1", patches="ac.patch battery.patch"),
        Derive(name="aespipe-2.4f"),
        Derive(name="boolector-3.0.0", patches="CVE-2019-7560.patch"),
    }
    store = Store(requisites=False)
    store.load_pkgs_json(json)
    assert expected == store.derivations
def test_product_candidates():
    """Product-name candidates are derived from the derivation's pname.

    A hyphenated name yields the hyphen and underscore spellings; a name with
    upper-case letters additionally yields the lower-cased variants, in the
    order asserted below (case-preserving forms first).
    """
    kernel = Derive(name='linux-kernel-4.0')
    assert list(kernel.product_candidates()) == [
        'linux-kernel',
        'linux_kernel',
    ]

    email = Derive(name='Email-Address-1')
    assert list(email.product_candidates()) == [
        'Email-Address',
        'Email_Address',
        'email-address',
        'email_address',
    ]
def test_filter(whitelist):
    """Whitelist filtering trims each ``report`` to the CVEs no rule covers.

    Four derivations cover the interesting cases against the ``whitelist``
    fixture: no matching rule (report unchanged), a rule covering one of two
    CVEs, a rule covering the only CVE, and a rule matching the package
    without naming specific CVEs (everything filtered).
    """
    candidates = [
        # not filtered
        Derive(name='cpio-2.12', affected_by={'CVE-2016-2037'}),
        # partially filtered
        Derive(name='audiofile-0.3.6',
               affected_by={'CVE-2017-6826', 'CVE-2017-6827'}),
        # fully filtered
        Derive(name='unzip-6.0', affected_by={'CVE-2015-7696'}),
        # fully filtered w/o specific CVEs
        Derive(name='audiofile-0.3.2', affected_by={'CVE-2018-2668'}),
    ]
    expected_reports = [
        {'CVE-2016-2037'},
        {'CVE-2017-6826'},
        set(),
        set(),
    ]
    results = whitelist.filter(candidates)
    for index, report in enumerate(expected_reports):
        assert results[index].report == report
def test_until(whitelist_toml):
    """A rule's ``until`` date is exclusive: coverage ends on that day.

    The day before the deadline the rule still covers the derivation; on the
    deadline itself it no longer does, so an expired whitelist entry cannot
    keep suppressing a finding. ``whitelist_toml`` is requested as a fixture
    but not referenced directly here -- NOTE(review): confirm it is needed.
    """
    deadline = '2018-04-12'
    rule = WhitelistRule(pname='libxslt', until=deadline)
    target = Derive(name='libxslt-2.0')

    with freezegun.freeze_time('2018-04-11'):
        assert rule.covers(target)
    with freezegun.freeze_time(deadline):
        assert not rule.covers(target)
def test_convert_derivs(whitelist):
    """``add_from`` with a derivation appends one rule keyed by the full
    ``name``, carrying exactly that derivation's CVE set.
    """
    # XXX unclear (original author's note; the intent beyond the asserts
    # below is not documented)
    cves = {'CVE-2018-7557', 'CVE-2018-6912'}
    size_before = len(whitelist)

    whitelist.add_from(Derive(name='ffmpeg-3.4.2', affected_by=cves))

    assert len(whitelist) == size_before + 1
    assert whitelist['ffmpeg-3.4.2'].cve == cves
def test_filter(whitelist):
    """Filtering a ``{Derive: {V}}`` mapping trims each report to the
    vulnerabilities no whitelist rule covers.

    Cases against the ``whitelist`` fixture: no matching rule (report kept),
    a rule covering one of two CVEs, a rule covering the only CVE, and a rule
    matching the package without naming specific CVEs (everything filtered).
    """
    affected = {}
    # not filtered
    affected[Derive(name='cpio-2.12')] = {V('CVE-2016-2037')}
    # partially filtered
    affected[Derive(name='audiofile-0.3.6')] = {
        V('CVE-2017-6826'), V('CVE-2017-6827')}
    # fully filtered
    affected[Derive(name='unzip-6.0')] = {V('CVE-2015-7696')}
    # fully filtered w/o specific CVEs
    affected[Derive(name='audiofile-0.3.2')] = {V('CVE-2018-2668')}

    expected_reports = [
        {V('CVE-2016-2037')},
        {V('CVE-2017-6826')},
        set(),
        set(),
    ]
    results = whitelist.filter(affected)
    for index, report in enumerate(expected_reports):
        assert results[index].report == report
def test_should_not_load_arbitrary_code():
    """``load`` must parse a .drv file without executing its contents.

    A crafted derivation is written whose ``name`` attribute is a Python
    expression that, if evaluated, writes to a canary file. Loading it has to
    fail with ``NameError`` and the canary must still be empty afterwards.
    The empty canary is the actual security assertion; the ``NameError``
    expectation additionally pins how ``load`` rejects the input.
    """
    with tempfile.NamedTemporaryFile(prefix='security_breach') as canary:
        with tempfile.NamedTemporaryFile(prefix='evil_eval', mode='w') as drv:
            # Doubled braces survive .format(); only the canary path is
            # substituted into the payload.
            payload = """
Derive(envVars={{'name': str((lambda: open('{}', 'w').write('shellcode'))())}})
""".format(canary.name)
            print(payload, file=drv)
            drv.flush()

            with pytest.raises(NameError):
                load(drv.name)
            # Nothing may have been written through the lambda.
            assert os.path.getsize(canary.name) == 0
def test_dump_add_cve(whitelist):
    """Adding a ``Filtered`` result to an existing entry merges its CVE into
    the TOML dump.

    The ``libxslt-2.0`` entry of the ``whitelist`` fixture already lists two
    CVEs and an ``until`` date; after ``add_from`` the rendering must show the
    new CVE alongside them with ``until`` preserved. Whitespace in the expected
    text must match the dumper's output exactly.
    """
    finding = Filtered(Derive(name='libxslt-2.0'), {V('CVE-2019-13118')})
    whitelist.add_from(finding)

    expected_section = """\
["libxslt-2.0"]
cve = [
    "CVE-2015-9019",
    "CVE-2017-2477",
    "CVE-2019-13118"
]
until = "2018-03-01"
"""
    rendered = str(whitelist)
    assert expected_section in rendered
def test_description_json(capsys):
    """``output_json`` emits one record per Filtered item, including the CVE
    description text taken from the parsed vulnerability.

    The fixture vulnerability is loaded from ``CVE-2010-0748``; the derivation
    has no store path, so ``derivation`` is ``None`` in the output.
    """
    drv = Derive(name='test-0.2')
    vuln = Vulnerability.parse(load('CVE-2010-0748'))

    output_json([Filtered(drv, {vuln})])

    description = (
        'Transmission before 1.92 allows an attacker to cause a denial of '
        'service (crash) or possibly have other unspecified impact via a '
        'large number of tr arguments in a magnet link.'
    )
    expected = [{
        'affected_by': ['CVE-2010-0748'],
        'cvssv3_basescore': {},
        'derivation': None,
        'description': {'CVE-2010-0748': description},
        'name': 'test-0.2',
        'pname': 'test',
        'version': '0.2',
        'whitelisted': [],
    }]
    captured = capsys.readouterr()
    assert expected == json.loads(captured.out)
def test_split_nameversion():
    """The ``name`` env var splits into pname and version at the first
    ``-<digit>`` boundary, keeping later hyphens in the version."""
    drv = Derive(envVars={'name': 'bundler-1.10.5-0'})
    assert (drv.pname, drv.version) == ('bundler', '1.10.5-0')
def test_split_name_noversion():
    """A ``name`` without any version part is rejected with NoVersionError."""
    env = {'name': 'hook'}
    with pytest.raises(NoVersionError):
        Derive(envVars=env)
def deriv():
    """Fixture: a fake derivation affected by three CVEs.

    The store path is set explicitly so report rendering sees a realistic
    ``/nix/store/<hash>-<name>`` path.
    """
    cves = {'CVE-2018-0001', 'CVE-2018-0002', 'CVE-2018-0003'}
    drv = Derive(name='test-0.2', affected_by=cves)
    drv.store_path = '/nix/store/zsawgflc1fq77ijjzb1369zi6kxnc36j-test-0.2'
    return drv
def test_match_partial():
    """A CVE-only rule covers a derivation when at least one of the reported
    vulnerabilities is listed in the rule, even if others are not."""
    rule = WhitelistRule(cve=['CVE-2015-1197', 'CVE-2016-2037'])
    reported = {V('CVE-2015-1197'), V('CVE-2015-1198')}
    assert rule.covers(Derive(name='cpio-2.12'), reported)
def test_not_whitelisted(whitelist):
    """With no applicable rule, ``find`` returns an empty rule list and the
    full vulnerability set as the report."""
    vulns = {V('CVE-2016-2037')}
    result = whitelist.find(Derive(name='cpio-2.12'), vulns)
    assert result.rules == []
    assert result.report == vulns
def test_split_name_noversion():
    """A ``name`` without any version part raises SkipDrv."""
    env = {'name': 'hook'}
    with pytest.raises(SkipDrv):
        Derive(envVars=env)
def deriv2():
    """Fixture: ``bar-2`` with a single CVE carrying a CVSSv3 score of 5.0,
    returned as a ``(Derive, set[V])`` pair."""
    vulns = {V('CVE-2018-0006', cvssv3=5.0)}
    return Derive(name='bar-2'), vulns
def test_match_pname_version_cve():
    """A rule naming pname, version and CVE covers only a derivation whose
    affected_by contains that exact CVE."""
    rule = WhitelistRule(pname='cpio', version='2.12', cve=['CVE-2015-1197'])

    listed = Derive(name='cpio-2.12', affected_by={'CVE-2015-1197'})
    assert rule.covers(listed)

    unlisted = Derive(name='cpio-2.12', affected_by={'CVE-2015-1198'})
    assert not rule.covers(unlisted)
def test_match_cve_only():
    """A rule with only CVEs covers a derivation iff a reported vulnerability
    matches one of them; a near-miss ID (…2038 vs …2037) does not match."""
    rule = WhitelistRule(cve=['CVE-2015-1197', 'CVE-2016-2037'])
    drv = Derive(name='cpio-2.12')
    assert rule.covers(drv, {V('CVE-2015-1197')})
    assert not rule.covers(drv, {V('CVE-2016-2038')})
def deriv1():
    """Fixture: ``foo-1`` with two CVEs, as a ``(Derive, set[V])`` pair."""
    vulns = {V('CVE-2018-0004'), V('CVE-2018-0005')}
    return Derive(name='foo-1'), vulns
def deriv2():
    """Fixture: ``bar-2`` affected by a single CVE."""
    cves = {'CVE-2018-0006'}
    return Derive(name='bar-2', affected_by=cves)
def test_match_pname_only():
    """A pname rule with version ``'*'`` covers every version of that
    package and nothing else."""
    rule = WhitelistRule(pname='libxslt', version='*')
    for covered in ('libxslt-2.0', 'libxslt-2.1'):
        assert rule.covers(Derive(name=covered))
    assert not rule.covers(Derive(name='libxml2-2.0'))
def test_not_whitelisted(whitelist):
    """With no applicable rule, ``find`` returns an empty rule list and a
    report equal to the derivation's own affected_by set."""
    drv = Derive(name='cpio-2.12', affected_by={'CVE-2016-2037'})
    result = whitelist.find(drv)
    assert result.rules == []
    assert result.report == drv.affected_by
def test_ordering():
    """Derivations compare by name, and between equal names by the
    affected_by set (a superset sorts after its subset); equality requires
    identical names."""
    def drv(name, cves=None):
        if cves is None:
            return Derive(name=name)
        return Derive(name=name, affected_by=set(cves))

    # equality / inequality on name alone
    assert drv('python-2.7.14') == drv('python-2.7.14')
    assert drv('python-2.7.14') != drv('python-2.7.13')

    # different names: ordering by name
    coreutils = drv('coreutils-8.29', ['CVE-2017-18018'])
    patch = drv('patch-2.7.6', ['CVE-2018-6952', 'CVE-2018-6951'])
    assert coreutils < patch
    assert drv('python-2.7.14') > drv('python-2.7.13')
    assert not drv('python-2.7.13') > drv('python-2.7.14')

    # same name: the larger affected_by set sorts after the smaller one
    both = drv('patch-2.7.6', ['CVE-2018-6951', 'CVE-2018-6952'])
    one = drv('patch-2.7.6', ['CVE-2018-6951'])
    assert both > one
def test_ordering():
    """Derivations order by pname first and by version second, so a lower
    pname sorts before a higher one regardless of version, and versions are
    compared component-wise (``1.0.1d`` < ``1.0.1e``)."""
    def drv(name):
        return Derive(name=name)

    # equality depends on the full name
    assert drv('python-2.7.14') == drv('python-2.7.14')
    assert drv('python-2.7.14') != drv('python-2.7.13')

    # pname decides before version
    assert drv('coreutils-8.29') < drv('patch-2.7.6')
    assert not drv('python-2.7.5') < drv('patch-2.7.6')
    assert drv('python-2.7.6') > drv('patch-2.7.6')
    assert not drv('patch-2.7.14') > drv('python-2.7.13')

    # same pname: version decides
    assert drv('python-2.7.14') > drv('python-2.7.13')
    assert not drv('python-2.7.13') > drv('python-2.7.14')
    assert drv('openssl-1.0.1d') < drv('openssl-1.0.1e')
def deriv1():
    """Fixture: ``foo-1`` affected by two CVEs."""
    cves = {'CVE-2018-0004', 'CVE-2018-0005'}
    return Derive(name='foo-1', affected_by=cves)
def test_match_partial():
    """A CVE-only rule covers a derivation when at least one of its
    affected_by CVEs is listed in the rule, even if others are not."""
    rule = WhitelistRule(cve=['CVE-2015-1197', 'CVE-2016-2037'])
    cves = {'CVE-2015-1197', 'CVE-2015-1198'}
    assert rule.covers(Derive(name='cpio-2.12', affected_by=cves))
def deriv():
    """Fixture: a fake derivation affected by three CVEs, with an explicit
    ``/nix/store/<hash>-<name>`` store path for report rendering."""
    cves = {'CVE-2018-0001', 'CVE-2018-0002', 'CVE-2018-0003'}
    drv = Derive(name='test-0.2', affected_by=cves)
    drv.store_path = '/nix/store/zsawgflc1fq77ijjzb1369zi6kxnc36j-test-0.2'
    return drv
def test_match_pname_version_cve():
    """A rule naming pname, version and CVE covers a derivation only when the
    reported vulnerability is that exact CVE."""
    rule = WhitelistRule(pname='cpio', version='2.12', cve=['CVE-2015-1197'])
    drv = Derive(name='cpio-2.12')
    assert rule.covers(drv, {V('CVE-2015-1197')})
    assert not rule.covers(drv, {V('CVE-2015-1198')})