def nvd_vulnerability():
    """
    Build a vulnerability shaped like an NVD record, extended with a fixed record the
    way GitHub advisories carry both a vulnerable range and a fix version.

    NOTE(review): this excerpt stops after the namespace assignment and has no
    ``return``; the remainder of the function (the vulnerable/fixed records and the
    return of ``v``) appears to be cut off in this listing.
    :return: the populated Vulnerability (per the original docstring; not visible here)
    """
    v = Vulnerability()
    v.id = "CVE-2"
    # Naive UTC timestamp; created and updated are deliberately the same instant.
    v.created_at = v.updated_at = datetime.datetime.utcnow()
    v.severity = "high"
    v.namespace_name = "nvdv2:cves"
def test_non_comparable_versions(python_pkg1_100, python_pkg1_101,
                                 monkeypatch_distros):
    """
    Exercise matching when the vulnerable record uses a version format that
    supports only equality and no ordering (as CPE-style versions do).

    A record pinned to the version of ``python_pkg1_100`` must match that
    package and must not match ``python_pkg1_101``, even though
    ``include_previous_versions`` is set: without a comparator, "previous"
    cannot be evaluated, so only the exact version matches.
    :return:
    """
    for pkg in (python_pkg1_100, python_pkg1_101):
        assert isinstance(pkg, ImagePackage)

    now = datetime.datetime.utcnow()

    record = Vulnerability()
    record.id = "CVE-100"
    record.namespace_name = "nvdv2:cves"
    record.severity = "high"
    record.fixed_in = []
    record.vulnerable_in = []
    record.created_at = record.updated_at = now

    artifact = VulnerableArtifact()
    artifact.created_at = artifact.updated_at = record.created_at
    artifact.namespace_name = record.namespace_name
    artifact.name = python_pkg1_100.name
    artifact.vulnerability_id = record.id
    artifact.parent = record
    artifact.version = python_pkg1_100.version
    artifact.include_previous_versions = True
    artifact.epochless_version = artifact.version
    # Arbitrary format name outside {'semver', 'rpm', 'deb', 'apk'}: no
    # comparator is available, so only equality can be evaluated.
    artifact.version_format = "static"

    record.vulnerable_in.append(artifact)

    matcher = record.vulnerable_in[0]
    assert matcher.match_and_vulnerable(python_pkg1_100)
    assert not matcher.match_and_vulnerable(python_pkg1_101)
def empty_semver_vulnerability():
    """
    Return a bare ``Vulnerability`` in the ``github:npm`` namespace with no
    vulnerable or fixed records attached, for semver-handling tests.
    """
    # created_at is sampled before updated_at, as two separate calls.
    attrs = {
        "id": "CVE-2000",
        "namespace_name": "github:npm",
        "description": "test vulnerability for semver handling",
        "metadata_json": {},
        "created_at": datetime.datetime.utcnow(),
        "updated_at": datetime.datetime.utcnow(),
        "fixed_in": [],
        "vulnerable_in": [],
        "severity": "high",
        "link": "somelink",
    }
    record = Vulnerability()
    for name, value in attrs.items():
        setattr(record, name, value)
    return record
def empty_vulnerability():
    """
    Return a bare ``Vulnerability`` in the ``rhel:8`` namespace with empty
    ``fixed_in`` / ``vulnerable_in`` lists and empty metadata.
    """
    record = Vulnerability()
    record.id = "CVE-1"
    record.namespace_name = "rhel:8"
    record.description = "test vulnerability"
    record.metadata_json = {}
    # Two separate samples, so the two timestamps may differ slightly.
    record.created_at = datetime.datetime.utcnow()
    record.updated_at = datetime.datetime.utcnow()
    record.fixed_in, record.vulnerable_in = [], []
    record.severity = "high"
    record.link = "somelink"
    return record
def empty_vulnerability():
    """
    Return a bare ``Vulnerability`` in the ``rhel:8`` namespace with no
    vulnerable or fixed records attached and empty metadata.
    """
    # created_at is sampled before updated_at, as two separate calls.
    attrs = {
        "id": "CVE-1",
        "namespace_name": "rhel:8",
        "description": "test vulnerability",
        "metadata_json": {},
        "created_at": datetime.datetime.utcnow(),
        "updated_at": datetime.datetime.utcnow(),
        "fixed_in": [],
        "vulnerable_in": [],
        "severity": "high",
        "link": "somelink",
    }
    record = Vulnerability()
    for name, value in attrs.items():
        setattr(record, name, value)
    return record
def empty_semver_vulnerability():
    """
    Return a bare ``Vulnerability`` in the ``github:npm`` namespace with empty
    ``fixed_in`` / ``vulnerable_in`` lists, for semver-handling tests.
    """
    record = Vulnerability()
    record.id = "CVE-2000"
    record.namespace_name = "github:npm"
    record.description = "test vulnerability for semver handling"
    record.metadata_json = {}
    # Two separate samples, so the two timestamps may differ slightly.
    record.created_at = datetime.datetime.utcnow()
    record.updated_at = datetime.datetime.utcnow()
    record.fixed_in, record.vulnerable_in = [], []
    record.severity = "high"
    record.link = "somelink"
    return record
from anchore_engine.db.entities.policy_engine import (
    Vulnerability,
    CpeV2Vulnerability,
    ImageCpe,
    DistroNamespace,
    DistroTuple,
    ImagePackage,
)


@pytest.mark.parametrize(
    "record, expected",
    [
        # Non-CVE id: only the CVE ids listed in metadata are expected.
        (
            Vulnerability(id="ALAS-123", metadata_json={"CVE": ["CVE-2021"]}),
            ["CVE-2021"],
        ),
        # CVE id plus metadata references: both are expected.
        (
            Vulnerability(id="CVE-123", metadata_json={"CVE": ["CVE-2021"]}),
            ["CVE-123", "CVE-2021"],
        ),
        # CVE id with no metadata: the id alone.
        (Vulnerability(id="CVE-123"), ["CVE-123"]),
    ],
)
def test_cve_ids_for_vuln_record(record, expected):
    """Order-insensitive check of the CVE ids derived from a vulnerability record."""
    actual = sorted(cve_ids_for_vuln_record(record))
    assert actual == sorted(expected)


@pytest.mark.parametrize(
    "matches, expected",