Esempio n. 1
0
def test_blackduck_graph():
    bl_list = []
    p = Package.load_from_json(serve_static_json)
    assert p.save() is not None

    v = Version.load_from_json(serve_static_json, package=p)
    v.save()
    p.create_version_edge(v)

    assert p.last_updated is not None
    assert v.last_updated is not None

    bl_list = bl.load_from_json(input_json['analyses'])
    assert len(bl_list) == 1

    objBlackduck = bl.add_blackduck_issue(bl_list[0])
    v.add_blackduck_cve_edge(objBlackduck.id)

    bl_criteria = {'vulnerability_name': 'CVE-2015-1164'}
    obj_fetch = SecurityDetails.find_by_criteria('CVE', bl_criteria)
    assert obj_fetch.last_updated == objBlackduck.last_updated

    SecurityDetails.delete_by_id(obj_fetch.id)
    Version.delete_by_id(v.id)
    Package.delete_by_id(p.id)
def add_blackduck_issue(issue):
    blcve_criteria = {'cve_id': issue['vulnerabilityName']}
    obj_returned = SecurityDetails.find_by_criteria('CVE', blcve_criteria)
    if obj_returned is None:
        obj_returned = SecurityDetails(issue['vulnerabilityName'])
        obj_returned.save()
    obj_returned.add_blackduck_data(issue)
    return obj_returned
Esempio n. 3
0
def test_security_object():
    bl_list = bl.load_from_json(input_json['analyses'])
    assert len(bl_list) == 1

    objBlackduck = bl.add_blackduck_issue(bl_list[0])
    assert objBlackduck.bl_base_score == 4.3
    assert objBlackduck.bl_description == 'Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.'
    assert objBlackduck.bl_exploitability_subscore == 8.6
    assert objBlackduck.bl_impact_subscore == 2.9
    assert objBlackduck.bl_remediation_status.lower() == 'new'
    assert objBlackduck.bl_remediation_updated_at == '2016-08-05T13:42:07.705Z'
    assert objBlackduck.bl_remediation_created_at == '2016-08-05T13:42:07.705Z'
    assert objBlackduck.bl_severity.lower() == 'medium'
    assert objBlackduck.bl_source.lower() == 'nvd'
    assert objBlackduck.bl_vulnerability_name == 'CVE-2015-1164'
    assert objBlackduck.bl_vulnerability_published_date == '2015-01-22T19:08:21.013Z'
    assert objBlackduck.bl_vulnerability_updated_date == '2015-01-23T21:11:11.353Z'
    assert objBlackduck.last_updated is not None

    SecurityDetails.delete_by_id(objBlackduck.id)
Esempio n. 4
0
def test_additional_data_as_attr():

    add_details = {}
    pck_obj = Package.load_from_json(serve_static_json)
    assert pck_obj.last_updated is None
    assert pck_obj.save() is not None

    ver_obj = Version.load_from_json(serve_static_json, package=pck_obj)
    assert ver_obj.last_updated is None
    ver_obj.save()
    v_ts1 = ver_obj.last_updated
    assert pck_obj.last_updated is not None
    assert v_ts1 is not None

    pck_obj.create_version_edge(ver_obj)
    code_metrics = CMR.load_from_json(
        npm_crumb_data["analyses"]["code_metrics"])

    security_data = serve_static_json["analyses"]["security_issues"]
    security_list, cvss_score, cve_ids = SD.load_from_json(security_data)

    if len(cvss_score) > 0 and len(cve_ids) > 0:
        cve_ids = cve_ids
        cvss = cvss_score

        add_details["cve_ids"] = cve_ids[0]
        add_details["cvss"] = cvss[0]

    ver_obj.add_additional_data_as_attr(code_metrics)

    ver_obj.add_cve_ids(add_details["cvss"], add_details["cve_ids"])
    assert ver_obj.last_updated >= v_ts1

    version_criteria = {
        'pecosystem': pck_obj.ecosystem,
        'pname': pck_obj.name,
        'version': ver_obj.version
    }

    present_version = Version.find_by_criteria(ver_obj.label, pck_obj,
                                               version_criteria)
    logger.info(present_version.__dict__)
    assert present_version.cm_loc == 1351
    assert present_version.cm_num_files == 16
    assert present_version.cm_avg_cyclomatic_complexity == -1
    assert present_version.cve_ids == ['CVE-2015-1164:7.5']
    assert present_version.last_updated == ver_obj.last_updated

    Version.delete_by_id(ver_obj.id)
    Package.delete_by_id(pck_obj.id)
def load_package_version_values(filename):

    input_json = gv.read_from_file(filename)

    objpackage = Package.load_from_json(input_json)

    objversion = Version.load_from_json(input_json, objpackage)

    github_data = input_json["analyses"]["github_details"]
    github_result = GithubResult.load_from_json(github_data)
    objversion.github_details = github_result

    authors_data = input_json["analyses"]["metadata"]
    authors_list = Author.load_from_json(authors_data)
    for objauthor in authors_list:
        objversion.version_authored_by(objauthor)

    contributors_data = input_json["analyses"]["metadata"]
    contributor_list = Contributor.load_from_json(contributors_data)
    for objcontributor in contributor_list:
        objversion.version_contributed_by(objcontributor)

    license_data = input_json["analyses"]["source_licenses"]
    license_details_list, license_counts_list, license_names = LicenseDetails.load_from_json(
        license_data)
    for objlicense, license_count in zip(license_details_list,
                                         license_counts_list):
        objversion.version_covered_under(objlicense, license_count)

    objversion.licenses = license_names

    dependency_data = input_json["analyses"]["dependency_snapshot"]
    _, dependency_ver_list, dependency_type = \
        vdv.load_dependencies(
            objversion.ecosystem_package.ecosystem, dependency_data)
    for d_ver, d_type in zip(dependency_ver_list, dependency_type):
        objversion.version_depends_on(d_ver, d_type)

    security_data = input_json["analyses"]["security_issues"]
    security_list, __, _ = SecurityDetails.load_from_json(security_data)
    for objsecurity in security_list:
        objversion.version_has_nvd_issues(objsecurity)

    return objversion
Esempio n. 6
0
    def populate_from_json(cls, input_json):

        # NPM packages with dependencies, versions i.e. Package version
        # insertion
        logger.info("Instantiating package ...")
        package = Package.load_from_json(input_json)
        logger.info("Saving package ...")
        pkg_id = package.save()
        logger.info(" Package node ID: %s" % pkg_id)
        if pkg_id is None:
            return
        version = Version.load_from_json(input_json, package=package)
        ver_id = version.save()
        logger.info(" Version node ID: %s" % ver_id)
        package.create_version_edge(version)

        analyses = input_json["analyses"]
        if "dependency_snapshot" in analyses:
            dependency_snapshot = analyses["dependency_snapshot"]
            dependency_pck_list, dependency_ver_list, dependency_type = vdv.load_dependencies(
                version.ecosystem_package.ecosystem, dependency_snapshot)
            for d_pck, d_ver, d_type in zip(dependency_pck_list,
                                            dependency_ver_list,
                                            dependency_type):
                d_pck.save()
                if d_pck is None:
                    continue
                d_ver.save()
                d_pck.create_version_edge(d_ver)
                version.add_edge_dependency(d_ver, d_type)

        if "metadata" in analyses:
            meta_data = analyses["metadata"]
            print("  Adding authors_list")
            authors_list = Author.load_from_json(meta_data)
            for author in authors_list:
                a_id = author.save()
                print("    author ID: %s" % a_id)
                version.add_edge_author(author)

            print("  Adding contributor_list")
            contributor_list = Contributor.load_from_json(meta_data)
            for contributor in contributor_list:
                c_id = contributor.save()
                print("    contributor ID: %s" % c_id)
                version.add_edge_author(contributor)

        # License Information
        if "source_licenses" in analyses:
            print("  Adding source_licenses")
            licenses = set()
            license_data = analyses["source_licenses"]
            license_details_list, license_counts_list, licenses = LicenseDetails.load_from_json(
                license_data)
            for used_license, license_count in zip(license_details_list,
                                                   license_counts_list):
                lic_id = used_license.save()
                print("    license_data ID: %s" % lic_id)
                version.add_license_edge(used_license, license_count)

            version.add_license_attribute(licenses)

        # NVD Security Information
        if "security_issues" in analyses:
            print("  Adding security_issues")
            security_data = analyses["security_issues"]
            security_list, cvss_score, cve_ids = SecurityDetails.load_from_json(
                security_data)
            for s, cvss, cve_id in zip(security_list, cvss_score, cve_ids):
                ss_id = s.save()
                print("    security_data ID: %s" % ss_id)
                version.add_security_edge(s, cvss)
                version.add_cve_ids(cvss, cve_id)

        # GitHub Details
        if "github_details" in analyses:
            print("  Adding github_details")
            github_data = analyses["github_details"]
            github_result = GithubResult.load_from_json(github_data)
            package.add_github_details_as_attr(github_result)
            version.add_edge_github_details(github_result)

        # Code Metrics
        if "code_metrics" in analyses:
            print("  Adding code_metrics")
            code_metrics_data = analyses["code_metrics"]
            code_metrics = CodeMetricsResult.load_from_json(code_metrics_data)
            version.add_code_metrics_edge(code_metrics)
            version.add_additional_data_as_attr(code_metrics)

        if "blackduck" in analyses:
            print("Adding extra security info via blackduck")
            blackduck_cve = analyses["blackduck"]
            issue_list = bl.load_from_json(blackduck_cve)
            for issue in issue_list:
                bl_obj = bl.add_blackduck_issue(issue)
                version.add_blackduck_cve_edge(bl_obj.id)
def test_support_vector_security():
    p = Package.load_from_json(serve_static_json)
    assert p.save() is not None

    v = Version.load_from_json(serve_static_json, package=p)
    v.save()
    p.create_version_edge(v)

    assert p.last_updated is not None
    assert v.last_updated is not None

    security_data = serve_static_json["analyses"]["security_issues"]
    security_list, cvss_score, cve_ids = SecurityDetails.load_from_json(
        security_data)
    ts_list = []
    for s, cvss, cve in zip(security_list, cvss_score, cve_ids):
        s.save()
        assert s.last_updated is not None
        ts_list.append(s.last_updated)
        v.add_security_edge(s, cvss)

    security_before = SecurityDetails.count()
    assert (security_before == 1)

    present_security = SecurityDetails.find_by_criteria(
        'CVE', {'cve_id': 'CVE-2015-1164'})
    assert (len(present_security.references) == 5)
    ref_list = [
        "https://github.com/expressjs/serve-static/issues/26",
        "https://bugzilla.redhat.com/show_bug.cgi?id=1181917",
        "http://xforce.iss.net/xforce/xfdb/99936",
        "http://www.securityfocus.com/bid/72064",
        "http://nodesecurity.io/advisories/serve-static-open-redirect"
    ]
    assert (all(r in ref_list for r in present_security.references))

    repeat_security_detail = SecurityDetails(cve_id='CVE-2015-1164',
                                             cvss=4.3,
                                             summary='')
    repeat_security_detail.issue_has_access('authentication', '')
    repeat_security_detail.issue_has_access('vector', 'NETWORK')
    repeat_security_detail.issue_has_access('complexity', 'MEDIUM')
    repeat_security_detail.issue_has_impact('integrity', 'partial')
    repeat_security_detail.issue_has_impact('confidentiality', '')
    repeat_security_detail.issue_has_impact('availability', '')

    repeat_security_detail.save()
    assert repeat_security_detail.id == s.id
    assert repeat_security_detail.last_updated >= ts_list[0]
    assert (SecurityDetails.count() == 1)

    for s in security_list:
        SecurityDetails.delete_by_id(s.id)

    SecurityDetails.delete_by_id(repeat_security_detail.id)
    Version.delete_by_id(v.id)
    Package.delete_by_id(p.id)