Esempio n. 1
def test_create_host_vuln_without_tool(session, host):
    """A payload with no 'tool' key is stored with its tool set to "Web UI".

    The default matters for provenance: a finding that arrives without a
    tool name must not end up with an empty origin.
    """
    payload = vuln_data.copy()
    # Remove the key from the copy only, so the shared vuln_data stays intact.
    del payload['tool']
    loaded = bc.VulnerabilitySchema().load(payload)
    workspace = host.workspace
    bc._create_hostvuln(workspace, host, loaded)
    created = workspace.vulnerabilities[0]
    assert created.tool == "Web UI"
Esempio n. 2
def test_create_not_fail_with_cve(session, host):
    """Creation must survive a noisy 'cve' list and keep only real CVE ids.

    The input mixes a CVSS score, OSVDB references, several CVE ids packed
    into one comma-separated string, and a lowercase CVE id. The assertion
    expects the stored set to hold each CVE id on its own, upper-cased, with
    the CVSS and OSVDB entries gone.
    """
    noisy_cves = [
        'CVSS: 10.0',
        'OSVDB:339, OSVDB:8750, OSVDB:11516',
        'CVE-1999-0170, CVE-1999-0211, CVE-1999-0554',
        'cve-1111-9988',
    ]
    payload = vuln_data.copy()
    payload['cve'] = noisy_cves
    loaded = bc.VulnerabilitySchema().load(payload)
    workspace = host.workspace
    bc._create_hostvuln(workspace, host, loaded)
    created = workspace.vulnerabilities[0]
    # The fixture's 'refs' are expected in vuln.cve as well; presumably they
    # are CVE ids themselves -- confirm against the vuln_data definition.
    expected = set(
        ['CVE-1999-0170', 'CVE-1999-0211', 'CVE-1999-0554', 'CVE-1111-9988']
        + vuln_data['refs']
    )
    assert set(created.cve) == expected
Esempio n. 3
def test_create_host_vuln(session, host):
    """Creating a host vulnerability from vuln_data stores one matching row."""
    # NOTE(review): strict=True plus the `.data` attribute on the load result
    # looks like the marshmallow 2.x API -- confirm the pinned version.
    schema = bc.VulnerabilitySchema(strict=True)
    loaded = schema.load(vuln_data).data
    workspace = host.workspace
    bc._create_hostvuln(workspace, host, loaded)

    # Exactly one row, seen both through the generic model and the subtype.
    assert count(VulnerabilityGeneric, workspace) == 1
    assert count(Vulnerability, workspace) == 1

    created = workspace.vulnerabilities[0]
    assert created.name == 'sql injection'
    assert created.description == 'test'
    assert created.severity == 'high'
    # Only the accountability impact flag is expected to be set.
    assert created.impact_accountability
    assert not created.impact_availability
    assert not created.impact_confidentiality
    assert created.references == {u'CVE-1234'}
Esempio n. 4
def test_create_service_vuln(session, service):
    """Creating a service vulnerability attaches it to the given service."""
    loaded = bc.VulnerabilitySchema().load(vuln_data)
    workspace = service.workspace
    bc._create_servicevuln(workspace, service, loaded)

    # Exactly one row, seen both through the generic model and the subtype.
    assert count(VulnerabilityGeneric, workspace) == 1
    assert count(Vulnerability, workspace) == 1

    created = workspace.vulnerabilities[0]
    assert created.service == service
    assert created.name == 'sql injection'
    assert created.description == 'test'
    assert created.severity == 'high'
    # Only the accountability impact flag is expected to be set.
    assert created.impact_accountability
    assert not created.impact_availability
    assert not created.impact_confidentiality
    assert created.references == {u'CVE-1234'}
    # The reporting tool named in the payload must be carried through.
    assert created.tool == "some_tool"
Esempio n. 5
def test_create_host_vuln(session, host):
    """Creating a host vulnerability stores fields, references, CVEs and tool."""
    loaded = bc.VulnerabilitySchema().load(vuln_data)
    workspace = host.workspace
    bc._create_hostvuln(workspace, host, loaded)

    # Exactly one row, seen both through the generic model and the subtype.
    assert count(VulnerabilityGeneric, workspace) == 1
    assert count(Vulnerability, workspace) == 1

    created = workspace.vulnerabilities[0]
    assert created.name == 'sql injection'
    assert created.description == 'test'
    assert created.severity == 'high'
    # Only the accountability impact flag is expected to be set.
    assert created.impact_accountability
    assert not created.impact_availability
    assert not created.impact_confidentiality

    assert set(created.references) == set(vuln_data['refs'])
    # vuln.cve is expected to be the union of the payload's 'cve' and 'refs'.
    expected_cves = set(vuln_data['cve'] + vuln_data['refs'])
    assert set(created.cve) == expected_cves
    # Equal lengths mean the stored CVE collection holds no duplicates.
    assert len(created.cve) == len(expected_cves)
    assert created.tool == "some_tool"
Esempio n. 6
def test_create_existing_host_vuln(session, host, vulnerability_factory):
    """Re-submitting an existing host vulnerability must not duplicate it.

    The payload repeats the stored name, description and severity but carries
    a different reference; the test expects a single row that still holds the
    earlier reference.
    """
    existing = vulnerability_factory.create(
        workspace=host.workspace, host=host, service=None)
    session.add(existing)
    session.commit()
    # The references are assigned in a second commit, after the row exists.
    existing.references = ['old']
    session.add(existing)
    session.commit()

    payload = {
        'name': existing.name,
        'desc': existing.description,
        'severity': existing.severity,
        'type': 'Vulnerability',
        'refs': ['new']
    }
    loaded = bc.VulnerabilitySchema().load(payload)
    bc._create_hostvuln(host.workspace, host, loaded)
    session.commit()

    assert count(Vulnerability, host.workspace) == 1
    # Re-query by id in case the in-memory object was not refreshed.
    reloaded = Vulnerability.query.get(existing.id)
    # The earlier reference must be preserved.
    # NOTE(review): nothing here checks whether 'new' was merged in -- confirm
    # the intended behaviour before relying on this test for it.
    assert 'old' in reloaded.references