Esempio n. 1
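def test_list_cves_paginated(app, create_cves):
    """Check that ``CveController.list_items`` pages its results.

    With ``CVES_PER_PAGE`` forced to 3 and five CVEs loaded, the first page
    must hold three entries, the second the remaining two, and a third page
    must raise ``NotFound``.

    The config override is restored in a ``finally`` block so that a failing
    assertion cannot leak the reduced page size into other tests sharing the
    same ``app`` object.
    """
    old = app.config["CVES_PER_PAGE"]
    app.config["CVES_PER_PAGE"] = 3

    try:
        create_cves([
            "CVE-2018-18074",
            "CVE-2020-9392",
            "CVE-2020-26116",
            "CVE-2020-27781",
            "CVE-2019-17052",
        ])

        with app.test_request_context():
            # Default page (no "page" argument).
            cves = CveController.list_items()
            assert sorted(cve.cve_id for cve in cves) == [
                "CVE-2019-17052",
                "CVE-2020-26116",
                "CVE-2020-27781",
            ]

            cves = CveController.list_items({"page": 2})
            assert sorted(cve.cve_id for cve in cves) == [
                "CVE-2018-18074",
                "CVE-2020-9392",
            ]

            # Asking past the last page is an error, not an empty list.
            with pytest.raises(NotFound):
                CveController.list_items({"page": 3})
    finally:
        app.config["CVES_PER_PAGE"] = old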
Esempio n. 2
def cve_associate_tags(cve_id):
    """Replace the current user's tags on one CVE with the submitted list.

    Reads the ``tags`` form field, answers 404 if any submitted name is not
    among the tags declared by the current user, then creates or updates that
    user's ``CveTag`` row for the CVE and redirects back to the CVE page.

    NOTE(review): every lookup here is keyed on ``current_user.id``, so the
    view depends on an authenticated session; the route and login decorators
    are not visible in this snippet -- confirm they are present. This is also
    a state-changing form handler, so confirm CSRF protection covers it.
    """
    cve = CveController.get({"cve_id": cve_id})
    submitted = request.form.getlist("tags")

    # Allow-list check: only names the user has declared may be attached.
    declared = {
        tag.name
        for tag in UserTagController.list_items({"user_id": current_user.id})
    }
    if any(name not in declared for name in submitted):
        abort(404)

    # Reuse the user's existing row for this CVE, or start a new one. The
    # row is always scoped to the session user, never to a submitted id.
    cve_tag = CveTag.query.filter_by(
        user_id=current_user.id, cve_id=cve.id
    ).first() or CveTag(user_id=current_user.id, cve_id=cve.id)

    cve_tag.tags = submitted
    db.session.add(cve_tag)
    db.session.commit()

    flash("The CVE tags have been updated.", "success")
    return redirect(url_for("main.cve", cve_id=cve_id))
Esempio n. 3
def cve(cve_id):
    """Render the detail page of one CVE, with its tags and event history.

    Collects the vendors derived from the CVE's CPE configurations, the CWE
    details of its first problem-type entry, the tags declared by the current
    user (empty for anonymous visitors), the CVE's tag names as a JSON string
    and the CVE's events grouped by creation time, newest first.

    NOTE(review): ``cve_dumped`` and ``cve_tags_encoded`` are JSON strings
    built with ``json.dumps``, which does not neutralise HTML metacharacters
    or a ``</script>`` sequence. How ``cve.html`` embeds them is not visible
    here -- confirm they are output-escaped for the context they land in,
    since tag names are user-chosen.
    """
    cve = CveController.get({"cve_id": cve_id})
    record = cve.json

    vendors = convert_cpes(record["configurations"])
    problem_types = record["cve"]["problemtype"]["problemtype_data"]
    cwes = get_cwes_details(problem_types[0]["description"])

    # Only authenticated users have tags of their own to offer.
    user_tags = (
        UserTagController.list_items({"user_id": current_user.id})
        if current_user.is_authenticated
        else []
    )

    # The modal box expects the CVE's tag names as an encoded list.
    cve_tags_encoded = json.dumps([tag.name for tag in cve.tags])

    # groupby only merges neighbours, so it relies on the ordering below.
    events = Event.query.filter_by(cve_id=cve.id).order_by(
        Event.created_at.desc())
    events_by_time = []
    for created_at, group in itertools.groupby(
            events, key=operator.attrgetter("created_at")):
        events_by_time.append((created_at, list(group)))

    context = {
        "cve": cve,
        "cve_dumped": json.dumps(record),
        "vendors": vendors,
        "cwes": cwes,
        "user_tags": user_tags,
        "cve_tags_encoded": cve_tags_encoded,
        "events_by_time": events_by_time,
    }
    return render_template("cve.html", **context)
Esempio n. 4
def cve_change(cve_id, change_id):
    """Render the diff between one change of a CVE and the change before it.

    ``change_id`` is rejected with a 404 unless it is a valid UUID, and the
    change is looked up with both its id and the CVE's id, so an id belonging
    to another CVE also ends in a 404. The previous state is the most recent
    change of the same CVE created earlier; when there is none, the diff is
    taken against an empty document.

    NOTE(review): ``diff`` is markup produced by ``CustomHtmlHTML``, whose
    escaping behaviour is not visible here. If ``change.html`` renders it
    unescaped, confirm the differ escapes the JSON text it is given.
    """
    cve = CveController.get({"cve_id": cve_id})

    # Validate the identifier's shape before it is used in a query.
    if not is_valid_uuid(change_id):
        abort(404)

    change = Change.query.filter_by(cve_id=cve.id, id=change_id).first()
    if not change:
        abort(404)

    previous = (
        Change.query.filter(Change.created_at < change.created_at)
        .filter(Change.cve == change.cve)
        .order_by(Change.created_at.desc())
        .first()
    )
    previous_json = previous.json if previous else {}

    def as_lines(document):
        # Sorted keys and a fixed indent give both sides the same layout.
        return json.dumps(document, sort_keys=True, indent=2).split("\n")

    diff = CustomHtmlHTML().make_table(
        fromlines=as_lines(previous_json),
        tolines=as_lines(change.json),
        context=True,
    )

    return render_template("change.html", change=change, diff=diff)
Esempio n. 5
def test_filtered_by_cwe(app, create_cves, args, result):
    """Check that listing with the filter ``args`` yields the ids in ``result``.

    ``args`` and ``result`` are presumably supplied by a parametrize
    decorator that is not part of this snippet.
    """
    seeded = [
        "CVE-2018-18074",
        "CVE-2020-9392",
        "CVE-2020-26116",
        "CVE-2020-27781",
    ]
    create_cves(seeded)

    with app.test_request_context():
        listed = CveController.list_items(args)

    found_ids = sorted(item.cve_id for item in listed)
    assert found_ids == result
Esempio n. 6
def cves():
    """Render the CVE listing page for the filters in the query string.

    NOTE(review): ``request.args`` is handed to the controller unfiltered, so
    every filter key the controller understands is client-controlled; confirm
    none of them is meant to be set by the server only.
    """
    objects, metas, pagination = CveController.list(request.args)

    context = {
        "cves": objects,
        "vendor": metas.get("vendor"),
        "product": metas.get("product"),
        "pagination": pagination,
    }
    return render_template("cves.html", **context)
Esempio n. 7
def test_metas(app, create_cves):
    """Check the ``metas`` mapping returned by ``CveController.list``.

    Without filters every meta entry is ``None``; a vendor filter, and a
    vendor plus product filter, must fill in the matching objects.
    """
    create_cves([
        "CVE-2018-18074",
        "CVE-2020-9392",
        "CVE-2020-26116",
        "CVE-2020-27781",
    ])

    with app.test_request_context():
        # No filter: all four CVEs, no meta object resolved.
        page, metas, _ = CveController.list()
        assert len(page.items) == 4
        assert metas == {"vendor": None, "product": None, "tag": None}

        # Vendor only.
        page, metas, _ = CveController.list({"vendor": "python"})
        assert len(page.items) == 1
        assert metas["vendor"].name == "python"

        # Vendor and product together.
        vendor_and_product = {"vendor": "redhat", "product": "ceph_storage"}
        page, metas, _ = CveController.list(vendor_and_product)
        assert len(page.items) == 1
        assert metas["vendor"].name == "redhat"
        assert metas["product"].name == "ceph_storage"
Esempio n. 8
def cve(cve_id):
    """Render the detail page of one CVE.

    Passes the template the CVE itself, its JSON document as a string, the
    vendors derived from its CPE configurations and the CWE details of its
    first problem-type entry.

    NOTE(review): ``cve_dumped`` comes from ``json.dumps``, which does not
    neutralise HTML metacharacters or a ``</script>`` sequence; how
    ``cve.html`` embeds it is not visible here -- confirm it is escaped for
    the context it lands in.
    """
    cve = CveController.get({"cve_id": cve_id})
    record = cve.json

    problem_types = record["cve"]["problemtype"]["problemtype_data"]
    context = {
        "cve": cve,
        "cve_dumped": json.dumps(record),
        "vendors": convert_cpes(record["configurations"]),
        "cwes": get_cwes_details(problem_types[0]["description"]),
    }
    return render_template("cve.html", **context)
Esempio n. 9
def test_filtered_by_tags(app, create_cve, create_user):
    """Check that the tag filter only returns CVEs the user tagged that way.

    A tag name the user never declared must raise ``NotFound`` instead of
    returning an empty list.
    """
    first = create_cve("CVE-2018-18074")
    second = create_cve("CVE-2020-9392")
    third = create_cve("CVE-2020-26116")
    create_cve("CVE-2020-27781")  # stays untagged

    user = create_user()
    user.tags = [
        UserTag(name=name, description="foo", color="#fff")
        for name in ("tag1", "tag2")
    ]

    tagged = (
        (first, ["tag1"]),
        (second, ["tag1", "tag2"]),
        (third, ["tag2"]),
    )
    for tagged_cve, tag_names in tagged:
        db.session.add(
            CveTag(user_id=user.id, cve_id=tagged_cve.id, tags=tag_names)
        )
    db.session.commit()

    # Tag is not in user's list of tags
    with pytest.raises(NotFound):
        CveController.list_items({"user_id": user.id, "tag": "notfound"})

    with app.test_request_context():
        # Without a tag filter all four CVEs come back.
        listed = CveController.list_items()
        assert sorted(item.cve_id for item in listed) == [
            "CVE-2018-18074",
            "CVE-2020-26116",
            "CVE-2020-27781",
            "CVE-2020-9392",
        ]

        listed = CveController.list_items({"user_id": user.id, "tag": "tag1"})
        assert sorted(item.cve_id for item in listed) == [
            "CVE-2018-18074",
            "CVE-2020-9392",
        ]

        listed = CveController.list_items({"user_id": user.id, "tag": "tag2"})
        assert sorted(item.cve_id for item in listed) == [
            "CVE-2020-26116",
            "CVE-2020-9392",
        ]
Esempio n. 10
def test_list_cves(app, create_cves):
    """Check that an unfiltered listing returns every stored CVE."""
    create_cves([
        "CVE-2018-18074",
        "CVE-2020-9392",
        "CVE-2020-26116",
        "CVE-2020-27781",
    ])

    with app.test_request_context():
        listed = CveController.list_items()

    assert len(listed) == 4
    found_ids = sorted(item.cve_id for item in listed)
    assert found_ids == [
        "CVE-2018-18074",
        "CVE-2020-26116",
        "CVE-2020-27781",
        "CVE-2020-9392",
    ]
Esempio n. 11
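def cves():
    """Render the CVE listing page for the filters in the query string.

    ``user_id`` is treated as a server-set filter: it is dropped from the
    client-supplied query string and only added back from the authenticated
    session. Before this change an anonymous request forwarded
    ``request.args`` untouched, so a ``user_id`` query parameter reached the
    controller exactly as the client sent it.

    NOTE(review): how ``CveController.list`` uses ``user_id`` is not visible
    in this snippet -- confirm it is only needed for the per-user tag filter.
    """
    # Plain-dict copy of the query string without any client-sent user_id.
    # The authenticated path already handed the controller a plain dict.
    args = {
        key: value for key, value in request.args.items() if key != "user_id"
    }

    user_tags = []
    if current_user.is_authenticated:
        args["user_id"] = current_user.id
        user_tags = UserTagController.list_items({"user_id": current_user.id})

    objects, metas, pagination = CveController.list(args)

    return render_template(
        "cves.html",
        cves=objects,
        vendor=metas.get("vendor"),
        product=metas.get("product"),
        tag=metas.get("tag"),
        user_tags=user_tags,
        pagination=pagination,
    )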
Esempio n. 12
 def get(self, name):
     """List the CVEs of the vendor called ``name``.

     The vendor is looked up first and its result discarded; presumably the
     lookup raises when the vendor is unknown -- confirm. ``vendor`` is
     written after the query-string keys, so the value from the URL path
     wins over a ``vendor`` query parameter.

     NOTE(review): the remaining query-string keys are forwarded unfiltered;
     confirm the controller ignores keys that must be server-set.
     """
     VendorController.get({"name": name})
     filters = {**request.args, "vendor": name}
     return CveController.list_items(filters)
Esempio n. 13
 def get(self, id):
     """Return the CVE whose ``cve_id`` equals ``id``."""
     lookup = {"cve_id": id}
     return CveController.get(lookup)
Esempio n. 14
 def get(self):
     """List CVEs using the request's query string as the filter set.

     NOTE(review): the query string is forwarded unfiltered, so every filter
     key the controller understands is client-controlled; confirm none of
     them (an account identifier, for instance) is meant to be server-set.
     """
     filters = request.args
     return CveController.list_items(filters)
Esempio n. 15
 def get(self, id):
     """List the CVEs associated with the CWE ``id``.

     The CWE is looked up first and its result discarded; presumably the
     lookup raises when the CWE is unknown -- confirm. ``cwe`` is written
     after the query-string keys, so the value from the URL path wins over a
     ``cwe`` query parameter.

     NOTE(review): the remaining query-string keys are forwarded unfiltered;
     confirm the controller ignores keys that must be server-set.
     """
     CweController.get({"cwe_id": id})
     filters = {**request.args, "cwe": id}
     return CveController.list_items(filters)
Esempio n. 16
def test_vendors_products_not_found(app):
    """Check that an unknown vendor or product raises ``NotFound``."""
    unknown_filters = (
        {"vendor": "foo"},
        {"vendor": "foo", "product": "bar"},
    )

    with app.test_request_context():
        for filters in unknown_filters:
            with pytest.raises(NotFound):
                CveController.list_items(filters)
Esempio n. 17
def test_filtered_by_vendors_products(app, create_cves, args, result):
    """Check that listing with the filter ``args`` yields the ids in ``result``.

    ``args`` and ``result`` are presumably supplied by a parametrize
    decorator that is not part of this snippet.
    """
    seeded = ["CVE-2019-8075", "CVE-2019-17052", "CVE-2020-27781"]
    create_cves(seeded)

    with app.test_request_context():
        listed = CveController.list_items(args)

    found_ids = sorted(item.cve_id for item in listed)
    assert found_ids == result
Esempio n. 18
 def get(self, vendor, product):
     """List the CVEs of one product of one vendor.

     The product is looked up first and its result discarded; presumably the
     lookup raises when the vendor/product pair is unknown -- confirm.
     ``vendor`` and ``product`` are written after the query-string keys, so
     the values from the URL path win over query parameters of the same name.

     NOTE(review): the remaining query-string keys are forwarded unfiltered;
     confirm the controller ignores keys that must be server-set.
     """
     ProductController.get({"vendor": vendor, "product": product})
     filters = {**request.args, "vendor": vendor, "product": product}
     return CveController.list_items(filters)