def test_unknown_flow(_mock_license, _mock_gremlin, _mock_unknown):
"""Test unknown flow."""
with open("tests/v2/data/graph_response_2_public_vuln.json", "r") as fin:
_mock_gremlin.return_value = json.load(fin)
payload = _request_body()
# add unknown package as direct dependency
payload['packages'].append(_SIX.dict())
# add unknown packages as transitive dependency
payload['packages'][0]['dependencies'].append(_SIX.dict())
payload['packages'][0]['dependencies'].append(_FOO_UNKNOWN.dict())
resp = StackAggregator().execute(payload, persist=False)
_mock_license.assert_called_once()
_mock_gremlin.assert_called()
_mock_unknown.assert_called()
assert resp['aggregation'] == 'success'
assert resp['result'] is not None
result = resp['result']
assert result['external_request_id'] == 'test_id'
# check analyzed_dependencies
result = StackAggregatorResult(**result)
assert len(result.analyzed_dependencies) == 2
assert len(result.unknown_dependencies) == 1
assert _SIX in result.unknown_dependencies
# transitive shouldn't be part of unknown
assert _FOO_UNKNOWN not in result.unknown_dependencies
_mock_unknown.reset_mock()
_mock_unknown.side_effect = Exception('mocked exception')
resp = StackAggregator().execute(payload, persist=False)
# unknown ingestion failure is fine.
assert resp['aggregation'] == 'success'
def test_with_1_public_1_pvt_vuln(_mock_license, _mock_gremlin):
"""Test with 1 public and 1 private vulnerability."""
with open("tests/v2/data/graph_response_2_public_vuln.json", "r") as fin:
resp = json.load(fin)
# make one vulnerability private
resp['result']['data'][0]['vuln'][1]['snyk_pvt_vulnerability'] = [True]
_mock_gremlin.return_value = resp
resp = StackAggregator().execute(_request_body(), persist=False)
_mock_license.assert_called_once()
_mock_gremlin.assert_called()
assert resp['aggregation'] == 'success'
assert resp['result'] is not None
result = resp['result']
assert result['external_request_id'] == 'test_id'
# check analyzed_dependencies
result = StackAggregatorResult(**result)
assert 'registration_link' in result.dict()
assert len(result.analyzed_dependencies) == 2
assert _FLASK in result.analyzed_dependencies
assert _DJANGO in result.analyzed_dependencies
assert _SIX not in result.analyzed_dependencies
# check vuln
django_index = result.analyzed_dependencies.index(_DJANGO)
assert len(
result.analyzed_dependencies[django_index].public_vulnerabilities) == 1
assert len(result.analyzed_dependencies[django_index].
private_vulnerabilities) == 1
assert isinstance(
result.analyzed_dependencies[django_index].public_vulnerabilities[0],
VulnerabilityFields)
flask_index = result.analyzed_dependencies.index(_FLASK)
assert len(
result.analyzed_dependencies[flask_index].public_vulnerabilities) == 0
assert len(
result.analyzed_dependencies[flask_index].private_vulnerabilities) == 0
# check transitive vuln
assert len(
result.analyzed_dependencies[flask_index].vulnerable_dependencies) == 1
assert _DJANGO in result.analyzed_dependencies[
flask_index].vulnerable_dependencies
assert len(result.analyzed_dependencies[flask_index].
vulnerable_dependencies[0].public_vulnerabilities) == 1
def test_with_2_public_vuln_for_registered(_mock_license, _mock_gremlin):
"""Test basic request and response for registered user."""
with open("tests/v2/data/graph_response_2_public_vuln.json", "r") as fin:
_mock_gremlin.return_value = json.load(fin)
payload = _request_body()
payload['registration_status'] = 'REGISTERED'
resp = StackAggregator().execute(payload, persist=False)
_mock_license.assert_called_once()
_mock_gremlin.assert_called()
assert resp['aggregation'] == 'success'
assert resp['result'] is not None
result = resp['result']
assert result['external_request_id'] == 'test_id'
assert result['_audit'] is not None
assert result['_audit']['version'] == 'v2'
# check analyzed_dependencies
result = StackAggregatorResult(**result)
assert "registration_link" in result.dict()
assert len(result.analyzed_dependencies) == 2
assert _FLASK in result.analyzed_dependencies
assert _DJANGO in result.analyzed_dependencies
assert _SIX not in result.analyzed_dependencies
# check vuln
django_index = result.analyzed_dependencies.index(_DJANGO)
assert len(
result.analyzed_dependencies[django_index].public_vulnerabilities) == 2
assert isinstance(
result.analyzed_dependencies[django_index].public_vulnerabilities[0],
VulnerabilityFields)
flask_index = result.analyzed_dependencies.index(_FLASK)
assert len(
result.analyzed_dependencies[flask_index].public_vulnerabilities) == 0
# check transitive vuln
assert len(
result.analyzed_dependencies[flask_index].vulnerable_dependencies) == 1
assert _DJANGO in result.analyzed_dependencies[
flask_index].vulnerable_dependencies
assert len(result.analyzed_dependencies[flask_index].
vulnerable_dependencies[0].public_vulnerabilities) == 2
def test_with_2_public_vuln(_mock_license, _mock_gremlin, monkeypatch):
"""Test basic request and response."""
with open("tests/v2/data/graph_response_2_public_vuln.json", "r") as fin:
_mock_gremlin.return_value = json.load(fin)
monkeypatch.setenv('SNYK_PACKAGE_URL_FORMAT',
'https://abc.io/vuln/{ecosystem}:{package}')
monkeypatch.setenv('SNYK_SIGNIN_URL', 'https://abc.io/login')
resp = StackAggregator().execute(_request_body(), persist=False)
_mock_license.assert_called_once()
_mock_gremlin.assert_called()
assert resp['aggregation'] == 'success'
assert resp['result'] is not None
result = resp['result']
assert result['external_request_id'] == 'test_id'
# check _audit
assert result['_audit'] is not None
assert result['_audit']['version'] == 'v2'
# check manifest_name and manifest_file_path
assert result['manifest_name'] == 'requirements.txt'
assert result['manifest_file_path'] == '/foo/bar'
# check analyzed_dependencies
result = StackAggregatorResult(**result)
assert result.registration_link == 'https://abc.io/login'
assert len(result.analyzed_dependencies) == 2
assert _FLASK in result.analyzed_dependencies
assert _SIX not in result.analyzed_dependencies
# check vuln
django_index = result.analyzed_dependencies.index(_DJANGO)
assert result.analyzed_dependencies[
django_index].url == 'https://abc.io/vuln/pip:django'
assert len(
result.analyzed_dependencies[django_index].public_vulnerabilities) == 2
assert len(result.analyzed_dependencies[django_index].
private_vulnerabilities) == 0
assert isinstance(
result.analyzed_dependencies[django_index].public_vulnerabilities[0],
VulnerabilityFields)
flask_index = result.analyzed_dependencies.index(_FLASK)
assert len(
result.analyzed_dependencies[flask_index].public_vulnerabilities) == 0
# check transitive vuln
assert len(
result.analyzed_dependencies[flask_index].vulnerable_dependencies) == 1
assert _DJANGO in result.analyzed_dependencies[
flask_index].vulnerable_dependencies
assert len(result.analyzed_dependencies[flask_index].
vulnerable_dependencies[0].public_vulnerabilities) == 2
def get_result(self) -> StackAggregatorResult:
"""Aggregate stack data."""
# denormalize package details according to request.dependencies relations
package_details = self._get_denormalized_package_details()
unknown_dependencies = self._get_direct_unknown_packages()
started_at = time.time()
license_analysis = get_license_analysis_for_stack(package_details)
logger.info(
'%s took %0.2f secs for get_license_analysis_for_stack()',
self._request.external_request_id, time.time() - started_at)
return StackAggregatorResult(**self._request.dict(exclude={'packages'}),
analyzed_dependencies=package_details,
unknown_dependencies=unknown_dependencies,
license_analysis=license_analysis,
registration_link=AGGREGATOR_SETTINGS.snyk_signin_url)
def test_with_2_public_vuln(_mock_license, _mock_gremlin):
"""Test basic request and response."""
with open("tests/v2/data/graph_response_2_public_vuln.json", "r") as fin:
_mock_gremlin.return_value = json.load(fin)
resp = StackAggregator().execute(_request_body(), persist=False)
_mock_license.assert_called_once()
_mock_gremlin.assert_called()
assert resp['aggregation'] == 'success'
assert resp['result'] is not None
result = resp['result']
assert result['external_request_id'] == 'test_id'
# check _audit
assert result['_audit'] is not None
assert result['_audit']['version'] == 'v2'
# check manifest_name and manifest_file_path
assert result['manifest_name'] == 'requirements.txt'
assert result['manifest_file_path'] == '/foo/bar'
# check analyzed_dependencies
result = StackAggregatorResult(**result)
assert len(result.analyzed_dependencies) == 2
assert _FLASK in result.analyzed_dependencies
assert _SIX not in result.analyzed_dependencies
# check vuln
django_index = result.analyzed_dependencies.index(_DJANGO)
assert len(result.analyzed_dependencies[django_index].public_vulnerabilities) == 2
assert len(result.analyzed_dependencies[django_index].private_vulnerabilities) == 0
assert isinstance(result.analyzed_dependencies[django_index].public_vulnerabilities[0],
VulnerabilityFields)
flask_index = result.analyzed_dependencies.index(_FLASK)
assert len(result.analyzed_dependencies[flask_index].public_vulnerabilities) == 0
# check transitive vuln
assert len(result.analyzed_dependencies[flask_index].vulnerable_dependencies) == 0
assert _DJANGO not in result.analyzed_dependencies[flask_index].vulnerable_dependencies
assert len(result.analyzed_dependencies[flask_index].
vulnerable_dependencies) == 0