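def test_vulnerability_report_incompatible_api_response(api, initialized_db):
    """An incompatible scanner response to ``vulnerability_report`` surfaces as APIRequestFailure.

    The manifest lookup is deliberately done *outside* ``pytest.raises`` so that
    only the scanner call can satisfy the expectation: a setup failure must not
    be mistaken for the scanner error this test is about.
    """
    with fake_security_scanner(incompatible=True):
        manifest = manifest_for("devtable", "simple", "latest")

        # Only the call under test lives inside the raises block.
        with pytest.raises(APIRequestFailure):
            api.vulnerability_report(manifest.digest)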
def test_vulnerability_report(api, initialized_db):
    """A vulnerability report exists only once the manifest has been indexed.

    Before ``api.index`` runs, the fake scanner holds no index report for the
    manifest and ``vulnerability_report`` answers ``None``. After indexing, the
    fake records a vulnerability report under the manifest digest and the API
    returns a non-``None`` report.
    """
    with fake_security_scanner() as scanner:
        manifest = manifest_for("devtable", "simple", "latest")
        layers = registry_model.list_manifest_layers(manifest, storage, True)
        digest = manifest.digest

        # Nothing indexed yet: no index report, and therefore nothing to report on.
        assert digest not in scanner.index_reports
        assert api.vulnerability_report(digest) is None

        api.index(manifest, layers)
        report = api.vulnerability_report(digest)

        # Indexing populated the scanner side and the report is now available.
        assert digest in scanner.vulnerability_reports
        assert report is not None
def test_notification(issue, initialized_db):
    """End-to-end check of ``SecurityScanningNotificationWorker``.

    With ``issue`` falsy, one scanner notification must become exactly one
    repository event on ``notification_queue`` with the expected payload. With
    ``issue`` set, the worker must drop the notification and enqueue nothing:

    - ``no_event_registered``: no ``vulnerability_found`` event is created for
      the repository.
    - ``severity_too_low``: the event is registered with priority ``Critical``
      while the scanner notification only carries ``High``.
    - ``wrong_id``: the scanner knows the notification under ``wrongid``, not
      under the id placed on the queue.
    - ``no_matching_manifest``: the scanner notification points at
      ``sha256:incorrect`` instead of the repository's manifest digest.
    """
    worker = SecurityScanningNotificationWorker(secscan_notification_queue)
    secscan_model.configure(app, instance_keys, storage)
    worker._secscan_model = secscan_model

    # The fake scanner has to answer on the host the worker is configured to call.
    scanner_host = urlparse(app.config["SECURITY_SCANNER_V4_ENDPOINT"]).netloc
    with fake_security_scanner(hostname=scanner_host) as scanner:
        repo = registry_model.lookup_repository("devtable", "simple")

        # Register the repository's vulnerability_found webhook, unless the
        # scenario is precisely that no event exists.
        if issue != "no_event_registered":
            event_priority = "Critical" if issue == "severity_too_low" else "Low"
            model.notification.create_repo_notification(
                repo.id,
                "vulnerability_found",
                "webhook",
                {},
                {"vulnerability": {"priority": event_priority}},
            )

        latest_tag = registry_model.get_repo_tag(repo, "latest")
        manifest = registry_model.get_manifest_for_tag(latest_tag)

        # Seed the scanner with a notification; the id and digest are
        # deliberately broken for the corresponding failure scenarios.
        notification_id = "somenotificationid"
        scanner_side_id = "wrongid" if issue == "wrong_id" else notification_id
        target_digest = (
            "sha256:incorrect" if issue == "no_matching_manifest" else manifest.digest
        )
        vulnerability = {
            "normalized_severity": "High",
            "description": "Some description",
            "package": {
                "id": "42",
                "name": "FooBar",
                "version": "v0.0.1",
            },
            "name": "BarBaz",
            "links": "http://example.com",
        }
        scanner.add_notification(scanner_side_id, target_digest, "added", vulnerability)

        # Queue the notification for the worker and let it process the item.
        secscan_notification_queue.put(
            ["with_id", notification_id],
            json.dumps({"notification_id": notification_id}),
        )
        worker.poll_queue()

        # In every failure scenario the worker must not have emitted an event.
        found = notification_queue.get()
        if issue:
            assert found is None
            return

        assert found is not None

        event_data = json.loads(found["body"])["event_data"]
        assert event_data["repository"] == "devtable/simple"
        assert event_data["namespace"] == "devtable"
        assert event_data["name"] == "simple"
        assert event_data["tags"] == ["latest"]

        emitted = event_data["vulnerability"]
        assert emitted["id"] == "BarBaz"
        assert emitted["description"] == "Some description"
        assert emitted["priority"] == "High"
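def test_index_report_incompatible_api_response(api, initialized_db):
    """An incompatible scanner response to ``index_report`` surfaces as APIRequestFailure.

    The manifest lookup is kept *outside* ``pytest.raises`` so that only the
    scanner call can satisfy the expectation; a failing lookup would otherwise
    let the test pass without exercising the scanner at all.
    """
    with fake_security_scanner(incompatible=True):
        manifest = manifest_for("devtable", "simple", "latest")

        # Only the call under test lives inside the raises block.
        with pytest.raises(APIRequestFailure):
            api.index_report(manifest.digest)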
def test_state_incompatible_response(api, initialized_db):
    """``api.state()`` raises APIRequestFailure when the scanner answers in an incompatible format."""
    # The scanner context is entered first, the raises context last, so only
    # the state call itself is expected to fail.
    with fake_security_scanner(incompatible=True), pytest.raises(APIRequestFailure):
        api.state()
def test_state(api, initialized_db):
    """``api.state()`` reports the indexer state of the scanner it talks to."""
    with fake_security_scanner() as scanner:
        reported_state = api.state()["state"]
        assert reported_state == scanner.indexer_state