def test_results_api_http_post(self, mock_http_request): """ Test the ResultsAPI http_post method """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Fail when attempting to call the http_post method with invalid # arguments self.assertRaises(KeyError, results_api.http_post, endpoint="removefile.do") # Succeed when calling the http_post method with valid arguments # # As of the writing of this Veracode's Results API doesn't have any # endpoints that take a POST so the constants and endpoints below don't # align with a real-world scenario (because one doesn't exist) mock_http_request.return_value = constants.VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_PASSING_POLICY_COMPLIANCE_STATUS[ "Element"] self.assertIsInstance( results_api.http_post(endpoint="detailedreport.do"), InsecureElementTree.Element, ) # Fail when attempting to delete the http_post method, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "http_post")
def test_results_api__validate(self, mock_is_valid_attribute): """ Test the ResultsAPI _validate method """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Mock all attributes are invalid mock_is_valid_attribute.return_value = False # Fail when attempting to call the _validate method, given that the # attributes are invalid self.assertRaises( ValueError, results_api._validate, # pylint: disable=protected-access key="key", value="patched to be invalid", ) # Mock all attributes are valid mock_is_valid_attribute.return_value = True # Succeed when calling the _validate method, given that the attributes # are valid self.assertTrue( results_api._validate( # pylint: disable=protected-access key="key", value="patched to be valid")) # Fail when attempting to delete the _validate method, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "_validate")
def test_results_api_version(self): """ Test the ResultsAPI version property """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Succeed when getting a valid version property self.assertIsInstance(results_api.version, dict) # Succeed when setting the version property to a valid value self.assertIsNone( setattr(results_api, "version", constants.VALID_RESULTS_API["version"])) # Fail when attempting to set the version property to an invalid value self.assertRaises( ValueError, setattr, results_api, "version", constants.INVALID_RESULTS_API_INCORRECT_VERSION_VALUES["version"], ) # Fail when attempting to get the version property when it contains an # invalid value results_api._version = constants.INVALID_RESULTS_API_INCORRECT_VERSION_VALUES[ # pylint: disable=protected-access "version"] self.assertRaises(ValueError, getattr, results_api, "version") # Fail when attempting to delete the version property, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "version")
def test_results_api_http_get(self, mock_http_request): """ Test the ResultsAPI http_get method """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Fail when attempting to call the http_get method with invalid # arguments self.assertRaises(KeyError, results_api.http_get, endpoint="getbuildlist.do") # Succeed when calling the http_get method with valid arguments mock_http_request.return_value = constants.VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_PASSING_POLICY_COMPLIANCE_STATUS[ "Element"] self.assertIsInstance( results_api.http_get(endpoint="getappbuilds.do"), InsecureElementTree.Element, ) # Fail when attempting to delete the http_get method, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "http_get")
def test_results_api_base_url(self): """ Test the ResultsAPI base_url property """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Succeed when getting a valid base_url property self.assertIsInstance(results_api.base_url, str) # Succeed when setting the base_url property to a valid value self.assertIsNone( setattr(results_api, "base_url", constants.VALID_RESULTS_API["base_url"])) # Fail when attempting to set the base_url property to an invalid value self.assertRaises( ValueError, setattr, results_api, "base_url", constants.INVALID_RESULTS_API_MISSING_DOMAIN["base_url"], ) # Fail when attempting to get the base_url property when it contains an # invalid value results_api._base_url = constants.INVALID_RESULTS_API_MISSING_DOMAIN[ # pylint: disable=protected-access "base_url"] self.assertRaises(ValueError, getattr, results_api, "base_url") # Fail when attempting to delete the base_url property, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "base_url")
def test_get_policy_compliance_status(self, mock_get_latest_completed_build): """ Test the get_policy_compliance_status function """ # Return a non-"Pass"ing string when calling the # get_policy_compliance_status function with a valid results_api and # get_latest_completed_build has a mocked response of "Did Not Pass" results_api = ResultsAPI( app_id=test_constants.VALID_RESULTS_API["app_id"]) mock_get_latest_completed_build.return_value = test_constants.VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_FAILING_POLICY_COMPLIANCE_STATUS[ "Element"] self.assertEqual( check_compliance.get_policy_compliance_status( results_api=results_api), "Did Not Pass", ) self.assertNotEqual( check_compliance.get_policy_compliance_status( results_api=results_api), "Pass", ) # Return a "Pass"ing string when calling the # get_policy_compliance_status function with a valid results_api and # get_latest_completed_build has a mocked response that returns None results_api = ResultsAPI( app_id=test_constants.VALID_RESULTS_API["app_id"]) mock_get_latest_completed_build.return_value = None self.assertNotEqual( check_compliance.get_policy_compliance_status( results_api=results_api), "Pass", ) # Return a non-"Pass"ing string when calling the # get_policy_compliance_status function with a valid results_api and # get_latest_completed_build has a mocked response that returns an # application with no build results_api = ResultsAPI( app_id=test_constants.VALID_RESULTS_API["app_id"]) mock_get_latest_completed_build.return_value = ( test_constants. VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_NO_BUILDS["Element"]) self.assertEqual( check_compliance.get_policy_compliance_status( results_api=results_api), "Unknown", ) self.assertNotEqual( check_compliance.get_policy_compliance_status( results_api=results_api), "Pass", )
def test_in_compliance(self, mock_get_policy_compliance_status): """ Test the in_compliance function """ # Succeed when calling the in_compliance function with a valid # results_api and compliance_status has a mocked response of "Pass" with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) mock_get_policy_compliance_status.return_value = "Pass" self.assertTrue( check_compliance.in_compliance(results_api=results_api)) # Return False when calling the in_compliance function with a valid # results_api and compliance_status has a mocked response of "Unknown" with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) mock_get_policy_compliance_status.return_value = "Unknown" self.assertRaises(ValueError, check_compliance.in_compliance, results_api=results_api) # Succeed when calling the in_compliance function with a valid # results_api and compliance_status has a mocked response of anything # but "Pass" # # https://analysiscenter.veracode.com/resource/2.0/applicationbuilds.xsd # and https://help.veracode.com/viewer/document/mo49_yYZJCUuKhwdE9WRFQ # for possible values with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) for value in [ "Calculating...", "Not Assessed", "Did Not Pass", "Conditional Pass", "Under Vendor Review", "UNKNOWN VALUE!()&@%", 300, 7.12, results_api, ]: mock_get_policy_compliance_status.return_value = value self.assertFalse( check_compliance.in_compliance(results_api=results_api))
def test_apply_config(self): """ Test the apply_config function """ configuration = copy.deepcopy(test_constants.CLEAN_EFFECTIVE_CONFIG) # Succeed when calling the apply_config function with a valid # Upload API object and config upload_api = UploadAPI(app_id="31337") applied_upload_api = config.apply_config(api=upload_api, config=configuration) self.assertEqual(applied_upload_api, upload_api) # Succeed when calling the apply_config function with a valid # Results API object and config results_api = ResultsAPI(app_id="31337") applied_results_api = config.apply_config(api=results_api, config=configuration) self.assertEqual(applied_results_api, results_api) # Succeed when calling the apply_config function with a valid # Sandbox API object and config sandbox_api = SandboxAPI( app_id="31337", sandbox_name="easy_sast/fb/jonzeolla/testing" ) applied_sandbox_api = config.apply_config(api=sandbox_api, config=configuration) self.assertEqual(applied_sandbox_api, sandbox_api) # Ensure calling the apply_config function with different `app_id`s # does not result in an object with the same version string (which is # unique per-API) upload_api = UploadAPI(app_id="31337") applied_upload_api = config.apply_config(api=upload_api, config=configuration) # Note: This must be different than the above app_id results_api = ResultsAPI(app_id="1337") applied_results_api = config.apply_config(api=results_api, config=configuration) self.assertNotEqual(applied_results_api.version, applied_upload_api.version) # Fail when calling the apply_config function with a string instead of # an API object astring = "wrong type" self.assertRaises( TypeError, config.apply_config, api=astring, config=configuration ) # Succeed when calling the apply_config function with a valid # Results API object and config configuration["apis"]["unknown"] = {"a": "b"} results_api = ResultsAPI(app_id="31337") self.assertEqual( config.apply_config(api=results_api, config=configuration), results_api )
def get_latest_completed_build( *, results_api: ResultsAPI, only_latest: Optional[bool] = True ) -> Union[InsecureElementTree.Element, bool]: """ Get the latest completed build build_id for a given app_id https://help.veracode.com/reader/LMv_dtSHyb7iIxAQznC~9w/Q8E6r4JDAN1lykB08oGDSA """ endpoint = "getappbuilds.do" params = {"only_latest": only_latest} try: appbuilds = results_api.http_get(endpoint=endpoint, params=params) if element_contains_error(parsed_xml=appbuilds): LOG.error("Veracode returned an error when attempting to call %s", endpoint) return False except ( HTTPError, ConnectionError, Timeout, TooManyRedirects, RequestException, ): LOG.error("Exception encountered when calling the Veracode API") return False # Filter on the provided app_id for app in appbuilds: if app.get("app_id") == results_api.app_id: LOG.debug("Found app_id %s, returning %s", results_api.app_id, app) return app LOG.error( "Unable to find a completed build for app_id %s", results_api.app_id, ) return False
def test_results_api_ignore_compliance_status(self): """ Test the ResultsAPI ignore_compliance_status property """ with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) # Succeed when getting a valid ignore_compliance_status property self.assertIsInstance(results_api.ignore_compliance_status, bool) # Succeed when setting the ignore_compliance_status property to a valid # value self.assertIsNone( setattr( results_api, "ignore_compliance_status", constants.VALID_RESULTS_API["ignore_compliance_status"], )) # Fail when attempting to set the ignore_compliance_status property to # an invalid value self.assertRaises( ValueError, setattr, results_api, "ignore_compliance_status", constants.INVALID_RESULTS_API_INCORRECT_COMPLIANCE_STATUS[ "ignore_compliance_status"], ) # Fail when attempting to get the ignore_compliance_status property # when it contains an invalid value results_api._ignore_compliance_status = constants.INVALID_RESULTS_API_INCORRECT_COMPLIANCE_STATUS[ # pylint: disable=protected-access "ignore_compliance_status"] self.assertRaises(ValueError, getattr, results_api, "ignore_compliance_status") # Fail when attempting to delete the ignore_compliance_status property, # because the deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "ignore_compliance_status")
def test_results_api_app_name(self): """ Test the ResultsAPI app_name property """ # Fail when attempting to create a ResultsAPI object when the app_name # property wasn't provided to the constructor self.assertRaises(TypeError, ResultsAPI) # Succeed when creating a ResultsAPI object when the app_name property is # properly provided to the constructor with patch("veracode.api.get_app_id", return_value=constants.VALID_UPLOAD_API["app_id"]): results_api = ResultsAPI( app_name=constants.VALID_RESULTS_API["app_name"]) self.assertIsInstance(getattr(results_api, "app_name"), str) # Succeed when setting the app_name property to a valid value self.assertIsNone( setattr(results_api, "app_name", constants.VALID_RESULTS_API["app_name"])) # Succeed when getting a valid app_name property self.assertIsInstance(results_api.app_name, str) # Fail when attempting to set the app_name property to an invalid value self.assertRaises( ValueError, setattr, results_api, "app_name", constants.INVALID_RESULTS_API_INCORRECT_APP_NAME["app_name"], ) # Fail when attempting to get the app_name property when it contains an # invalid value results_api._app_name = constants.INVALID_RESULTS_API_INCORRECT_APP_NAME[ # pylint: disable=protected-access "app_name"] self.assertRaises(ValueError, getattr, results_api, "app_name") # Fail when attempting to delete the app_name property, because the # deleter is intentionally missing self.assertRaises(AttributeError, delattr, results_api, "app_name")
def main() -> None: """ Integration with Veracode Static Analysis """ ## Setup logging # Format the logs as JSON for simplicity formatting = json.dumps( { "timestamp": "%(asctime)s", "namespace": "%(name)s", "loglevel": "%(levelname)s", "message": "%(message)s", } ) # Default to a log level of WARNING until the config is parsed logging.basicConfig(level="WARNING", format=formatting) log = logging.getLogger(__project_name__) # Get the effective config try: config = get_config() except ValueError: log.error("Unable to create a valid configuration") sys.exit(1) # Update the log level to whatever was set in the config logging.getLogger().setLevel(config["loglevel"]) # Create the API objects and apply the config try: results_api = apply_config( api=ResultsAPI(app_id=config["apis"]["results"]["app_id"]), config=config ) upload_api = apply_config( api=UploadAPI(app_id=config["apis"]["upload"]["app_id"]), config=config ) if "sandbox_name" in config["apis"]["sandbox"]: sandbox_api = apply_config( api=SandboxAPI( app_id=config["apis"]["sandbox"]["app_id"], sandbox_name=config["apis"]["sandbox"]["sandbox_name"], ), config=config, ) else: sandbox_api = None except (TypeError, NameError): log.error("Unable to create valid API objects") sys.exit(1) # Configure the environment for step in config["workflow"]: if step == "submit_artifacts": configure_environment( api_key_id=config["api_key_id"], api_key_secret=config["api_key_secret"] ) success = submit_artifacts(upload_api=upload_api, sandbox_api=sandbox_api) if success: log.info("Successfully submit build artifacts for scanning") else: log.error("Failed to submit build artifacts for scanning") sys.exit(1) elif step == "check_compliance": configure_environment( api_key_id=config["api_key_id"], api_key_secret=config["api_key_secret"] ) if not check_compliance(results_api=results_api): sys.exit(1)
def test_check_compliance(self, mock_in_compliance): """ Test the check_compliance function """ # Return True when calling the check_compliance function with a valid # results_api with ignore_compliance_status set to True and # ignore_compliance_status is True with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) results_api.ignore_compliance_status = True mock_in_compliance.return_value = True self.assertTrue( check_compliance.check_compliance(results_api=results_api)) # Return False when calling the check_compliance function with a valid # results_api with ignore_compliance_status set to False and # ignore_compliance_status is False with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) results_api.ignore_compliance_status = False mock_in_compliance.return_value = False self.assertFalse( check_compliance.check_compliance(results_api=results_api)) # Return True when calling the check_compliance function with a valid # results_api with ignore_compliance_status set to True and # ignore_compliance_status is False with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) results_api.ignore_compliance_status = True mock_in_compliance.return_value = False self.assertTrue( check_compliance.check_compliance(results_api=results_api)) # Return True when calling the check_compliance function with a valid # results_api with ignore_compliance_status set to False and # ignore_compliance_status is True with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) results_api.ignore_compliance_status = False mock_in_compliance.return_value = True self.assertTrue( check_compliance.check_compliance(results_api=results_api)) # Return False after calling the check_compliance function with a valid # results_api with ignore_compliance_status set to False and # ignore_compliance_status is True, but in_compliance's mock raises a # ValueError when called with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI( app_name=test_constants.VALID_RESULTS_API["app_name"]) results_api.ignore_compliance_status = False mock_in_compliance.return_value = True mock_in_compliance.side_effect = ValueError self.assertFalse( check_compliance.check_compliance(results_api=results_api))
def test_get_latest_completed_build(self): """ Test the get_latest_completed_build function """ # Succeed when calling the get_latest_completed_build function with a # valid results_api and the http_get method returns an # ElementTree.Element which contains the provided app_id with patch.object( ResultsAPI, "http_get", return_value=test_constants. VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_PASSING_POLICY_COMPLIANCE_STATUS[ "Element"], ): with patch("veracode.check_compliance.element_contains_error", return_value=False): with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI(app_name="TestApp") output = check_compliance.get_latest_completed_build( results_api=results_api) expected = ElementTree.fromstring( b'<ns0:application xmlns:ns0="https://analysiscenter.veracode.com/schema/2.0/applicationbuilds" app_name="TestApp" app_id="1337" industry_vertical="Manufacturing" assurance_level="Very High" business_criticality="Very High" origin="Not Specified" modified_date="2019-08-13T14:00:10-04:00" cots="false" business_unit="Not Specified" tags="">\n <ns0:customfield name="Custom 1" value="" />\n <ns0:customfield name="Custom 2" value="" />\n <ns0:customfield name="Custom 3" value="" />\n <ns0:customfield name="Custom 4" value="" />\n <ns0:customfield name="Custom 5" value="" />\n <ns0:customfield name="Custom 6" value="" />\n <ns0:customfield name="Custom 7" value="" />\n <ns0:customfield name="Custom 8" value="" />\n <ns0:customfield name="Custom 9" value="" />\n <ns0:customfield name="Custom 10" value="" />\n <ns0:build version="2019-10 Testing" build_id="1234321" submitter="Jon Zeolla" platform="Not Specified" lifecycle_stage="Deployed (In production and actively developed)" results_ready="true" policy_name="Veracode Recommended Medium" policy_version="1" policy_compliance_status="Pass" rules_status="Pass" grace_period_expired="false" scan_overdue="false">\n <ns0:analysis_unit analysis_type="Static" published_date="2019-10-13T16:20:30-04:00" published_date_sec="1570998030" status="Results Ready" />\n </ns0:build>\n </ns0:application>\n' ) self.assertEqual([output.tag, output.attrib], [expected.tag, expected.attrib]) # However, return False when the element_contains_error function # returns True with patch("veracode.check_compliance.element_contains_error", return_value=True): self.assertFalse( check_compliance.get_latest_completed_build( results_api=results_api)) # Return False when calling the get_latest_completed_build function # with a valid results_api and the http_get method returns an # ElementTree.Element which doesn't contain the provided app_id with patch.object( ResultsAPI, "http_get", return_value=test_constants. VALID_RESULTS_API_GETAPPBUILDS_RESPONSE_XML_PASSING_POLICY_COMPLIANCE_STATUS[ "Element"], ): with patch("veracode.check_compliance.element_contains_error", return_value=False): with patch("veracode.api.get_app_id", return_value="31337"): results_api = ResultsAPI(app_name="TestApp") output = check_compliance.get_latest_completed_build( results_api=results_api) self.assertFalse(output) # Return False when calling the get_latest_completed_build function # with a valid results_api and the http_get method raises one of a # series of exceptions with patch("veracode.api.get_app_id", return_value="1337"): results_api = ResultsAPI(app_name="TestApp") for err in [ HTTPError, ConnectionError, Timeout, TooManyRedirects, RequestException, ]: with patch( "veracode.check_compliance.element_contains_error", return_value=False, ): with patch.object(ResultsAPI, "http_get", side_effect=err): output = check_compliance.get_latest_completed_build( results_api=results_api) self.assertFalse(output)