コード例 #1
 def test_update_external_bts(self):
     """Check that updateClientDescription accepts a filled and an empty btsUrl.

     Two mutations are sent for finding 436992569: the first sets
     ``btsUrl`` to a non-empty value, the second sends an empty string.
     Each response must be free of errors and report ``success``.
     """
     # NOTE(review): the first value is free text rather than a URL, so this
     # test only passes if the mutation does not enforce a URL format on
     # btsUrl. Confirm where the value is validated (scheme, host) before it
     # is stored or rendered as a link.
     query_bts = '''
             mutation {
               updateClientDescription (
                 btsUrl: "new test btsUrl",
                 findingId: "436992569",
                 treatment: "NEW",
                 justification: ""
               ) {
                 success
                 finding {
                   btsUrl
                   historicTreatment
                 }
               }
             }
     '''
     query_bts_empty = '''
             mutation {
               updateClientDescription (
                 btsUrl: "",
                 findingId: "436992569",
                 treatment: "NEW",
                 justification: ""
               ) {
                 success
                 finding {
                   btsUrl
                   historicTreatment
                 }
               }
             }
     '''
     for mutation in (query_bts, query_bts_empty):
         # A new client and new loader instances are built for each call.
         response = self._get_result(
             mutation,
             Client(SCHEMA),
             {
                 'finding': FindingLoader(),
                 'vulnerability': VulnerabilityLoader()
             },
         )
         assert 'errors' not in response
         assert response['data']['updateClientDescription']['success']
コード例 #2
 def test_update_treatment_accepted(self):
     """Check that a finding's treatment can be set to ACCEPTED.

     Sends updateClientDescription for finding 463558592 with a
     justification and ``acceptanceDate: "-"``, then requires an
     error-free response that reports ``success``.
     """
     mutation = '''
             mutation {
               updateClientDescription (
                 btsUrl: "",
                 findingId: "463558592",
                 treatment: "ACCEPTED",
                 justification: "This is a treatment justification test",
                 acceptanceDate: "-"
               ) {
                 success
                 finding {
                   btsUrl
                   historicTreatment
                 }
               }
             }
     '''
     # NOTE(review): only `success` is asserted; the returned
     # historicTreatment is requested but not inspected, so this test does
     # not show what was recorded for the acceptance.
     response = self._get_result(
         mutation,
         Client(SCHEMA),
         {
             'finding': FindingLoader(),
             'vulnerability': VulnerabilityLoader()
         },
     )
     assert 'errors' not in response
     assert response['data']['updateClientDescription']['success']
コード例 #3
 def test_update_severity(self):
     """Check that updateSeverity succeeds for finding 422286126.

     The mutation sends a CVSS 3.1 metric set (some values as floats,
     some as strings) and the test requires an error-free response that
     reports ``success``.
     """
     # NOTE(review): finding.cvssVersion and finding.severity are requested
     # but never asserted. The payload also carries a caller-supplied
     # `severity`; whether the server recomputes the score from the metrics
     # is not visible here - confirm, and assert on the returned value.
     mutation = '''
             mutation {
               updateSeverity (
                 findingId: "422286126",
                 data: {
         attackComplexity: 0.77, attackVector: 0.62,
         availabilityImpact: "0", availabilityRequirement: "1",
         confidentialityImpact: "0", confidentialityRequirement: "1",
         cvssVersion: "3.1", exploitability: 0.91, id: "422286126",
         integrityImpact: "0.22", integrityRequirement: "1",
         modifiedAttackComplexity: 0.77, modifiedAttackVector: 0.62,
         modifiedAvailabilityImpact: "0",
         modifiedConfidentialityImpact: "0",
         modifiedIntegrityImpact: "0.22",
         modifiedPrivilegesRequired: "0.62",
         modifiedSeverityScope: 0, modifiedUserInteraction: 0.85,
         privilegesRequired: "0.62", remediationLevel: "0.97",
         reportConfidence: "0.92",
         severity: "2.9", severityScope: 0, userInteraction: 0.85
                 }
               ) {
                 success
                 finding {
                   cvssVersion
                   severity
                 }
               }
             }
     '''
     response = self._get_result(
         mutation, Client(SCHEMA), {'finding': FindingLoader()})
     assert 'errors' not in response
     assert response['data']['updateSeverity']['success']
コード例 #4
    def get_context(self, request):
        """Return the parent view's context with dataloaders attached.

        New EventLoader, FindingLoader and VulnerabilityLoader instances
        are created on every call and stored under ``context.loaders``,
        so loader instances are not shared between two contexts built by
        this method.
        """
        # NOTE(review): presumably this runs once per request, which keeps
        # anything a loader caches scoped to one caller - confirm against
        # the base view.
        ctx = super(APIView, self).get_context(request)
        ctx.loaders = dict(
            event=EventLoader(),
            finding=FindingLoader(),
            vulnerability=VulnerabilityLoader(),
        )
        return ctx
コード例 #5
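 def test_delete_finding(self):
     """Delete finding 560175507 and confirm it can no longer be fetched.

     The deleteFinding mutation must return without errors and report
     ``success``; a later ``get_finding`` call for the same id must raise
     ``FindingNotFound``.
     """
     query = '''
       mutation {
         deleteFinding(findingId: "560175507", justification: NOT_REQUIRED) {
           success
         }
       }
     '''
     testing_client = Client(SCHEMA)
     request_loaders = {'finding': FindingLoader()}
     result = self._get_result(query, testing_client, request_loaders)
     assert 'errors' not in result
     assert result['data']['deleteFinding']['success']
     # The lookup itself has to raise. Wrapping it in `assert` added nothing:
     # a falsy return would surface as AssertionError instead of the clearer
     # "did not raise" failure from pytest.raises.
     with pytest.raises(FindingNotFound):
         get_finding('560175507')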
コード例 #6
 def test_verify_finding(self):
     """Check that verifyFinding is rejected for finding 463461507.

     The response must contain an ``errors`` list whose first message is
     the string form of ``NotVerificationRequested``.
     """
     mutation = '''
       mutation {
         verifyFinding(
             findingId: "463461507",
             justification: "This is a commenting test, of the verifying of a request."
         ) {
           success
         }
       }
     '''
     response = self._get_result(
         mutation, Client(SCHEMA), {'finding': FindingLoader()})
     assert 'errors' in response
     # The API returns the exception text verbatim to the caller, so the
     # message of this exception class is part of the public error surface
     # and should stay free of internal detail.
     first_error = response['errors'][0]
     assert first_error['message'] == str(NotVerificationRequested())
コード例 #7
 def test_get_finding(self):
     """Query finding 422286126 and check one of its vulnerabilities.

     The response must carry no errors, echo the requested id, and list
     the expected "inputs" vulnerability with its two historic states.
     """
     query = '''{
       finding(identifier: "422286126"){
         id
         vulnerabilities {
             findingId
             id
             historicState
             specific
             vulnType
             where
         }
       }
     }'''
     loaders = {
         'finding': FindingLoader(),
         'vulnerability': VulnerabilityLoader()
     }
     # False is passed where the other tests pass a client object.
     result = self._get_result(query, False, loaders)
     assert not result.errors
     assert result.data.get('finding')['id'] == '422286126'

     analyst = '*****@*****.**'
     # Pairs follow the field order of the query above; if the returned rows
     # are OrderedDicts, equality with them is order-sensitive.
     expected_vuln = OrderedDict([
         ('findingId', '422286126'),
         ('id', '80d6a69f-a376-46be-98cd-2fdedcffdcc0'),
         ('historicState', [
             {
                 'date': '2018-09-28 10:32:58',
                 'state': 'open',
                 'analyst': analyst
             },
             {
                 'date': '2019-01-08 16:01:26',
                 'state': 'open',
                 'analyst': analyst
             },
         ]),
         ('specific', 'phone'),
         ('vulnType', 'inputs'),
         ('where', 'https://example.com'),
     ])
     assert expected_vuln in result.data.get('finding')['vulnerabilities']
コード例 #8
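 def test_get_project(self):
     """Query the "unittesting" project and check the fields it returns.

     Builds a GET request by hand, with a saved session and a signed JWT
     cookie that both carry the admin role, then executes the query
     through the test client with that request as context.
     """
     query = '''
       query {
         project(projectName: "unittesting"){
           name,
           hasForces,
           totalFindings,
           description,
           subscription,
           lastClosingVuln,
         }
       }
     '''
     testing_client = Client(SCHEMA)
     request = RequestFactory().get('/')
     # Run the session middleware by hand so request.session exists.
     middleware = SessionMiddleware()
     middleware.process_request(request)
     request.session.save()
     request.session['username'] = '******'
     request.session['company'] = 'unittest'
     request.session['role'] = 'admin'
     # NOTE(review): the cookie claims the admin role and is signed with
     # settings.JWT_SECRET; confirm the test settings supply a secret that
     # is never shared with a deployed environment. The payload has no
     # `exp` claim, so token expiry handling is not exercised here.
     request.COOKIES[settings.JWT_COOKIE_NAME] = jwt.encode(
         {
             'user_email': 'unittest',
             'user_role': 'admin',
             'company': 'unittest'
         },
         algorithm='HS512',
         key=settings.JWT_SECRET,
     )
     request.loaders = {'finding': FindingLoader()}
     result = testing_client.execute(query, context=request)
     assert 'errors' not in result
     project = result['data']['project']
     assert project
     # Identity check instead of `== True`: a truthy non-boolean such as 1
     # must not pass for a boolean field.
     assert project['hasForces'] is True
     assert project['lastClosingVuln'] == 23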
コード例 #9
 def test_get_vulnerability(self):
     """Query finding 422286126 with its vulnerabilities split by type.

     The query aliases ``vulnerabilities`` three times (ports, lines,
     inputs) through a shared fragment. The response must carry no
     errors, echo the finding id, and list the expected vulnerability
     under ``inputsVulns``.
     """
     query = '''
         query {
             finding(identifier: "422286126") {
             id
             releaseDate
             portsVulns: vulnerabilities(
                 vulnType: "ports") {
                 ...vulnInfo
             }
             linesVulns: vulnerabilities(
                 vulnType: "lines") {
                 ...vulnInfo
             }
             inputsVulns: vulnerabilities(
                 vulnType: "inputs") {
                 ...vulnInfo
             }
             }
         }
         fragment vulnInfo on Vulnerability {
             vulnType
             where
             specific
             currentState
             id
             findingId
             treatment
             treatmentManager
             treatmentJustification
             externalBts
         }'''
     request = RequestFactory().get('/')
     # Run the session middleware by hand so request.session exists.
     session_middleware = SessionMiddleware()
     session_middleware.process_request(request)
     request.session.save()
     request.session['username'] = '******'
     request.session['company'] = 'unittest'
     request.session['role'] = 'admin'
     # NOTE(review): the cookie claims the admin role and is signed with
     # settings.JWT_SECRET; confirm the test settings supply a test-only
     # secret.
     claims = {
         'user_email': 'unittest',
         'user_role': 'admin',
         'company': 'unittest'
     }
     request.COOKIES[settings.JWT_COOKIE_NAME] = jwt.encode(
         claims,
         algorithm='HS512',
         key=settings.JWT_SECRET,
     )
     request.loaders = {
         'finding': FindingLoader(),
         'vulnerability': VulnerabilityLoader()
     }
     # Executed on the schema directly, so the result exposes .errors/.data.
     result = SCHEMA.execute(query, context=request)
     assert not result.errors
     assert result.data.get('finding')['id'] == '422286126'
     # Pairs follow the field order of the fragment above; if the returned
     # rows are OrderedDicts, equality with them is order-sensitive.
     expected_vuln = OrderedDict([
         ('vulnType', 'inputs'),
         ('where', 'https://example.com'),
         ('specific', 'phone'),
         ('currentState', 'open'),
         ('id', '80d6a69f-a376-46be-98cd-2fdedcffdcc0'),
         ('findingId', '422286126'),
         ('treatment', 'In progress'),
         ('treatmentManager', '*****@*****.**'),
         ('treatmentJustification',
          'This is a treatment justification test'),
         ('externalBts', ''),
     ])
     assert expected_vuln in result.data.get('finding')['inputsVulns']