async def test_list_component_vulnerabilitites_return_vulnerabilities_for_each_component( self): components_version = {'plugin0': "1.2.3", 'plugin1': "1.4.0"} plugin0_vuln_list = VulnerabilityList( key="plugin0", producer="", vulnerabilities=[Vulnerability(id="1234")]) plugin1_vuln_list = VulnerabilityList( key="plugin1", producer="", vulnerabilities=[Vulnerability(id="2345")]) vuln_list_group = MagicMock() vuln_list_group.vulnerability_lists = [ plugin0_vuln_list, plugin1_vuln_list ] def fake_list_vuln(self, version, vuln_list, no_version_match_all): return vuln_list.vulnerabilities with patch( "vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities", fake_list_vuln): vulns = self.vane.list_component_vulnerabilities( components_version, vuln_list_group, no_version_match_all=True) self.assertEqual(plugin0_vuln_list.vulnerabilities, vulns['plugin0']) self.assertEqual(plugin1_vuln_list.vulnerabilities, vulns['plugin1'])
def test_list_vulnerabilities_return_vulnerabilities_with_introduced_in_lower_than_version_and_fixed_in_upper_than_version( self): vuln0 = Vulnerability(id="12345", title="Vulnerability0", affected_versions=[ VersionRange(introduced_in="2.5.9", fixed_in="4.7.2") ]) vuln1 = Vulnerability(id="23456", title="Vulnerability1", affected_versions=[ VersionRange(introduced_in="1.6.2", fixed_in="4.9") ]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln0, vuln1]) applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities( "4.7", vuln_list) applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities( "3.5.8", vuln_list) applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities( "2.4.8", vuln_list) self.assertIn(vuln0, applicable_vuln0) self.assertIn(vuln1, applicable_vuln0) self.assertIn(vuln0, applicable_vuln1) self.assertIn(vuln1, applicable_vuln1) self.assertNotIn(vuln0, applicable_vuln2) self.assertIn(vuln1, applicable_vuln2)
def test_multiple_ranges(self): v = Vulnerability(id="1") v.add_affected_version(VersionRange(fixed_in="1.2")) v.add_affected_version(VersionRange(fixed_in="1.3")) self.assertEqual(v.affected_versions, [ VersionRange(fixed_in="1.2"), VersionRange(fixed_in="1.3"), ])
def test_added_fix_conflicts_with_known_information(self): v = Vulnerability(id="1") v.add_affected_version(VersionRange(fixed_in="1.5")) v.add_affected_version( VersionRange(introduced_in="2.0", fixed_in="2.5")) v.add_affected_version(VersionRange(fixed_in="1.3")) v.add_affected_version(VersionRange(fixed_in="2.3")) v.add_affected_version(VersionRange(introduced_in="2.3")) self.assertEqual(v.affected_versions, [ VersionRange(fixed_in="1.5"), VersionRange(introduced_in="2.0", fixed_in="2.5"), ])
def test_list_vulnerabilities_remove_affected_versions_ranges_not_including_target_version( self): vuln = Vulnerability(id="12345", title="Vulnerability", affected_versions=[ VersionRange(introduced_in="3.7", fixed_in="3.7.5"), VersionRange(introduced_in="4.0", fixed_in="4.0.10"), VersionRange(introduced_in="4.5", fixed_in="4.5.2") ]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln]) vuln_software0 = self.vulnerability_lister.list_vulnerabilities( "3.7.3", vuln_list) vuln_software1 = self.vulnerability_lister.list_vulnerabilities( "4.0.9", vuln_list) vuln_software2 = self.vulnerability_lister.list_vulnerabilities( "4.5", vuln_list) self.assertEqual(vuln_software0[0].affected_versions, [VersionRange(introduced_in="3.7", fixed_in="3.7.5")]) self.assertEqual( vuln_software1[0].affected_versions, [VersionRange(introduced_in="4.0", fixed_in="4.0.10")]) self.assertEqual(vuln_software2[0].affected_versions, [VersionRange(introduced_in="4.5", fixed_in="4.5.2")])
def test_serialize_vulnerability_cvss(self): schema = VulnerabilitySchema() vuln = Vulnerability(id="1234", title="Multiple XSS", cvss=4.5) expect = '{"id": "1234", "title": "Multiple XSS", "cvss": 4.5}' self.assertEqual(expect, serialize(schema, vuln, indent=None)[0]) data, err = schema.loads(expect) self.assertEqual(4.5, data.cvss)
def test_list_vulnerabilities_return_all_vulnerabilities_if_version_is_none_and_no_version_match_all_is_true( self): vuln0 = Vulnerability( id="12345", title="Vulnerability0", affected_versions=[VersionRange(introduced_in="2.3.4")]) vuln1 = Vulnerability( id="23456", title="Vulnerability1", affected_versions=[VersionRange(introduced_in="1.5.6")]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln0, vuln1]) applicable_vuln = self.vulnerability_lister.list_vulnerabilities( None, vuln_list, no_version_match_all=True) self.assertEqual(len(applicable_vuln), 2)
def test_vulnerability_introduced_in_only(self): v = Vulnerability(id="1") v.add_affected_version(VersionRange(introduced_in="2.0")) self.assertFalse(v.applies_to("1.0")) self.assertFalse(v.applies_to("1.9")) self.assertFalse(v.applies_to("2.0-beta3")) self.assertTrue(v.applies_to("2.0")) self.assertTrue(v.applies_to("2.1"))
def test_unaffected_versions(self): v = Vulnerability(id="1") v.unaffected_versions = [ VersionRange(introduced_in="6.0", fixed_in="6.1.2"), VersionRange(introduced_in="7.0", fixed_in="7.0.7"), ] v.add_affected_version(VersionRange(fixed_in="1.5")) v.add_affected_version( VersionRange(introduced_in="6.0", fixed_in="6.1.2")) v.add_affected_version(VersionRange(fixed_in="6.1.1")) self.assertEqual(v.affected_versions, [ VersionRange(fixed_in="1.5"), ])
def test_regroup_vulnerabilities_of_key_in_one_list(self): plugin_vuln0 = Vulnerability(id="0") plugin_vuln1 = Vulnerability(id="1") self.storage.vulnerability_lists[ 'plugins/plugin/producer0'] = VulnerabilityList( producer="producer0", key="plugins/plugin", vulnerabilities=[plugin_vuln0]) self.storage.vulnerability_lists[ 'plugins/plugin/producer1'] = VulnerabilityList( producer="producer1", key="plugins/plugin", vulnerabilities=[plugin_vuln1]) plugin_vuln_list = self.exporter._regroup_vulnerabilities_of_key_in_one_list( "plugins/plugin") self.assertIn(plugin_vuln0, plugin_vuln_list.vulnerabilities) self.assertIn(plugin_vuln1, plugin_vuln_list.vulnerabilities)
def test_serialize_all_values(self): reference_date = datetime.now() schema = VulnerabilitySchema() vuln = Vulnerability(id="1234", title="Multiple XSS", reported_type="XSS", created_at=reference_date, updated_at=reference_date + timedelta(days=6)) vuln.add_affected_version(VersionRange(fixed_in="1.3")) vuln.add_unaffected_version(VersionRange(fixed_in="2.4")) vuln.references.append( Reference(type="other", url="http://example.com/test")) data = serialize(schema, vuln, indent=None)[0] self.assertIn(reference_date.strftime("%Y-%m-%d"), data) self.assertIn( (reference_date + timedelta(days=6)).strftime("%Y-%m-%d"), data) self.assertIn('"reported_type": "XSS"', data) self.assertIn('1.3', data) self.assertIn('example.com', data) out, errors = schema.loads(data) self.assertEqual("1.3", out.affected_versions[0].fixed_in) self.assertEqual("2.4", out.unaffected_versions[0].fixed_in) self.assertEqual("other", out.references[0].type)
def test_list_vulnerabilities_return_empty_list_if_no_vuln_applicable_to_version( self): vuln0 = Vulnerability(id="12345", title="Vulnerability0", affected_versions=[ VersionRange(introduced_in="4.4", fixed_in="4.6") ]) vuln1 = Vulnerability(id="23456", title="Vulnerability1", affected_versions=[VersionRange(fixed_in="3.9")]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln0, vuln1]) applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities( "4.7", vuln_list) applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities( "4.3", vuln_list) self.assertEqual(len(applicable_vuln0), 0) self.assertEqual(len(applicable_vuln1), 0)
def test_list_vulnerabilities_return_all_vulnerabilities_with_no_introduced_nor_fixed_in( self): vuln0 = Vulnerability(id="12345", title="Vulnerability0") vuln1 = Vulnerability(id="23456", title="Vulnerability1", affected_versions=[VersionRange()]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln0, vuln1]) applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities( "4.7", vuln_list) applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities( "0.1", vuln_list) applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities( "100.2.3", vuln_list) self.assertIn(vuln0, applicable_vuln0) self.assertIn(vuln1, applicable_vuln0) self.assertIn(vuln0, applicable_vuln1) self.assertIn(vuln1, applicable_vuln1) self.assertIn(vuln0, applicable_vuln2) self.assertIn(vuln1, applicable_vuln2)
def test_serialize_vunlerability_list(self): schema = VulnerabilityListSchema() vuln_list = VulnerabilityList( producer="Test Provider", key="plugins/test-plugin", copyright="2016- Delve Labs inc.", license="GNU General Public License, version 2", vulnerabilities=[ Vulnerability(id="1234", title="Multiple XSS"), ]) data = serialize(schema, vuln_list)[0] self.assertIn('"producer": "Test Provider"', data) self.assertIn('"key": "plugins/test-plugin"', data) self.assertIn('"license": "GNU General Public License, version 2"', data) self.assertIn('"copyright": "2016- Delve Labs inc."', data) self.assertIn('Multiple XSS', data) out, errors = schema.loads(data) self.assertEqual("1234", out.vulnerabilities[0].id)
def test_list_vulnerabilities_apply_vulnerabilities_with_multiple_affected_versions( self): vuln = Vulnerability(id="12345", title="Vulnerability", affected_versions=[ VersionRange(introduced_in="3.7", fixed_in="3.7.5"), VersionRange(introduced_in="4.0", fixed_in="4.0.10"), VersionRange(introduced_in="4.5", fixed_in="4.5.2") ]) vuln_list = VulnerabilityList(key="wordpress", producer="producer", vulnerabilities=[vuln]) vuln_software0 = self.vulnerability_lister.list_vulnerabilities( "4.1.5", vuln_list) vuln_software1 = self.vulnerability_lister.list_vulnerabilities( "4.0.9", vuln_list) self.assertEqual(vuln_software0, []) self.assertEqual(vuln_software1[0].id, vuln.id)
def test_vulnerability_fixed_in_only(self): v = Vulnerability(id="1") v.add_affected_version(VersionRange(fixed_in="1.0")) self.assertFalse(v.applies_to("1.1")) self.assertFalse(v.applies_to("1.0")) self.assertTrue(v.applies_to("0.9"))
def test_export_vulnerabilities_export_all_vuln_lists_in_one_file(self): plugin0_vuln0 = Vulnerability(id="0") plugin0_vuln1 = Vulnerability(id="1") plugin0_vuln_list = VulnerabilityList( producer="test", key="plugins/plugin0", vulnerabilities=[plugin0_vuln0, plugin0_vuln1]) plugin1_vuln0 = Vulnerability(id="2") plugin1_vuln1 = Vulnerability(id="3") plugin1_vuln_list = VulnerabilityList( producer="test", key="plugins/plugin1", vulnerabilities=[plugin1_vuln0, plugin1_vuln1]) theme_vuln0 = Vulnerability(id="4") theme_vuln1 = Vulnerability(id="5") theme_vuln_list = VulnerabilityList( producer="test", key="themes/theme", vulnerabilities=[theme_vuln0, theme_vuln1]) wordpress_vuln0 = Vulnerability(id="6") wordpress_vuln1 = Vulnerability(id="7") wordpress_vuln_list = VulnerabilityList( producer="test", key="wordpress", vulnerabilities=[wordpress_vuln0, wordpress_vuln1]) self.storage.add_vulnerability_lists({ 'plugins/plugin0': plugin0_vuln_list, 'plugins/plugin1': plugin1_vuln_list, 'themes/theme': theme_vuln_list, 'wordpress': wordpress_vuln_list }) self.exporter.export_vulnerabilities("path_to_dir") args, kwargs = self.exporter._dump.call_args vulnerability_list_group = args[1] self.assertEqual(vulnerability_list_group.producer, "vane2_export") vulnerability_lists = vulnerability_list_group.vulnerability_lists self.assert_object_with_attribute_value_in_container( "key", "plugins/plugin0", vulnerability_lists) self.assert_object_with_attribute_value_in_container( "key", "plugins/plugin1", vulnerability_lists) self.assert_object_with_attribute_value_in_container( "key", "themes/theme", vulnerability_lists) self.assert_object_with_attribute_value_in_container( "key", "wordpress", vulnerability_lists) exported_plugin0_vuln_list = self.get_object_with_attribute_value_in_container( "key", "plugins/plugin0", vulnerability_lists) exported_plugin1_vuln_list = self.get_object_with_attribute_value_in_container( "key", "plugins/plugin1", vulnerability_lists) exported_theme_vuln_list = self.get_object_with_attribute_value_in_container( "key", "themes/theme", vulnerability_lists) exported_wordpress_vuln_list = self.get_object_with_attribute_value_in_container( "key", "wordpress", vulnerability_lists) self.assertIn(plugin0_vuln0, exported_plugin0_vuln_list.vulnerabilities) self.assertIn(plugin0_vuln1, exported_plugin0_vuln_list.vulnerabilities) self.assertIn(plugin1_vuln0, exported_plugin1_vuln_list.vulnerabilities) self.assertIn(plugin1_vuln1, exported_plugin1_vuln_list.vulnerabilities) self.assertIn(theme_vuln0, exported_theme_vuln_list.vulnerabilities) self.assertIn(theme_vuln1, exported_theme_vuln_list.vulnerabilities) self.assertIn(wordpress_vuln0, exported_wordpress_vuln_list.vulnerabilities) self.assertIn(wordpress_vuln1, exported_wordpress_vuln_list.vulnerabilities)
def test_vulnerability_has_no_applicable_ranges(self): v = Vulnerability(id="1") self.assertTrue(v.applies_to("1.0"))
def test_multiple_ranges(self): v = Vulnerability(id="1") v.add_affected_version( VersionRange(introduced_in="1.0", fixed_in="1.2")) v.add_affected_version( VersionRange(introduced_in="2.0", fixed_in="2.3")) v.add_affected_version( VersionRange(introduced_in="3.0", fixed_in="3.1")) self.assertFalse(v.applies_to("0.9")) self.assertTrue(v.applies_to("2.1")) self.assertTrue(v.applies_to("3.0")) self.assertFalse(v.applies_to("3.1"))
def test_serialize_vulnerability_minimal(self): schema = VulnerabilitySchema() vuln = Vulnerability(id="1234", title="Multiple XSS") self.assertEqual('{"id": "1234", "title": "Multiple XSS"}', serialize(schema, vuln, indent=None)[0])