def test_ensure_is_affected(doc: Any, package_name: str, package_version: str, is_vulnerable: bool) -> None:
    """Check that an advisory built from *doc* classifies *package_version* as expected.

    Presumably driven by a parametrize decorator above this function (not
    visible here). ``package_name`` is accepted but never read: the name
    assertion compares against the literal ``"package"`` — TODO confirm
    whether the parameter was meant to be used instead.
    """
    advisory = GemnasiumSecurityAdvisory.using(doc)
    assert advisory.package_name == "package"
    # One parsed range is expected per "||"-separated clause of the raw
    # affected_range string in the document.
    parsed_ranges = advisory.vulnerable_version_range
    raw_clauses = doc["affected_range"].split("||")
    assert len(parsed_ranges) == len(raw_clauses)
    # Identity check on purpose: is_affected must return a real bool.
    assert advisory.is_affected(package_version) is is_vulnerable
def test_ensure_gemnasium_advisory_from_yaml() -> None:
    """Ensure that a GemnasiumSecurityAdvisory can be built from a YAML document.

    Uses the ``multiple.yml`` fixture (several affected ranges) and pins every
    exposed field so that a change in the parser surfaces as a test failure.
    """
    advisory = GemnasiumSecurityAdvisory.using(gemnasium_advisory_yml("multiple.yml"))

    assert advisory.package_name == "Django"
    assert advisory.identifier == "CVE-2019-19844"
    assert advisory.source == "gemnasium"
    # The fixture carries no usable score, so the parser reports UNKNOWN.
    assert advisory.severity == "UNKNOWN"
    assert advisory.url == "https://nvd.nist.gov/vuln/detail/CVE-2019-19844"

    expected_references = [
        "https://nvd.nist.gov/vuln/detail/CVE-2019-19844",
        "https://docs.djangoproject.com/en/dev/releases/security/",
        "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/",
    ]
    assert advisory.references == expected_references

    # Multiple ranges are flattened into one comma-separated specifier string.
    assert advisory.vulnerable_versions == "<1.11.27,>=2.2,<2.2.9,3.0"
    expected_summary_prefix = "Weak Password Recovery Mechanism for Forgotten Password"
    assert advisory.summary.startswith(expected_summary_prefix)
def test_ensure_gemnasium_advisory_from_yaml_with_cvss2_only() -> None:
    """Severity must still be derived when only a CVSS v2 vector is available.

    The ``CVE-2014-1932.yml`` fixture carries a ``cvss_v2`` entry; the
    ``cvss_v3`` entry is removed from the advisory's backing dict after
    construction. NOTE(review): this only exercises the v2-only path if
    severity is computed on attribute access rather than at construction
    time — confirm against the class.
    """
    advisory = GemnasiumSecurityAdvisory.using(gemnasium_advisory_yml("CVE-2014-1932.yml"))

    # Reaches into the private backing dict; the test is coupled to that internal.
    backing = advisory._json
    assert "cvss_v2" in backing
    backing.pop("cvss_v3", None)

    assert advisory.package_name == "Pillow"
    assert advisory.identifier == "CVE-2014-1932"
    assert advisory.source == "gemnasium"
    assert advisory.severity == "MEDIUM"
    assert advisory.url == "http://seclists.org/oss-sec/2014/q1/310"

    expected_references = [
        "http://seclists.org/oss-sec/2014/q1/310",
        "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059",
    ]
    assert advisory.references == expected_references

    assert advisory.vulnerable_versions == "<2.3.1"
    expected_summary_prefix = "Insecure use of tempfile.mktemp. In JpegImagePlugin.py,"
    assert advisory.summary.startswith(expected_summary_prefix)
def test_ensure_gemnasium_advisory_from_yaml_with_empty_affected_range_string() -> None:
    """An empty affected-range string must be parsed as "every version" (``>=0.0.0``).

    Uses the ``CVE-2020-28476.yml`` fixture. Treating an empty range as
    all-versions is the conservative choice for a vulnerability feed: a
    malformed advisory widens the match rather than silently dropping it.
    NOTE(review): the ``cvss_v3`` removal below mirrors the cvss2-only test
    and does not look necessary for the empty-range scenario — confirm.
    """
    advisory = GemnasiumSecurityAdvisory.using(gemnasium_advisory_yml("CVE-2020-28476.yml"))

    # Reaches into the private backing dict; the test is coupled to that internal.
    backing = advisory._json
    assert "cvss_v2" in backing
    backing.pop("cvss_v3", None)

    assert advisory.package_name == "tornado"
    assert advisory.identifier == "CVE-2020-28476"
    assert advisory.source == "gemnasium"
    assert advisory.severity == "MEDIUM"
    assert advisory.url == "https://nvd.nist.gov/vuln/detail/CVE-2020-28476"

    expected_references = [
        "https://nvd.nist.gov/vuln/detail/CVE-2020-28476",
    ]
    assert advisory.references == expected_references

    # Empty affected_range in the fixture is widened to match all versions.
    assert advisory.vulnerable_versions == ">=0.0.0"
    expected_summary_prefix = (
        "Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)"
    )
    assert advisory.summary.startswith(expected_summary_prefix)