def test_cve_penalization(self) -> None:
    """Verify that a known CVE for the resolved package lowers the stack score.

    The graph lookup is mocked to return exactly one CVE record for
    flask==0.12.0 and is expected to be queried exactly once. Under the
    TESTING recommendation type the step is expected to return the configured
    penalization as a float together with the CVE record as justification.
    """
    flask_pv = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source("https://pypi.org/simple"),
        develop=False,
    )
    # Mock the CVE lookup on the graph class; the instance below inherits it.
    flexmock(GraphDatabase)
    GraphDatabase.should_receive("get_python_cve_records_all").with_args(
        package_name="flask", package_version="0.12.0"
    ).and_return([self._FLASK_CVE]).once()
    ctx = flexmock(graph=GraphDatabase(), recommendation_type=RecommendationType.TESTING)
    with CvePenalizationStep.assigned_context(ctx):
        penalizer = CvePenalizationStep()
        outcome = penalizer.run(None, flask_pv)
        # One CVE record found -> one unit of the configured penalization.
        expected_score = 1 * CvePenalizationStep.CONFIGURATION_DEFAULT["cve_penalization"]
        assert outcome is not None
        assert isinstance(outcome, tuple)
        assert len(outcome) == 2
        score, justification = outcome
        assert isinstance(score, float)
        assert score == expected_score
        assert isinstance(justification, list)
        assert justification == [self._FLASK_CVE]
        assert self.verify_justification_schema(justification)
def test_cve_not_acceptable(self) -> None:
    """Verify that a CVE makes the package unacceptable under SECURITY resolution.

    With the graph lookup mocked to return one CVE record for flask==0.12.0
    and the recommendation type set to SECURITY, the step is expected to raise
    NotAcceptable, record the (name, version, index) triple in its
    ``_messages_logged`` set, and append exactly one stack_info entry carrying
    ``message``, ``link`` and ``type`` keys.
    """
    flask_pv = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source("https://pypi.org/simple"),
        develop=False,
    )
    flexmock(GraphDatabase)
    GraphDatabase.should_receive("get_python_cve_records_all").with_args(
        package_name="flask", package_version="0.12.0"
    ).and_return([self._FLASK_CVE]).once()
    ctx = flexmock(
        graph=GraphDatabase(),
        recommendation_type=RecommendationType.SECURITY,
        stack_info=[],
    )
    # Constructed before the context is assigned so the "nothing logged yet"
    # check below observes a fresh step.
    penalizer = CvePenalizationStep()
    with CvePenalizationStep.assigned_context(ctx):
        assert not penalizer._messages_logged
        with pytest.raises(NotAcceptable):
            penalizer.run(None, flask_pv)
        logged = penalizer._messages_logged
        assert len(logged) == 1
        assert ("flask", "0.12.0", "https://pypi.org/simple") in logged
        assert len(ctx.stack_info) == 1
        entry_keys = set(ctx.stack_info[0].keys())
        assert entry_keys == {"message", "link", "type"}
        assert self.verify_justification_schema(ctx.stack_info)
def test_no_cve_record(self, recommendation_type: RecommendationType) -> None:
    """Verify that a package without CVE records is not penalized.

    The graph lookup is mocked to return no CVE records for flask==0.12.0.
    For the given recommendation type the step is expected to return a zero
    score and a single INFO justification entry stating that no CVE is known.
    """
    flask_pv = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source("https://pypi.org/simple"),
        develop=False,
    )
    flexmock(GraphDatabase)
    GraphDatabase.should_receive("get_python_cve_records_all").with_args(
        package_name="flask", package_version="0.12.0"
    ).and_return([]).once()
    ctx = flexmock(graph=GraphDatabase(), recommendation_type=recommendation_type)
    expected_justification = [
        {
            "link": "https://thoth-station.ninja/j/no_cve",
            "message": "No known CVE known for 'flask' in version '0.12.0'",
            "package_name": "flask",
            "type": "INFO",
        }
    ]
    with CvePenalizationStep.assigned_context(ctx):
        penalizer = CvePenalizationStep()
        outcome = penalizer.run(None, flask_pv)
        assert isinstance(outcome, tuple)
        assert len(outcome) == 2
        score, justification = outcome
        assert score == 0.0
        assert justification == expected_justification
def test_cve_penalization(self, recommendation_type: RecommendationType) -> None:
    """Verify that a known CVE lowers the stack score and is reported as a WARNING.

    The graph lookup is mocked to return one CVE record for flask==0.12.0 and
    is expected to be queried exactly once. For the given recommendation type
    the step is expected to return the configured penalization as a float and
    a single WARNING justification entry naming the package, the CVE id and
    the advisory text.
    """
    flask_pv = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source("https://pypi.org/simple"),
        develop=False,
    )
    flexmock(GraphDatabase)
    GraphDatabase.should_receive("get_python_cve_records_all").with_args(
        package_name="flask", package_version="0.12.0"
    ).and_return([self._FLASK_CVE]).once()
    ctx = flexmock(graph=GraphDatabase(), recommendation_type=recommendation_type)
    # Advisory text is split across literals only for line length; it is one string.
    expected_advisory = (
        "flask version Before 0.12.3 contains a CWE-20: Improper Input Validation "
        "vulnerability in flask that can result in Large amount of memory usage "
        "possibly leading to denial of service."
    )
    expected_justification = [
        {
            "link": "https://thoth-station.ninja/j/cve",
            "message": "Package ('flask', '0.12.0', 'https://pypi.org/simple') has a CVE 'CVE-ID'",
            "advisory": expected_advisory,
            "package_name": "flask",
            "type": "WARNING",
        }
    ]
    with CvePenalizationStep.assigned_context(ctx):
        penalizer = CvePenalizationStep()
        outcome = penalizer.run(None, flask_pv)
        # One CVE record found -> one unit of the configured penalization.
        expected_score = 1 * CvePenalizationStep.CONFIGURATION_DEFAULT["cve_penalization"]
        assert outcome is not None
        assert isinstance(outcome, tuple)
        assert len(outcome) == 2
        score, justification = outcome
        assert isinstance(score, float)
        assert score == expected_score
        assert isinstance(justification, list)
        assert justification == expected_justification
        assert self.verify_justification_schema(justification)
def test_no_cve_record(self) -> None:
    """Verify that a package without CVE records yields no score adjustment.

    The graph lookup is mocked to return no CVE records for flask==0.12.0 and
    is expected to be queried exactly once; the step is expected to return
    ``None`` in that case.
    """
    flask_pv = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source("https://pypi.org/simple"),
        develop=False,
    )
    flexmock(GraphDatabase)
    GraphDatabase.should_receive("get_python_cve_records_all").with_args(
        package_name="flask", package_version="0.12.0"
    ).and_return([]).once()
    ctx = flexmock(graph=GraphDatabase())
    with CvePenalizationStep.assigned_context(ctx):
        penalizer = CvePenalizationStep()
        outcome = penalizer.run(None, flask_pv)
        assert outcome is None