コード例 #1
def test_schedule_multiple_pkgs_advisory(db, client):
    """Scheduling on the default group leaves two advisories behind.

    Posts the schedule form for DEFAULT_GROUP_NAME and checks that the
    advisories labelled number 1 and number 2 both exist afterwards.
    The fixture decorators that build the group are not part of this listing.
    """
    schedule_url = url_for('tracker.schedule_advisory', avg=DEFAULT_GROUP_NAME)
    form_data = {'advisory_type': issue_types[1]}
    response = client.post(schedule_url, follow_redirects=True, data=form_data)

    assert 200 == response.status_code
    for number in (1, 2):
        assert_advisory_data(advisory_get_label(number=number))
    assert 2 == advisory_count()
コード例 #2
def test_switch_issue_type_changes_multi_package_advisory_to_single_type(db, client):
    """Editing the group down to one CVE gives both advisories a single type.

    Submits the group edit form with one CVE and the packages foo and bar,
    then expects advisories number 1 and 2 to carry issue_types[2].
    """
    form_fields = dict(
        cve='\n'.join(['CVE-1111-1111']),
        pkgnames='\n'.join(['foo', 'bar']),
    )
    data = default_group_dict(form_fields)
    edit_url = url_for('tracker.edit_group', avg=DEFAULT_GROUP_NAME)
    response = client.post(edit_url, follow_redirects=True, data=data)

    assert 200 == response.status_code
    for number in (1, 2):
        assert_advisory_data(advisory_get_label(number=number),
                             advisory_type=issue_types[2])
    assert 2 == advisory_count()
コード例 #3
def test_cant_schedule_already_existing_advisory(db, client):
    """Scheduling again for a group that already has an advisory is refused.

    The response must show ERROR_ADVISORY_ALREADY_EXISTS, no advisory with
    label number 2 may exist, and the advisory count must remain at one.
    """
    schedule_url = url_for('tracker.schedule_advisory', avg=DEFAULT_GROUP_NAME)
    form_data = {'advisory_type': issue_types[1]}
    response = client.post(schedule_url, follow_redirects=True, data=form_data)

    assert 200 == response.status_code
    page = response.data.decode()
    assert ERROR_ADVISORY_ALREADY_EXISTS in page
    second_label = advisory_get_label(number=2)
    assert None is get_advisory(second_label)
    assert 1 == advisory_count()
コード例 #4
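def schedule_advisory(avg):
    """Schedule one advisory per package of a fixed vulnerability group.

    Args:
        avg: Group label taken from the request, with an ``AVG-`` prefix
            in front of the numeric group id.

    Returns:
        A redirect back to the group page with a flashed error when the form
        does not validate, the group is not fixed, or an advisory already
        exists for one of its packages; ``not_found()`` when the query
        yields no rows; otherwise a redirect to the last advisory created.
    """
    # NOTE(review): the route and permission decorators are not part of this
    # listing. This view writes to the database, so confirm it is restricted
    # to authorised roles and that the route constrains `avg` to the group
    # label format -- `avg` is interpolated into the redirect targets below.
    avg_id = avg.replace('AVG-', '')
    form = AdvisoryForm()

    if not form.validate_on_submit():
        flash('Form validation failed', 'error')
        return redirect('/{}'.format(avg))

    # One row per (issue, package) combination of the group; the outer join
    # leaves Advisory as None for packages that have no advisory yet.
    entries = (db.session.query(CVEGroup, CVE, CVEGroupPackage, Advisory)
               .filter(CVEGroup.id == avg_id)
               .join(CVEGroupEntry, CVEGroup.issues)
               .join(CVE, CVEGroupEntry.cve)
               .join(CVEGroupPackage, CVEGroup.packages)
               .outerjoin(Advisory,
                          and_(Advisory.group_package_id == CVEGroupPackage.id))
               ).all()
    if not entries:
        return not_found()

    pkgs = set()
    advisories = set()
    for group, cve, pkg, advisory in entries:
        pkgs.add(pkg)
        if advisory:
            advisories.add(advisory)

    # Every row carries the same group (the query filters on its id), so the
    # value left over from the last iteration is the group being scheduled.
    if Status.fixed != group.status:
        flash(ERROR_ADVISORY_GROUP_NOT_FIXED, 'error')
        return redirect('/{}'.format(avg))

    if advisories:
        flash(ERROR_ADVISORY_ALREADY_EXISTS, 'error')
        return redirect('/{}'.format(avg))

    # Continue numbering after the most recently created advisory when it
    # carries the current date label; otherwise numbering starts at 1.
    # NOTE(review): this is a read-then-insert sequence with no lock visible
    # here, so two concurrent requests could derive the same label --
    # presumably a uniqueness constraint on Advisory.id rejects the
    # duplicate; confirm.
    last_advisory_date = advisory_get_date_label()
    last_advisory_num = 0
    last_advisory = (db.session.query(Advisory).order_by(
        Advisory.created.desc()).limit(1)).first()
    if last_advisory:
        m = match(advisory_regex, last_advisory.id)
        # match() returns None for an id that does not follow the advisory
        # label pattern; skip such an id instead of failing on m.group().
        if m and last_advisory_date == m.group(2):
            last_advisory_num = int(m.group(3))

    # pkgs is a set, so which package receives which number is not
    # deterministic.
    for pkg in pkgs:
        last_advisory_num += 1
        asa = advisory_get_label(last_advisory_date, last_advisory_num)
        db.create(Advisory,
                  id=asa,
                  advisory_type=form.advisory_type.data,
                  publication=Publication.scheduled,
                  group_package=pkg)
    db.session.commit()

    # `asa` is the label created last in the loop above.
    flash('Scheduled {}'.format(asa))
    return redirect('/{}'.format(asa))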
コード例 #5
              fixed='1.2.3-4')
# Earlier fixture decorators of this test are cut off in this listing.
@create_group(id=456,
              issues=['CVE-1111-2222'],
              packages=['foo', 'bar'],
              affected='1.2.3-3')
@create_group(id=789,
              issues=['CVE-1111-2222'],
              packages=['foo', 'bar'],
              affected='1.2.3-3',
              status=Status.unknown)
@create_group(id=4242,
              issues=['CVE-1111-2222'],
              packages=['foo', 'bar'],
              affected='1.2.3-4')
@create_advisory(id=DEFAULT_ADVISORY_ID, advisory_type='multiple issues')
@create_advisory(id=advisory_get_label(number=2),
                 group_package_id=2,
                 advisory_type='multiple issues',
                 publication=Publication.published)
def test_todo_json_success(db, client):
    """The todo JSON view answers 200 with every checked bucket non-empty."""
    response = client.get(url_for('tracker.todo_json', postfix='.json'))
    assert 200 == response.status_code

    payload = response.get_json()
    # Each listed bucket must be present and truthy in the JSON payload.
    for bucket in ('scheduled', 'incomplete', 'unhandled'):
        assert payload['advisories'][bucket]

    for bucket in ('unknown', 'bumped'):
        assert payload['groups'][bucket]
コード例 #6
from tracker.model.cvegroup import CVEGroup
from tracker.model.cvegroupentry import CVEGroupEntry
from tracker.model.cvegrouppackage import CVEGroupPackage
from tracker.model.enum import Affected
from tracker.model.enum import Publication
from tracker.model.enum import Remote
from tracker.model.enum import Severity
from tracker.model.enum import UserRole
from tracker.model.enum import affected_to_status
from tracker.model.enum import highest_severity
from tracker.model.package import Package
from tracker.model.user import User
from tracker.user import hash_password
from tracker.user import random_string

# Advisory label returned by advisory_get_label() when called with its defaults.
DEFAULT_ADVISORY_ID = advisory_get_label()
# NOTE(review): this literal looks masked in the listing; confirm the real
# test username against the repository before relying on it.
DEFAULT_USERNAME = '******'
# User-facing error texts; presumably what the tests look for in rendered
# responses -- confirm against the callers.
ERROR_LOGIN_REQUIRED = 'Please log in to access this page.'
ERROR_INVALID_CHOICE = 'Not a valid choice'


@pytest.fixture(scope="session")
def app(request):
    """Yield a Flask application configured for the test session.

    The app uses an in-memory SQLite database and is yielded from inside its
    application context, which stays open until the fixture is torn down.
    """
    flask_app = create_app()
    flask_app.config.update({
        'SQLALCHEMY_DATABASE_URI': 'sqlite:///:memory:',
        'TESTING': True,
        # CSRF checking is switched off so test posts need no token; as a
        # result this suite does not exercise CSRF enforcement.
        'WTF_CSRF_ENABLED': False,
        'SQLALCHEMY_TRACK_MODIFICATIONS': False,
        'SERVER_NAME': 'cyber.local',
    })
    with flask_app.app_context():
        yield flask_app
コード例 #7
# Earlier fixture decorators of this test are cut off in this listing.
@create_advisory(id=DEFAULT_ADVISORY_ID, advisory_type=issue_types[1])
@logged_in
def test_switch_issue_type_changes_single_issue_advisory_to_multiple(db, client):
    """Changing a CVE's issue type relabels its advisory as 'multiple issues'.

    Posts an edit of CVE-1111-2222 with issue_types[2] and expects the one
    existing advisory to report the type 'multiple issues'.
    """
    form_data = default_issue_dict(dict(issue_type=issue_types[2]))
    edit_url = url_for('tracker.edit_cve', cve='CVE-1111-2222')
    response = client.post(edit_url, follow_redirects=True, data=form_data)

    assert 200 == response.status_code
    assert_advisory_data(DEFAULT_ADVISORY_ID, advisory_type='multiple issues')
    assert 1 == advisory_count()


@create_issue(id='CVE-1111-1111', issue_type=issue_types[2])
@create_issue(id='CVE-1111-2222', issue_type=issue_types[3])
@create_package(name='foo', base='lol', version='1.2.3-4')
@create_package(name='bar', base='lol', version='1.2.3-4')
@create_group(id=DEFAULT_GROUP_ID,
              issues=['CVE-1111-1111'],
              packages=['foo', 'bar'],
              affected='1.2.3-3',
              fixed='1.2.3-4')
@create_advisory(id=advisory_get_label(number=1),
                 group_package_id=1,
                 advisory_type=issue_types[2])
@create_advisory(id=advisory_get_label(number=2),
                 group_package_id=2,
                 advisory_type=issue_types[2])
@logged_in
def test_switch_issue_type_changes_multi_package_advisory_to_multiple(db, client):
    """Adding a CVE of another type turns both advisories into 'multiple issues'.

    The group starts with one CVE of issue_types[2]; the edit adds
    CVE-1111-2222, which has issue_types[3], and both package advisories are
    then expected to report 'multiple issues'.
    """
    form_fields = dict(
        cve='\n'.join(['CVE-1111-1111', 'CVE-1111-2222']),
        pkgnames='\n'.join(['foo', 'bar']),
    )
    data = default_group_dict(form_fields)
    edit_url = url_for('tracker.edit_group', avg=DEFAULT_GROUP_NAME)
    response = client.post(edit_url, follow_redirects=True, data=data)

    assert 200 == response.status_code
    for number in (1, 2):
        assert_advisory_data(advisory_get_label(number=number),
                             advisory_type='multiple issues')
    assert 2 == advisory_count()


@create_issue(id='CVE-1111-1111', issue_type=issue_types[2])