def test_positive_multi_categories_multi_keywords(self):
# First, make sure that the CWE does not exist.
self.assertRaises(CWE.DoesNotExist, CWE.objects.get, code=101)
# Second, try to add the CWE to the database
cat1 = Category.objects.get(name=self.CATEGORY_NAMES[0])
kw1 = Keyword.objects.get(name=self.STEMMED_NAMES[0])
cat2 = Category.objects.get(name=self.CATEGORY_NAMES[1])
kw2 = Keyword.objects.get(name=self.STEMMED_NAMES[1])
cwe = CWE(code=101, name="cwe-101", description="cwe description")
cwe.save()
cwe.categories.add(cat1, cat2)
cwe.keywords.add(kw1, kw2)
# Third, verify that the CWE was added successfully.
cwe2 = CWE.objects.get(code=101)
self.assertEqual(cwe.code, cwe2.code)
self.assertEqual(cwe.name, cwe2.name)
self.assertEqual(cwe.description, cwe2.description)
self.assertEqual(cwe.categories.count(), 2)
self.assertEqual(cwe.keywords.count(), 2)
self.assertEqual(cwe.categories.get(name=self.CATEGORY_NAMES[0]), cat1)
self.assertEqual(cwe.categories.get(name=self.CATEGORY_NAMES[1]), cat2)
self.assertEqual(cwe.keywords.get(name=self.STEMMED_NAMES[0]), kw1)
self.assertEqual(cwe.keywords.get(name=self.STEMMED_NAMES[1]), kw2)
def test_negative_add_duplicated(self):
# First, make sure that the CWE does not exist.
self.assertRaises(CWE.DoesNotExist, CWE.objects.get, code=105)
# Second, add the CWE to the database, and it should succeed.
# Because we want to test the prevention of duplication, we can ignore the
# CWE category and keyword for now and focus on the CWE code.
cwe = CWE(code=105, name="cwe-105", description="cwe description")
cwe.save()
cwe2 = CWE.objects.get(code=105)
self.assertEqual(cwe.code, cwe2.code)
# Thrid, try to add a CWE with the same code, and an exception should
# be thrown.
cwe_dup = CWE(code=105,
name="cwe-duplicated",
description="cwe duplicated description")
# In Django 1.5/1.6, each test is wrapped in a transaction, so if an exception occurs,
# it breaks the transaction until you explicitly roll it back. Therefore, any further
# ORM operations in that transaction, will fail with that django.db.transaction.TransactionManagementError
# exception. We need to capture the exception with transaction.atomic().
# See the Django document: https://docs.djangoproject.com/en/1.8/topics/db/transactions/
with transaction.atomic():
self.assertRaises(IntegrityError, cwe_dup.save)
def _add_cwe_referring_to_category_1(self):
"""
Create a CWE that refers to "category_1"
"""
category_1 = Category.objects.get(name="category_1")
cwe = CWE(code=1, name="cwe_1")
cwe.save()
cwe.categories.add(category_1)
def _db_op__cwe__add(self):
cat = Category(name="category_1")
cat.save()
kw1 = Keyword.objects.get(name="keyword_1")
cwe = CWE(code=1, name="cwe_name")
cwe.save()
cwe.categories.add(cat)
cwe.keywords.add(kw1)
self.assertEqual(CWE.objects.all().count(), 1)
def setUp(self):
"""
This method does the general setup needed for the test methods.
For now it just creates a custom MUOContainer object
"""
test_user = User(username='******', is_active=True)
test_user.save()
self.user = test_user
cwe1 = CWE(code=1, name='CWE-1')
cwe1.save()
cwe2 = CWE(code=2, name='CWE-2')
cwe2.save()
misuse_case = MisuseCase()
misuse_case.save()
misuse_case.cwes.add(*[cwe1, cwe2])
muo_container = MUOContainer.objects.create(misuse_case=misuse_case,
is_custom=True,
status='draft')
muo_container.save()
muo_container.cwes.add(*[cwe1, cwe2])
# The id field is auto incremental and we need to know the id of the currently created object
self.current_id = muo_container.id
use_case = UseCase(muo_container=muo_container,
misuse_case=misuse_case)
use_case.save()
def test_point_03_keyword_suggestion_works_correctly(self):
# Create a CWE.
kw1 = Keyword(name="bypass")
kw1.save()
cat_1 = Category(name="category_1")
cat_1.save()
cwe_obj = CWE(code=1234, name="cwe_1")
cwe_obj.save()
cwe_obj.keywords.add(kw1)
cwe_obj.categories.add(cat_1)
# Open the created CWE.
self.browser.get("%s%s%s/" % (self.live_server_url, "/app/cwe/cwe/", str(cwe_obj.id)))
# Verify: "Get Keywords Suggestions" area is shown.
elm_title_keyword_suggestions = self.browser.find_elements_by_xpath("//h3")[3]
self.assertEqual(elm_title_keyword_suggestions.get_attribute("textContent").strip(), "Get Keywords Suggestions")
# Enter Text: "Suggest Text Area": "This is a CWE about authentication bypass"
self.browser.find_element_by_id("suggest_textarea").send_keys("This is a CWE about authentication bypass")
# Click Button: "Request Suggestions"
self.browser.find_element_by_id("suggest_button").click()
# Verify: Suggested keywords are listed.
self.assertTrue(self.browser.find_elements_by_xpath("//span[@data-value='cwe']") is not None)
self.assertTrue(self.browser.find_elements_by_xpath("//span[@data-value='bypass']") is not None)
self.assertTrue(self.browser.find_elements_by_xpath("//span[@data-value='authent']") is not None)
# Click Button: "Add Keywords"
self.browser.find_element_by_id("add_keywords_button").click()
# Verify: Keywords are added.
added_keywords = self.browser.find_elements_by_xpath("//span[@id='id_keywords-deck']/span")
# Only three keywords, which means we do not add "bypass" again because it's already there.
self.assertEqual(len(added_keywords), 3)
# Because the "textContent" contains a non-ASCII character, we need to hold it in Unicode.
self.assertTrue(unicode(added_keywords[0].get_attribute("textContent")).rfind("bypass") != -1)
self.assertTrue(unicode(added_keywords[1].get_attribute("textContent")).rfind("cwe") != -1)
self.assertTrue(unicode(added_keywords[2].get_attribute("textContent")).rfind("authent") != -1)
# Click Button: "Save"
self.browser.find_element_by_name("_save").click()
# Verify: The new keywords are added successfully.
keywords = cwe_obj.keywords
self.assertEqual(keywords.count(), 3)
self.assertTrue(keywords.get(name="bypass") is not None)
self.assertTrue(keywords.get(name="cwe") is not None)
self.assertTrue(keywords.get(name="authent") is not None)
def setUp(self):
test_user = User(username='******')
test_user.save()
self.user = test_user
cwe1 = CWE(code=1, name='CWE-1')
cwe1.save()
misuse_case = MisuseCase()
misuse_case.save()
misuse_case.cwes.add(*[cwe1])
muo_container = MUOContainer.objects.create(misuse_case=misuse_case, created_by=self.user)
muo_container.save()
muo_container.cwes.add(*[cwe1])
use_case = UseCase(muo_container=muo_container) # Usecase cannot be created without MUOContainer
use_case.save() # save in the database
self.muo_container = muo_container
def construct_test_database(self):
""" This function creates the temporary database
:param text: None
:return: None
"""
from cwe.models import Keyword, Category, CWE
xml = Keyword(name='xml') # 1
xml.save()
execut = Keyword(name='execut') # 2
execut.save()
remot = Keyword(name='remot') # 3
remot.save()
scripting = Keyword(name='scripting') # 4
scripting.save()
cross = Keyword(name='cross') # 5
cross.save()
upload = Keyword(name='upload') # 6
upload.save()
file = Keyword(name='file') # 7
file.save()
cod = Keyword(name='cod') # 8
cod.save()
javascript = Keyword(name='javascript') # 9
javascript.save()
ver = Keyword(name='ver') # 10
ver.save()
lack = Keyword(name='lack') # 11
lack.save()
valid = Keyword(name='valid') # 12
valid.save()
unauth = Keyword(name='unauth') # 13
unauth.save()
bypass = Keyword(name='bypass') # 14
bypass.save()
auth = Keyword(name='auth') # 15
auth.save()
inject = Keyword(name='inject') # 16
inject.save()
sql = Keyword(name='sql') # 17
sql.save()
cwe = CWE(code=106, name='XML Injection')
cwe.save()
cwe.keywords.add(xml)
cwe.keywords.add(inject)
cwe.save()
cwe = CWE(code=105, name='Remote Code Execution')
cwe.save()
cwe.keywords.add(execut)
cwe.keywords.add(remot)
cwe.keywords.add(cod)
cwe.save()
cwe = CWE(code=104, name='Cross site scripting')
cwe.save()
cwe.keywords.add(scripting)
cwe.keywords.add(cross)
cwe.save()
cwe = CWE(code=103, name='File Upload Vulnerability')
cwe.save()
cwe.keywords.add(upload)
cwe.keywords.add(file)
cwe.save()
cwe = CWE(code=102, name='Code Injection')
cwe.save()
cwe.keywords.add(cod)
cwe.keywords.add(javascript)
cwe.keywords.add(inject)
cwe.save()
cwe = CWE(code=101, name='Authentication bypass')
cwe.save()
cwe.keywords.add(ver)
cwe.keywords.add(lack)
cwe.keywords.add(valid)
cwe.keywords.add(unauth)
cwe.keywords.add(bypass)
cwe.keywords.add(auth)
cwe.save()
cwe = CWE(code=100, name='SQL Injection')
cwe.save()
cwe.keywords.add(inject)
cwe.keywords.add(sql)
cwe.save()
def _set_up_test_data(self):
# Create some CWEs. These CWEs will be used by all the test methods.
cwe101 = CWE(code=101, name="101")
cwe101.save()
def construct_test_database(self):
# Create the first keyword
kw1 = Keyword(name=self.KEYWORD_NAMES[0])
kw1.save()
# Create the second keyword
kw2 = Keyword(name=self.KEYWORD_NAMES[1])
kw2.save()
# Create the first category
cat1 = Category(name=self.CATEGORY_NAMES[0])
cat1.save()
# Create the second category
cat2 = Category(name=self.CATEGORY_NAMES[1])
cat2.save()
# Create multiple CWEs to test multiplicity.
# Create CWE with (kw1, cat1)
cwe1 = CWE(code=101, name="cwe-101", description="")
cwe1.save()
cwe1.keywords.add(kw1)
cwe1.categories.add(cat1)
# Create CWE with (kw1, cat2)
cwe2 = CWE(code=102, name="cwe-102", description="")
cwe2.save()
cwe2.keywords.add(kw1)
cwe2.categories.add(cat2)
# Create CWE with (kw2, cat1)
cwe3 = CWE(code=103, name="cwe-103", description="")
cwe3.save()
cwe3.keywords.add(kw2)
cwe3.categories.add(cat1)
# Create CWE with (kw2, cat2)
cwe4 = CWE(code=104, name="cwe-104", description="")
cwe4.save()
cwe4.keywords.add(kw2)
cwe4.categories.add(cat2)
def _construct_test_database(self):
cwe101 = CWE(code=101, name="CWE #101")
cwe101.save()
cwe102 = CWE(code=102, name="CWE #102")
cwe102.save()