def test_column_order_is_flexible(self): content1 = """\ Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Title,0,http://localhost,Severity,Description,Mitigation,Impact,References,True,True """ content2 = """\ Verified,Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active True,11/7/2015,Title,0,http://localhost,Severity,Description,Mitigation,Impact,References,True """ file1 = TestFile("findings.csv", content1) file2 = TestFile("findings.csv", content2) parser1 = GenericParser() findings1 = parser1.get_findings(file1, self.test, True, True) for finding in findings1: for endpoint in finding.unsaved_endpoints: endpoint.clean() parser2 = GenericParser() findings2 = parser2.get_findings(file2, self.test, True, True) for finding in findings2: for endpoint in finding.unsaved_endpoints: endpoint.clean() finding1 = findings1[0] finding2 = findings2[0] fields1 = {k: v for k, v in finding1.__dict__.items() if k != '_state'} fields2 = {k: v for k, v in finding2.__dict__.items() if k != '_state'} self.assertEqual(fields1, fields2)
def test_parse_json(self): file = open("dojo/unittests/scans/generic/generic_report1.json") parser = GenericParser() findings = parser.get_findings(file, Test()) for finding in findings: for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual(2, len(findings)) with self.subTest(i=0): finding = findings[0] self.assertEqual("test title", finding.title) self.assertEqual(True, finding.active) self.assertEqual(True, finding.verified) self.assertEqual(False, finding.duplicate) self.assertIn(finding.severity, Finding.SEVERITIES) self.assertEqual("CVE-2020-36234", finding.cve) self.assertEqual(261, finding.cwe) self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", finding.cvssv3) self.assertIn("security", finding.tags) self.assertIn("network", finding.tags) self.assertEqual("3287f2d0-554f-491b-8516-3c349ead8ee5", finding.unique_id_from_tool) self.assertEqual("TEST1", finding.vuln_id_from_tool) with self.subTest(i=1): finding = findings[1] self.assertEqual("test title2", finding.title) self.assertEqual(True, finding.active) self.assertEqual(False, finding.verified) self.assertEqual(False, finding.duplicate) self.assertIn(finding.severity, Finding.SEVERITIES)
def test_parse_host_csv(self): file = open("dojo/unittests/scans/generic/generic_report4.csv") parser = GenericParser() findings = parser.get_findings(file, Test()) self.assertEqual(4, len(findings)) finding = findings[0] finding.clean() self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("www.example.com", endpoint.host) finding = findings[1] finding.clean() self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("localhost", endpoint.host) finding = findings[2] finding.clean() self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("127.0.0.1", endpoint.host) self.assertEqual(80, endpoint.port) finding = findings[3] finding.clean() self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("foo.bar", endpoint.host) self.assertEqual("path", endpoint.path)
def test_parsed_finding_with_invalid_severity_has_info_severity(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",Unknown,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual('Info', findings[0].severity)
def test_parsed_finding_has_date(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Potential XSS Vulnerability,79,,High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(datetime.date(2015, 11, 7), findings[0].date)
def test_parsed_finding_is_duplicate_has_negative_value(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);","None Currently Available","Impact is currently unknown","Finding has references.",FALSE,FALSE,FALSE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(False, findings[0].duplicate)
def test_parsed_finding_has_mitigation(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);","None Currently Available",,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual('None Currently Available', findings[0].mitigation)
def test_parse_csv_with_single_vulnerability_results_in_single_finding( self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/16,Potential XSS Vulnerability,79,,High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(1, len(findings))
def test_parse_json_with_image(self): file = open("unittests/scans/generic/test_with_image.json") parser = GenericParser() findings = parser.get_findings(file, Test()) self.assertEqual(1, len(findings)) finding = findings[0] finding.clean() self.assertEqual(1, len(finding.unsaved_files)) image = finding.unsaved_files[0] self.assertEqual("Screenshot from 2017-04-10 16-54-19.png", image.get("title")) self.assertIn("data", image)
def test_parse_report1(self): file = open("dojo/unittests/scans/generic/generic_report1.csv") parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(1, len(findings)) finding = findings[0] self.assertEqual(5, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] self.assertEqual("vulnerable.endpoint.com:443", endpoint.host) self.assertEqual("resource1/asdf", endpoint.path) endpoint = finding.unsaved_endpoints[1] self.assertEqual("vulnerable.endpoint.com:443", endpoint.host) self.assertEqual("resource2/qwerty", endpoint.path) self.assertEqual("https", endpoint.protocol)
def test_parsed_finding_has_severity(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) for finding in findings: for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual('High', findings[0].severity)
def test_parsed_finding_has_positive_false_positive_status(self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);","None Currently Available","Impact is currently unknown","Finding has references.",FALSE,FALSE,TRUE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) for finding in findings: for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual(True, findings[0].false_p)
def test_parse_csv_with_multiple_vulnerabilities_results_in_multiple_findings( self): content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/16,Potential XSS Vulnerability,79,,High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE 11/7/16,Potential SQL Injection,112,,High,"FileName: UserData.cs Description: Potential SQL Injection Vulnerability Line:42 Code Line: strSQL=""SELECT * FROM users WHERE user_id="" + request_user_id",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(2, len(findings))
def test_parsed_finding_has_url(self): """Test url management as an EndPoint""" content = """Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified 11/7/2015,Potential XSS Vulnerability,79,"http://localhost/default.aspx",High,"FileName: default.aspx.cs Description: Potential XSS Vulnerability Line:18 Code Line: Response.Write(output);",None,,,TRUE,FALSE """ file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(1, len(findings)) finding = findings[0] self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] self.assertEqual('localhost:80', endpoint.host) self.assertEqual('http', endpoint.protocol) self.assertEqual('default.aspx', endpoint.path) self.assertIsNone(endpoint.query) self.assertIsNone(endpoint.fragment)
def test_parse_json3(self): file = open("dojo/unittests/scans/generic/generic_report3.json") parser = GenericParser() findings = parser.get_findings(file, Test()) self.assertEqual(3, len(findings)) with self.subTest(i=0): finding = findings[0] finding.clean() self.assertEqual("test title with endpoints as dict", finding.title) self.assertIn(finding.severity, Finding.SEVERITIES) self.assertEqual("CVE-2020-36234", finding.cve) self.assertEqual(261, finding.cwe) self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", finding.cvssv3) self.assertEqual("Some mitigation", finding.mitigation) self.assertEqual(1, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("exemple.com", endpoint.host) with self.subTest(i=1): finding = findings[1] self.assertEqual("test title with endpoints as strings", finding.title) self.assertIn(finding.severity, Finding.SEVERITIES) self.assertEqual("Some mitigation", finding.mitigation) self.assertEqual(2, len(finding.unsaved_endpoints)) endpoint = finding.unsaved_endpoints[0] endpoint.clean() self.assertEqual("http", endpoint.protocol) self.assertEqual("urlfiltering.paloaltonetworks.com", endpoint.host) self.assertEqual(80, endpoint.port) self.assertEqual("test-command-and-control", endpoint.path) endpoint = finding.unsaved_endpoints[1] endpoint.clean() self.assertEqual("https", endpoint.protocol) self.assertEqual("urlfiltering.paloaltonetworks.com", endpoint.host) self.assertEqual(2345, endpoint.port) self.assertEqual("test-pest", endpoint.path)
def test_parse_json2(self): file = open("dojo/unittests/scans/generic/generic_report2.json") parser = GenericParser() findings = parser.get_findings(file, Test()) for finding in findings: for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual(2, len(findings)) with self.subTest(i=0): finding = findings[0] self.assertEqual("test title3", finding.title) self.assertIn(finding.severity, Finding.SEVERITIES) self.assertEqual("CVE-2020-36234", finding.cve) self.assertEqual(261, finding.cwe) self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", finding.cvssv3) self.assertEqual("Some mitigation", finding.mitigation) with self.subTest(i=1): finding = findings[1] self.assertEqual("test title4", finding.title) self.assertIn(finding.severity, Finding.SEVERITIES) self.assertEqual("Some mitigation", finding.mitigation)
def test_parse_csv_with_only_headers_results_in_no_findings(self): content = "Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified" file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(0, len(findings))
def test_parse_no_csv_content_no_findings(self): findings = "" file = TestFile("findings.csv", findings) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True) self.assertEqual(0, len(findings))
def test_missing_columns_is_fine(self): content = """Date,Title,Url,Severity,Description,References,Active,Verified""" file = TestFile("findings.csv", content) parser = GenericParser() findings = parser.get_findings(file, self.test, True, True)