def test_create_host_vuln_without_tool(session, host): no_tool_data = vuln_data.copy() no_tool_data.pop('tool') data = bc.VulnerabilitySchema().load(no_tool_data) bc._create_hostvuln(host.workspace, host, data) vuln = host.workspace.vulnerabilities[0] assert vuln.tool == "Web UI"
def test_create_not_fail_with_cve(session, host): with_erroneous_cve_list = vuln_data.copy() with_erroneous_cve_list['cve'] = ['CVSS: 10.0', 'OSVDB:339, OSVDB:8750, OSVDB:11516', 'CVE-1999-0170, CVE-1999-0211, CVE-1999-0554', 'cve-1111-9988'] data = bc.VulnerabilitySchema().load(with_erroneous_cve_list) bc._create_hostvuln(host.workspace, host, data) vuln = host.workspace.vulnerabilities[0] assert set(vuln.cve) == set(['CVE-1999-0170', 'CVE-1999-0211', 'CVE-1999-0554', 'CVE-1111-9988'] + vuln_data['refs'])
def test_create_host_vuln(session, host): data = bc.VulnerabilitySchema(strict=True).load(vuln_data).data bc._create_hostvuln(host.workspace, host, data) assert count(VulnerabilityGeneric, host.workspace) == 1 assert count(Vulnerability, host.workspace) == 1 vuln = host.workspace.vulnerabilities[0] assert vuln.name == 'sql injection' assert vuln.description == 'test' assert vuln.severity == 'high' assert vuln.impact_accountability assert not vuln.impact_availability assert not vuln.impact_confidentiality assert vuln.references == {u'CVE-1234'}
def test_create_service_vuln(session, service): data = bc.VulnerabilitySchema().load(vuln_data) bc._create_servicevuln(service.workspace, service, data) assert count(VulnerabilityGeneric, service.workspace) == 1 assert count(Vulnerability, service.workspace) == 1 vuln = service.workspace.vulnerabilities[0] assert vuln.service == service assert vuln.name == 'sql injection' assert vuln.description == 'test' assert vuln.severity == 'high' assert vuln.impact_accountability assert not vuln.impact_availability assert not vuln.impact_confidentiality assert vuln.references == {u'CVE-1234'} assert vuln.tool == "some_tool"
def test_create_host_vuln(session, host): data = bc.VulnerabilitySchema().load(vuln_data) bc._create_hostvuln(host.workspace, host, data) assert count(VulnerabilityGeneric, host.workspace) == 1 assert count(Vulnerability, host.workspace) == 1 vuln = host.workspace.vulnerabilities[0] assert vuln.name == 'sql injection' assert vuln.description == 'test' assert vuln.severity == 'high' assert vuln.impact_accountability assert not vuln.impact_availability assert not vuln.impact_confidentiality assert set(vuln.references) == set(vuln_data['refs']) assert set(vuln.cve) == set(vuln_data['cve'] + vuln_data['refs']) assert len(vuln.cve) == len(set(vuln_data['cve'] + vuln_data['refs'])) assert vuln.tool == "some_tool"
def test_create_existing_host_vuln(session, host, vulnerability_factory): vuln = vulnerability_factory.create( workspace=host.workspace, host=host, service=None) session.add(vuln) session.commit() vuln.references = ['old'] session.add(vuln) session.commit() data = { 'name': vuln.name, 'desc': vuln.description, 'severity': vuln.severity, 'type': 'Vulnerability', 'refs': ['new'] } data = bc.VulnerabilitySchema().load(data) bc._create_hostvuln(host.workspace, host, data) session.commit() assert count(Vulnerability, host.workspace) == 1 vuln = Vulnerability.query.get(vuln.id) # just in case it isn't refreshed assert 'old' in vuln.references # it must preserve the old references