    def test_cve_penalization(self) -> None:
        """Check that one known CVE lowers the score by the configured penalty.

        The graph lookup is mocked to return exactly one CVE record for
        flask==0.12.0 under a TESTING recommendation. The step is expected to
        return a ``(score, justification)`` pair whose score equals the default
        ``cve_penalization`` and whose justification is the CVE record itself.
        """
        flexmock(GraphDatabase)
        (
            GraphDatabase.should_receive("get_python_cve_records_all")
            .with_args(package_name="flask", package_version="0.12.0")
            .and_return([self._FLASK_CVE])
            .once()
        )

        flask_pv = PackageVersion(
            name="flask",
            version="==0.12.0",
            index=Source("https://pypi.org/simple"),
            develop=False,
        )

        ctx = flexmock(
            graph=GraphDatabase(),
            recommendation_type=RecommendationType.TESTING,
        )
        with CvePenalizationStep.assigned_context(ctx):
            outcome = CvePenalizationStep().run(None, flask_pv)

        assert outcome is not None
        assert isinstance(outcome, tuple) and len(outcome) == 2
        score, justification = outcome
        assert isinstance(score, float)
        # One CVE record was returned, so the score is one times the default penalty.
        default_penalty = CvePenalizationStep.CONFIGURATION_DEFAULT["cve_penalization"]
        assert score == 1 * default_penalty
        assert isinstance(justification, list)
        assert justification == [self._FLASK_CVE]
        assert self.verify_justification_schema(justification)
    def test_cve_not_acceptable(self) -> None:
        """Check that a CVE rejects the package under a SECURITY recommendation.

        Instead of merely penalizing the score, the step must raise
        ``NotAcceptable`` for flask==0.12.0 when the context asks for a secure
        stack. The rejection is expected to be recorded exactly once in the
        step's ``_messages_logged`` set (keyed by name, version and index URL)
        and to append a single justification entry to ``context.stack_info``.
        """
        flexmock(GraphDatabase)
        (
            GraphDatabase.should_receive("get_python_cve_records_all")
            .with_args(package_name="flask", package_version="0.12.0")
            .and_return([self._FLASK_CVE])
            .once()
        )

        flask_pv = PackageVersion(
            name="flask",
            version="==0.12.0",
            index=Source("https://pypi.org/simple"),
            develop=False,
        )

        ctx = flexmock(
            graph=GraphDatabase(),
            recommendation_type=RecommendationType.SECURITY,
            stack_info=[],
        )
        # Created outside the context so its logged messages can be inspected afterwards.
        penalizer = CvePenalizationStep()
        with CvePenalizationStep.assigned_context(ctx):
            assert not penalizer._messages_logged
            with pytest.raises(NotAcceptable):
                penalizer.run(None, flask_pv)

        logged = penalizer._messages_logged
        assert len(logged) == 1
        assert ("flask", "0.12.0", "https://pypi.org/simple") in logged

        assert len(ctx.stack_info) == 1
        (stack_entry,) = ctx.stack_info
        assert set(stack_entry.keys()) == {"message", "link", "type"}
        assert self.verify_justification_schema(ctx.stack_info)
    def test_no_cve_record(self,
                           recommendation_type: RecommendationType) -> None:
        """Check that a package without CVE records is neither penalized nor rejected.

        The graph lookup is mocked to return no records for flask==0.12.0. For
        the given ``recommendation_type`` the step is expected to return a zero
        score together with a single INFO justification pointing at the
        ``no_cve`` documentation link.
        """
        flexmock(GraphDatabase)
        (
            GraphDatabase.should_receive("get_python_cve_records_all")
            .with_args(package_name="flask", package_version="0.12.0")
            .and_return([])
            .once()
        )

        flask_pv = PackageVersion(
            name="flask",
            version="==0.12.0",
            index=Source("https://pypi.org/simple"),
            develop=False,
        )

        ctx = flexmock(
            graph=GraphDatabase(),
            recommendation_type=recommendation_type,
        )
        with CvePenalizationStep.assigned_context(ctx):
            outcome = CvePenalizationStep().run(None, flask_pv)

        assert isinstance(outcome, tuple)
        assert len(outcome) == 2
        score, justification = outcome
        assert score == 0.0

        expected_justification = {
            "link": "https://thoth-station.ninja/j/no_cve",
            "message": "No known CVE known for 'flask' in version '0.12.0'",
            "package_name": "flask",
            "type": "INFO",
        }
        assert justification == [expected_justification]
    def test_cve_penalization(self,
                              recommendation_type: RecommendationType) -> None:
        """Check that one known CVE lowers the score and yields a WARNING justification.

        The graph lookup is mocked to return exactly one CVE record for
        flask==0.12.0. For the given ``recommendation_type`` the step is
        expected to return a score equal to the default ``cve_penalization``
        and a single justification entry carrying the CVE id, its advisory text
        and a link to the ``cve`` documentation.
        """
        flexmock(GraphDatabase)
        (
            GraphDatabase.should_receive("get_python_cve_records_all")
            .with_args(package_name="flask", package_version="0.12.0")
            .and_return([self._FLASK_CVE])
            .once()
        )

        flask_pv = PackageVersion(
            name="flask",
            version="==0.12.0",
            index=Source("https://pypi.org/simple"),
            develop=False,
        )

        ctx = flexmock(
            graph=GraphDatabase(),
            recommendation_type=recommendation_type,
        )
        with CvePenalizationStep.assigned_context(ctx):
            outcome = CvePenalizationStep().run(None, flask_pv)

        assert outcome is not None
        assert isinstance(outcome, tuple) and len(outcome) == 2
        score, justification = outcome
        assert isinstance(score, float)
        # One CVE record was returned, so the score is one times the default penalty.
        default_penalty = CvePenalizationStep.CONFIGURATION_DEFAULT["cve_penalization"]
        assert score == 1 * default_penalty
        assert isinstance(justification, list)

        # The message text below (including the double space after "Package")
        # is the exact string the step is expected to emit.
        expected_advisory = (
            "flask version Before 0.12.3 contains a CWE-20: Improper Input "
            "Validation vulnerability in flask that can result in Large amount "
            "of memory usage possibly leading to denial of service."
        )
        expected_justification = {
            "link": "https://thoth-station.ninja/j/cve",
            "message": "Package  ('flask', '0.12.0', 'https://pypi.org/simple') has a CVE 'CVE-ID'",
            "advisory": expected_advisory,
            "package_name": "flask",
            "type": "WARNING",
        }
        assert justification == [expected_justification]
        assert self.verify_justification_schema(justification)
    def test_no_cve_record(self) -> None:
        """Check that a package without CVE records produces no result at all.

        The graph lookup is mocked to return no records for flask==0.12.0 and
        the context carries only the graph (no recommendation type). The step
        is expected to return ``None`` in that case.
        """
        flexmock(GraphDatabase)
        (
            GraphDatabase.should_receive("get_python_cve_records_all")
            .with_args(package_name="flask", package_version="0.12.0")
            .and_return([])
            .once()
        )

        flask_pv = PackageVersion(
            name="flask",
            version="==0.12.0",
            index=Source("https://pypi.org/simple"),
            develop=False,
        )

        ctx = flexmock(graph=GraphDatabase())
        with CvePenalizationStep.assigned_context(ctx):
            outcome = CvePenalizationStep().run(None, flask_pv)

        assert outcome is None