def test_security_indicator_scoring(self) -> None:
    """Score a package when aggregated security-indicator data is available.

    The graph lookup is mocked to return ``self._SECURITY_INFO_EXISTS`` for
    flask 0.12.0 on the PyPI simple index, exactly once.  Under a STABLE
    recommendation the step must return a ``(score, justification)`` pair
    with a float score and a justification that passes the schema check.
    """
    index_url = "https://pypi.org/simple"

    flexmock(GraphDatabase)
    (
        GraphDatabase.should_receive("get_si_aggregated_python_package_version")
        .with_args(package_name="flask", package_version="0.12.0", index_url=index_url)
        .and_return(self._SECURITY_INFO_EXISTS)
        .once()
    )

    candidate = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source(index_url),
        develop=False,
    )
    # Fake pipeline context: only the graph handle and recommendation type are read.
    context = flexmock(graph=GraphDatabase(), recommendation_type=RecommendationType.STABLE)

    with SecurityIndicatorStep.assigned_context(context):
        outcome = SecurityIndicatorStep().run(None, candidate)

    assert outcome is not None
    assert isinstance(outcome, tuple) and len(outcome) == 2
    score, justification = outcome
    assert isinstance(score, float)
    assert self.verify_justification_schema(justification)
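def test_security_indicator_with_high_confidence(self) -> None:
    """Reject a package whose security-indicator data is unfavourable under a SECURITY recommendation.

    The original docstring was copied from the "missing info" case; here the
    graph lookup is mocked to *return* ``self._HIGH_HIGH_SECURITY_INFO``
    (presumably high-severity, high-confidence findings — confirm against the
    fixture) rather than raise.  With ``RecommendationType.SECURITY`` the step
    must raise ``NotAcceptable`` and record exactly one justification entry in
    ``context.stack_info`` that passes the schema check.
    """
    index_url = "https://pypi.org/simple"

    flexmock(GraphDatabase)
    (
        GraphDatabase.should_receive("get_si_aggregated_python_package_version")
        .with_args(package_name="flask", package_version="0.12.0", index_url=index_url)
        .and_return(self._HIGH_HIGH_SECURITY_INFO)
        .once()
    )

    candidate = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source(index_url),
        develop=False,
    )
    # stack_info starts empty so the single entry added by the step can be asserted on.
    context = flexmock(graph=GraphDatabase(), stack_info=[])
    context.recommendation_type = RecommendationType.SECURITY

    with pytest.raises(NotAcceptable):
        with SecurityIndicatorStep.assigned_context(context):
            SecurityIndicatorStep().run(None, candidate)

    assert len(context.stack_info) == 1
    assert self.verify_justification_schema(context.stack_info)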
def test_security_indicator_scoring_missing_stable(self, recommendation_type) -> None:
    """Keep a package with no security-indicator data and attach a WARNING justification.

    The graph lookup is mocked to raise ``NotFoundError`` once.  For the
    supplied ``recommendation_type`` (provided by the caller/parametrization)
    the step must not reject the package: it returns a zero score together
    with a single schema-valid WARNING entry whose message names the package,
    version and index that lack security information.
    """
    index_url = "https://pypi.org/simple"

    flexmock(GraphDatabase)
    (
        GraphDatabase.should_receive("get_si_aggregated_python_package_version")
        .with_args(package_name="flask", package_version="0.12.0", index_url=index_url)
        .and_raise(NotFoundError)
        .once()
    )

    candidate = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source(index_url),
        develop=False,
    )
    context = flexmock(graph=GraphDatabase(), recommendation_type=recommendation_type)

    with SecurityIndicatorStep.assigned_context(context):
        outcome = SecurityIndicatorStep().run(None, candidate)

    assert outcome is not None
    assert isinstance(outcome, tuple) and len(outcome) == 2
    score, justification = outcome
    # Missing data is tolerated here (contrast the secure variant, which rejects):
    # no score contribution, but the gap is surfaced to the user as a warning.
    assert score == 0
    assert len(justification) == 1
    assert self.verify_justification_schema(justification)
    entry = justification[0]
    assert entry["type"] == "WARNING"
    expected_message = (
        "flask===0.12.0 on https://pypi.org/simple has no "
        "gathered information regarding security."
    )
    assert entry["message"] == expected_message
def test_security_indicator_scoring_missing_secure(self, recommendation_type) -> None:
    """Reject a package with no security-indicator data under a security-oriented recommendation.

    The graph lookup is mocked to raise ``NotFoundError`` once.  For the
    supplied ``recommendation_type`` (provided by the caller/parametrization)
    the step must fail closed: it raises ``NotAcceptable`` and leaves exactly
    one entry in ``context.stack_info`` carrying the ``message``, ``type`` and
    ``link`` keys.
    """
    index_url = "https://pypi.org/simple"

    flexmock(GraphDatabase)
    (
        GraphDatabase.should_receive("get_si_aggregated_python_package_version")
        .with_args(package_name="flask", package_version="0.12.0", index_url=index_url)
        .and_raise(NotFoundError)
        .once()
    )

    candidate = PackageVersion(
        name="flask",
        version="==0.12.0",
        index=Source(index_url),
        develop=False,
    )
    # stack_info starts empty so the single entry added by the step can be asserted on.
    context = flexmock(graph=GraphDatabase(), stack_info=[], recommendation_type=recommendation_type)

    with pytest.raises(NotAcceptable):
        with SecurityIndicatorStep.assigned_context(context):
            SecurityIndicatorStep().run(None, candidate)

    assert len(context.stack_info) == 1
    recorded = context.stack_info[0]
    assert set(recorded.keys()) == {"message", "type", "link"}
def test_include(self, builder_context: PipelineBuilderContext, recommendation_type: RecommendationType) -> None:
    """Check that the step is included for the supplied adviser recommendation type.

    With no decision type set the builder context must describe an adviser
    pipeline, and ``should_include`` must answer with an empty configuration
    dict (include, no extra parameters).
    """
    builder_context.decision_type = None
    builder_context.recommendation_type = recommendation_type

    assert builder_context.is_adviser_pipeline()
    configuration = SecurityIndicatorStep.should_include(builder_context)
    assert configuration == {}
def test_no_include(self, builder_context: PipelineBuilderContext, recommendation_type) -> None:
    """Check that the step is not included for the supplied recommendation type.

    With no decision type set, ``should_include`` must yield nothing for this
    ``recommendation_type`` — the result, materialised as a list, is empty.
    """
    builder_context.decision_type = None
    builder_context.recommendation_type = recommendation_type

    included = list(SecurityIndicatorStep.should_include(builder_context))
    assert included == []