Exemplo n.º 1
0
    async def test_list_component_vulnerabilitites_return_vulnerabilities_for_each_component(
            self):
        components_version = {'plugin0': "1.2.3", 'plugin1': "1.4.0"}
        plugin0_vuln_list = VulnerabilityList(
            key="plugin0",
            producer="",
            vulnerabilities=[Vulnerability(id="1234")])
        plugin1_vuln_list = VulnerabilityList(
            key="plugin1",
            producer="",
            vulnerabilities=[Vulnerability(id="2345")])
        vuln_list_group = MagicMock()
        vuln_list_group.vulnerability_lists = [
            plugin0_vuln_list, plugin1_vuln_list
        ]

        def fake_list_vuln(self, version, vuln_list, no_version_match_all):
            return vuln_list.vulnerabilities

        with patch(
                "vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
                fake_list_vuln):
            vulns = self.vane.list_component_vulnerabilities(
                components_version, vuln_list_group, no_version_match_all=True)

            self.assertEqual(plugin0_vuln_list.vulnerabilities,
                             vulns['plugin0'])
            self.assertEqual(plugin1_vuln_list.vulnerabilities,
                             vulns['plugin1'])
Exemplo n.º 2
0
    def test_list_vulnerabilities_return_vulnerabilities_with_introduced_in_lower_than_version_and_fixed_in_upper_than_version(
            self):
        vuln0 = Vulnerability(id="12345",
                              title="Vulnerability0",
                              affected_versions=[
                                  VersionRange(introduced_in="2.5.9",
                                               fixed_in="4.7.2")
                              ])
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[
                                  VersionRange(introduced_in="1.6.2",
                                               fixed_in="4.9")
                              ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "3.5.8", vuln_list)
        applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
            "2.4.8", vuln_list)

        self.assertIn(vuln0, applicable_vuln0)
        self.assertIn(vuln1, applicable_vuln0)
        self.assertIn(vuln0, applicable_vuln1)
        self.assertIn(vuln1, applicable_vuln1)
        self.assertNotIn(vuln0, applicable_vuln2)
        self.assertIn(vuln1, applicable_vuln2)
Exemplo n.º 3
0
    def test_multiple_ranges(self):
        v = Vulnerability(id="1")
        v.add_affected_version(VersionRange(fixed_in="1.2"))
        v.add_affected_version(VersionRange(fixed_in="1.3"))

        self.assertEqual(v.affected_versions, [
            VersionRange(fixed_in="1.2"),
            VersionRange(fixed_in="1.3"),
        ])
Exemplo n.º 4
0
    def test_added_fix_conflicts_with_known_information(self):
        v = Vulnerability(id="1")
        v.add_affected_version(VersionRange(fixed_in="1.5"))
        v.add_affected_version(
            VersionRange(introduced_in="2.0", fixed_in="2.5"))
        v.add_affected_version(VersionRange(fixed_in="1.3"))
        v.add_affected_version(VersionRange(fixed_in="2.3"))
        v.add_affected_version(VersionRange(introduced_in="2.3"))

        self.assertEqual(v.affected_versions, [
            VersionRange(fixed_in="1.5"),
            VersionRange(introduced_in="2.0", fixed_in="2.5"),
        ])
Exemplo n.º 5
0
    def test_list_vulnerabilities_remove_affected_versions_ranges_not_including_target_version(
            self):
        vuln = Vulnerability(id="12345",
                             title="Vulnerability",
                             affected_versions=[
                                 VersionRange(introduced_in="3.7",
                                              fixed_in="3.7.5"),
                                 VersionRange(introduced_in="4.0",
                                              fixed_in="4.0.10"),
                                 VersionRange(introduced_in="4.5",
                                              fixed_in="4.5.2")
                             ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln])

        vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
            "3.7.3", vuln_list)
        vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
            "4.0.9", vuln_list)
        vuln_software2 = self.vulnerability_lister.list_vulnerabilities(
            "4.5", vuln_list)

        self.assertEqual(vuln_software0[0].affected_versions,
                         [VersionRange(introduced_in="3.7", fixed_in="3.7.5")])
        self.assertEqual(
            vuln_software1[0].affected_versions,
            [VersionRange(introduced_in="4.0", fixed_in="4.0.10")])
        self.assertEqual(vuln_software2[0].affected_versions,
                         [VersionRange(introduced_in="4.5", fixed_in="4.5.2")])
    def test_serialize_vulnerability_cvss(self):
        schema = VulnerabilitySchema()
        vuln = Vulnerability(id="1234", title="Multiple XSS", cvss=4.5)

        expect = '{"id": "1234", "title": "Multiple XSS", "cvss": 4.5}'
        self.assertEqual(expect, serialize(schema, vuln, indent=None)[0])
        data, err = schema.loads(expect)
        self.assertEqual(4.5, data.cvss)
Exemplo n.º 7
0
    def test_list_vulnerabilities_return_all_vulnerabilities_if_version_is_none_and_no_version_match_all_is_true(
            self):
        vuln0 = Vulnerability(
            id="12345",
            title="Vulnerability0",
            affected_versions=[VersionRange(introduced_in="2.3.4")])
        vuln1 = Vulnerability(
            id="23456",
            title="Vulnerability1",
            affected_versions=[VersionRange(introduced_in="1.5.6")])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln = self.vulnerability_lister.list_vulnerabilities(
            None, vuln_list, no_version_match_all=True)

        self.assertEqual(len(applicable_vuln), 2)
Exemplo n.º 8
0
 def test_vulnerability_introduced_in_only(self):
     v = Vulnerability(id="1")
     v.add_affected_version(VersionRange(introduced_in="2.0"))
     self.assertFalse(v.applies_to("1.0"))
     self.assertFalse(v.applies_to("1.9"))
     self.assertFalse(v.applies_to("2.0-beta3"))
     self.assertTrue(v.applies_to("2.0"))
     self.assertTrue(v.applies_to("2.1"))
Exemplo n.º 9
0
    def test_unaffected_versions(self):
        v = Vulnerability(id="1")
        v.unaffected_versions = [
            VersionRange(introduced_in="6.0", fixed_in="6.1.2"),
            VersionRange(introduced_in="7.0", fixed_in="7.0.7"),
        ]

        v.add_affected_version(VersionRange(fixed_in="1.5"))
        v.add_affected_version(
            VersionRange(introduced_in="6.0", fixed_in="6.1.2"))
        v.add_affected_version(VersionRange(fixed_in="6.1.1"))

        self.assertEqual(v.affected_versions, [
            VersionRange(fixed_in="1.5"),
        ])
Exemplo n.º 10
0
    def test_regroup_vulnerabilities_of_key_in_one_list(self):
        plugin_vuln0 = Vulnerability(id="0")
        plugin_vuln1 = Vulnerability(id="1")
        self.storage.vulnerability_lists[
            'plugins/plugin/producer0'] = VulnerabilityList(
                producer="producer0",
                key="plugins/plugin",
                vulnerabilities=[plugin_vuln0])
        self.storage.vulnerability_lists[
            'plugins/plugin/producer1'] = VulnerabilityList(
                producer="producer1",
                key="plugins/plugin",
                vulnerabilities=[plugin_vuln1])

        plugin_vuln_list = self.exporter._regroup_vulnerabilities_of_key_in_one_list(
            "plugins/plugin")

        self.assertIn(plugin_vuln0, plugin_vuln_list.vulnerabilities)
        self.assertIn(plugin_vuln1, plugin_vuln_list.vulnerabilities)
    def test_serialize_all_values(self):
        reference_date = datetime.now()
        schema = VulnerabilitySchema()
        vuln = Vulnerability(id="1234",
                             title="Multiple XSS",
                             reported_type="XSS",
                             created_at=reference_date,
                             updated_at=reference_date + timedelta(days=6))
        vuln.add_affected_version(VersionRange(fixed_in="1.3"))
        vuln.add_unaffected_version(VersionRange(fixed_in="2.4"))
        vuln.references.append(
            Reference(type="other", url="http://example.com/test"))

        data = serialize(schema, vuln, indent=None)[0]
        self.assertIn(reference_date.strftime("%Y-%m-%d"), data)
        self.assertIn(
            (reference_date + timedelta(days=6)).strftime("%Y-%m-%d"), data)
        self.assertIn('"reported_type": "XSS"', data)
        self.assertIn('1.3', data)
        self.assertIn('example.com', data)

        out, errors = schema.loads(data)
        self.assertEqual("1.3", out.affected_versions[0].fixed_in)
        self.assertEqual("2.4", out.unaffected_versions[0].fixed_in)
        self.assertEqual("other", out.references[0].type)
Exemplo n.º 12
0
    def test_list_vulnerabilities_return_empty_list_if_no_vuln_applicable_to_version(
            self):
        vuln0 = Vulnerability(id="12345",
                              title="Vulnerability0",
                              affected_versions=[
                                  VersionRange(introduced_in="4.4",
                                               fixed_in="4.6")
                              ])
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[VersionRange(fixed_in="3.9")])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "4.3", vuln_list)

        self.assertEqual(len(applicable_vuln0), 0)
        self.assertEqual(len(applicable_vuln1), 0)
Exemplo n.º 13
0
    def test_list_vulnerabilities_return_all_vulnerabilities_with_no_introduced_nor_fixed_in(
            self):
        vuln0 = Vulnerability(id="12345", title="Vulnerability0")
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[VersionRange()])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "0.1", vuln_list)
        applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
            "100.2.3", vuln_list)

        self.assertIn(vuln0, applicable_vuln0)
        self.assertIn(vuln1, applicable_vuln0)
        self.assertIn(vuln0, applicable_vuln1)
        self.assertIn(vuln1, applicable_vuln1)
        self.assertIn(vuln0, applicable_vuln2)
        self.assertIn(vuln1, applicable_vuln2)
    def test_serialize_vunlerability_list(self):
        schema = VulnerabilityListSchema()

        vuln_list = VulnerabilityList(
            producer="Test Provider",
            key="plugins/test-plugin",
            copyright="2016- Delve Labs inc.",
            license="GNU General Public License, version 2",
            vulnerabilities=[
                Vulnerability(id="1234", title="Multiple XSS"),
            ])

        data = serialize(schema, vuln_list)[0]
        self.assertIn('"producer": "Test Provider"', data)
        self.assertIn('"key": "plugins/test-plugin"', data)
        self.assertIn('"license": "GNU General Public License, version 2"',
                      data)
        self.assertIn('"copyright": "2016- Delve Labs inc."', data)
        self.assertIn('Multiple XSS', data)

        out, errors = schema.loads(data)
        self.assertEqual("1234", out.vulnerabilities[0].id)
Exemplo n.º 15
0
    def test_list_vulnerabilities_apply_vulnerabilities_with_multiple_affected_versions(
            self):
        vuln = Vulnerability(id="12345",
                             title="Vulnerability",
                             affected_versions=[
                                 VersionRange(introduced_in="3.7",
                                              fixed_in="3.7.5"),
                                 VersionRange(introduced_in="4.0",
                                              fixed_in="4.0.10"),
                                 VersionRange(introduced_in="4.5",
                                              fixed_in="4.5.2")
                             ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln])

        vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
            "4.1.5", vuln_list)
        vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
            "4.0.9", vuln_list)

        self.assertEqual(vuln_software0, [])
        self.assertEqual(vuln_software1[0].id, vuln.id)
Exemplo n.º 16
0
 def test_vulnerability_fixed_in_only(self):
     v = Vulnerability(id="1")
     v.add_affected_version(VersionRange(fixed_in="1.0"))
     self.assertFalse(v.applies_to("1.1"))
     self.assertFalse(v.applies_to("1.0"))
     self.assertTrue(v.applies_to("0.9"))
Exemplo n.º 17
0
    def test_export_vulnerabilities_export_all_vuln_lists_in_one_file(self):
        plugin0_vuln0 = Vulnerability(id="0")
        plugin0_vuln1 = Vulnerability(id="1")
        plugin0_vuln_list = VulnerabilityList(
            producer="test",
            key="plugins/plugin0",
            vulnerabilities=[plugin0_vuln0, plugin0_vuln1])
        plugin1_vuln0 = Vulnerability(id="2")
        plugin1_vuln1 = Vulnerability(id="3")
        plugin1_vuln_list = VulnerabilityList(
            producer="test",
            key="plugins/plugin1",
            vulnerabilities=[plugin1_vuln0, plugin1_vuln1])
        theme_vuln0 = Vulnerability(id="4")
        theme_vuln1 = Vulnerability(id="5")
        theme_vuln_list = VulnerabilityList(
            producer="test",
            key="themes/theme",
            vulnerabilities=[theme_vuln0, theme_vuln1])
        wordpress_vuln0 = Vulnerability(id="6")
        wordpress_vuln1 = Vulnerability(id="7")
        wordpress_vuln_list = VulnerabilityList(
            producer="test",
            key="wordpress",
            vulnerabilities=[wordpress_vuln0, wordpress_vuln1])
        self.storage.add_vulnerability_lists({
            'plugins/plugin0': plugin0_vuln_list,
            'plugins/plugin1': plugin1_vuln_list,
            'themes/theme': theme_vuln_list,
            'wordpress': wordpress_vuln_list
        })

        self.exporter.export_vulnerabilities("path_to_dir")

        args, kwargs = self.exporter._dump.call_args
        vulnerability_list_group = args[1]
        self.assertEqual(vulnerability_list_group.producer, "vane2_export")
        vulnerability_lists = vulnerability_list_group.vulnerability_lists
        self.assert_object_with_attribute_value_in_container(
            "key", "plugins/plugin0", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "plugins/plugin1", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "themes/theme", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "wordpress", vulnerability_lists)
        exported_plugin0_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "plugins/plugin0", vulnerability_lists)
        exported_plugin1_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "plugins/plugin1", vulnerability_lists)
        exported_theme_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "themes/theme", vulnerability_lists)
        exported_wordpress_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "wordpress", vulnerability_lists)
        self.assertIn(plugin0_vuln0,
                      exported_plugin0_vuln_list.vulnerabilities)
        self.assertIn(plugin0_vuln1,
                      exported_plugin0_vuln_list.vulnerabilities)
        self.assertIn(plugin1_vuln0,
                      exported_plugin1_vuln_list.vulnerabilities)
        self.assertIn(plugin1_vuln1,
                      exported_plugin1_vuln_list.vulnerabilities)
        self.assertIn(theme_vuln0, exported_theme_vuln_list.vulnerabilities)
        self.assertIn(theme_vuln1, exported_theme_vuln_list.vulnerabilities)
        self.assertIn(wordpress_vuln0,
                      exported_wordpress_vuln_list.vulnerabilities)
        self.assertIn(wordpress_vuln1,
                      exported_wordpress_vuln_list.vulnerabilities)
Exemplo n.º 18
0
 def test_vulnerability_has_no_applicable_ranges(self):
     v = Vulnerability(id="1")
     self.assertTrue(v.applies_to("1.0"))
Exemplo n.º 19
0
 def test_multiple_ranges(self):
     v = Vulnerability(id="1")
     v.add_affected_version(
         VersionRange(introduced_in="1.0", fixed_in="1.2"))
     v.add_affected_version(
         VersionRange(introduced_in="2.0", fixed_in="2.3"))
     v.add_affected_version(
         VersionRange(introduced_in="3.0", fixed_in="3.1"))
     self.assertFalse(v.applies_to("0.9"))
     self.assertTrue(v.applies_to("2.1"))
     self.assertTrue(v.applies_to("3.0"))
     self.assertFalse(v.applies_to("3.1"))
    def test_serialize_vulnerability_minimal(self):
        schema = VulnerabilitySchema()
        vuln = Vulnerability(id="1234", title="Multiple XSS")

        self.assertEqual('{"id": "1234", "title": "Multiple XSS"}',
                         serialize(schema, vuln, indent=None)[0])