    def test_mixed(self) -> None:
        """``--installed`` together with ``--file`` audits both package sets.

        The audit must receive the installed packages first, followed by the
        ones read from the file, plus the same positional trailer the other
        CLI tests expect (``None, None, False`` — presumably username, token
        and an ignore-cache flag; inferred from sibling tests).
        """
        from_file = [
            packages.Package("c", "1.1"),
            packages.Package("d", "2.2"),
        ]
        from_env = [
            packages.Package("a", "1.1"),
            packages.Package("b", "2.2"),
        ]

        # Everything that would touch the environment or the network is
        # stubbed: package discovery and the audit call itself.
        with patch("ossaudit.packages.get_from_files", return_value=from_file), \
                patch("ossaudit.packages.get_installed", return_value=from_env), \
                patch("ossaudit.audit.components", return_value=[]) as components, \
                tempfile.NamedTemporaryFile() as tmp:
            result = CliRunner().invoke(
                cli.cli, ["--installed", "--file", tmp.name],
            )
            self.assertEqual(result.exit_code, 0)
            components.assert_called_with(
                from_env + from_file, None, None, False,
            )
    def test_installed(self) -> None:
        """``--installed`` alone forwards the installed packages to the audit."""
        discovered = [
            packages.Package(name, version)
            for name, version in (("a", "1.1"), ("b", "2.2"))
        ]

        with patch("ossaudit.packages.get_installed", return_value=discovered), \
                patch("ossaudit.audit.components", return_value=[]) as components:
            result = CliRunner().invoke(cli.cli, ["--installed"])
            self.assertEqual(result.exit_code, 0)
            # No config file is involved here, so the credential slots stay
            # None; the trailing False matches the other CLI tests.
            components.assert_called_with(discovered, None, None, False)
    def test_files(self) -> None:
        """``--file`` forwards the packages parsed from the given file."""
        parsed = [
            packages.Package(name, version)
            for name, version in (("a", "1.1"), ("b", "2.2"))
        ]

        with patch("ossaudit.packages.get_from_files", return_value=parsed), \
                patch("ossaudit.audit.components", return_value=[]) as components, \
                tempfile.NamedTemporaryFile() as tmp:
            result = CliRunner().invoke(cli.cli, ["--file", tmp.name])
            self.assertEqual(result.exit_code, 0)
            # NOTE(review): this expects three positional arguments while the
            # sibling CLI tests expect a fourth (False); confirm which call
            # shape the current cli.cli actually produces.
            components.assert_called_with(parsed, None, None)
    def test_missing_fields(self) -> None:
        """A vulnerability entry with no fields at all still yields a record.

        The parsed record must fall back to name ``"unknown"`` and version
        ``"0"`` instead of failing on the missing keys.
        """
        with patch("requests.post") as post:
            post.return_value.status_code = 200
            # One component carrying a single, completely empty vulnerability.
            payload: list = [{"vulnerabilities": [{}]}]
            post.return_value.json.return_value = payload

            vulns = audit.components([packages.Package("a", "1")])

            self.assertEqual(len(vulns), 1)
            self.assertEqual(vulns[0].name, "unknown")
            self.assertEqual(vulns[0].version, "0")
    def test_credentials(self) -> None:
        """Credentials read from the config file reach the audit call.

        The values are written with surrounding whitespace; the assertion
        expects the bare ``"abc"`` / ``"xyz"``, so they must come through
        stripped.
        """
        # Minimal config: one section named after the project with a
        # username/token pair.
        config_text = "[{section}]\n username=abc \n token=xyz".format(
            section=__project__,
        )
        with const.CONFIG.open("w") as handle:
            handle.write(config_text)

        with patch(
            "ossaudit.packages.get_installed",
            return_value=[packages.Package("a", "1.1")],
        ), patch("ossaudit.audit.components", return_value=[]) as components:
            result = CliRunner().invoke(cli.cli, ["--installed"])
            self.assertEqual(result.exit_code, 0)
            # Only the credential slots matter here; the package list is ANY.
            components.assert_called_with(ANY, "abc", "xyz", False)
    def test_dont_save_cache(self) -> None:
        """``ignore_cache=True`` must never write results to the cache."""
        pkgs = [
            packages.Package("django", "2.2"),
            packages.Package("pyyaml", "3.13"),
            packages.Package("requests", "0.10.0"),
        ]
        fixture = os.path.join("tests", "data", "vulns01.json")

        with patch("requests.post") as post, patch("ossaudit.cache.save") as save:
            post.return_value.status_code = 200
            # Serve a canned server response so the audit has data it could
            # otherwise cache.
            with open(fixture) as handle:
                post.return_value.json.return_value = json.load(handle)

            audit.components(pkgs, ignore_cache=True)
            save.assert_not_called()
    def test_from_cache(self) -> None:
        """A package with a cache hit is not sent to the server.

        ``MAX_PACKAGES`` is forced to 1 so every miss becomes exactly one
        request, which makes the request count and payloads easy to pin.
        """
        # NOTE(review): this literal reads like an e-mail-obfuscated rendering
        # of a "pkg:pypi/<name>@<version>" coordinate; verify it against the
        # upstream test source.
        cached_coordinate = "pkg:pypi/[email protected]"
        pkgs = [
            packages.Package(name, version) for name, version in (
                ("django", "2.2"),
                ("pylint", "4.1"),
                ("pyyaml", "3.13"),
                ("requests", "0.10.0"),
                ("yapf", "1.2.3"),
            )
        ]

        def fake_cache_get(coordinate: str) -> Optional[Dict]:
            # Exactly one coordinate is a hit; every other lookup misses.
            if coordinate != cached_coordinate:
                return None
            return {
                "coordinates": cached_coordinate,
                "time": time.time(),
                "vulnerabilities": [{"id": "123"}],
            }

        with patch("requests.post") as post, \
                patch("ossaudit.cache.get", wraps=fake_cache_get) as get, \
                patch("ossaudit.const.MAX_PACKAGES", 1):
            post.return_value.status_code = 200

            vulns = audit.components(pkgs)

            self.assertEqual(len(vulns), 1)
            # Every package is looked up in the cache; only misses go out.
            self.assertEqual(get.call_count, len(pkgs))
            self.assertEqual(post.call_count, len(pkgs) - 1)

            expected_calls = [
                (ANY, {"auth": None, "json": {"coordinates": [p.coordinate]}})
                for p in pkgs
                if p.coordinate != cached_coordinate
            ]
            self.assertEqual(post.call_args_list, expected_calls)
    def test_max_packages(self) -> None:
        """Coordinates are sent in batches of at most ``MAX_PACKAGES``."""
        pkgs = [
            packages.Package(name, version) for name, version in (
                ("django", "2.2"),
                ("pylint", "4.1"),
                ("pyyaml", "3.13"),
                ("requests", "0.10.0"),
                ("yapf", "1.2.3"),
            )
        ]
        batch_size = 2

        with patch("requests.post") as post:
            post.return_value.status_code = 200
            with patch("ossaudit.const.MAX_PACKAGES", batch_size):
                audit.components(pkgs)
            # Five packages in batches of two -> 2 + 2 + 1 = three requests.
            self.assertEqual(post.call_count, 3)

            expected_calls = [
                (ANY, {
                    "auth": None,
                    "json": {
                        "coordinates": [
                            p.coordinate for p in pkgs[start:start + batch_size]
                        ],
                    },
                })
                for start in range(0, len(pkgs), batch_size)
            ]
            self.assertEqual(post.call_args_list, expected_calls)
    def test_ok(self) -> None:
        """A 200 response is parsed into one Vulnerability per reported CVE."""
        # (name, version, CVE ids expected for it) — backed by the fixture.
        expected: list = [
            ("django", "2.2", ()),
            ("requests", "0.10.0", ("CVE-2014-1830", "CVE-2014-1829")),
            ("pyyaml", "3.13", ("CVE-2017-18342", )),
        ]
        fixture = os.path.join("tests", "data", "vulns01.json")

        with patch("requests.post") as post:
            post.return_value.status_code = 200
            with open(fixture) as handle:
                post.return_value.json.return_value = json.load(handle)

            vulns = audit.components(
                [packages.Package(name, version) for name, version, _ in expected]
            )
            # Three CVEs in total across the fixture.
            self.assertEqual(len(vulns), 3)

            for name, version, cves in expected:
                for cve in cves:
                    # next() raises StopIteration, failing the test, if the
                    # (name, version, cve) triple is absent.
                    match = next(
                        v for v in vulns
                        if (v.name, v.version, v.cve) == (name, version, cve)
                    )
                    self.assertIsInstance(match, audit.Vulnerability)
    def test_unknown_status(self) -> None:
        """An unexpected HTTP status (here 501) is surfaced as AuditError."""
        with patch("requests.post") as post:
            post.return_value.status_code = 501
            self.assertRaises(
                audit.AuditError,
                audit.components,
                [packages.Package("a", "1")],
            )
 def test_missing_token(self) -> None:
     """A username without a token produces an unauthenticated request."""
     with patch("requests.post") as post:
         post.return_value.status_code = 200
         # Username given, token None -> no auth tuple is attached.
         audit.components([packages.Package("x", "1")], "usr", None)
         post.assert_called_once_with(ANY, auth=None, json=ANY)
 def test_invalid_credentials(self) -> None:
     """HTTP 401 raises AuditError and the message names the credentials."""
     with patch("requests.post") as post:
         post.return_value.status_code = 401
         with self.assertRaises(audit.AuditError) as raised:
             audit.components([packages.Package("x", "1")])
         self.assertIn("credentials", str(raised.exception))
 def test_downcase(self) -> None:
     """Coordinate built from a mixed-case package name.

     The test name suggests the name is lower-cased in the PURL.
     """
     # NOTE(review): the expected literal reads like an e-mail-obfuscated
     # rendering of a "pkg:pypi/<name>@<version>" coordinate; verify it
     # against the upstream test source.
     coordinate = packages.Package("NAMe", "1.2.3").coordinate
     self.assertEqual(coordinate, "pkg:pypi/[email protected]")