def test_write_results_vulns():
"""Test parsing results and writing test-output.xml"""
# Open the Veracode SCA JSON results
with open("example-dotnet.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# Create the test-output.xml
write_output("dotnet vulns", parsed_data, 0)
# Get test-output.xml
xml = JUnitXml.fromfile("test-output.xml")
# Assert there are 15 vulnerabilities in the output
case_counter = 0
for suite in xml:
for case in suite:
case_counter += 1
assert case_counter == 15
# Assert there are 15 failures reported in the Test Suite
assert xml.failures == 15
def test_parse_python_results():
"""Test parsing a fork of the srcclr/example-python repo
To generate results:
srcclr scan --url https://github.com/gattjoe/example-python3-pip --json example-python.json"""
# Open the Veracode SCA JSON results
with open("example-python.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# As of srcclr 3.7.1 there are 41 detected vulns in this example
assert len(parsed_data) == 41
flaw_counter = 0
for flaw in parsed_data:
if flaw["CVSS"] >= 5:
flaw_counter += 1
# As of srcclr 3.7.1 there are 27 CVSS >= 5 vulnerabilities in this example
assert flaw_counter == 27
actual_high_vulns = []
expected_high_vulns = ["PyJWT", "PyJWT", "Django", "pycrypto", "Django"]
for flaw in parsed_data:
if flaw["CVSS"] >= 7.5:
actual_high_vulns.append(flaw["Vulnerable Library"])
# As of srcclr 3.7.1 there are 5 CVSS >= 7.5 vulnerabilities in this example
assert expected_high_vulns.sort() == actual_high_vulns.sort()
def test_parse_javascript_results():
""" Test parsing a fork of the srcclr/example-javascript repo
To generate results:
srcclr scan --url https://github.com/gattjoe/example-javascript --json example-javascript.json
"""
# Open the Veracode SCA JSON results
with open("example-javascript.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# As of srcclr 3.7.1 there are 75 detected vulns in this example
assert len(parsed_data) == 75
flaw_counter = 0
for flaw in parsed_data:
if flaw["CVSS"] >= 5:
flaw_counter += 1
# As of srcclr 3.7.1 there are 59 CVSS >= 5 vulnerabilities in this example
assert flaw_counter == 59
actual_high_vulns = []
expected_high_vulns = [
"console-io", "ms", "moment", "sequelize", "sequelize", "lodash",
"send"
]
for flaw in parsed_data:
if flaw["CVSS"] >= 7.5:
actual_high_vulns.append(flaw["Vulnerable Library"])
# As of srcclr 3.7.1 there are 7 CVSS >= 7.5 vulnerabilities in this example
assert expected_high_vulns.sort() == actual_high_vulns.sort()
def test_parse_dotnet_results():
""" Test parsing a fork of the srcclr/example-dotnet repo
To generate results:
srcclr scan --url https://github.com/gattjoe/example-dotnet --json example-dotnet.json """
# Open the Veracode SCA JSON results
with open("example-dotnet.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# As of srcclr 3.7.1 there are 15 detected vulns in this example
assert len(parsed_data) == 15
flaw_counter = 0
for flaw in parsed_data:
if flaw["CVSS"] >= 5:
flaw_counter += 1
# As of srcclr 3.7.1 there are 11 CVSS >= 5 vulnerabilities in this example
assert flaw_counter == 11
actual_high_vulns = []
expected_high_vulns = [
"log4net", "GSF.Core", "GSF.Security", "recurly-api-client",
"recurly-api-client"
]
for flaw in parsed_data:
if flaw["CVSS"] >= 7.5:
actual_high_vulns.append(flaw["Vulnerable Library"])
# As of srcclr 3.7.1 there are 5 CVSS >= 7.5 vulnerabilities in this example
assert expected_high_vulns.sort() == actual_high_vulns.sort()
def test_parse_jsnpm_results():
""" Test parsing a fork of the srcclr/test-js-npm repo
To generate results:
srcclr scan --url https://github.com/gattjoe/test-js-npm --json example-jsnpm.json """
# Open the Veracode SCA JSON results
with open("example-jsnpm.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# As of srcclr 3.7.1 there are 35 detected vulns in this example
assert len(parsed_data) == 35
flaw_counter = 0
for flaw in parsed_data:
if flaw["CVSS"] >= 5:
flaw_counter += 1
# As of srcclr 3.7.1 there are 31 CVSS >= 5 vulnerabilities in this example
assert flaw_counter == 31
actual_high_vulns = []
expected_high_vulns = [
"semver", "ms", "uglify-js", "semver", "ms", "lodash", "lodash",
"morgan", "extend", "lodash"
]
for flaw in parsed_data:
if flaw["CVSS"] >= 7.5:
actual_high_vulns.append(flaw["Vulnerable Library"])
# As of srcclr 3.7.1 there are 10 CVSS >= 7.5 vulnerabilities in this example
assert expected_high_vulns.sort() == actual_high_vulns.sort()
def test_parse_ruby_results():
"""Test parsing a fork of the srcclr/example-ruby repo
To generate results:
srcclr scan --url https://github.com/gattjoe/example-ruby --json example-ruby.json"""
# Open the Veracode SCA JSON results
with open("example-ruby.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# As of srcclr 3.7.1 there are 80 detected vulns in this example
assert len(parsed_data) == 80
flaw_counter = 0
for flaw in parsed_data:
if flaw["CVSS"] >= 5:
flaw_counter += 1
# As of srcclr 3.7.1 there are 58 CVSS >= 5 vulnerabilities in this example
assert flaw_counter == 58
actual_high_vulns = []
expected_high_vulns = [
"nokogiri",
"nokogiri",
"nokogiri",
"nokogiri",
"nokogiri",
"nokogiri",
"actionpack",
"actionview",
"devise",
"paperclip",
"festivaltts4r"
"lingq",
]
for flaw in parsed_data:
if flaw["CVSS"] >= 7.5:
actual_high_vulns.append(flaw["Vulnerable Library"])
# As of srcclr 3.7.1 there are 12 CVSS >= 7.5 vulnerabilities in this example
assert expected_high_vulns.sort() == actual_high_vulns.sort()
def test_parse_zero_results():
"""Test parsing a fork of the srcclr/example-dotnet repo
To generate results:
srcclr scan --url https://github.com/gattjoe/example-dotnet --json example-dotnet.json"""
# Open the Veracode SCA JSON results
with open("example-dotnet.json", "r") as sca_results:
data = json.load(sca_results)
min_CVSS = 8
# Include CVSS >= 8 in the output (expect 0)
parsed_data = parse_sca_json(data, min_CVSS)
# As of srcclr 3.7.1 there are 15 detected vulns in this example
assert parsed_data == [{
"Results":
f"No vulnerabilities >= the min CVSS score {min_CVSS}."
}]
def test_write_results_no_vulns():
"""Test parsing results and writing test-output.xml"""
# Open the Veracode SCA JSON results
with open("example-novulns.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
# Create the test-output.xml
write_output("No vulns", parsed_data, 0)
# Get test-output.xml
xml = JUnitXml.fromfile("test-output.xml")
# Assert there are no vulnerabilities in the output
for suite in xml:
for case in suite:
assert case.name == "No vulnerabilities"
def test_multi_instance_of_vuln():
"""Test parsing of results that have multiple instances
of a vulnerability but in two or more different libraries"""
# Open the Veracode SCA JSON results
with open("example-dotnet.json", "r") as sca_results:
data = json.load(sca_results)
# Include all CVSS in the output
parsed_data = parse_sca_json(data, 0)
actual_dupe_vulns = []
# SQL Injection vulnerability is in both of these libraries
expected_dupe_vulns = ["GSF.Core", "GSF.Security"]
for flaw in parsed_data:
if flaw["Vulnerable Library"] in expected_dupe_vulns:
actual_dupe_vulns.append(flaw["Vulnerable Library"])
assert expected_dupe_vulns.sort() == actual_dupe_vulns.sort()
def test_write_results_no_vulns_min_CVSS():
"""Test parsing results and writing test-output.xml with no vulns"""
# Open the Veracode SCA JSON results
with open("example-dotnet.json", "r") as sca_results:
data = json.load(sca_results)
min_CVSS = 8
# Include CVSS >= 8 in the output (expect 0)
parsed_data = parse_sca_json(data, min_CVSS)
# Create the test-output.xml
write_output("dotnet vulns", parsed_data, min_CVSS)
# Get test-output.xml
xml = JUnitXml.fromfile("test-output.xml")
# Assert there are no vulnerabilities in the output
for suite in xml:
for case in suite:
assert case.name == "No vulnerabilities"