def test_nagios_warning_all():
    """Check the Nagios result for a medium CVE when the priority is "all".

    The single finding has None for its last two fields (fix version and
    repository, judging by how other results on this page are built). The test
    pins that the message does not mention "priority" and that the WARNING
    return code is produced.
    """
    options = MockOpt()
    options.priority = "all"
    findings = [ScanResult("CVE-2020-1000", "medium", "pkg1", None, None)]

    formatter = NagiosOutputFormatter(options, None)
    message, exit_code = formatter.format_output(findings, None)

    # With no priority threshold in effect the text must not talk about one.
    assert "priority" not in message
    assert exit_code == const.NAGIOS_WARNING_RETURN_CODE
def test_nagios_critical_medium():
    """Check the Nagios result for a medium CVE when the priority is "medium".

    The finding carries version "1.2.3-2" and the Ubuntu Archive repository.
    The test pins that the message names the '"medium" or higher priority'
    threshold and that the CRITICAL return code is produced.
    """
    options = MockOpt()
    options.priority = "medium"
    finding = ScanResult(
        "CVE-2020-1000", "medium", "pkg1", "1.2.3-2", const.UBUNTU_ARCHIVE
    )

    formatter = NagiosOutputFormatter(options, None)
    message, exit_code = formatter.format_output([finding], None)

    # The operator must be able to see which threshold produced the alert.
    assert '"medium" or higher priority' in message
    assert exit_code == const.NAGIOS_CRITICAL_RETURN_CODE
def test_vulnerable_patch_available_repository(cve_output_formatter):
    """Check the CVE formatter's message when the Ubuntu Archive has a fix.

    The input is the shared results for CVE-2020-1001 and CVE-2020-1003 plus
    one CVE-2020-1000 result that carries version "1.2.3-4" and the Ubuntu
    Archive repository. The formatter must return the exact sentence below
    together with return code 4.
    """
    expected_msg = (
        "Vulnerable to CVE-2020-1000, but fixes are available from "
        "the Ubuntu Archive."
    )

    findings = filter_scan_results_by_cve_ids(["CVE-2020-1001", "CVE-2020-1003"])
    archive_fix = ScanResult(
        "CVE-2020-1000", "low", "pkg3", "1.2.3-4", const.UBUNTU_ARCHIVE
    )
    findings.append(archive_fix)

    msg, rc = cve_output_formatter.format_output(findings, MockSysInfo())

    assert msg == expected_msg
    # NOTE(review): 4 is a bare literal here; if the project defines a named
    # return-code constant for this state, asserting against it would make the
    # contract easier to audit. Confirm against the formatter.
    assert rc == 4
def priority_scan_results():
    """Return six scan results, one per priority constant, none with a fix.

    The priorities are deliberately not in severity order, and every result
    has None for its last two fields.
    """
    rows = (
        ("CVE-2020-1000", const.MEDIUM, "pkg4"),
        ("CVE-2020-1001", const.NEGLIGIBLE, "pkg5"),
        ("CVE-2020-1002", const.CRITICAL, "pkg6"),
        ("CVE-2020-1003", const.UNTRIAGED, "pkg7"),
        ("CVE-2020-1004", const.LOW, "pkg1"),
        ("CVE-2020-1005", const.HIGH, "pkg2"),
    )
    return [
        ScanResult(cve_id, priority, package, None, None)
        for cve_id, priority, package in rows
    ]
def _filter_on_experimental(self, scan_results):
    """Hide UA-hosted fixes unless experimental mode is enabled.

    Args:
        scan_results: iterable of ScanResult objects.

    Returns:
        ``scan_results`` itself when ``self.opt.experimental_mode`` is truthy.
        Otherwise a new list in the same order, where every result whose
        repository is ``const.UA_APPS`` or ``const.UA_INFRA`` is replaced by
        a copy that keeps the CVE id, priority and package name but has None
        for its last two fields; all other results are passed through
        unchanged (same objects).
    """
    if self.opt.experimental_mode:
        return scan_results

    ua_repositories = {const.UA_APPS, const.UA_INFRA}
    # The finding is kept and only its fix details are blanked, so the CVE
    # still shows up in the results; consumers simply no longer see that a
    # UA repository carries a fix for it.
    return [
        ScanResult(result.cve_id, result.priority, result.package_name, None, None)
        if result.repository in ua_repositories
        else result
        for result in scan_results
    ]
def shuffled_scan_results():
    """Return nine scan results in deliberately unsorted order.

    The list mixes priorities, repositories (UA Infra, UA Apps, Ubuntu
    Archive, none) and repeats CVE-2020-1002 across several packages.
    """
    rows = (
        ("CVE-2020-1002", const.CRITICAL, "pkg4", "2.0.0-1+deb9u1", const.UA_INFRA),
        ("CVE-2020-1000", const.MEDIUM, "pkg4", "1.2.3-4", const.UA_APPS),
        ("CVE-2020-1005", const.HIGH, "pkg2", "2.0.0-2", const.UBUNTU_ARCHIVE),
        ("CVE-2020-1002", const.CRITICAL, "pkg6", "2.0.0-1+deb9u1", const.UA_APPS),
        ("CVE-2020-1001", const.MEDIUM, "pkg4", None, None),
        # Five-digit sequence number, unlike the other ids in this list.
        ("CVE-2020-10000", const.UNTRIAGED, "pkg7", "2.2.19-1", const.UA_APPS),
        ("CVE-2020-1002", const.CRITICAL, "pkg3", "2.0.0-1+deb9u1", const.UA_APPS),
        ("CVE-2020-1003", const.NEGLIGIBLE, "pkg5", None, None),
        ("CVE-2020-2000", const.LOW, "pkg1", "1.0.0-2", const.UBUNTU_ARCHIVE),
    )
    return [ScanResult(*row) for row in rows]
def _scan_for_single_cve(self, cve_id, uct_record, codename, installed_pkgs):
    """Collect scan results for one CVE against the installed packages.

    Args:
        cve_id: identifier stored in every ScanResult produced here.
        uct_record: mapping for this CVE; ``uct_record["releases"][codename]``
            maps to per-source-package details and ``uct_record["priority"]``
            is copied into each result. A missing key raises KeyError.
        codename: release key looked up under ``uct_record["releases"]``.
        installed_pkgs: mapping keyed by binary package name; only binaries
            present in it are considered.

    Returns:
        A list of ScanResult objects, one per entry returned by
        ``self._find_vulnerable_binaries``.
    """
    findings = []
    unaffected_statuses = {"DNE", "not-affected"}

    for source_pkg in uct_record["releases"][codename].values():
        if source_pkg["status"][0] in unaffected_statuses:
            continue

        # TODO: This is a temporary measure. The entire JSON should be
        #       validated prior to scanning. The "binaries" key should
        #       not be missing.
        # NOTE(review): skipping here is silent. A record that lacks
        # "binaries" yields no results for that source package, so malformed
        # data shows up as "nothing found" rather than as an error.
        if "binaries" not in source_pkg:
            continue

        installed_binaries = []
        for binary in source_pkg["binaries"]:
            if binary in installed_pkgs:
                installed_binaries.append((binary, installed_pkgs[binary]))

        for vulnerable in self._find_vulnerable_binaries(
            source_pkg, installed_binaries
        ):
            repository = vulnerable[2]

            # TODO: This is a hack to work around the fact that the UA
            #       product names (presentation layer) are provided by the
            #       JSON database (data layer). Fix the root cause of this
            #       issue instead of working around it like this.
            # Any other repository string is passed through unchanged.
            if repository == "UA Apps":
                repository = const.UA_APPS
            elif repository == "UA Infra":
                repository = const.UA_INFRA

            findings.append(
                ScanResult(
                    cve_id,
                    uct_record["priority"],
                    vulnerable[0],
                    vulnerable[1],
                    repository,
                )
            )

    return findings
def misc_scan_results():
    """Return nineteen scan results covering a mix of fix states.

    The set includes results with no fix details, fixes in the Ubuntu Archive,
    fixes in UA Apps and UA Infra, every priority string, and one result whose
    repository is the unrecognised value "INVALID_ARCHIVE".
    """
    rows = (
        ("CVE-2020-1000", "low", "pkg3", None, None),
        (
            "CVE-2020-1001",
            "high",
            "pkg1",
            "1:1.2.3-4+deb9u2ubuntu0.2",
            const.UBUNTU_ARCHIVE,
        ),
        (
            "CVE-2020-1001",
            "high",
            "pkg2",
            "1:1.2.3-4+deb9u2ubuntu0.2",
            const.UBUNTU_ARCHIVE,
        ),
        ("CVE-2020-1002", "low", "pkg4", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1002", "low", "pkg5", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1002", "low", "pkg6", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1003", "medium", "pkg4", None, None),
        ("CVE-2020-1003", "medium", "pkg5", None, None),
        ("CVE-2020-1003", "medium", "pkg6", None, None),
        ("CVE-2020-1004", "medium", "pkg7", None, None),
        ("CVE-2020-1005", "low", "pkg1", "1:1.2.3-4+deb9u3", const.UA_APPS),
        ("CVE-2020-1005", "low", "pkg2", "1:1.2.3-4+deb9u3", const.UA_APPS),
        ("CVE-2020-1005", "low", "pkg3", "10.2.3-2ubuntu0.1", const.UA_INFRA),
        ("CVE-2020-1006", "untriaged", "pkg5", None, None),
        ("CVE-2020-1007", "critical", "pkg4", None, None),
        ("CVE-2020-1008", "negligible", "pkg1", None, None),
        ("CVE-2020-1009", "low", "pkg2", "1:1.2.3-4+deb9u3", const.UA_APPS),
        ("CVE-2020-1010", "low", "pkg3", "10.2.3-2ubuntu0.1", const.UA_INFRA),
        # Repository value that matches none of the const.* repositories used
        # above; presumably exercises handling of unknown repositories.
        ("CVE-2020-1011", "low", "pkg3", "10.2.3-2ubuntu0.1", "INVALID_ARCHIVE"),
    )
    return [ScanResult(*row) for row in rows]
def test_whole_uct_json_file(default_cve_scanner, uct_data, default_installed_pkgs):
    """Scan the whole UCT fixture for "bionic" and compare the full result list.

    The comparison is an exact list equality, so both the content and the
    order of the thirteen expected results are pinned.
    """
    expected_rows = (
        ("CVE-2020-1000", "low", "pkg3", None, None),
        (
            "CVE-2020-1001",
            "high",
            "pkg1",
            "1:1.2.3-4+deb9u2ubuntu0.2",
            const.UBUNTU_ARCHIVE,
        ),
        (
            "CVE-2020-1001",
            "high",
            "pkg2",
            "1:1.2.3-4+deb9u2ubuntu0.2",
            const.UBUNTU_ARCHIVE,
        ),
        ("CVE-2020-1002", "low", "pkg4", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1002", "low", "pkg5", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1002", "low", "pkg6", "2.0.0+dfsg-1ubuntu1.1", const.UA_APPS),
        ("CVE-2020-1003", "medium", "pkg4", None, None),
        ("CVE-2020-1003", "medium", "pkg5", None, None),
        ("CVE-2020-1003", "medium", "pkg6", None, None),
        ("CVE-2020-1004", "medium", "pkg7", None, None),
        ("CVE-2020-1005", "low", "pkg1", "1:1.2.3-4+deb9u3", const.UA_APPS),
        ("CVE-2020-1005", "low", "pkg2", "1:1.2.3-4+deb9u3", const.UA_APPS),
        ("CVE-2020-1005", "low", "pkg3", "10.2.3-2ubuntu0.1", const.UA_INFRA),
    )
    expected_results = [ScanResult(*row) for row in expected_rows]

    results = default_cve_scanner.scan("bionic", uct_data, default_installed_pkgs)

    assert results == expected_results