def check_for_update(cve_json, task):
cve_id = cve_json["cve"]["CVE_data_meta"]["ID"]
cve_obj = Cve.query.filter_by(cve_id=cve_id).first()
events = []
# A new CVE has been added
if not cve_obj:
cve_obj = CveUtil.create_cve(cve_json)
logger.info("{} created (ID: {})".format(cve_id, cve_obj.id))
events = [CveUtil.create_event(cve_obj, cve_json, "new_cve", {})]
# Existing CVE has changed
elif CveUtil.cve_has_changed(cve_obj, cve_json):
logger.info("{} has changed, parsing it...".format(cve_obj.cve_id))
events = []
checks = BaseCheck.__subclasses__()
# Loop on each kind of check
for check in checks:
c = check(cve_obj, cve_json)
event = c.execute()
if event:
events.append(event)
# Change the last updated date
cve_obj.updated_at = arrow.get(cve_json["lastModifiedDate"]).datetime
cve_obj.json = cve_json
db.session.commit()
# Create the change
if events:
CveUtil.create_change(cve_obj, cve_json, task, events)
def test_has_changed(app, open_file):
cve_json = open_file("cves/CVE-2020-26116.json")
cve_db = CveUtil.create_cve(cve_json)
cve_db.updated_at = datetime.datetime.now() - datetime.timedelta(days=1)
db.session.commit()
assert CveUtil.cve_has_changed(cve_db, cve_json)
def test_create_event(app, open_file):
cve_json = open_file("cves/CVE-2020-26116.json")
cve = CveUtil.create_cve(cve_json)
event = CveUtil.create_event(cve, cve_json, "new_cve", {"foo": "bar"})
assert Event.query.first().id == event.id
assert event.type == "new_cve"
assert event.details == {"foo": "bar"}
assert event.review == False
assert event.cve_id == cve.id
assert event.cve.id == cve.id
assert event.change == None
assert event.change_id == None
assert event.alerts == []
def test_create_change(open_file):
task = Task()
db.session.add(task)
db.session.commit()
cve_json = open_file("cves/CVE-2020-26116.json")
cve = CveUtil.create_cve(cve_json)
change = CveUtil.create_change(cve, cve_json, task, [])
assert Change.query.first().id == change.id
assert change.json == cve_json
assert change.cve_id == cve.id
assert change.cve.id == cve.id
assert change.task_id == task.id
assert change.task.id == task.id
assert change.events == []
def test_create_cve(app, open_file):
cve = CveUtil.create_cve(open_file("cves/CVE-2020-26116.json"))
cves = Cve.query.all()
assert len(cves) == 1
# The CVE has been created
assert cve.id == cves[0].id
assert cve.cve_id == "CVE-2020-26116"
assert cve.cwes == ["CWE-116"]
assert sorted(cve.vendors) == sorted(
[
"fedoraproject",
f"fedoraproject{PRODUCT_SEPARATOR}fedora",
"python",
f"python{PRODUCT_SEPARATOR}python",
]
)
assert (
cve.summary
== "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request."
)
assert cve.cvss2 == 6.4
assert cve.cvss3 == 7.2
assert cve.events == []
assert cve.changes == []
assert cve.alerts == []
assert round(cve.cvss_weight, 1) == 13.6
# The CWE has been created
cwes = Cwe.query.all()
assert len(cwes) == 1
cwe = cwes[0]
assert cwe.cwe_id == "CWE-116"
# The vendors and products has been created
vendors = Vendor.query.all()
assert len(vendors) == 2
vendor_1 = Vendor.query.filter_by(name="fedoraproject").first()
assert len(vendor_1.products) == 1
assert vendor_1.products[0].name == "fedora"
vendor_2 = Vendor.query.filter_by(name="python").first()
assert len(vendor_2.products) == 1
assert vendor_2.products[0].name == "python"
def _create_cve(cve_id):
CveUtil.create_cve(open_file(f"cves/{cve_id}.json"))
return Cve.query.filter_by(cve_id=cve_id).first()