def test_mixed(self) -> None:
    """--installed combined with --file forwards both package lists.

    The installed packages are expected first, followed by the ones
    parsed from the file, with no credentials and the cache enabled.
    """
    runner = CliRunner()
    from_file = [
        packages.Package("c", "1.1"),
        packages.Package("d", "2.2"),
    ]
    from_env = [
        packages.Package("a", "1.1"),
        packages.Package("b", "2.2"),
    ]
    with patch("ossaudit.packages.get_from_files") as get_from_files, \
            patch("ossaudit.packages.get_installed") as get_installed, \
            patch("ossaudit.audit.components") as components, \
            tempfile.NamedTemporaryFile() as tmp:
        get_from_files.return_value = from_file
        get_installed.return_value = from_env
        components.return_value = []
        result = runner.invoke(
            cli.cli, ["--installed", "--file", tmp.name]
        )
        self.assertEqual(result.exit_code, 0)
        # Order matters: installed packages precede the file-sourced ones.
        components.assert_called_with(
            from_env + from_file, None, None, False
        )
def test_installed(self) -> None:
    """--installed alone forwards get_installed()'s packages unchanged.

    The call is expected with None for username and token and the
    ignore-cache flag unset.
    """
    runner = CliRunner()
    found = [
        packages.Package("a", "1.1"),
        packages.Package("b", "2.2"),
    ]
    with patch("ossaudit.packages.get_installed") as get_installed, \
            patch("ossaudit.audit.components") as components:
        get_installed.return_value = found
        components.return_value = []
        result = runner.invoke(cli.cli, ["--installed"])
        self.assertEqual(result.exit_code, 0)
        components.assert_called_with(found, None, None, False)
def test_files(self) -> None:
    """--file forwards get_from_files()'s packages with no credentials."""
    runner = CliRunner()
    parsed = [
        packages.Package("a", "1.1"),
        packages.Package("b", "2.2"),
    ]
    with patch("ossaudit.packages.get_from_files") as get_from_files, \
            patch("ossaudit.audit.components") as components, \
            tempfile.NamedTemporaryFile() as tmp:
        get_from_files.return_value = parsed
        components.return_value = []
        result = runner.invoke(cli.cli, ["--file", tmp.name])
        self.assertEqual(result.exit_code, 0)
        # NOTE(review): this expects three positional arguments while the
        # sibling --installed tests expect a fourth (False) — confirm which
        # signature the CLI actually uses; one of the two looks stale.
        components.assert_called_with(parsed, None, None)
def test_missing_fields(self) -> None:
    """An empty vulnerability record is reported with placeholder values.

    When the API response omits name and version, the resulting entry
    is expected to carry "unknown" and "0" instead of failing.
    """
    payload = [{"vulnerabilities": [{}]}]  # type: list
    with patch("requests.post") as post:
        post.return_value.status_code = 200
        post.return_value.json.return_value = payload
        found = audit.components([packages.Package("a", "1")])
    self.assertEqual(len(found), 1)
    first = found[0]
    self.assertEqual(first.name, "unknown")
    self.assertEqual(first.version, "0")
def test_credentials(self) -> None:
    """Credentials read from the config file are passed to components().

    A minimal config section for the project is written with a username
    and token; the CLI is expected to forward both, with the cache enabled.
    """
    # NOTE(review): assumes const.CONFIG has been redirected to a scratch
    # location by a fixture outside this view — confirm; otherwise this
    # overwrites the real user config with dummy credentials.
    with const.CONFIG.open("w") as cfg:
        cfg.write("[{}]\n username=abc \n token=xyz".format(__project__))
    runner = CliRunner()
    with patch("ossaudit.packages.get_installed") as get_installed, \
            patch("ossaudit.audit.components") as components:
        get_installed.return_value = [packages.Package("a", "1.1")]
        components.return_value = []
        result = runner.invoke(cli.cli, ["--installed"])
        self.assertEqual(result.exit_code, 0)
        # The package list itself is irrelevant here; only the credentials are.
        components.assert_called_with(ANY, "abc", "xyz", False)
def test_dont_save_cache(self) -> None:
    """ignore_cache=True must never call cache.save."""
    pkgs = [
        packages.Package("django", "2.2"),
        packages.Package("pyyaml", "3.13"),
        packages.Package("requests", "0.10.0"),
    ]
    fixture = os.path.join("tests", "data", "vulns01.json")
    with patch("requests.post") as post, \
            patch("ossaudit.cache.save") as save:
        post.return_value.status_code = 200
        with open(fixture) as fh:
            post.return_value.json.return_value = json.load(fh)
        audit.components(pkgs, ignore_cache=True)
    self.assertEqual(save.call_count, 0)
def test_from_cache(self) -> None:
    """Cached coordinates are served from cache.get and not POSTed.

    Every package is looked up in the cache; with MAX_PACKAGES forced to 1,
    each cache miss produces exactly one request carrying that coordinate.
    """
    pkgs = [
        packages.Package(name, ver)
        for name, ver in (
            ("django", "2.2"),
            ("pylint", "4.1"),
            ("pyyaml", "3.13"),
            ("requests", "0.10.0"),
            ("yapf", "1.2.3"),
        )
    ]
    # NOTE(review): this literal looks like an extraction artifact (an
    # e-mail-like token where a purl "name@version" would be expected);
    # confirm against the original source before relying on it.
    cached_coordinate = "pkg:pypi/[email protected]"

    def fake_get(coordinate: str) -> Optional[Dict]:
        # Exactly one coordinate is "cached"; every other lookup misses.
        if coordinate != cached_coordinate:
            return None
        return {
            "coordinates": cached_coordinate,
            "time": time.time(),
            "vulnerabilities": [{"id": "123"}],
        }

    with patch("requests.post") as post, \
            patch("ossaudit.cache.get", wraps=fake_get) as get, \
            patch("ossaudit.const.MAX_PACKAGES", 1):
        post.return_value.status_code = 200
        found = audit.components(pkgs)
    self.assertEqual(len(found), 1)
    self.assertEqual(get.call_count, len(pkgs))
    self.assertEqual(post.call_count, len(pkgs) - 1)
    expected = [
        (ANY, {"auth": None, "json": {"coordinates": [p.coordinate]}})
        for p in pkgs
        if p.coordinate != cached_coordinate
    ]
    self.assertEqual(post.call_args_list, expected)
def test_max_packages(self) -> None:
    """Requests are batched into chunks of at most MAX_PACKAGES coordinates."""
    pkgs = [
        packages.Package(name, ver)
        for name, ver in (
            ("django", "2.2"),
            ("pylint", "4.1"),
            ("pyyaml", "3.13"),
            ("requests", "0.10.0"),
            ("yapf", "1.2.3"),
        )
    ]
    batch = 2
    with patch("requests.post") as post, \
            patch("ossaudit.const.MAX_PACKAGES", batch):
        post.return_value.status_code = 200
        audit.components(pkgs)
    # Five packages in batches of two -> three requests (2, 2, 1).
    self.assertEqual(post.call_count, 3)
    expected = []
    for start in range(0, len(pkgs), batch):
        chunk = [p.coordinate for p in pkgs[start:start + batch]]
        expected.append(
            (ANY, {"auth": None, "json": {"coordinates": chunk}})
        )
    self.assertEqual(post.call_args_list, expected)
def test_ok(self) -> None:
    """A successful response yields one Vulnerability per (package, CVE).

    The expected CVE set per package comes from the vulns01.json fixture.
    """
    expected = [
        ("django", "2.2", ()),
        ("requests", "0.10.0", ("CVE-2014-1830", "CVE-2014-1829")),
        ("pyyaml", "3.13", ("CVE-2017-18342",)),
    ]  # type: list
    fixture = os.path.join("tests", "data", "vulns01.json")
    with patch("requests.post") as post:
        post.return_value.status_code = 200
        with open(fixture) as fh:
            post.return_value.json.return_value = json.load(fh)
        found = audit.components(
            [packages.Package(name, ver) for name, ver, _ in expected]
        )
    self.assertEqual(len(found), 3)
    for name, ver, cves in expected:
        for cve in cves:
            # next() raises StopIteration if no entry matches, which
            # surfaces as a test error rather than an assertion failure.
            match = next(
                v for v in found
                if v.name == name and v.version == ver and v.cve == cve
            )
            self.assertIsInstance(match, audit.Vulnerability)
def test_unknown_status(self) -> None:
    """An unexpected HTTP status (501 here) is surfaced as AuditError."""
    with patch("requests.post") as post:
        post.return_value.status_code = 501
        with self.assertRaises(audit.AuditError):
            audit.components([packages.Package("a", "1")])
def test_missing_token(self) -> None:
    """A username without a token must not be sent as partial auth.

    The request is expected to go out with auth=None rather than a
    half-filled ("usr", None) pair.
    """
    with patch("requests.post") as post:
        post.return_value.status_code = 200
        audit.components([packages.Package("x", "1")], "usr", None)
    expected = [(ANY, {"auth": None, "json": ANY})]
    self.assertEqual(post.call_args_list, expected)
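def test_invalid_credentials(self) -> None:
    """HTTP 401 is reported as an AuditError whose message names credentials."""
    with patch("requests.post") as post:
        post.return_value.status_code = 401
        with self.assertRaises(audit.AuditError) as ctx:
            audit.components([packages.Package("x", "1")])
    # assertIn shows the actual message on failure, unlike
    # assertTrue("..." in ...), which only reports "False is not true".
    self.assertIn("credentials", str(ctx.exception))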
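def test_downcase(self) -> None:
    """The package coordinate lower-cases the name and keeps the version."""
    pkg = packages.Package("NAMe", "1.2.3")
    # NOTE(review): in the listing this expected value read
    # "pkg:pypi/[email protected]", an e-mail-style extraction artifact that
    # could never match a purl; it is reconstructed here from the inputs
    # above (lower-cased name, version as given) — confirm against source.
    self.assertEqual(pkg.coordinate, "pkg:pypi/name@1.2.3")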