def test_osv_advisory_with_vulnerable_package_via_osv_api() -> None:
    """Build an advisory from the first OSV result for jinja2 2.11.2 and check its fields.

    ``_osv_dev_api_request`` is defined elsewhere in this file; judging by its
    name it presumably performs a live request against the OSV API, so this
    test looks network-dependent — confirm before running it in an isolated
    environment.
    """
    results = _osv_dev_api_request("jinja2", "2.11.2")
    assert results[0]

    advisory = OSVSecurityAdvisory.using(results[0])
    assert advisory.identifier == "PYSEC-2021-66"
    assert advisory.package_name == "jinja2"
    expected_prefix = "This affects the package jinja2 from 0.0.0 and before 2.11.3."
    assert advisory.summary.startswith(expected_prefix)

    # The summary says "before 2.11.3": everything strictly below is affected.
    for affected_version in ("0.0.0", "2.11.2"):
        assert advisory.is_affected(affected_version)
    assert not advisory.is_affected("2.11.3")
def test_osv_advisory_with_introduced_and_fixed() -> None:
    """Check every exposed field of the ``introduced-and-fixed.yaml`` fixture.

    ``osv_advisory_yml`` is a fixture-loading helper defined elsewhere in this
    file.
    """
    advisory = OSVSecurityAdvisory.using(osv_advisory_yml("introduced-and-fixed.yaml"))

    expected_fields = {
        "package_name": "package",
        "identifier": "PYSEC-0000-0",
        "source": "osv",
        "severity": "UNKNOWN",
        "url": "https://www.pypi.org",
        "references": ["https://www.pypi.org", "https://www.python.org"],
        "vulnerable_versions": "<1.1.0,>=1.0.0",
        "summary": "Too much cheese in the cheeseshop!",
    }
    for attribute, expected in expected_fields.items():
        assert getattr(advisory, attribute) == expected, attribute

    # Range "<1.1.0,>=1.0.0": the introduced bound is inclusive, the fixed
    # bound exclusive.
    for version in ("1.0.0", "1.0.20"):
        assert advisory.is_affected(version)
    for version in ("0.9.0", "1.1.0", "2.0.0"):
        assert not advisory.is_affected(version)
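def populate_from_cache(self) -> None:
    """Load every OSV advisory from the cached ``.tar.gz`` archive at ``self.path``.

    Rebuilds ``self._advisories`` as a ``defaultdict(list)`` keyed by the
    lower-cased package name. Only archive members whose path contains
    ``/vulns/`` and ends in ``.yaml`` are read.

    Raises:
        SkjoldException: if a matching member cannot be extracted (i.e. it is
            not a regular file).
    """
    self._advisories = defaultdict(list)

    with tarfile.TarFile.open(self.path, mode="r:gz") as archive:
        # Iterate the member list directly instead of building a filtered copy.
        for member in archive.getmembers():
            if "/vulns/" not in member.name or not member.name.endswith(".yaml"):
                continue

            # extractfile() reads the member into memory and never writes to
            # disk, so member paths in the archive cannot reach the filesystem.
            member_fh = archive.extractfile(member)
            if member_fh is None:  # pragma: no cover
                raise SkjoldException(
                    f"Unable to extract '{member.name}' from source archive."
                )

            # Close the extracted handle once parsed rather than leaving it to
            # the garbage collector.
            with member_fh:
                # SafeLoader: the archive contents are external data, so only
                # plain YAML tags are accepted — no arbitrary object construction.
                doc = yaml.load(member_fh, Loader=yaml.SafeLoader)

            advisory = OSVSecurityAdvisory.using(doc)
            self._advisories[advisory.package_name.lower()].append(advisory)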
def test_ensure_osv_advisory_from_yaml_with_no_cvss_vector() -> None:
    """Check the ``PYSEC-2021-54.yaml`` fixture (salt), which carries no CVSS vector.

    With no vector present the severity is expected to be ``"UNKNOWN"``.
    ``osv_advisory_yml`` is a fixture-loading helper defined elsewhere in this
    file.
    """
    advisory = OSVSecurityAdvisory.using(osv_advisory_yml("PYSEC-2021-54.yaml"))

    assert advisory.package_name == "salt"
    assert advisory.identifier == "PYSEC-2021-54"
    assert advisory.source == "osv"
    assert advisory.severity == "UNKNOWN"
    assert advisory.url == "https://github.com/saltstack/salt/releases"

    # NOTE(review): the mailing-list address in the Fedora URLs appears to have
    # been replaced by "[email protected]" during extraction — confirm against
    # the fixture file.
    fedora_archive = (
        "https://lists.fedoraproject.org/archives/list/[email protected]/message"
    )
    assert advisory.references == [
        "https://github.com/saltstack/salt/releases",
        "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/",
        f"{fedora_archive}/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/",
        f"{fedora_archive}/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/",
        f"{fedora_archive}/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/",
        "https://security.gentoo.org/glsa/202103-01",
    ]

    # The per-branch ranges are joined with "||"; listed one per line so each
    # introduced/fixed pair stays readable.
    expected_ranges = [
        "<2015.8.10",
        "<2015.8.13,>=2015.8.11",
        "<2016.3.4,>=2016.3.0",
        "<2016.3.6,>=2016.3.5",
        "<2016.3.8,>=2016.3.7",
        "<2016.11.3,>=2016.11.0",
        "<2016.11.5,>=2016.11.4",
        "<2016.11.10,>=2016.11.7",
        "<2017.7.8,>=2017.7.0",
        "<2019.2.0rc1,>=2018.3.0rc1",
        "<2019.2.5,>=2019.2.0",
        "<2019.2.8,>=2019.2.6",
        "<3000.6,>=3000",
        "<3001.4,>=3001",
        "<3002.5,>=3002",
    ]
    assert advisory.vulnerable_versions == "||".join(expected_ranges)

    assert advisory.summary.startswith("In SaltStack Salt before 3002.5, eauth tokens")
def test_osv_advisory_ensure_marked_affected_by_default(package_version: str) -> None:
    """An advisory carrying only a package name must report every version as affected.

    ``package_version`` is supplied by the test's parametrisation, which is not
    visible in this listing.
    """
    minimal_doc = {"package": {"name": "package"}}
    advisory = OSVSecurityAdvisory.using(minimal_doc)

    assert advisory.package_name == "package"
    # Fail closed: with no version information at all, the package must still
    # be reported as affected.
    assert advisory.is_affected(package_version)
def test_ensure_is_affected(
    doc: Any, package_name: str, package_version: str, is_vulnerable: bool
) -> None:
    """Check ``is_affected`` against a parametrised advisory document.

    ``doc`` must carry ``affects.versions``; one entry in
    ``vulnerable_version_range`` is expected per listed version. The
    parametrisation (and ``package_name``, which the body does not use) lives
    outside this listing.
    """
    advisory = OSVSecurityAdvisory.using(doc)
    listed_versions = doc["affects"]["versions"]

    assert advisory.package_name == "package"
    assert len(advisory.vulnerable_version_range) == len(listed_versions)
    # Identity comparison on purpose: the result must be a real bool, not merely
    # a truthy or falsy value.
    assert advisory.is_affected(package_version) is is_vulnerable