示例#1
0
    async def test_list_component_vulnerabilitites_return_vulnerabilities_for_each_component(
            self):
        components_version = {'plugin0': "1.2.3", 'plugin1': "1.4.0"}
        plugin0_vuln_list = VulnerabilityList(
            key="plugin0",
            producer="",
            vulnerabilities=[Vulnerability(id="1234")])
        plugin1_vuln_list = VulnerabilityList(
            key="plugin1",
            producer="",
            vulnerabilities=[Vulnerability(id="2345")])
        vuln_list_group = MagicMock()
        vuln_list_group.vulnerability_lists = [
            plugin0_vuln_list, plugin1_vuln_list
        ]

        def fake_list_vuln(self, version, vuln_list, no_version_match_all):
            return vuln_list.vulnerabilities

        with patch(
                "vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
                fake_list_vuln):
            vulns = self.vane.list_component_vulnerabilities(
                components_version, vuln_list_group, no_version_match_all=True)

            self.assertEqual(plugin0_vuln_list.vulnerabilities,
                             vulns['plugin0'])
            self.assertEqual(plugin1_vuln_list.vulnerabilities,
                             vulns['plugin1'])
示例#2
0
    async def test_list_component_vulnerabilitites_call_list_vulnerabilities_for_each_component(
            self):
        components_version = {
            'plugin0': "1.2.3",
            'theme0': "3.2.1",
            'plugin1': "1.4.0",
            'theme1': "6.9"
        }
        plugin0_vuln_list = VulnerabilityList(key="plugin0", producer="")
        plugin1_vuln_list = VulnerabilityList(key="plugin1", producer="")
        theme0_vuln_list = VulnerabilityList(key="theme0", producer="")
        theme1_vuln_list = VulnerabilityList(key="theme1", producer="")
        vuln_list_group = MagicMock()
        vuln_list_group.vulnerability_lists = [
            plugin0_vuln_list, plugin1_vuln_list, theme1_vuln_list,
            theme0_vuln_list
        ]

        fake_list_vuln = MagicMock()

        with patch(
                "vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
                fake_list_vuln):
            self.vane.list_component_vulnerabilities(components_version,
                                                     vuln_list_group,
                                                     no_version_match_all=True)

            calls = [
                call("1.2.3", plugin0_vuln_list, no_version_match_all=True),
                call("1.4.0", plugin1_vuln_list, no_version_match_all=True),
                call("3.2.1", theme0_vuln_list, no_version_match_all=True),
                call("6.9", theme1_vuln_list, no_version_match_all=True)
            ]
            fake_list_vuln.assert_has_calls(calls, any_order=True)
    def test_list_vulnerabilities_return_vulnerabilities_with_introduced_in_lower_than_version_and_fixed_in_upper_than_version(
            self):
        vuln0 = Vulnerability(id="12345",
                              title="Vulnerability0",
                              affected_versions=[
                                  VersionRange(introduced_in="2.5.9",
                                               fixed_in="4.7.2")
                              ])
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[
                                  VersionRange(introduced_in="1.6.2",
                                               fixed_in="4.9")
                              ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "3.5.8", vuln_list)
        applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
            "2.4.8", vuln_list)

        self.assertIn(vuln0, applicable_vuln0)
        self.assertIn(vuln1, applicable_vuln0)
        self.assertIn(vuln0, applicable_vuln1)
        self.assertIn(vuln1, applicable_vuln1)
        self.assertNotIn(vuln0, applicable_vuln2)
        self.assertIn(vuln1, applicable_vuln2)
    def test_list_vulnerabilities_remove_affected_versions_ranges_not_including_target_version(
            self):
        vuln = Vulnerability(id="12345",
                             title="Vulnerability",
                             affected_versions=[
                                 VersionRange(introduced_in="3.7",
                                              fixed_in="3.7.5"),
                                 VersionRange(introduced_in="4.0",
                                              fixed_in="4.0.10"),
                                 VersionRange(introduced_in="4.5",
                                              fixed_in="4.5.2")
                             ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln])

        vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
            "3.7.3", vuln_list)
        vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
            "4.0.9", vuln_list)
        vuln_software2 = self.vulnerability_lister.list_vulnerabilities(
            "4.5", vuln_list)

        self.assertEqual(vuln_software0[0].affected_versions,
                         [VersionRange(introduced_in="3.7", fixed_in="3.7.5")])
        self.assertEqual(
            vuln_software1[0].affected_versions,
            [VersionRange(introduced_in="4.0", fixed_in="4.0.10")])
        self.assertEqual(vuln_software2[0].affected_versions,
                         [VersionRange(introduced_in="4.5", fixed_in="4.5.2")])
 def _regroup_vulnerabilities_of_key_in_one_list(self, key):
     vulnerability_list = VulnerabilityList(key=key,
                                            producer="vane2_export")
     for _vulnerability_list in self.storage.list_vulnerabilities(key):
         vulnerability_list.vulnerabilities.extend(
             _vulnerability_list.vulnerabilities)
     return vulnerability_list
    def test_regroup_vulnerabilities_of_key_in_one_list(self):
        plugin_vuln0 = Vulnerability(id="0")
        plugin_vuln1 = Vulnerability(id="1")
        self.storage.vulnerability_lists[
            'plugins/plugin/producer0'] = VulnerabilityList(
                producer="producer0",
                key="plugins/plugin",
                vulnerabilities=[plugin_vuln0])
        self.storage.vulnerability_lists[
            'plugins/plugin/producer1'] = VulnerabilityList(
                producer="producer1",
                key="plugins/plugin",
                vulnerabilities=[plugin_vuln1])

        plugin_vuln_list = self.exporter._regroup_vulnerabilities_of_key_in_one_list(
            "plugins/plugin")

        self.assertIn(plugin_vuln0, plugin_vuln_list.vulnerabilities)
        self.assertIn(plugin_vuln1, plugin_vuln_list.vulnerabilities)
示例#7
0
    async def test_list_component_vulnerabilitites_skip_component_with_no_vulnerability(
            self):
        components_version = {'plugin0': "1.2.3"}
        plugin1_vuln_list = VulnerabilityList(key="plugin1", producer="")
        vuln_list_group = MagicMock()
        vuln_list_group.vulnerability_lists = [plugin1_vuln_list]

        fake_list_vuln = MagicMock()

        with patch(
                "vane.vulnerabilitylister.VulnerabilityLister.list_vulnerabilities",
                fake_list_vuln):
            self.vane.list_component_vulnerabilities(components_version,
                                                     vuln_list_group,
                                                     no_version_match_all=True)

            fake_list_vuln.assert_not_called()
    def test_list_vulnerabilities_return_all_vulnerabilities_if_version_is_none_and_no_version_match_all_is_true(
            self):
        vuln0 = Vulnerability(
            id="12345",
            title="Vulnerability0",
            affected_versions=[VersionRange(introduced_in="2.3.4")])
        vuln1 = Vulnerability(
            id="23456",
            title="Vulnerability1",
            affected_versions=[VersionRange(introduced_in="1.5.6")])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln = self.vulnerability_lister.list_vulnerabilities(
            None, vuln_list, no_version_match_all=True)

        self.assertEqual(len(applicable_vuln), 2)
    def test_list_vulnerabilities_return_empty_list_if_no_vuln_applicable_to_version(
            self):
        vuln0 = Vulnerability(id="12345",
                              title="Vulnerability0",
                              affected_versions=[
                                  VersionRange(introduced_in="4.4",
                                               fixed_in="4.6")
                              ])
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[VersionRange(fixed_in="3.9")])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "4.3", vuln_list)

        self.assertEqual(len(applicable_vuln0), 0)
        self.assertEqual(len(applicable_vuln1), 0)
    def test_serialize_vunlerability_list(self):
        schema = VulnerabilityListSchema()

        vuln_list = VulnerabilityList(
            producer="Test Provider",
            key="plugins/test-plugin",
            copyright="2016- Delve Labs inc.",
            license="GNU General Public License, version 2",
            vulnerabilities=[
                Vulnerability(id="1234", title="Multiple XSS"),
            ])

        data = serialize(schema, vuln_list)[0]
        self.assertIn('"producer": "Test Provider"', data)
        self.assertIn('"key": "plugins/test-plugin"', data)
        self.assertIn('"license": "GNU General Public License, version 2"',
                      data)
        self.assertIn('"copyright": "2016- Delve Labs inc."', data)
        self.assertIn('Multiple XSS', data)

        out, errors = schema.loads(data)
        self.assertEqual("1234", out.vulnerabilities[0].id)
    def test_list_vulnerabilities_apply_vulnerabilities_with_multiple_affected_versions(
            self):
        vuln = Vulnerability(id="12345",
                             title="Vulnerability",
                             affected_versions=[
                                 VersionRange(introduced_in="3.7",
                                              fixed_in="3.7.5"),
                                 VersionRange(introduced_in="4.0",
                                              fixed_in="4.0.10"),
                                 VersionRange(introduced_in="4.5",
                                              fixed_in="4.5.2")
                             ])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln])

        vuln_software0 = self.vulnerability_lister.list_vulnerabilities(
            "4.1.5", vuln_list)
        vuln_software1 = self.vulnerability_lister.list_vulnerabilities(
            "4.0.9", vuln_list)

        self.assertEqual(vuln_software0, [])
        self.assertEqual(vuln_software1[0].id, vuln.id)
    def test_list_vulnerabilities_return_all_vulnerabilities_with_no_introduced_nor_fixed_in(
            self):
        vuln0 = Vulnerability(id="12345", title="Vulnerability0")
        vuln1 = Vulnerability(id="23456",
                              title="Vulnerability1",
                              affected_versions=[VersionRange()])
        vuln_list = VulnerabilityList(key="wordpress",
                                      producer="producer",
                                      vulnerabilities=[vuln0, vuln1])

        applicable_vuln0 = self.vulnerability_lister.list_vulnerabilities(
            "4.7", vuln_list)
        applicable_vuln1 = self.vulnerability_lister.list_vulnerabilities(
            "0.1", vuln_list)
        applicable_vuln2 = self.vulnerability_lister.list_vulnerabilities(
            "100.2.3", vuln_list)

        self.assertIn(vuln0, applicable_vuln0)
        self.assertIn(vuln1, applicable_vuln0)
        self.assertIn(vuln0, applicable_vuln1)
        self.assertIn(vuln1, applicable_vuln1)
        self.assertIn(vuln0, applicable_vuln2)
        self.assertIn(vuln1, applicable_vuln2)
    def test_export_vulnerabilities_export_all_vuln_lists_in_one_file(self):
        plugin0_vuln0 = Vulnerability(id="0")
        plugin0_vuln1 = Vulnerability(id="1")
        plugin0_vuln_list = VulnerabilityList(
            producer="test",
            key="plugins/plugin0",
            vulnerabilities=[plugin0_vuln0, plugin0_vuln1])
        plugin1_vuln0 = Vulnerability(id="2")
        plugin1_vuln1 = Vulnerability(id="3")
        plugin1_vuln_list = VulnerabilityList(
            producer="test",
            key="plugins/plugin1",
            vulnerabilities=[plugin1_vuln0, plugin1_vuln1])
        theme_vuln0 = Vulnerability(id="4")
        theme_vuln1 = Vulnerability(id="5")
        theme_vuln_list = VulnerabilityList(
            producer="test",
            key="themes/theme",
            vulnerabilities=[theme_vuln0, theme_vuln1])
        wordpress_vuln0 = Vulnerability(id="6")
        wordpress_vuln1 = Vulnerability(id="7")
        wordpress_vuln_list = VulnerabilityList(
            producer="test",
            key="wordpress",
            vulnerabilities=[wordpress_vuln0, wordpress_vuln1])
        self.storage.add_vulnerability_lists({
            'plugins/plugin0': plugin0_vuln_list,
            'plugins/plugin1': plugin1_vuln_list,
            'themes/theme': theme_vuln_list,
            'wordpress': wordpress_vuln_list
        })

        self.exporter.export_vulnerabilities("path_to_dir")

        args, kwargs = self.exporter._dump.call_args
        vulnerability_list_group = args[1]
        self.assertEqual(vulnerability_list_group.producer, "vane2_export")
        vulnerability_lists = vulnerability_list_group.vulnerability_lists
        self.assert_object_with_attribute_value_in_container(
            "key", "plugins/plugin0", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "plugins/plugin1", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "themes/theme", vulnerability_lists)
        self.assert_object_with_attribute_value_in_container(
            "key", "wordpress", vulnerability_lists)
        exported_plugin0_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "plugins/plugin0", vulnerability_lists)
        exported_plugin1_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "plugins/plugin1", vulnerability_lists)
        exported_theme_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "themes/theme", vulnerability_lists)
        exported_wordpress_vuln_list = self.get_object_with_attribute_value_in_container(
            "key", "wordpress", vulnerability_lists)
        self.assertIn(plugin0_vuln0,
                      exported_plugin0_vuln_list.vulnerabilities)
        self.assertIn(plugin0_vuln1,
                      exported_plugin0_vuln_list.vulnerabilities)
        self.assertIn(plugin1_vuln0,
                      exported_plugin1_vuln_list.vulnerabilities)
        self.assertIn(plugin1_vuln1,
                      exported_plugin1_vuln_list.vulnerabilities)
        self.assertIn(theme_vuln0, exported_theme_vuln_list.vulnerabilities)
        self.assertIn(theme_vuln1, exported_theme_vuln_list.vulnerabilities)
        self.assertIn(wordpress_vuln0,
                      exported_wordpress_vuln_list.vulnerabilities)
        self.assertIn(wordpress_vuln1,
                      exported_wordpress_vuln_list.vulnerabilities)