  def test_ecosystem_bridge(self, mock_publish):
    """Importing a PyPI record publishes to the tasks topic and the PyPI bridge.

    The source repo created by setUp is replaced with a GIT-backed 'PyPI'
    source, a minimal PYSEC record is committed, the importer is run, and
    both expected Pub/Sub publishes are checked (in order).
    """
    # Swap the fixture's source repo for a PyPI one backed by the local mock git repo.
    self.source_repo.key.delete()
    self.source_repo = osv.SourceRepository(
        type=osv.SourceRepositoryType.GIT,
        id='PyPI',
        name='PyPI',
        repo_url='file://' + self.remote_source_repo_path,
        repo_username='')
    self.source_repo.put()

    # Minimal vulnerability record; the bridge is expected to echo it back as JSON.
    record_name = 'PYSEC-2021-1.yaml'
    record_yaml = 'id: PYSEC-2021-1\npackage:\n  name: pkg\n  ecosystem: PyPI\n'
    self.mock_repo.add_file(record_name, record_yaml)
    self.mock_repo.commit('User', 'user@email')

    runner = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir,
                               'bucket')
    runner.run()

    # First publish: the update task, pinned to the digest of the committed file.
    expected_task = mock.call(
        'projects/oss-vdb/topics/tasks',
        data=b'',
        type='update',
        source='PyPI',
        path=record_name,
        original_sha256=('cb700a08fa26d2e494670b9edd49d66e'
                         '957ef4c9a1f7a4c4975c888e6d9da4f7'),
        deleted='false')
    # Second publish: the ecosystem bridge receives the record re-encoded as JSON.
    expected_bridge = mock.call(
        'projects/oss-vdb/topics/pypi-bridge',
        data=b'{"id": "PYSEC-2021-1", "package": '
        b'{"name": "pkg", "ecosystem": "PyPI"}}')
    # assert_has_calls checks these appear in this order, not that they are the only calls.
    mock_publish.assert_has_calls([expected_task, expected_bridge])
    def setUp(self):
        """Reset the datastore emulator and register a bucket-backed source repo.

        Leaves ``self.tmp_dir`` pointing at a fresh scratch directory and
        ``self.source_repo`` stored as a BUCKET source whose entries carry a
        ``.json`` extension.
        """
        tests.reset_emulator()
        self.maxDiff = None  # pylint: disable=invalid-name
        self.tmp_dir = tempfile.mkdtemp()

        # Presumably pins the clock so timestamps written under test are stable;
        # see tests.mock_datetime.
        tests.mock_datetime(self)

        bucket_source = osv.SourceRepository(
            type=osv.SourceRepositoryType.BUCKET,
            id='bucket',
            name='bucket',
            bucket=TEST_BUCKET,
            extension='.json')
        self.source_repo = bucket_source
        bucket_source.put()
    def setUp(self):
        """Seed a git source repo with three BLAH-* records and matching Bug entities.

        Clones are redirected to ``self.mock_clone`` (the real function is kept
        in ``self.original_clone``), the clock is mocked, and three golang Bugs
        whose source of truth is the repo are stored: one without commits, one
        with a regressed commit, one with regressed and fixed commits.
        """
        self.maxDiff = None
        tests.reset_emulator()

        # Keep the real clone around — presumably so self.mock_clone can delegate to it.
        self.original_clone = pygit2.clone_repository
        tests.mock_clone(self, func=self.mock_clone)

        tests.mock_datetime(self)
        repo = tests.mock_repository(self)
        self.remote_source_repo_path = repo.path

        # Initialise fake source_repo.
        self.tmp_dir = tempfile.TemporaryDirectory()

        # NOTE(review): a second mock repository is created here and receives the
        # files, while remote_source_repo_path points at the first one — confirm
        # tests.mock_repository returns the same repository both times.
        self.mock_repo = tests.mock_repository(self)
        for entry_name in ('BLAH-123.yaml', 'BLAH-124.yaml', 'BLAH-125.yaml'):
            self.mock_repo.add_file(
                entry_name,
                self._load_test_data(os.path.join(TEST_DATA_DIR, entry_name)))
        self.mock_repo.commit('User', 'user@email')

        osv.SourceRepository(id='source',
                             name='source',
                             repo_url='file://' + self.remote_source_repo_path,
                             repo_username='').put()

        # Fields shared by all three seeded bugs.
        shared = dict(project='blah.com/package',
                      ecosystem='golang',
                      source_of_truth=osv.SourceOfTruth.SOURCE_REPO)
        osv.Bug(id='BLAH-123', source_id='source:BLAH-123.yaml', **shared).put()
        osv.Bug(id='BLAH-124',
                regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd',
                source_id='source:BLAH-124.yaml',
                **shared).put()
        osv.Bug(id='BLAH-125',
                regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd',
                fixed='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735',
                source_id='source:BLAH-125.yaml',
                **shared).put()
    def setUp(self):
        """Prepare an 'oss-fuzz' git source repo fixture and one pre-existing Bug.

        google.cloud.storage.Client is patched out so no real GCS traffic can
        happen (the patch is undone via addCleanup), a git-backed 'oss-fuzz'
        SourceRepository is pointed at the local mock repository, and Bug
        2017-134 is stored with INTERNAL as its source of truth.
        """
        self.maxDiff = None  # pylint: disable=invalid-name
        self.tmp_dir = tempfile.mkdtemp()

        tests.mock_datetime(self)
        self.mock_repo = tests.mock_repository(self)

        # Replace the storage client class for the whole test; stop it on cleanup.
        storage_patcher = mock.patch('google.cloud.storage.Client')
        self.addCleanup(storage_patcher.stop)
        self.mock_storage_client = storage_patcher.start()

        self.remote_source_repo_path = self.mock_repo.path
        source = osv.SourceRepository(
            id='oss-fuzz',
            name='oss-fuzz',
            repo_url='file://' + self.remote_source_repo_path,
            repo_username='')
        self.source_repo = source
        source.put()

        # The same tracker URL appears in the details text and in reference_urls.
        issue_url = 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064'
        crash_details = ('OSS-Fuzz report: ' + issue_url + '\n\n'
                         'Crash type: Heap-buffer-overflow READ 1\n'
                         'Crash state:\ncdf_file_property_info\ncdf_file_summary_info\n'
                         'cdf_check_summary_info\n')
        osv.Bug(
            id='2017-134',
            affected=['FILE5_29', 'FILE5_30'],
            affected_fuzzy=['5-29', '5-30'],
            details=crash_details,
            ecosystem='OSS-Fuzz',
            fixed='19ccebafb7663c422c714e0c67fa4775abf91c43',
            has_affected=True,
            issue_id='1064',
            project='file',
            public=True,
            reference_urls=[issue_url],
            regressed='17ee4cf670c363de8d2ea4a4897d7a699837873f',
            repo_url='https://github.com/file/file.git',
            search_indices=['file', '2017-134', '2017', '134'],
            severity='MEDIUM',
            sort_key='2017-0000134',
            source_id='oss-fuzz:5417710252982272',
            source_of_truth=osv.SourceOfTruth.INTERNAL,
            status=1,
            summary='Heap-buffer-overflow in cdf_file_property_info',
            timestamp=datetime.datetime(2021, 1, 15, 0, 0, 24, 559102)).put()
  def setUp(self):
    """Create an empty bare git repo as the 'oss-fuzz' source and seed Bug 2017-134.

    The Bug mirrors a real OSS-Fuzz record (crash details, regressed/fixed
    commits, search indices) so tests can exercise the update path on it.
    """
    self.maxDiff = None  # pylint: disable=invalid-name
    self.tmp_dir = tempfile.mkdtemp()
    self.remote_source_repo_path = os.path.join(self.tmp_dir, 'source_repo')

    # Initialise fake source_repo: a bare repository holding one empty commit.
    bare_repo = pygit2.init_repository(self.remote_source_repo_path, True)
    signature = pygit2.Signature('OSV', '*****@*****.**')  # address redacted in listing
    bare_repo.create_commit('HEAD', signature, signature, 'Initial commit',
                            bare_repo.TreeBuilder().write(), [])

    osv.SourceRepository(
        id='oss-fuzz',
        name='oss-fuzz',
        repo_url='file://' + self.remote_source_repo_path,
        repo_username='').put()

    # The same tracker URL appears in the details text and in reference_urls.
    issue_url = 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064'
    crash_details = ('OSS-Fuzz report: ' + issue_url + '\n\n'
                     'Crash type: Heap-buffer-overflow READ 1\n'
                     'Crash state:\ncdf_file_property_info\ncdf_file_summary_info\n'
                     'cdf_check_summary_info\n')
    osv.Bug(
        id='2017-134',
        affected=['FILE5_29', 'FILE5_30'],
        affected_fuzzy=['5-29', '5-30'],
        confidence=100,
        details=crash_details,
        ecosystem='',
        fixed='19ccebafb7663c422c714e0c67fa4775abf91c43',
        has_affected=True,
        issue_id='1064',
        project='file',
        public=True,
        reference_urls=[issue_url],
        regressed='17ee4cf670c363de8d2ea4a4897d7a699837873f',
        repo_url='https://github.com/file/file.git',
        search_indices=['file', '2017-134', '2017', '134'],
        severity='MEDIUM',
        sort_key='2017-0000134',
        source_id='oss-fuzz:5417710252982272',
        status=1,
        summary='Heap-buffer-overflow in cdf_file_property_info',
        timestamp=datetime.datetime(2021, 1, 15, 0, 0, 24, 559102)).put()
  def setUp(self):
    """Reset the emulator and register a git-backed 'oss-fuzz' source repo.

    google.cloud.storage.Client is patched out for the duration of the test
    (undone via addCleanup) so nothing reaches real GCS; the local mock git
    repository stands in for the remote source repo.
    """
    tests.reset_emulator()
    self.maxDiff = None  # pylint: disable=invalid-name
    self.tmp_dir = tempfile.mkdtemp()

    tests.mock_datetime(self)
    self.mock_repo = tests.mock_repository(self)

    # Replace the storage client class for the whole test; stop it on cleanup.
    storage_patcher = mock.patch('google.cloud.storage.Client')
    self.addCleanup(storage_patcher.stop)
    self.mock_storage_client = storage_patcher.start()

    self.remote_source_repo_path = self.mock_repo.path
    source = osv.SourceRepository(
        id='oss-fuzz',
        name='oss-fuzz',
        repo_url='file://' + self.remote_source_repo_path,
        repo_username='')
    self.source_repo = source
    source.put()
文件: worker_test.py 项目: jr69ss/osv
    def setUp(self):
        """Build a bare git source repo holding BLAH-123.yaml and a matching Bug.

        pygit2.clone_repository is redirected to ``self.mock_clone`` (the real
        function is kept in ``self.original_clone``) and osv.types.utcnow is
        pinned to 2021-01-01 for the test's lifetime.
        """
        self.maxDiff = None
        tests.reset_emulator()

        # TODO(ochang): Refactor out into common test utilities.
        self.original_clone = pygit2.clone_repository
        self.clone_repository_patcher = mock.patch('pygit2.clone_repository')
        self.clone_repository_patcher.start().side_effect = self.mock_clone
        # NOTE(review): unlike the utcnow patch below, this patcher is not
        # registered with addCleanup here — presumably tearDown stops it; confirm.

        utcnow_patcher = mock.patch('osv.types.utcnow')
        utcnow_patcher.start().return_value = datetime.datetime(2021, 1, 1)
        self.addCleanup(utcnow_patcher.stop)

        # Initialise fake source_repo.
        self.tmp_dir = tempfile.TemporaryDirectory()
        self.remote_source_repo_path = os.path.join(self.tmp_dir.name,
                                                    'source_repo')
        bare_repo = pygit2.init_repository(self.remote_source_repo_path, True)
        signature = pygit2.Signature('OSV', '*****@*****.**')  # address redacted in listing
        bare_repo.create_commit('HEAD', signature, signature, 'Initial commit',
                                bare_repo.TreeBuilder().write(), [])

        # Add a source: write the YAML as a blob, stage it and commit on top of HEAD.
        entry_name = 'BLAH-123.yaml'
        blob_oid = bare_repo.write(
            pygit2.GIT_OBJ_BLOB,
            self._load_test_data(os.path.join(TEST_DATA_DIR, entry_name)))
        bare_repo.index.add(
            pygit2.IndexEntry(entry_name, blob_oid, pygit2.GIT_FILEMODE_BLOB))
        bare_repo.index.write()
        bare_repo.create_commit('HEAD', signature, signature, 'Changes',
                                bare_repo.index.write_tree(),
                                [bare_repo.head.peel().oid])

        osv.SourceRepository(id='source',
                             name='source',
                             repo_url='file://' + self.remote_source_repo_path,
                             repo_username='').put()

        osv.Bug(id='BLAH-123', project='blah.com/package',
                ecosystem='golang').put()
    def test_mark_bug_invalid(self):
        """mark_bug_invalid sets the Bug to INVALID and removes its AffectedCommits."""
        osv.SourceRepository(id='oss-fuzz', name='oss-fuzz',
                             db_prefix='OSV-').put()
        bug_id = 'OSV-2021-1'
        osv.Bug(db_id=bug_id, source_id='oss-fuzz:1337').put()
        # Two commit rows with auto-allocated keys; both must be gone afterwards.
        for _ in range(2):
            osv.AffectedCommit(bug_id=bug_id).put()

        # source_id is left blank; the handler presumably resolves the bug from
        # the source's db_prefix plus testcase_id.
        message = mock.Mock()
        message.attributes = {
            'type': 'invalid',
            'testcase_id': '1337',
            'source_id': '',
        }

        worker.mark_bug_invalid(message)

        stored_bug = ndb.Key(osv.Bug, bug_id).get()
        self.assertEqual(osv.BugStatus.INVALID, stored_bug.status)
        self.assertEqual([], list(osv.AffectedCommit.query()))
    def setUp(self):
        """Seed an UNPROCESSED OSS-Fuzz bug and a private AffectedCommit for cleanup tests."""
        tests.reset_emulator()
        self.maxDiff = None

        # Clones are answered with the checked-in 'osv-test' repository.
        tests.mock_clone(self, return_value=pygit2.Repository('osv-test'))
        tests.mock_datetime(self)

        osv.SourceRepository(id='oss-fuzz', name='oss-fuzz',
                             db_prefix='OSV-').put()

        bug_key = 'OSV-2020-1337'
        osv.Bug(db_id=bug_key,
                timestamp=datetime.datetime(2020, 1, 1),
                source_id='oss-fuzz:123',
                status=osv.BugStatus.UNPROCESSED,
                public=False).put()

        # Given an explicit id so a test can assert that it was deleted.
        osv.AffectedCommit(id=bug_key + '-abcd',
                           bug_id=bug_key,
                           commit='abcd',
                           project='project',
                           ecosystem='ecosystem',
                           public=False).put()
    def setUp(self):
        """Bare git 'oss-fuzz' source repo with one user commit plus Bug 2017-134.

        The repo gets an initial empty commit by 'OSV' and a second commit by
        'User' adding an empty '2021-111.yaml'. osv.types.utcnow is pinned to
        2021-01-01 for the test's lifetime.
        """
        self.maxDiff = None  # pylint: disable=invalid-name
        self.tmp_dir = tempfile.mkdtemp()
        self.remote_source_repo_path = os.path.join(self.tmp_dir,
                                                    'source_repo')

        utcnow_patcher = mock.patch('osv.types.utcnow')
        utcnow_patcher.start().return_value = datetime.datetime(2021, 1, 1)
        self.addCleanup(utcnow_patcher.stop)

        # Initialise fake source_repo: a bare repository holding one empty commit.
        bare_repo = pygit2.init_repository(self.remote_source_repo_path, True)
        osv_signature = pygit2.Signature('OSV', '*****@*****.**')  # address redacted in listing
        bare_repo.create_commit('HEAD', osv_signature, osv_signature,
                                'Initial commit', bare_repo.TreeBuilder().write(),
                                [])

        # Add a fake user change.
        # NOTE(review): the repo was initialised bare (second argument True), so
        # this file lands beside the git metadata rather than in a worktree; the
        # commit below is built from the empty blob written via repo.write().
        entry_name = '2021-111.yaml'
        with open(os.path.join(self.remote_source_repo_path, entry_name),
                  'w') as f:
            f.write('')

        blob_oid = bare_repo.write(pygit2.GIT_OBJ_BLOB, '')
        bare_repo.index.add(
            pygit2.IndexEntry(entry_name, blob_oid, pygit2.GIT_FILEMODE_BLOB))
        bare_repo.index.write()
        user_signature = pygit2.Signature('User', 'user@email')
        bare_repo.create_commit('HEAD', user_signature, user_signature, 'Changes',
                                bare_repo.index.write_tree(),
                                [bare_repo.head.peel().oid])

        osv.SourceRepository(id='oss-fuzz',
                             name='oss-fuzz',
                             repo_url='file://' + self.remote_source_repo_path,
                             repo_username='').put()

        # The same tracker URL appears in the details text and in reference_urls.
        issue_url = 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064'
        crash_details = ('OSS-Fuzz report: ' + issue_url + '\n\n'
                         'Crash type: Heap-buffer-overflow READ 1\n'
                         'Crash state:\ncdf_file_property_info\ncdf_file_summary_info\n'
                         'cdf_check_summary_info\n')
        osv.Bug(
            id='2017-134',
            affected=['FILE5_29', 'FILE5_30'],
            affected_fuzzy=['5-29', '5-30'],
            confidence=100,
            details=crash_details,
            ecosystem='',
            fixed='19ccebafb7663c422c714e0c67fa4775abf91c43',
            has_affected=True,
            issue_id='1064',
            project='file',
            public=True,
            reference_urls=[issue_url],
            regressed='17ee4cf670c363de8d2ea4a4897d7a699837873f',
            repo_url='https://github.com/file/file.git',
            search_indices=['file', '2017-134', '2017', '134'],
            severity='MEDIUM',
            sort_key='2017-0000134',
            source_id='oss-fuzz:5417710252982272',
            status=1,
            summary='Heap-buffer-overflow in cdf_file_property_info',
            timestamp=datetime.datetime(2021, 1, 15, 0, 0, 24, 559102)).put()
    def test_scheduled_updates(self, mock_publish):
        """A scheduled run publishes an 'update' task and an 'impact' task.

        Three empty YAML files are committed to the mock repo and one Bug is
        seeded per file with differing source_of_truth / timestamp values. After
        the importer runs, two publishes are checked: an update task for
        OSV-2021-1337 and an impact task for OSV-2021-1339. assert_has_calls
        verifies these appear in order; it does not verify that nothing else
        was published.
        """
        for entry_name in ('proj/OSV-2021-1337.yaml', 'proj/OSV-2021-1339.yaml',
                           'OSV-2021-1338.yaml'):
            self.mock_repo.add_file(entry_name, '')
        self.mock_repo.commit('OSV', '*****@*****.**')  # address redacted in listing

        osv.SourceRepository(type=osv.SourceRepositoryType.GIT,
                             id='source',
                             name='source',
                             repo_url='file://' + self.remote_source_repo_path,
                             repo_username='').put()

        old_timestamp = datetime.datetime(2020, 1, 1, 0, 0, 0, 0)
        # Repo is the source of truth and the record is old: an update task is expected.
        osv.Bug(db_id='OSV-2021-1337',
                project='proj',
                ecosystem='OSS-Fuzz',
                status=1,
                source_id='oss-fuzz:123',
                source_of_truth=osv.SourceOfTruth.SOURCE_REPO,
                timestamp=old_timestamp).put()
        # Timestamp equals the (mocked) current time; no publish is asserted for it.
        osv.Bug(db_id='OSV-2021-1338',
                project='proj',
                source_id='source:OSV-2021-1338.yaml',
                status=1,
                source_of_truth=osv.SourceOfTruth.SOURCE_REPO,
                timestamp=importer.utcnow(),
                affected_ranges=[{
                    'fixed': 'fix',
                    'repo_url': 'repo',
                    'type': 'GIT',
                }]).put()
        # INTERNAL source of truth: an impact task is expected instead of an update.
        osv.Bug(db_id='OSV-2021-1339',
                project='proj',
                ecosystem='OSS-Fuzz',
                status=1,
                source_id='oss-fuzz:124',
                source_of_truth=osv.SourceOfTruth.INTERNAL,
                timestamp=old_timestamp).put()

        runner = importer.Importer('fake_public_key', 'fake_private_key',
                                   self.tmp_dir, 'bucket')
        runner.run()

        # e3b0c442...b855 is the SHA-256 of the empty string, i.e. of the empty
        # file committed above.
        expected_update = mock.call(
            'projects/oss-vdb/topics/tasks',
            data=b'',
            deleted='false',
            original_sha256=('e3b0c44298fc1c149afbf4c8996fb924'
                             '27ae41e4649b934ca495991b7852b855'),
            path='proj/OSV-2021-1337.yaml',
            source='oss-fuzz',
            type='update')
        expected_impact = mock.call(
            'projects/oss-vdb/topics/tasks',
            allocated_id='OSV-2021-1339',
            data=b'',
            source_id='oss-fuzz:124',
            type='impact')
        mock_publish.assert_has_calls([expected_update, expected_impact])

        # 'oss-fuzz' is not created in this method; presumably setUp stores it.
        # Its last_update_date should now match the mocked clock.
        source_repo = osv.SourceRepository.get_by_id('oss-fuzz')
        self.assertEqual(datetime.date(2021, 1, 1),
                         source_repo.last_update_date)
  def test_scheduled_updates(self, mock_publish):
    """A scheduled run publishes an 'update' task and an 'impact' task.

    Three _EMPTY_VULNERABILITY files are committed to the mock repo and one
    Bug is seeded per file with differing source_of_truth / timestamp values.
    After the importer runs, two publishes are checked: an update task for
    OSV-2021-1337 and an impact task for OSV-2021-1339. assert_has_calls
    verifies these appear in order; it does not verify that nothing else was
    published.
    """
    for entry_name in ('proj/OSV-2021-1337.yaml', 'proj/OSV-2021-1339.yaml',
                       'OSV-2021-1338.yaml'):
      self.mock_repo.add_file(entry_name, _EMPTY_VULNERABILITY)
    self.mock_repo.commit('OSV', '*****@*****.**')  # address redacted in listing

    osv.SourceRepository(
        type=osv.SourceRepositoryType.GIT,
        id='source',
        name='source',
        repo_url='file://' + self.remote_source_repo_path,
        repo_username='').put()

    def oss_fuzz_proj():
      # Fresh objects per bug, as the original inline literals produced.
      return [
          osv.AffectedPackage(
              package=osv.Package(ecosystem='OSS-Fuzz', name='proj'))
      ]

    old_timestamp = datetime.datetime(2020, 1, 1, 0, 0, 0, 0)
    # Repo is the source of truth and the record is old: an update task is expected.
    osv.Bug(
        db_id='OSV-2021-1337',
        affected_packages=oss_fuzz_proj(),
        status=1,
        source_id='oss-fuzz:123',
        source_of_truth=osv.SourceOfTruth.SOURCE_REPO,
        timestamp=old_timestamp).put()
    # Timestamp equals the (mocked) current time; no publish is asserted for it.
    osv.Bug(
        db_id='OSV-2021-1338',
        affected_packages=[
            osv.AffectedPackage(
                package=osv.Package(ecosystem='ecosystem', name='proj'),
                ranges=[
                    osv.AffectedRange2(
                        type='GIT',
                        events=[
                            osv.AffectedEvent(type='introduced', value='0'),
                            osv.AffectedEvent(type='fixed', value='fix'),
                        ])
                ])
        ],
        source_id='source:OSV-2021-1338.yaml',
        status=1,
        source_of_truth=osv.SourceOfTruth.SOURCE_REPO,
        timestamp=importer.utcnow()).put()
    # INTERNAL source of truth: an impact task is expected instead of an update.
    osv.Bug(
        db_id='OSV-2021-1339',
        affected_packages=oss_fuzz_proj(),
        status=1,
        source_id='oss-fuzz:124',
        source_of_truth=osv.SourceOfTruth.INTERNAL,
        timestamp=old_timestamp).put()

    runner = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir,
                               'bucket')
    runner.run()

    # original_sha256 is presumably the digest of _EMPTY_VULNERABILITY as committed.
    expected_update = mock.call(
        'projects/oss-vdb/topics/tasks',
        data=b'',
        deleted='false',
        original_sha256=('bd3cc48676794308a58a19c97972a5e5'
                         '42abcc9eb948db5701421616432cc0b9'),
        path='proj/OSV-2021-1337.yaml',
        source='oss-fuzz',
        type='update')
    expected_impact = mock.call(
        'projects/oss-vdb/topics/tasks',
        allocated_id='OSV-2021-1339',
        data=b'',
        source_id='oss-fuzz:124',
        type='impact')
    mock_publish.assert_has_calls([expected_update, expected_impact])

    # 'oss-fuzz' is not created in this method; presumably setUp stores it.
    # Its last_update_date should now match the mocked clock.
    source_repo = osv.SourceRepository.get_by_id('oss-fuzz')
    self.assertEqual(datetime.date(2021, 1, 1), source_repo.last_update_date)