def test_get_python_vulnerabilities_found(self, mock_popen, app_config):
    """Map each row of safety's JSON report onto one ``Vulnerability``.

    The scanner subprocess is replaced by ``mock_popen``: it is handed exit
    status 255 plus the canned report, so nothing is executed and the
    parser must still read the report that accompanies a non-zero status.
    Findings are compared as sets, so their order is not asserted.
    """
    app = self.get_app(app_config)

    # safety's --json output is a list of 5-element rows
    # (see https://github.com/pyupio/safety#--json). Column order:
    # dependency name, affected version spec, installed version,
    # vulnerability summary, advisory id. Note that the advisory id is
    # not carried into Vulnerability (no field for it in the expectation).
    findings = [
        ['mylibrary', '<1.0.0', '0.9.0', 'This is an error', '654'],
        ['otherlib', '<2.0.0', '1.4.0', 'This is also an error', '123'],
    ]
    mock_popen(255, output=json.dumps(findings))

    expected = {
        Vulnerability(
            type='python',
            dependency='mylibrary',
            installed_version='0.9.0',
            affected_versions='<1.0.0',
            description='This is an error',
        ),
        Vulnerability(
            type='python',
            dependency='otherlib',
            installed_version='1.4.0',
            affected_versions='<2.0.0',
            description='This is also an error',
        ),
    }
    assert set(app.get_python_vulnerabilities()) == expected
def test_run_log(self, app_config):
    """Without a Sentry DSN, ``run`` hands the findings to ``alert_log``."""
    app = self.get_app(app_config)
    finding = Vulnerability(
        type='python',
        dependency='mylibrary',
        installed_version='0.9.0',
        affected_versions='<1.0.0',
        description='This is an error',
    )
    # Stub both scanners so only the dispatch inside run() is exercised:
    # one Python finding, no JavaScript findings, and a spy on the log sink.
    with mock.patch.object(app, 'get_python_vulnerabilities', return_value=[finding]), \
         mock.patch.object(app, 'get_javascript_vulnerabilities', return_value=[]), \
         mock.patch.object(app, 'alert_log') as alert_log:
        app.run()
        alert_log.assert_called_with([finding])
def test_run_raven(self, app_config):
    """With a Sentry DSN configured, ``run`` routes the findings to ``alert_sentry``.

    The DSN is read from ``app_config['sentry.dsn']`` and is expected to be
    forwarded unchanged as the first argument of ``alert_sentry``. The value
    used here is a placeholder with masked credentials, not a real DSN.
    """
    dsn = 'https://*****:*****@example.com/123456'
    app_config['sentry.dsn'] = dsn
    app = self.get_app(app_config)

    finding = Vulnerability(
        type='python',
        dependency='mylibrary',
        installed_version='0.9.0',
        affected_versions='<1.0.0',
        description='This is an error',
    )
    # Stub both scanners and spy on the Sentry sink; run() must pick the
    # Sentry path over logging when a DSN is present.
    with mock.patch.object(app, 'get_python_vulnerabilities', return_value=[finding]), \
         mock.patch.object(app, 'get_javascript_vulnerabilities', return_value=[]), \
         mock.patch.object(app, 'alert_sentry') as alert_sentry:
        app.run()
        alert_sentry.assert_called_with(dsn, [finding])
def test_get_javascript_vulnerabilities_found(self, mock_popen, app_config):
    """Map each nsp advisory onto one ``Vulnerability``.

    The report handed to ``mock_popen`` (with exit status 1) is adapted from
    nsp's output for a jQuery advisory. Only ``module``, ``version``,
    ``vulnerable_versions`` and the ``advisory`` URL are expected to surface;
    the CVSS data, title and overview text are not asserted on, and the
    ``description`` field carries the advisory URL rather than the overview.

    NOTE(review): another test method of the same name appears later in
    this file; if both live in the same class, the later definition shadows
    this one and it never runs — confirm and rename if so.
    """
    app = self.get_app(app_config)

    def nsp_advisory(advisory_id, module, version, vulnerable, overview):
        # Field order mirrors nsp's report so the serialised output is
        # unchanged; only the per-advisory values vary between entries.
        return {
            'id': advisory_id,
            'updated_at': '2017-04-20T04:19:42.040Z',
            'created_at': '2017-03-20T21:50:28.000Z',
            'publish_date': '2017-03-21T18:23:53.000Z',
            'overview': overview,
            'recommendation': 'Upgrade to v3.0.0 or greater.',
            'cvss_vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N',
            'cvss_score': 7.2,
            'module': module,
            'version': version,
            'vulnerable_versions': vulnerable,
            'patched_versions': '>=3.0.0',
            'title': 'Cross-Site Scripting (XSS)',
            'path': [
                '[email protected]',
                '[email protected]',
            ],
            'advisory': 'https://nodesecurity.io/advisories/{}'.format(advisory_id),
        }

    report = [
        nsp_advisory(328, 'mylibrary', '0.9.0', '<1.0.0', 'This is an error'),
        nsp_advisory(327, 'otherlib', '1.4.0', '<2.0.0', 'This is also an error'),
    ]
    mock_popen(1, output=json.dumps(report))

    expected = {
        Vulnerability(
            type='javascript',
            dependency='mylibrary',
            installed_version='0.9.0',
            affected_versions='<1.0.0',
            description='https://nodesecurity.io/advisories/328',
        ),
        Vulnerability(
            type='javascript',
            dependency='otherlib',
            installed_version='1.4.0',
            affected_versions='<2.0.0',
            description='https://nodesecurity.io/advisories/327',
        ),
    }
    assert set(app.get_javascript_vulnerabilities()) == expected
def test_get_javascript_vulnerabilities_found(self, mock_popen, app_config):
    """Map an ``npm audit`` advisory onto one ``Vulnerability``.

    The report handed to ``mock_popen`` (with exit status 1) is adapted from
    npm audit's JSON output. The installed version comes from the advisory's
    first ``findings`` entry, the affected range from ``vulnerable_versions``,
    and ``description`` carries the advisory ``url``; the CVE list, severity,
    CWE and ``metadata`` counters are not surfaced by the expectation.

    NOTE(review): an earlier test method in this file has the same name; if
    both live in the same class, this definition shadows it — confirm and
    rename one of them if so.
    """
    app = self.get_app(app_config)

    # A single finding: where the vulnerable module was installed.
    finding = {
        "version": "1.0.0",
        "paths": [
            "foo>foo-cli>pants"
        ],
        "dev": True,
        "optional": False,
        "bundled": False
    }

    # The advisory keyed by its string id, as npm audit nests it.
    # Key order is kept as in the upstream report so the JSON is unchanged.
    advisory = {
        "findings": [finding],
        "id": 722,
        "created": "2018-11-05T17:04:20.221Z",
        "updated": "2018-11-05T17:04:20.221Z",
        "deleted": None,
        "title": "Prototype pollution",
        "found_by": {
            "link": "",
            "name": "jeff"
        },
        "reported_by": {
            "link": "",
            "name": "jeff"
        },
        "module_name": "pants",
        "cves": [
            "CVE-2018-42"
        ],
        "vulnerable_versions": "<=1.0.0",
        "patched_versions": ">=1.0.1",
        "overview": "Versions of `pants` before 1.0.0 have problems.",
        "recommendation": "Update to version 1.0.1 or later.",
        "references": "- [report](https://example.com/)",
        "access": "public",
        "severity": "low",
        "cwe": "CWE-42",
        "metadata": {
            "module_type": "",
            "exploitability": 2,
            "affected_components": "recursive leggings"
        },
        "url": "https://example.com/advisories/42"
    }

    report = {
        # "actions" is left empty: nothing in the app consumes it.
        "actions": [],
        "advisories": {
            "111": advisory
        },
        "muted": [],
        "metadata": {
            "vulnerabilities": {
                "info": 0,
                "low": 9,
                "moderate": 0,
                "high": 0,
                "critical": 0
            },
            "dependencies": 271,
            "devDependencies": 29443,
            "optionalDependencies": 550,
            "totalDependencies": 29714
        },
        "runId": "6eaec258-cf71-43b7-95df-7ba256ecf1c2"
    }
    mock_popen(1, output=json.dumps(report))

    expected = {
        Vulnerability(
            type='javascript',
            dependency='pants',
            installed_version='1.0.0',
            affected_versions='<=1.0.0',
            description='https://example.com/advisories/42',
        ),
    }
    assert set(app.get_javascript_vulnerabilities()) == expected