def test_add_cve_does_not_overwrite_existing_cve(db, client):
    """Submitting a CVE that already has data must not clobber its fields.

    The request is accepted (200) and reported as merged, but the response
    also carries the "partially merged" message naming every field that was
    left alone. Only the reference list grows: the submitted URL is appended
    to the one already stored.
    """
    # NOTE(review): the pre-existing CVE (issue_types[3], low, local, 'foobar',
    # ...) is not created in this body; presumably a decorator or fixture
    # outside this view sets it up -- confirm.
    target = url_for('tracker.add_cve')
    payload = default_issue_dict(dict(
        cve=DEFAULT_ISSUE_ID,
        issue_type=issue_types[1],
        severity=Severity.critical.name,
        remote=Remote.remote.name,
        description='deadbeef',
        reference='https://security.archlinux.org',
        notes='very secret'))
    response = client.post(target, follow_redirects=True, data=payload)
    assert response.status_code == 200

    page = response.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page

    # The partial-merge notice lists the labels of the fields that kept their
    # stored value, in form order.
    form = CVEForm()
    skipped_labels = ', '.join(
        field.label.text
        for field in (form.issue_type, form.severity, form.remote,
                      form.description, form.notes))
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, skipped_labels) in page

    # Integrity check: none of the submitted values replaced stored data.
    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert stored.id == DEFAULT_ISSUE_ID
    assert stored.issue_type == issue_types[3]
    assert stored.severity == Severity.low
    assert stored.remote == Remote.local
    assert stored.description == 'foobar'
    assert stored.reference == 'https://archlinux.org\nhttps://security.archlinux.org'
    assert stored.notes == 'the cake is a lie'
def test_add_cve_overwrites_existing_but_empty_cve(db, client):
    """Submitting a CVE whose stored record is empty fills in every field.

    The response must report a merge without any "partially merged" notice,
    and the stored record must afterwards equal the submitted values.
    """
    # NOTE(review): the empty pre-existing CVE is presumably created by a
    # decorator or fixture that is not visible in this body -- confirm.
    new_type = issue_types[1]
    new_severity = Severity.critical
    new_remote = Remote.remote
    new_description = 'much wow'
    new_reference = 'https://security.archlinux.org'
    new_notes = 'very secret'

    target = url_for('tracker.add_cve')
    payload = default_issue_dict(dict(
        cve=DEFAULT_ISSUE_ID,
        issue_type=new_type,
        severity=new_severity.name,
        remote=new_remote.name,
        description=new_description,
        reference=new_reference,
        notes=new_notes))
    response = client.post(target, follow_redirects=True, data=payload)
    assert response.status_code == 200

    page = response.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page
    # Formatting with an empty field list yields the notice's fixed prefix,
    # so this rules out a partial merge regardless of which fields it names.
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page

    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert stored.id == DEFAULT_ISSUE_ID
    assert stored.issue_type == new_type
    assert stored.severity == new_severity
    assert stored.remote == new_remote
    assert stored.description == new_description
    assert stored.reference == new_reference
    assert stored.notes == new_notes
def test_merge_issue_as_security_team_with_referenced_advisory(db, client):
    """A privileged user may change a CVE that an advisory refers to.

    Posting a new description for DEFAULT_ISSUE_ID must succeed (200), be
    reported as a full merge, and be persisted.
    """
    # NOTE(review): neither the acting role nor the advisory reference is set
    # up in this body; presumably decorators/fixtures outside this view log in
    # a security-team user and create the advisory -- confirm.
    target = url_for('tracker.add_cve', cve=DEFAULT_ISSUE_ID)
    payload = default_issue_dict(dict(description='changed'))
    response = client.post(target, follow_redirects=True, data=payload)
    assert response.status_code == 200

    page = response.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) in page
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page

    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert stored.description == 'changed'
def test_merge_issue_as_reporter_with_referenced_advisory_fails(db, client):
    """A reporter must not be able to alter a CVE an advisory refers to.

    This is the authorization counterpart of the security-team test: the same
    request has to be rejected with 403, show the "referenced by advisory"
    error instead of any merge message, and leave the stored record untouched.
    """
    # NOTE(review): the reporter login and the advisory reference are not set
    # up in this body; presumably decorators/fixtures outside this view
    # provide them -- confirm.
    target = url_for('tracker.add_cve', cve=DEFAULT_ISSUE_ID)
    payload = default_issue_dict(dict(description='changed'))
    response = client.post(target, follow_redirects=True, data=payload)
    assert response.status_code == Forbidden.code

    page = response.data.decode()
    assert CVE_MERGED.format(DEFAULT_ISSUE_ID) not in page
    assert CVE_MERGED_PARTIALLY.format(DEFAULT_ISSUE_ID, '') not in page
    assert ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(DEFAULT_ISSUE_ID) in page

    # The denial must be enforced server-side, not only in the rendered page:
    # the submitted description may not have reached the database.
    stored = CVE.query.get(DEFAULT_ISSUE_ID)
    assert 'changed' not in stored.description