Skip to content

Commit

Permalink
Update postgresql importer and testing #969
Browse files Browse the repository at this point in the history 
Reference: #969

Signed-off-by: John M. Horan <[email protected]>
  • Loading branch information
@johnmhoran
johnmhoran committed Nov 8, 2022
1 parent fe09441 commit b6c09ba
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 173 deletions.
58 changes: 57 additions & 1 deletion vulnerabilities/importers/postgresql.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,10 +54,15 @@ def updated_advisories(self):


def to_advisories(data):
print("\n\n>> This is a test.")
print("\n=====")
advisories = []
soup = BeautifulSoup(data, features="lxml")
table = soup.select("table")[0]
test_row_count = 0
for row in table.select("tbody tr"):
test_row_count += 1
print("\ntest_row_count = {}".format(test_row_count))
ref_col, affected_col, fixed_col, severity_score_col, desc_col = row.select("td")
summary = desc_col.text
pkg_qualifiers = {}
Expand Down Expand Up @@ -89,10 +94,15 @@ def to_advisories(data):

# This will replace the affected_packages and fixed_packages lists above. ============
affected_packages = []
# do I need to trim these? e.g., affected_version_list = [x.strip() for x in affected_col.text.split(',')]
affected_version_list = affected_col.text.split(",")
fixed_version_list = fixed_col.text.split(",")
package_count = len(affected_version_list)

print("\naffected_version_list = {}".format(affected_version_list))
print("\nfixed_version_list = {}".format(fixed_version_list))
print("\npackage_count = {}".format(package_count))

while package_count > 0:
summary = summary

Expand All @@ -105,7 +115,7 @@ def to_advisories(data):

fixed = fixed_version_list[0]
fixed_version_list.pop(0)
# Do we need "if affected else None"?
# Do we need "if fixed else None"?
fixed_version = GenericVersion(fixed) if fixed else None

package_count -= 1
Expand All @@ -115,18 +125,31 @@ def to_advisories(data):
name="postgresql",
type="generic",
namespace="postgresql",
qualifiers=pkg_qualifiers,
),
affected_version_range=affected_version_range,
fixed_version=fixed_version,
)
affected_packages.append(affected_package)

print("\naffected_package = {}".format(affected_package))
print("\n\taffected_package.package = {}".format(affected_package.package))
print(
"\n\taffected_package.affected_version_range = {}".format(
affected_package.affected_version_range
)
)
print("\n\taffected_package.fixed_version = {}".format(affected_package.fixed_version))

print("\ninterim package_count = {}".format(package_count))

# end of initial draft insert ===================================

try:
cve_id = ref_col.select("nobr")[0].text
# This is for the anomaly in https://www.postgresql.org/support/security/8.1/ 's
# last entry
# Note: in this example and others, final entry/entries have no CVE in the 1st column
except IndexError:
pass

Expand Down Expand Up @@ -167,6 +190,39 @@ def to_advisories(data):
)
)

print("\n------------------------------------")

print("\ntotal test_advisories (i.e., AdvisoryData objects) = {}".format(len(advisories)))
print("\nadvisories = {}".format(advisories))

test_advisory_count = 0
for test_advisory in advisories:
test_advisory_count += 1
print("\ntest_advisory #{} = {}".format(test_advisory_count, test_advisory))
print("\n\ttest_advisory.aliases = {}".format(test_advisory.aliases))
print("\n\ttest_advisory.summary = {}".format(test_advisory.summary))
print("\n\ttest_advisory.affected_packages = {}".format(test_advisory.affected_packages))
for test_affected_package in test_advisory.affected_packages:
print("\n\ttest_affected_package = {}".format(test_affected_package))
print("\n\t\ttest_affected_package.package = {}".format(test_affected_package.package))
print(
"\n\t\ttest_affected_package.affected_version_range = {}".format(
test_affected_package.affected_version_range
)
)
print(
"\n\t\ttest_affected_package.fixed_version = {}".format(
test_affected_package.fixed_version
)
)
print("\n\ttest_advisory.references = {}".format(test_advisory.references))
for test_reference in test_advisory.references:
print("\n\ttest_test_reference = {}".format(test_reference))

print("\n------------------------------------")

print("\n>> This is the end of the test.\n")

return advisories


Expand Down
178 changes: 6 additions & 172 deletions vulnerabilities/tests/test_postgresql.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@


class TestPostgreSQLImporter(TestCase):
# This is the original test. When it first failed I began correcting the obvious errors,
# but quickly concluded I needed to revise postgresql.py instead and left this as is.
def test_to_advisories(self):

with open(TEST_DATA) as f:
Expand Down Expand Up @@ -201,181 +203,13 @@ def test_to_advisories(self):
expected_advisories = list(map(AdvisoryData, expected_advisories))
assert sorted(found_advisories) == sorted(expected_advisories)

# 10/27/2022 Thursday 6:40:04 PM. This is intended to be an updated test -- but I have barely started to work on it!
# Focusing instead on postgresql.py for now.
def test_to_advisories_updated(self):
# My new, skeletal test, designed only to run the to_advisories() print statements
# on the original advisories.html test input file.
def test_to_advisories_simple(self):

with open(TEST_DATA) as f:
raw_data = f.read()

expected_advisories = [
AdvisoryData(
summary="ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-1720",
aliases=["CVE-2020-1720"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="10",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="10.12",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="11",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="11.7",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="12",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="12.2",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="9.6",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="9.6.17",
),
),
],
references=[
Reference(
reference_id="",
url="https://www.postgresql.org/about/news/postgresql-122-117-1012-9617-9521-and-9426-released-2011/",
),
Reference(
reference_id="",
url="https://www.postgresql.org/support/security/CVE-2020-1720/",
severities=[
VulnerabilitySeverity(
system=severity_systems.CVSSV3,
value="3.1",
),
VulnerabilitySeverity(
system=severity_systems.CVSSV3_VECTOR,
value=["AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"],
),
],
),
],
),
AdvisoryData(
summary="Windows installer runs executables from uncontrolled directoriesmore details",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-10733",
aliases=["CVE-2020-10733"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="10",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="10.13",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="11",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="11.8",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="12",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="12.3",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="9.6",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="9.6.18",
qualifiers={"os": "windows"},
),
),
],
references=[
Reference(
reference_id="",
url="https://www.postgresql.org/about/news/postgresql-123-118-1013-9618-and-9522-released-2038/",
),
Reference(
reference_id="",
url="https://www.postgresql.org/support/security/CVE-2020-10733/",
severities=[
VulnerabilitySeverity(
system=severity_systems.CVSSV3,
value="6.7",
),
VulnerabilitySeverity(
system=severity_systems.CVSSV3_VECTOR,
value=["AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"],
),
],
),
],
),
]

found_advisories = to_advisories(raw_data)

# 10/26/2022 Wednesday 7:07:13 PM. Throws error: AttributeError: type object 'AdvisoryData' has no attribute 'normalized'
# found_advisories = list(map(AdvisoryData.normalized, found_advisories))
# found_advisories = list(map(AdvisoryData, found_advisories))
# expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
# expected_advisories = list(map(AdvisoryData, expected_advisories))
assert sorted(found_advisories) == sorted(expected_advisories)
# do nothing more -- we're just trying to trigger print statements in to_advisories()

0 comments on commit b6c09ba

Please sign in to comment.