-
Notifications
You must be signed in to change notification settings - Fork 201
/
test_npm.py
158 lines (128 loc) · 5.81 KB
/
test_npm.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Author: Navonil Das (@NavonilDas)
# Copyright (c) 2017 nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
# VulnerableCode should be considered or used as legal advice. Consult an Attorney
# for any legal advice.
# VulnerableCode is a free software code scanning tool from nexB Inc. and others.
# Visit https://github.com/nexB/vulnerablecode/ for support and download.
import os
import shutil
import tempfile
from unittest.mock import patch
import zipfile
from django.test import TestCase
from vulnerabilities import models
from vulnerabilities.import_runner import ImportRunner
from vulnerabilities.package_managers import NpmVersionAPI
from vulnerabilities.package_managers import Version
from vulnerabilities.importers.npm import categorize_versions
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
TEST_DATA = os.path.join(BASE_DIR, "test_data/")
MOCK_VERSION_API = NpmVersionAPI(
cache={
"jquery": {Version("3.4.0"), Version("3.8.0")},
"kerberos": {Version("0.5.8"), Version("1.2.0")},
"@hapi/subtext": {
Version("3.7.0"),
Version("4.1.1"),
Version("6.1.3"),
Version("7.0.0"),
Version("7.0.5"),
},
}
)
@patch("vulnerabilities.importers.NpmDataSource._update_from_remote")
class NpmImportTest(TestCase):
tempdir = None
@classmethod
def setUpClass(cls) -> None:
cls.tempdir = tempfile.mkdtemp()
zip_path = os.path.join(TEST_DATA, "npm.zip")
with zipfile.ZipFile(zip_path, "r") as zip_ref:
zip_ref.extractall(cls.tempdir)
cls.importer = models.Importer.objects.create(
name="npm_unittests",
license="",
last_run=None,
data_source="NpmDataSource",
data_source_cfg={
"repository_url": "https://example.git",
"working_directory": os.path.join(cls.tempdir, "npm/npm_test"),
"create_working_directory": False,
"remove_working_directory": False,
},
)
@classmethod
def tearDownClass(cls) -> None:
# Make sure no requests for unexpected package names have been made during the tests.
shutil.rmtree(cls.tempdir)
assert len(MOCK_VERSION_API.cache) == 3, MOCK_VERSION_API.cache
def test_import(self, _):
runner = ImportRunner(self.importer, 5)
with patch("vulnerabilities.importers.NpmDataSource.versions", new=MOCK_VERSION_API):
with patch("vulnerabilities.importers.NpmDataSource.set_api"):
runner.run()
assert models.Vulnerability.objects.count() == 3
assert models.VulnerabilityReference.objects.count() == 3
assert models.PackageRelatedVulnerability.objects.all().count() == 4
assert models.Package.objects.count() == 8
self.assert_for_package(
"jquery", {"3.4.0"}, {"3.8.0"}, "1518", vulnerability_id="CVE-2020-11022"
) # nopep8
self.assert_for_package("kerberos", {"0.5.8"}, {"1.2.0"}, "1514")
self.assert_for_package("subtext", {"4.1.1", "7.0.0"}, {"6.1.3", "7.0.5"}, "1476")
def assert_for_package(
self,
package_name,
impacted_versions,
resolved_versions,
vuln_id,
vulnerability_id=None,
):
vuln = None
for version in impacted_versions:
pkg = models.Package.objects.get(name=package_name, version=version)
assert pkg.vulnerabilities.count() == 1
vuln = pkg.vulnerabilities.first()
if vulnerability_id:
assert vuln.vulnerability_id == vulnerability_id
ref_url = f"https://registry.npmjs.org/-/npm/v1/advisories/{vuln_id}"
assert models.VulnerabilityReference.objects.get(url=ref_url, vulnerability=vuln)
for version in resolved_versions:
pkg = models.Package.objects.get(name=package_name, version=version)
assert models.PackageRelatedVulnerability.objects.filter(
patched_package=pkg, vulnerability=vuln
)
def test_categorize_versions_simple_ranges():
all_versions = {"3.4.0", "3.8.0"}
impacted_ranges = "<3.5.0"
resolved_ranges = ">=3.5.0"
impacted_versions, resolved_versions = categorize_versions(
all_versions, impacted_ranges, resolved_ranges
)
assert impacted_versions == {"3.4.0"}
assert resolved_versions == {"3.8.0"}
def test_categorize_versions_complex_ranges():
all_versions = {"3.7.0", "4.1.1", "6.1.3", "7.0.0", "7.0.5"}
impacted_ranges = ">=4.1.0 <6.1.3 || >= 7.0.0 <7.0.3"
resolved_ranges = ">=6.1.3 <7.0.0 || >=7.0.3"
impacted_versions, resolved_versions = categorize_versions(
all_versions, impacted_ranges, resolved_ranges
)
assert impacted_versions == {"4.1.1", "7.0.0"}
assert resolved_versions == {"3.7.0", "6.1.3", "7.0.5"}