mirror of
https://github.com/cve-search/PyVulnerabilityLookup.git
synced 2025-01-18 18:46:19 +00:00
397 lines
17 KiB
Python
397 lines
17 KiB
Python
#!/usr/bin/env python3
|
|
|
|
import unittest
|
|
import uuid
|
|
import time
|
|
import os
|
|
|
|
from datetime import datetime, timezone, timedelta
|
|
|
|
from pyvulnerabilitylookup import PyVulnerabilityLookup
|
|
|
|
# NOTE:
|
|
# * to run the tests with a pre-configured admin key:
|
|
# API_KEY="<APIKEY>" pytest tests/test_web.py
|
|
# * to run the test against a local instance (fallback to public):
|
|
# INSTANCE_URL="http://0.0.0.0:10001" pytest tests/test_web.py
|
|
|
|
|
|
class TestPublic(unittest.TestCase):
|
|
|
|
def setUp(self) -> None:
|
|
self.admin_token = os.getenv("API_KEY", '').strip()
|
|
instance_url = os.getenv("INSTANCE_URL", 'https://vulnerability.circl.lu').strip()
|
|
self.public_test = instance_url == 'https://vulnerability.circl.lu'
|
|
self.client = PyVulnerabilityLookup(root_url=instance_url, token=self.admin_token)
|
|
|
|
def test_up(self) -> None:
|
|
self.assertTrue(self.client.is_up)
|
|
self.assertTrue(self.client.redis_up())
|
|
|
|
def test_get_vulnerability(self) -> None:
|
|
while True:
|
|
if vuln := self.client.get_vulnerability('PYSEC-2024-4'):
|
|
self.assertEqual(vuln['id'], 'PYSEC-2024-4')
|
|
break
|
|
print('waiting for pysec to be imported')
|
|
time.sleep(1)
|
|
|
|
def test_get_info(self) -> None:
|
|
info = self.client.get_info()
|
|
self.assertTrue(info['last_updates'])
|
|
self.assertTrue(info['db_sizes'])
|
|
|
|
def test_get_last(self) -> None:
|
|
last = self.client.get_last()
|
|
self.assertTrue(last)
|
|
self.assertTrue(isinstance(last, list))
|
|
last = self.client.get_last(number=1)
|
|
self.assertTrue(isinstance(last, list))
|
|
self.assertEqual(len(last), 1)
|
|
last = self.client.get_last(source='pysec')
|
|
for vuln in last:
|
|
self.assertTrue(vuln['id'].startswith('PYSEC'))
|
|
last = self.client.get_last(source='pysec', number=1)
|
|
self.assertEqual(len(last), 1)
|
|
self.assertTrue(last[-1]['id'].startswith('PYSEC'))
|
|
|
|
# TODO: POST Vulnerability / Delete vulnerability
|
|
# Test API
|
|
|
|
def test_get_vendors(self) -> None:
|
|
vendors = self.client.get_vendors()
|
|
self.assertTrue(isinstance(vendors, list))
|
|
|
|
def test_get_vendor_products(self) -> None:
|
|
if not self.public_test:
|
|
return None
|
|
products = self.client.get_vendor_products('misp')
|
|
self.assertTrue(isinstance(products, list))
|
|
self.assertTrue('misp' in products)
|
|
|
|
def test_get_vendor_product_vulnerabilities(self) -> None:
|
|
if not self.public_test:
|
|
return None
|
|
vulns = self.client.get_vendor_product_vulnerabilities('misp', 'misp')
|
|
self.assertTrue(isinstance(vulns, dict))
|
|
self.assertTrue('cvelistv5' in vulns)
|
|
|
|
# Test comments
|
|
|
|
def test_get_comments_public(self) -> None:
|
|
if not self.public_test:
|
|
return None
|
|
comments = self.client.get_comments()
|
|
self.assertTrue('metadata' in comments)
|
|
self.assertTrue('data' in comments)
|
|
self.assertTrue(len(comments['data']) > 0)
|
|
|
|
comments = self.client.get_comments(uuid='a309d024-2714-4a81-a425-60f83f6d5740')
|
|
self.assertTrue(len(comments['data']) == 1)
|
|
self.assertEqual(comments['data'][0]['uuid'], 'a309d024-2714-4a81-a425-60f83f6d5740')
|
|
|
|
comments = self.client.get_comments(vuln_id='CVE-2024-20401')
|
|
self.assertTrue(len(comments['data']) >= 1)
|
|
for comment in comments['data']:
|
|
self.assertEqual(comment['vulnerability'], 'CVE-2024-20401')
|
|
|
|
comments = self.client.get_comments(author='adulau')
|
|
self.assertTrue(len(comments['data']) >= 1)
|
|
for comment in comments['data']:
|
|
self.assertEqual(comment['author']['login'], 'adulau')
|
|
|
|
comments = self.client.get_comments(uuid='a309d024-2714-4a81-a425-60f83f6d5740',
|
|
vuln_id='CVE-2024-20401',
|
|
author='adulau')
|
|
self.assertTrue(len(comments['data']) == 1)
|
|
self.assertEqual(comments['data'][0]['uuid'], 'a309d024-2714-4a81-a425-60f83f6d5740')
|
|
self.assertEqual(comments['data'][0]['vulnerability'], 'CVE-2024-20401')
|
|
self.assertEqual(comments['data'][0]['author']['login'], 'adulau')
|
|
|
|
def test_comments_local(self) -> None:
|
|
if not self.admin_token:
|
|
# this test is only working if the admin token is set
|
|
return None
|
|
# Makes sure the userkey is set to the right one
|
|
self.client.set_apikey(self.admin_token)
|
|
comments = self.client.get_comments()
|
|
self.assertTrue("metadata" in comments)
|
|
self.assertTrue("data" in comments)
|
|
self.assertTrue(len(comments['data']) == 0)
|
|
self.assertEqual(comments['metadata']['count'], 0)
|
|
|
|
comment = {
|
|
"uuid": "a309d024-2714-4a81-a425-60f83f6d5740",
|
|
"title": "Comment",
|
|
"description": "Comment",
|
|
"description_format": "markdown",
|
|
"vulnerability": "CVE-2024-20401",
|
|
"related_vulnerabilities": ["ghsa-4rcj-fmjg-q9fv"],
|
|
}
|
|
comments = self.client.create_comment(comment=comment)
|
|
self.assertTrue(len(comments["data"]) == 1)
|
|
self.assertEqual(
|
|
comments["data"][0]["uuid"], "a309d024-2714-4a81-a425-60f83f6d5740"
|
|
)
|
|
|
|
comment = self.client.get_comment("a309d024-2714-4a81-a425-60f83f6d5740")
|
|
self.assertEqual(
|
|
comment["uuid"], "a309d024-2714-4a81-a425-60f83f6d5740"
|
|
)
|
|
comments = self.client.get_comments(uuid="a309d024-2714-4a81-a425-60f83f6d5740")
|
|
self.assertTrue(len(comments["data"]) == 1)
|
|
self.assertEqual(
|
|
comments["data"][0]["uuid"], "a309d024-2714-4a81-a425-60f83f6d5740"
|
|
)
|
|
|
|
comments = self.client.get_comments(vuln_id="CVE-2024-20401")
|
|
self.assertTrue(len(comments["data"]) >= 1)
|
|
for comment in comments["data"]:
|
|
self.assertEqual(comment["vulnerability"], "CVE-2024-20401")
|
|
|
|
# comments = self.client.get_comments(author='admin')
|
|
# self.assertTrue(len(comments['data']) >= 1)
|
|
# for comment in comments['data']:
|
|
# self.assertEqual(comment['author']['login'], 'admin') # type: ignore[call-overload]
|
|
|
|
comments = self.client.get_comments(
|
|
uuid="a309d024-2714-4a81-a425-60f83f6d5740", vuln_id="CVE-2024-20401"
|
|
)
|
|
self.assertTrue(len(comments["data"]) == 1)
|
|
self.assertEqual(
|
|
comments["data"][0]["uuid"], "a309d024-2714-4a81-a425-60f83f6d5740"
|
|
)
|
|
self.assertEqual(comments["data"][0]["vulnerability"], "CVE-2024-20401")
|
|
# self.assertEqual(comments['data'][0]['author']['login'], 'admin')
|
|
|
|
status_code = self.client.delete_comment("a309d024-2714-4a81-a425-60f83f6d5740")
|
|
self.assertTrue(status_code == 204)
|
|
comments = self.client.get_comments(uuid="a309d024-2714-4a81-a425-60f83f6d5740")
|
|
self.assertTrue(len(comments["data"]) == 0)
|
|
|
|
# Test bundles
|
|
|
|
def test_get_bundles_public(self) -> None:
|
|
if not self.public_test:
|
|
return None
|
|
bundles = self.client.get_bundles()
|
|
self.assertTrue('metadata' in bundles)
|
|
self.assertTrue('data' in bundles)
|
|
self.assertTrue(len(bundles['data']) > 0)
|
|
|
|
bundles = self.client.get_bundles(uuid='a23cbcad-e890-4df8-8736-9332ed4c3d47')
|
|
self.assertTrue(len(bundles['data']) == 1)
|
|
self.assertEqual(bundles['data'][0]['uuid'], 'a23cbcad-e890-4df8-8736-9332ed4c3d47')
|
|
|
|
bundles = self.client.get_bundles(vuln_id='CVE-2024-39573')
|
|
self.assertTrue(len(bundles['data']) >= 1)
|
|
for bundle in bundles['data']:
|
|
self.assertTrue('CVE-2024-39573' in bundle['related_vulnerabilities'])
|
|
|
|
bundles = self.client.get_bundles(author='adulau')
|
|
self.assertTrue(len(bundles['data']) >= 1)
|
|
for bundle in bundles['data']:
|
|
self.assertEqual(bundle['author']['login'], 'adulau')
|
|
|
|
bundles = self.client.get_bundles(uuid='a23cbcad-e890-4df8-8736-9332ed4c3d47',
|
|
vuln_id='CVE-2024-39573',
|
|
author='adulau')
|
|
self.assertTrue(len(bundles['data']) == 1)
|
|
self.assertEqual(bundles['data'][0]['uuid'], 'a23cbcad-e890-4df8-8736-9332ed4c3d47')
|
|
self.assertTrue('CVE-2024-39573' in bundles['data'][0]['related_vulnerabilities'])
|
|
self.assertEqual(bundles['data'][0]['author']['login'], 'adulau')
|
|
|
|
def test_bundles_local(self) -> None:
|
|
if not self.admin_token:
|
|
# this test is only working if the admin token is set
|
|
return None
|
|
# Makes sure the userkey is set to the right one
|
|
self.client.set_apikey(self.admin_token)
|
|
bundles = self.client.get_bundles()
|
|
self.assertTrue("metadata" in bundles)
|
|
self.assertTrue("data" in bundles)
|
|
self.assertTrue(len(bundles['data']) == 0)
|
|
self.assertEqual(bundles['metadata']['count'], 0)
|
|
|
|
bundle = {
|
|
"uuid": "a23cbcad-e890-4df8-8736-9332ed4c3d47",
|
|
"name": "Bundle",
|
|
"description": "Bundle",
|
|
"description_format": "markdown",
|
|
"related_vulnerabilities": ["ghsa-4rcj-fmjg-q9fv", "CVE-2024-39573"],
|
|
}
|
|
bundles = self.client.create_bundle(bundle=bundle)
|
|
self.assertTrue(len(bundles["data"]) == 1)
|
|
self.assertEqual(
|
|
bundles["data"][0]["uuid"], "a23cbcad-e890-4df8-8736-9332ed4c3d47"
|
|
)
|
|
|
|
bundles = self.client.get_bundles(uuid="a23cbcad-e890-4df8-8736-9332ed4c3d47")
|
|
self.assertTrue(len(bundles["data"]) == 1)
|
|
self.assertEqual(
|
|
bundles["data"][0]["uuid"], "a23cbcad-e890-4df8-8736-9332ed4c3d47"
|
|
)
|
|
|
|
bundles = self.client.get_bundles(vuln_id="CVE-2024-39573")
|
|
self.assertTrue(len(bundles["data"]) >= 1)
|
|
for bundle in bundles["data"]:
|
|
self.assertTrue("CVE-2024-39573" in bundle["related_vulnerabilities"])
|
|
|
|
# bundles = self.client.get_bundles(author='admin')
|
|
# self.assertTrue(len(bundles['data']) >= 1)
|
|
# for bundle in bundles['data']:
|
|
# self.assertEqual(bundle['author']['login'], 'admin') # type: ignore[call-overload]
|
|
|
|
bundles = self.client.get_bundles(
|
|
uuid="a23cbcad-e890-4df8-8736-9332ed4c3d47", vuln_id="CVE-2024-39573"
|
|
)
|
|
self.assertTrue(len(bundles["data"]) == 1)
|
|
self.assertEqual(
|
|
bundles["data"][0]["uuid"], "a23cbcad-e890-4df8-8736-9332ed4c3d47"
|
|
)
|
|
self.assertTrue(
|
|
"CVE-2024-39573" in bundles["data"][0]["related_vulnerabilities"]
|
|
)
|
|
# self.assertEqual(bundles['data'][0]['author']['login'], 'admin')
|
|
|
|
status_code = self.client.delete_bundle("a23cbcad-e890-4df8-8736-9332ed4c3d47")
|
|
self.assertTrue(status_code == 204)
|
|
comments = self.client.get_comments(uuid="a23cbcad-e890-4df8-8736-9332ed4c3d47")
|
|
self.assertTrue(len(comments["data"]) == 0)
|
|
|
|
# Test User
|
|
def test_create_user_not_allowed_login(self) -> None:
|
|
if self.public_test:
|
|
# Do not run that test against the public instance, it would create users.
|
|
return None
|
|
instance_config = self.client.get_config_info()
|
|
if not instance_config.get('registration'):
|
|
return None
|
|
for login in ['login', 'user', 'username', 'help', 'test', 'about', 'administration', 'account']:
|
|
user = self.client.create_user(name='test Name', login=login,
|
|
organisation='test Organization', email='test@testorg.local')
|
|
self.assertEqual(user['message'], 'Username not allowed.')
|
|
|
|
def test_users_info(self) -> None:
|
|
if not self.admin_token:
|
|
# this test is only working if the admin token is set
|
|
return None
|
|
# Makes sure the userkey is set to the right one
|
|
self.client.set_apikey(self.admin_token)
|
|
user_info = self.client.get_user_information()
|
|
self.assertTrue(isinstance(user_info, dict))
|
|
self.assertTrue('login' in user_info)
|
|
self.assertTrue('apikey' in user_info)
|
|
self.assertEqual(user_info['apikey'], self.admin_token)
|
|
|
|
def test_list_users(self) -> None:
|
|
if not self.admin_token:
|
|
# this test is only working if the admin token is set
|
|
return None
|
|
# Makes sure the userkey is set to the right one
|
|
self.client.set_apikey(self.admin_token)
|
|
users = self.client.list_users()
|
|
self.assertTrue(isinstance(users, dict))
|
|
self.assertTrue(len(users['data']) > 0)
|
|
got_admin = False
|
|
for user in users['data']:
|
|
self.assertTrue('login' in user)
|
|
self.assertTrue('apikey' in user)
|
|
if user['apikey'] == self.admin_token:
|
|
self.assertTrue(user['is_admin'])
|
|
got_admin = True
|
|
self.assertTrue(got_admin)
|
|
|
|
def test_create_user_comment(self) -> None:
|
|
if self.public_test:
|
|
# Do not run that test against the public instance, it would create users.
|
|
return None
|
|
instance_config = self.client.get_config_info()
|
|
if not instance_config.get('registration'):
|
|
return None
|
|
|
|
user = self.client.create_user(name='test Name', login='alan',
|
|
organisation='test Organization', email='test@testorg.local')
|
|
self.assertTrue(user)
|
|
self.assertTrue('id' in user, user)
|
|
uid = user['id']
|
|
self.assertTrue('login' in user, user)
|
|
self.assertTrue('apikey' in user, user)
|
|
self.assertTrue('is_commenter' in user, user)
|
|
self.assertTrue(user['is_commenter'])
|
|
self.client.set_apikey(user['apikey'])
|
|
comment = {'title': 'test', 'description': 'test',
|
|
'vulnerability': 'CVE-2024-20401',
|
|
'related_vulnerabilities': ['CVE-2024-20402']}
|
|
created_comment = self.client.create_comment(comment=comment)
|
|
new_comment_uuid = created_comment['data'][0]['uuid']
|
|
comment = self.client.get_comment(new_comment_uuid)
|
|
self.assertEqual(comment['title'], 'test', comment)
|
|
deleted_comment = self.client.delete_comment(new_comment_uuid)
|
|
self.assertTrue(deleted_comment < 300)
|
|
|
|
self.client.set_apikey(self.admin_token)
|
|
deleted_user = self.client.delete_user(str(uid))
|
|
self.assertTrue(deleted_user < 300)
|
|
|
|
# test Sightings
|
|
def test_sightings_public(self) -> None:
|
|
if not self.public_test:
|
|
return None
|
|
sighting_cve = self.client.get_sighting('6febe45d-d8de-4df7-b3ba-6cf7acd2e2b5')
|
|
self.assertTrue(sighting_cve)
|
|
self.assertTrue('uuid' in sighting_cve)
|
|
self.assertEqual(sighting_cve['uuid'], '6febe45d-d8de-4df7-b3ba-6cf7acd2e2b5')
|
|
|
|
sighting_cve_list = self.client.get_sightings(sighting_uuid='6febe45d-d8de-4df7-b3ba-6cf7acd2e2b5')
|
|
self.assertTrue(sighting_cve_list)
|
|
self.assertTrue('data' in sighting_cve_list)
|
|
self.assertTrue(len(sighting_cve_list['data']) == 1)
|
|
self.assertEqual(sighting_cve_list['data'][0], sighting_cve)
|
|
|
|
sighting_cve_list = self.client.get_sightings(vuln_id='CVE-2020-3532')
|
|
self.assertTrue(sighting_cve_list)
|
|
self.assertTrue('data' in sighting_cve_list)
|
|
self.assertTrue(len(sighting_cve_list['data']) > 0)
|
|
|
|
sighting_cve_list = self.client.get_sightings(author='automation')
|
|
self.assertTrue(sighting_cve_list)
|
|
self.assertTrue('data' in sighting_cve_list)
|
|
self.assertTrue(len(sighting_cve_list['data']) > 0)
|
|
|
|
sighting_cve_list = self.client.get_sightings(author='automation', vuln_id='CVE-2020-3532')
|
|
self.assertTrue(sighting_cve_list)
|
|
self.assertTrue('data' in sighting_cve_list)
|
|
self.assertTrue(len(sighting_cve_list['data']) > 0)
|
|
|
|
sighting_cve_list = self.client.get_sightings(author='automation', date_from=datetime.now(tz=timezone.utc) - timedelta(days=1), date_to=datetime.now(tz=timezone.utc))
|
|
self.assertTrue(sighting_cve_list)
|
|
self.assertTrue('data' in sighting_cve_list)
|
|
self.assertTrue(len(sighting_cve_list['data']) > 0)
|
|
|
|
def test_sightings_local(self) -> None:
|
|
if not self.admin_token:
|
|
# this test is only working if the admin token is set
|
|
return None
|
|
|
|
u1 = str(uuid.uuid4())
|
|
sighting = self.client.create_sighting(
|
|
sighting={
|
|
"vulnerability": "CVE-2024-20401",
|
|
"source": u1,
|
|
"type": "seen"
|
|
}
|
|
)
|
|
self.assertTrue(sighting)
|
|
print(sighting)
|
|
s = self.client.get_sighting(sighting['data'][0]['uuid'])
|
|
self.assertTrue('uuid' in s)
|
|
self.assertTrue('vulnerability' in s)
|
|
self.assertTrue('source' in s)
|
|
self.assertTrue('type' in s)
|
|
self.assertEqual(s['source'], u1)
|
|
|
|
u2 = str(uuid.uuid4())
|
|
sighting = self.client.create_sighting(source=u2, sighting_type='seen', vulnerability='CVE-2024-20401')
|
|
s = self.client.get_sighting(sighting['data'][0]['uuid'])
|
|
self.assertEqual(s['source'], u2)
|