In [1]:
import commons


# this is a list of features which are used in the Unpatched Vulnerability Score
features = [
    'Info about vulnerabilities in open-source project',
    'When first commit was done',
    'When a project started'
]

class TestVector(commons.BaseTestVector):
        
    def __init__(self, alias = ''):
        super().__init__(features, alias)

    def vulnerabilities(self, value):
        return self.set('Info about vulnerabilities in open-source project', value)
    
    def when_project_started(self, value):
        return self.set('When a project started', value)
    
    def when_first_commit_was_done(self, value):
        return self.set('When first commit was done', value)


test_vector_list = commons.TestVectorList(features)

In [2]:
# common constants
from datetime import datetime
from datetime import timedelta

today = datetime.today()
five_years_ago = today - timedelta(days = 5 * 365)

In [3]:
# info about vulnerabilities

vuln_id_major = 123
vuln_id_minor = 1

# generates a unique vulnerability ID
def vuln_id():
    global vuln_id_major
    global vuln_id_minor
    id = 'VULN-{}-{}'.format(vuln_id_major, vuln_id_minor)
    vuln_id_major = vuln_id_major + 1
    vuln_id_minor = vuln_id_minor + 1
    return id

# creates a vulnerability with a unique ID and specified parameters
def vulnerability(description = '', cvss_version = 'v3', cvss = '', 
                  resolution = 'patched', introduced = '', fixed = ''):
    return {
        'id': vuln_id(),
        'description': description,
        'cvss': {
            'version': cvss_version.upper(),
            'value': cvss,
        },
        'introduced': introduced,
        'fixed': fixed,
        'resolution': resolution.upper(),
        'references': []
    }

def vulnerabilities(entries):
    result = { 'entries': [] }
    for entry in entries:
        result['entries'].append(entry)
    return result

no_vulnerabilities = vulnerabilities([])

all_vulnerabilities_fixed_very_fast = vulnerabilities([
    vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-01-03'),
    vulnerability(cvss = 9.0, introduced = '2018-11-28', fixed = '2018-12-02'),
    vulnerability(cvss = 8.0, introduced = '2017-07-04', fixed = '2017-07-08')
])

all_vulnerabilities_fixed_fast = vulnerabilities([
    vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-01-12'),
    vulnerability(cvss = 9.0, introduced = '2018-11-28', fixed = '2018-12-10'),
    vulnerability(cvss = 8.0, introduced = '2017-07-04', fixed = '2017-07-10')
])

all_vulnerabilities_fixed_slow = vulnerabilities([
    vulnerability(cvss = 10.0, introduced = '2017-01-01', fixed = '2019-05-02'),
    vulnerability(cvss = 9.0, introduced = '2016-11-28', fixed = '2018-12-31'),
    vulnerability(cvss = 8.0, introduced = '2015-02-04', fixed = '2017-05-28')
])

In [4]:
test_vector_list.register(
    TestVector()
        .vulnerabilities('unknown')
        .when_project_started('unknown')
        .when_first_commit_was_done('unknown')
        .score_from(0.0)
        .score_to(1.0)
)

test_vector_list.register(
    TestVector()
        .vulnerabilities('unknown')
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(0.0)
        .score_to(3.0)
)

test_vector_list.register(
    TestVector()
        .vulnerabilities(no_vulnerabilities)
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(9.0)
        .score_to(10.0)
)

test_vector_list.register(
    TestVector()
        .vulnerabilities(all_vulnerabilities_fixed_very_fast)
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(9.0)
        .score_to(10.0)
)

test_vector_list.register(
    TestVector()
        .vulnerabilities(all_vulnerabilities_fixed_fast)
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(8.0)
        .score_to(10.0)
)

# TODO: 9.5 is too high
test_vector_list.register(
    TestVector()
        .vulnerabilities(all_vulnerabilities_fixed_slow)
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(5.0)
        .score_to(9.5)
)

# TODO: add more test vectors
# TODO: add test vectors for unpatched vulnerabilities

registered: test_vector_0
registered: test_vector_1
registered: test_vector_2
registered: test_vector_3
registered: test_vector_4
registered: test_vector_5


In [5]:
test_vector_list.check()

In [6]:
# define test vectors
test_vectors = test_vector_list.make_data_frame()

# store the test vectors to a CSV file
filename = '../../../resources/com/sap/sgs/phosphor/fosstars/model/score/oss/VulnerabilityLifetimeScoreTestVectors.csv'
test_vectors.to_csv(filename)

# print out the test vectors
test_vectors

Unnamed: 0,alias,score_from,score_to,label,Info about vulnerabilities in open-source project,When first commit was done,When a project started
0,test_vector_0,0.0,1.0,,unknown,unknown,unknown
1,test_vector_1,0.0,3.0,,unknown,2015-02-14 15:18:38.821263,2015-02-14 15:18:38.821263
2,test_vector_2,9.0,10.0,,{'entries': []},2015-02-14 15:18:38.821263,2015-02-14 15:18:38.821263
3,test_vector_3,9.0,10.0,,"{'entries': [{'id': 'VULN-123-1', 'description...",2015-02-14 15:18:38.821263,2015-02-14 15:18:38.821263
4,test_vector_4,8.0,10.0,,"{'entries': [{'id': 'VULN-126-4', 'description...",2015-02-14 15:18:38.821263,2015-02-14 15:18:38.821263
5,test_vector_5,5.0,9.5,,"{'entries': [{'id': 'VULN-129-7', 'description...",2015-02-14 15:18:38.821263,2015-02-14 15:18:38.821263
