In [1]:
import commons


# this is a list of features which are used in the Unpatched Vulnerability Score
features = [
    'Info about vulnerabilities in open-source project',
    'When first commit was done',
    'When a project started'
]

class TestVector(commons.BaseTestVector):
        
    def __init__(self, alias = ''):
        super().__init__(features, alias)

    def vulnerabilities(self, entries):
        if entries == 'unknown':
            value = 'unknown'
        else:
            value = { 'entries': [] }
            for entry in entries:
                value['entries'].append(entry)
        return self.set('Info about vulnerabilities in open-source project', value)
    
    def when_project_started(self, value):
        return self.set('When a project started', value)
    
    def when_first_commit_was_done(self, value):
        return self.set('When first commit was done', value)


test_vector_list = commons.TestVectorList(features)

In [2]:
# common constants
from datetime import datetime
from datetime import timedelta

today = datetime.today()
five_years_ago = today - timedelta(days = 5 * 365)

In [3]:
# info about vulnerabilities

vuln_id_major = 123
vuln_id_minor = 1

# generates a unique vulnerability ID
def vuln_id():
    global vuln_id_major
    global vuln_id_minor
    id = 'VULN-{}-{}'.format(vuln_id_major, vuln_id_minor)
    vuln_id_major = vuln_id_major + 1
    vuln_id_minor = vuln_id_minor + 1
    return id

# creates a vulnerability with a unique ID and specified parameters
def vulnerability(description = '', cvss_version = 'v3', cvss = '', 
                  resolution = 'patched', introduced = '', fixed = ''):
    return {
        'id': vuln_id(),
        'description': description,
        'cvss': {
            'version': cvss_version.upper(),
            'value': cvss,
        },
        'introduced': introduced,
        'fixed': fixed,
        'resolution': resolution.upper(),
        'references': []
    }

In [4]:
# all feature are unknown
test_vector_list.register(
    TestVector()
        .vulnerabilities('unknown')
        .when_project_started('unknown')
        .when_first_commit_was_done('unknown')
        .score_from(0.0)
        .score_to(1.0)
)

# no info about vulnerabilities
test_vector_list.register(
    TestVector()
        .vulnerabilities('unknown')
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(0.0)
        .score_to(3.0)
)

# no vulnerabilities
test_vector_list.register(
    TestVector()
        .vulnerabilities([])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(9.0)
        .score_to(10.0)
)

# all vulnerabilities are fixed within a week (good)
test_vector_list.register(
    TestVector()
        .vulnerabilities([
            vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-01-07'),
            vulnerability(cvss = 9.0,  introduced = '2018-02-01', fixed = '2018-02-07'),
            vulnerability(cvss = 8.0,  introduced = '2017-03-01', fixed = '2017-03-07'),
            vulnerability(cvss = 7.0,  introduced = '2016-04-01', fixed = '2016-04-07'),
            vulnerability(cvss = 6.0,  introduced = '2015-05-01', fixed = '2015-05-07'),
            vulnerability(cvss = 5.0,  introduced = '2019-06-01', fixed = '2019-06-07'),
            vulnerability(cvss = 4.0,  introduced = '2018-07-01', fixed = '2018-07-07'),
            vulnerability(cvss = 3.0,  introduced = '2017-01-01', fixed = '2017-01-07'),
            vulnerability(cvss = 2.0,  introduced = '2016-02-01', fixed = '2016-02-07'),
            vulnerability(cvss = 1.0,  introduced = '2015-03-01', fixed = '2015-03-07'),
        ])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(9.0)
        .score_to(10.0)
)

# all vulnerabilities are fixed within a month (not bad)
test_vector_list.register(
    TestVector()
        .vulnerabilities([
            vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-02-01'),
            vulnerability(cvss = 9.0,  introduced = '2018-02-01', fixed = '2018-03-01'),
            vulnerability(cvss = 8.0,  introduced = '2017-03-01', fixed = '2017-04-01'),
            vulnerability(cvss = 7.0,  introduced = '2016-04-01', fixed = '2016-05-01'),
            vulnerability(cvss = 6.0,  introduced = '2019-05-01', fixed = '2019-06-01'),
            vulnerability(cvss = 5.0,  introduced = '2018-06-01', fixed = '2018-07-01'),
            vulnerability(cvss = 4.0,  introduced = '2017-07-01', fixed = '2017-08-01'),
            vulnerability(cvss = 3.0,  introduced = '2016-01-01', fixed = '2016-02-01'),
            vulnerability(cvss = 2.0,  introduced = '2019-02-01', fixed = '2019-03-01'),
            vulnerability(cvss = 1.0,  introduced = '2018-03-01', fixed = '2018-04-01'),
        ])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(7.0)
        .score_to(9.0)
)

# all vulnerabilities are fixed within 3 month (not too bad)
test_vector_list.register(
    TestVector()
        .vulnerabilities([
            vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-04-01'),
            vulnerability(cvss = 9.0,  introduced = '2018-02-01', fixed = '2018-05-01'),
            vulnerability(cvss = 8.0,  introduced = '2017-03-01', fixed = '2017-06-01'),
            vulnerability(cvss = 7.0,  introduced = '2016-04-01', fixed = '2016-07-01'),
            vulnerability(cvss = 6.0,  introduced = '2019-05-01', fixed = '2019-08-01'),
            vulnerability(cvss = 5.0,  introduced = '2018-06-01', fixed = '2018-09-01'),
            vulnerability(cvss = 4.0,  introduced = '2017-07-01', fixed = '2017-10-01'),
            vulnerability(cvss = 3.0,  introduced = '2016-01-01', fixed = '2016-04-01'),
            vulnerability(cvss = 2.0,  introduced = '2019-02-01', fixed = '2019-05-01'),
            vulnerability(cvss = 1.0,  introduced = '2018-03-01', fixed = '2018-06-01'),
        ])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(4.0)
        .score_to(6.0)
)

# all vulnerabilities are fixed within 6 month (not good)
test_vector_list.register(
    TestVector()
        .vulnerabilities([
            vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2019-07-01'),
            vulnerability(cvss = 9.0,  introduced = '2018-02-01', fixed = '2018-08-01'),
            vulnerability(cvss = 8.0,  introduced = '2017-03-01', fixed = '2017-09-01'),
            vulnerability(cvss = 7.0,  introduced = '2016-04-01', fixed = '2016-10-01'),
            vulnerability(cvss = 6.0,  introduced = '2019-05-01', fixed = '2019-11-01'),
            vulnerability(cvss = 5.0,  introduced = '2018-06-01', fixed = '2018-12-01'),
            vulnerability(cvss = 4.0,  introduced = '2017-01-01', fixed = '2017-07-01'),
            vulnerability(cvss = 3.0,  introduced = '2016-02-01', fixed = '2016-08-01'),
            vulnerability(cvss = 2.0,  introduced = '2019-03-01', fixed = '2019-09-01'),
            vulnerability(cvss = 1.0,  introduced = '2018-04-01', fixed = '2018-10-01'),
        ])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(1.0)
        .score_to(4.0)
)

# all vulnerabilities are fixed within a year (bad)
test_vector_list.register(
    TestVector()
        .vulnerabilities([
            vulnerability(cvss = 10.0, introduced = '2019-01-01', fixed = '2020-01-01'),
            vulnerability(cvss = 9.0,  introduced = '2018-02-01', fixed = '2019-02-01'),
            vulnerability(cvss = 8.0,  introduced = '2017-03-01', fixed = '2018-03-01'),
            vulnerability(cvss = 7.0,  introduced = '2015-04-01', fixed = '2016-04-01'),
            vulnerability(cvss = 6.0,  introduced = '2016-05-01', fixed = '2017-05-01'),
            vulnerability(cvss = 5.0,  introduced = '2016-06-01', fixed = '2017-06-01'),
            vulnerability(cvss = 4.0,  introduced = '2018-07-01', fixed = '2019-07-01'),
            vulnerability(cvss = 3.0,  introduced = '2017-01-01', fixed = '2018-01-01'),
            vulnerability(cvss = 2.0,  introduced = '2016-02-01', fixed = '2017-02-01'),
            vulnerability(cvss = 1.0,  introduced = '2018-03-01', fixed = '2019-03-01'),
        ])
        .when_project_started(five_years_ago)
        .when_first_commit_was_done(five_years_ago)
        .score_from(0.0)
        .score_to(2.0)
)

# TODO: add test vectors for unpatched vulnerabilities

registered: test_vector_0
registered: test_vector_1
registered: test_vector_2
registered: test_vector_3
registered: test_vector_4
registered: test_vector_5
registered: test_vector_6
registered: test_vector_7


In [5]:
test_vector_list.check()

In [6]:
# define test vectors
test_vectors = test_vector_list.make_data_frame()

# store the test vectors to a CSV file
filename = '../../../resources/com/sap/sgs/phosphor/fosstars/model/score/oss/VulnerabilityLifetimeScoreTestVectors.csv'
test_vectors.to_csv(filename)

# print out the test vectors
test_vectors

Unnamed: 0,alias,score_from,score_to,label,Info about vulnerabilities in open-source project,When first commit was done,When a project started
0,test_vector_0,0.0,1.0,,unknown,unknown,unknown
1,test_vector_1,0.0,3.0,,unknown,2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
2,test_vector_2,9.0,10.0,,{'entries': []},2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
3,test_vector_3,9.0,10.0,,"{'entries': [{'id': 'VULN-123-1', 'description...",2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
4,test_vector_4,7.0,9.0,,"{'entries': [{'id': 'VULN-133-11', 'descriptio...",2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
5,test_vector_5,4.0,6.0,,"{'entries': [{'id': 'VULN-143-21', 'descriptio...",2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
6,test_vector_6,1.0,4.0,,"{'entries': [{'id': 'VULN-153-31', 'descriptio...",2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
7,test_vector_7,0.0,2.0,,"{'entries': [{'id': 'VULN-163-41', 'descriptio...",2015-03-21 19:19:51.706010,2015-03-21 19:19:51.706010
