Add a test for vex with affected and fixed package

Add package purl string as a bom ref Signed-off-by: ziadhany <ziadhany2016@gmail.com>
nexB · May 10, 2024 · ef028dc · ef028dc
1 parent d87b983
commit ef028dc
Show file tree

Hide file tree

Showing 5 changed files with 455 additions and 69 deletions.
diff --git a/dejacode_toolkit/tests/test_vex.py b/dejacode_toolkit/tests/test_vex.py
@@ -17,9 +17,10 @@
 from serializable import _SerializableJsonEncoder
 
 from component_catalog.models import Package
-from dejacode_toolkit import vex
-from dejacode_toolkit.vex import VEXCycloneDX
-from dejacode_toolkit.vex import vulnerability_format_vcic_to_cyclonedx
+from dejacode_toolkit.vex import create_auto_vex
+from dejacode_toolkit.vex import get_references_and_rating
+from dejacode_toolkit.vex import get_vex_document
+from dejacode_toolkit.vex import vulnerability_format_vcio_to_cyclonedx
 from dje.models import Dataspace
 from dje.tests import create_user
 from product_portfolio.models import Product
@@ -40,6 +41,10 @@ def setUp(self):
             name="Product1 With Space", version="1.0", dataspace=self.nexb_dataspace
         )
         self.package1 = Package.objects.create(filename="package1", dataspace=self.nexb_dataspace)
+        self.package1.type = "pypi"
+        self.package1.namespace = ""
+        self.package1.name = "flask"
+        self.package1.version = "2.3.2"
 
         self.productpacakge1 = ProductPackage.objects.create(
             product=self.product1, package=self.package1, dataspace=self.nexb_dataspace
@@ -56,6 +61,13 @@ def setUp(self):
                 " either directly or indirectly."
             ),
         )
+        self.vex2 = ProductPackageVEX.objects.create(
+            dataspace=self.productpacakge1.dataspace,
+            productpackage=self.productpacakge1,
+            vulnerability_id="VCID-z6fe-2j8a-aaak",
+            state="R",  # resolved
+            detail="This version of Product DEF has been fixed.",
+        )
 
     def test_create_auto_vex1(self):
         vulnerabilities = [
@@ -76,13 +88,13 @@ def test_create_auto_vex1(self):
                 ]
             },
         ]
-        assert ProductPackageVEX.objects.count() == 1
-        vex.create_auto_vex(self.package1, vulnerabilities)
         assert ProductPackageVEX.objects.count() == 2
+        create_auto_vex(self.package1, vulnerabilities)
+        assert ProductPackageVEX.objects.count() == 3
 
         # run create_auto_vex agian and make sure that the databse ignore errors
-        vex.create_auto_vex(self.package1, vulnerabilities)
-        assert ProductPackageVEX.objects.count() == 2
+        create_auto_vex(self.package1, vulnerabilities)
+        assert ProductPackageVEX.objects.count() == 3
 
     def test_create_auto_vex2(self):
         # duplicated vulnerability
@@ -104,9 +116,9 @@ def test_create_auto_vex2(self):
                 ]
             },
         ]
-        assert ProductPackageVEX.objects.count() == 1
-        vex.create_auto_vex(self.package1, vulnerabilities)
-        assert ProductPackageVEX.objects.count() == 1
+        assert ProductPackageVEX.objects.count() == 2
+        create_auto_vex(self.package1, vulnerabilities)
+        assert ProductPackageVEX.objects.count() == 2
 
     def test_get_references_and_rating(self):
         references = [
@@ -128,7 +140,7 @@ def test_get_references_and_rating(self):
                 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000136",
             }
         ]
-        ref, rate = vex.get_references_and_rating(references)
+        ref, rate = get_references_and_rating(references)
 
         assert json.dumps(
             ref,
@@ -169,7 +181,7 @@ def test_vulnerability_format_vcic_to_cyclonedx1(self):
         with open(vul_data_path) as f:
             vcio_vulnerability = json.load(f)
 
-        vulnerability = vulnerability_format_vcic_to_cyclonedx(vcio_vulnerability, self.vex1)
+        vulnerability = vulnerability_format_vcio_to_cyclonedx(vcio_vulnerability, self.vex1)
 
         cyclonedx_vul_data_path = os.path.join(
             os.path.dirname(__file__), "testfiles", "cyclonedx_vul1.json"
@@ -188,7 +200,7 @@ def test_vulnerability_format_vcic_to_cyclonedx2(self):
         with open(vul_data_path) as f:
             vcio_vulnerability = json.load(f)
 
-        vulnerability = vulnerability_format_vcic_to_cyclonedx(vcio_vulnerability, self.vex1)
+        vulnerability = vulnerability_format_vcio_to_cyclonedx(vcio_vulnerability, self.vex1)
 
         cyclonedx_vul_data_path = os.path.join(
             os.path.dirname(__file__), "testfiles", "cyclonedx_vul2.json"
@@ -202,7 +214,7 @@ def test_vulnerability_format_vcic_to_cyclonedx2(self):
             view_=SchemaVersion1Dot4,
         ) == json.dumps(cyclonedx_vul)
 
-    def test_vex_cyclonedx_export(self):
+    def test_get_vex_document1(self):
         vul_data_path = os.path.join(os.path.dirname(__file__), "testfiles", "vcio_vul1.json")
         with open(vul_data_path) as f:
             vcio_vulnerability = json.load(f)
@@ -211,4 +223,17 @@ def test_vex_cyclonedx_export(self):
         with open(vex_data_path) as f:
             vex_data = json.load(f)
 
-        assert VEXCycloneDX().export([vcio_vulnerability], [self.vex1]) == json.dumps(vex_data)
+        assert get_vex_document([vcio_vulnerability], [self.vex1]) == json.dumps(vex_data)
+
+    def test_get_vex_document2(self):
+        vul_data_path = os.path.join(os.path.dirname(__file__), "testfiles", "vcio_vul2.json")
+        with open(vul_data_path) as f:
+            vcio_vulnerability = json.load(f)
+
+        vex_data_path = os.path.join(os.path.dirname(__file__), "testfiles", "vex2.json")
+        with open(vex_data_path) as f:
+            vex_data = json.load(f)
+
+        assert get_vex_document(
+            [vcio_vulnerability], [self.vex2], spec_version="1.5"
+        ) == json.dumps(vex_data)
diff --git a/dejacode_toolkit/tests/testfiles/cyclonedx_vul2.json b/dejacode_toolkit/tests/testfiles/cyclonedx_vul2.json
@@ -1,7 +1,7 @@
 {
   "affects": [
     {
-      "ref": "urn:cdx:serialNumber/version#bom-ref",
+      "ref": "pkg:pypi/flask@2.3.2",
       "versions": [
         {
           "status": "affected",
@@ -123,6 +123,14 @@
           "status": "affected",
           "version": "1.0.2-3"
         },
+        {
+          "status": "unaffected",
+          "version": "1.0.2-3"
+        },
+        {
+          "status": "unaffected",
+          "version": "1.0.2-3+deb10u1"
+        },
         {
           "status": "affected",
           "version": "1.0.3"
@@ -147,6 +155,14 @@
           "status": "affected",
           "version": "1.1.2-2"
         },
+        {
+          "status": "unaffected",
+          "version": "1.1.2-2"
+        },
+        {
+          "status": "unaffected",
+          "version": "1.1.2-2+deb11u1"
+        },
         {
           "status": "affected",
           "version": "1.1.3"
@@ -227,6 +243,10 @@
           "status": "affected",
           "version": "2.2.2-2"
         },
+        {
+          "status": "unaffected",
+          "version": "2.2.2-3"
+        },
         {
           "status": "affected",
           "version": "2.2.3"
@@ -235,6 +255,14 @@
           "status": "affected",
           "version": "2.2.4"
         },
+        {
+          "status": "unaffected",
+          "version": "2.2.5"
+        },
+        {
+          "status": "unaffected",
+          "version": "2.2.5-1"
+        },
         {
           "status": "affected",
           "version": "2.3.0"
@@ -243,9 +271,21 @@
           "status": "affected",
           "version": "2.3.1"
         },
+        {
+          "status": "unaffected",
+          "version": "2.3.2"
+        },
         {
           "status": "affected",
           "version": "2:2.0.1-4.el9"
+        },
+        {
+          "status": "unaffected",
+          "version": "3.0.2-1"
+        },
+        {
+          "status": "unaffected",
+          "version": "3.0.3-1"
         }
       ]
     }