from __future__ import annotations
import tarfile
from unittest.mock import patch, MagicMock
import pytest
from vunnel import workspace
from vunnel.providers.nvd import overrides
@pytest.fixture
def overrides_tar(tmpdir):
    """Build a gzip-compressed overrides archive holding one well-formed entry.

    The single-entry JSON fixture is stored under the member name
    ``data/CVE-2011-0022.json``. The path of the archive inside ``tmpdir``
    is returned.
    """
    archive_path = tmpdir.join("overrides.tar.gz")
    with tarfile.open(archive_path, "w:gz") as archive:
        # The source path is relative, so it is resolved against the current
        # working directory of the test run.
        archive.add(
            "tests/unit/providers/nvd/test-fixtures/single-entry.json",
            arcname="data/CVE-2011-0022.json",
        )
    return archive_path
@pytest.fixture
def path_traversal_tar(tmpdir):
    """Build an overrides archive whose only member name contains ``..`` components.

    The member is stored as ``data/../../CVE-2011-0022.json``, a name that
    resolves outside the ``data/`` directory when joined to an extraction
    root. The path of the archive inside ``tmpdir`` is returned.
    """
    # NOTE(review): no test visible in this file requests this fixture, so the
    # extraction path is not exercised against a traversal member name here —
    # confirm a test asserting that such an archive is rejected exists.
    archive_path = tmpdir.join("overrides.tar.gz")
    with tarfile.open(archive_path, "w:gz") as archive:
        archive.add(
            "tests/unit/providers/nvd/test-fixtures/single-entry.json",
            arcname="data/../../CVE-2011-0022.json",
        )
    return archive_path
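@patch("vunnel.providers.nvd.overrides.http.get")
def test_overrides_disabled(mock_requests, tmpdir):
    """A disabled NVDOverrides must not fetch anything and must expose no data.

    ``mock_requests`` is the mock that replaces ``http.get`` in the overrides
    module for the duration of the test.
    """
    subject = overrides.NVDOverrides(
        enabled=False,
        url="http://localhost:8080/failed",
        workspace=workspace.Workspace(tmpdir, "test", create=True),
    )
    # Seed the in-memory data so the lookups below would return something if
    # the enabled flag were ignored.
    subject.__data_by_cve__ = {"CVE-2020-0000": {"fail": True}}

    # ensure http.get is not called: the patch target is http.get itself, so
    # the assertion belongs on the mock, not on its auto-created ``.get``
    # child attribute (which is never called and would always pass).
    subject.download()
    mock_requests.assert_not_called()

    # ensure cve returns None
    assert subject.cve("CVE-2020-0000") is None
    assert subject.cves() == []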
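@patch("vunnel.providers.nvd.overrides.http.get")
def test_overrides_enabled(mock_requests, overrides_tar, tmpdir):
    """An enabled NVDOverrides downloads the archive and serves its entry from memory.

    ``mock_requests`` replaces ``http.get`` in the overrides module; its
    response hands back the bytes of the ``overrides_tar`` fixture archive.
    """
    # Read the archive once through a context manager so the file handle is
    # closed, rather than opening it inside the lambda and never closing it.
    with open(overrides_tar, "rb") as archive:
        payload = archive.read()

    mock_requests.return_value = MagicMock(status_code=200, iter_content=lambda: [payload])

    subject = overrides.NVDOverrides(
        enabled=True,
        url="http://localhost:8080/failed",
        workspace=workspace.Workspace(tmpdir, "test", create=True),
    )
    subject.download()

    assert subject.cve("CVE-2011-0022") is not None
    assert subject.cves() == ["CVE-2011-0022"]

    # verify the data is cached in memory — subsequent calls must not re-read files
    assert subject.__data_by_cve__ is not None
    assert "CVE-2011-0022" in subject.__data_by_cve__
    first_call_data = subject.cve("CVE-2011-0022")
    second_call_data = subject.cve("CVE-2011-0022")
    assert first_call_data is second_call_data  # same object, no re-parse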