diff --git a/tests/auxiliary/test_vex/bom.json b/tests/auxiliary/test_vex/bom.json
deleted file mode 100644
index e38d3dd8..00000000
--- a/tests/auxiliary/test_vex/bom.json
+++ /dev/null
@@ -1,166 +0,0 @@
-{
- "bomFormat": "CycloneDX",
- "specVersion": "1.3",
- "version": 1,
- "metadata": {
- "timestamp": "2022-09-03T01:06:14",
- "authors": [
- {
- "name": "automated"
- }
- ],
- "component": {
- "type": "library",
- "bom-ref": "some program",
- "supplier": {
- "name": "Company Legal"
- },
- "group": "com.company.internal",
- "name": "some program",
- "version": "T5.0.1.25",
- "licenses": [
- {
- "license": {
- "name": "company internal"
- }
- }
- ],
- "copyright": "Company Legal 2022, all rights reserved"
- }
- },
- "components": [
- {
- "type": "library",
- "bom-ref": "11231231",
- "supplier": {
- "name": "Company Legal"
- },
- "group": "com.company.internal",
- "name": "some name",
- "copyright": "Company Legal 2022, all rights reserved",
- "version": "1.0"
- },
- {
- "type": "library",
- "bom-ref": "first_component",
- "supplier": {
- "name": "Company Legal"
- },
- "group": "com.company.internal",
- "name": "first_component",
- "copyright": "Company Legal 2022, all rights reserved",
- "version": "1.0a"
- },
- {
- "type": "library",
- "bom-ref": "ref_first_component@1.3.3",
- "publisher": "some publisher",
- "name": "first_component",
- "version": "1.3.2",
- "cpe": "",
- "description": "first_component some description",
- "scope": "required",
- "hashes": [
- {
- "alg": "MD5",
- "content": "3942447fac867ae5cdb3229b658f4d48"
- }
- ],
- "licenses": [
- {
- "license": {
- "id": "MIT"
- }
- }
- ],
- "copyright": "Copyright 2000-2021 first_component Contributors",
- "purl": "pkg:nuget/first_component@1.3.2"
- }
- ],
- "dependencies": [
- {
- "ref": "some program",
- "dependsOn": [
- "first_component",
- "second_component",
- "third_component",
- "fourth_component",
- "fifth_component",
- "sixth_component",
- "seventh_component",
- "eight_component",
- "ninth_component",
- "tenth_component",
- "eleventh_component",
- "twelfth_component"
- ]
- },
- {
- "ref": "first_component",
- "dependsOn": []
- },
- {
- "ref": "second_component",
- "dependsOn": []
- },
- {
- "ref": "third_component",
- "dependsOn": []
- },
- {
- "ref": "fourth_component",
- "dependsOn": []
- },
- {
- "ref": "fifth_component",
- "dependsOn": []
- },
- {
- "ref": "sixth_component",
- "dependsOn": []
- },
- {
- "ref": "seventh_component",
- "dependsOn": []
- },
- {
- "ref": "eight_component",
- "dependsOn": []
- },
- {
- "ref": "ninth_component",
- "dependsOn": []
- },
- {
- "ref": "tenth_component",
- "dependsOn": []
- },
- {
- "ref": "eleventh_component",
- "dependsOn": []
- },
- {
- "ref": "twelfth_component",
- "dependsOn": []
- }
- ],
- "compositions": [
- {
- "aggregate": "incomplete",
- "assemblies": [
- "first_component",
- "second_component",
- "third_component",
- "fourth_component",
- "fifth_component",
- "sixth_component",
- "seventh_component",
- "eight_component",
- "ninth_component",
- "tenth_component",
- "eleventh_component",
- "twelfth_component"
- ]
- }
- ]
-}
diff --git a/tests/auxiliary/test_vex/embedded_vex.json b/tests/auxiliary/test_vex/embedded_vex.json
index aed069a6..0f03f3be 100644
--- a/tests/auxiliary/test_vex/embedded_vex.json
+++ b/tests/auxiliary/test_vex/embedded_vex.json
@@ -1,6 +1,6 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.3",
+ "specVersion": "1.4",
 "version": 1,
 "metadata": {
 "timestamp": "2022-09-03T01:06:14",
@@ -165,426 +165,93 @@
 ],
 "vulnerabilities": [
 {
- "description": "some description of a vulnerability",
- "id": "CVE-1012-0001",
- "ratings": [
- {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
- {
- "score": 7.5,
- "severity": "high",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
- }
- ],
- "published": "1012-01-01T01:01Z",
- "updated": "1012-02-04T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 2",
- "id": "CVE-1013-0002",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:02Z",
- "updated": "1013-03-02T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 3",
- "id": "CVE-1013-0003",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:02Z",
- "updated": "1013-03-02T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 4",
- "id": "CVE-1013-0004",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:02Z",
- "updated": "1013-03-02T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 5",
- "id": "CVE-1013-0005",
- "ratings": [
- {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:03Z",
- "updated": "1013-03-03T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 5",
- "id": "CVE-1013-0006",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:03Z",
- "updated": "1013-03-04T12:24Z",
- "affects": [
+ "id": "CVE-2020-25649",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+ },
+ "references": [
 {
- "ref": "11231231"
+ "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302",
+ "source": {
+ "name": "SNYK",
+ "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ }
 }
 ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 6",
- "id": "CVE-1012-0007",
 "ratings": [
 {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
- {
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1"
+ },
 "score": 7.5,
 "severity": "high",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
- }
- ],
- "published": "1012-01-01T01:04Z",
- "updated": "1013-03-05T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 7",
- "id": "CVE-1013-0008",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:05Z",
- "updated": "1013-03-07T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 8",
- "id": "CVE-1013-0009",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
 "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:05Z",
- "updated": "1013-03-07T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 9",
- "id": "CVE-1013-0010",
- "ratings": [
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
 {
- "score": 7.2,
+ "source": {
+ "name": "SNYK",
+ "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ },
+ "score": 8.2,
 "severity": "high",
 "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:06Z",
- "updated": "1013-03-08T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 10",
- "id": "CVE-1013-0011",
- "ratings": [
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
 {
- "score": 7.2,
- "severity": "high",
+ "source": {
+ "name": "Acme Inc",
+ "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1"
+ },
+ "score": 0.0,
+ "severity": "none",
 "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N"
 }
 ],
- "published": "1013-01-01T01:06Z",
- "updated": "1013-03-09T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
+ "cwes": [
+ 611
 ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 11",
- "id": "CVE-1012-0012",
- "ratings": [
+ "description": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
+ "detail": "XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.",
+ "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.",
+ "advisories": [
 {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ "title": "GitHub Commit",
+ "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59"
 },
 {
- "score": 7.5,
- "severity": "high",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
- }
- ],
- "published": "1012-01-01T01:07Z",
- "updated": "1013-03-10T12:24Z",
- "affects": [
- {
- "ref": "ref_first_component@1.3.3"
- }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 12",
- "id": "CVE-1012-0013",
- "ratings": [
- {
- "score": 5.3,
- "severity": "medium",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ "title": "GitHub Issue",
+ "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
 },
 {
- "score": 5.0,
- "severity": "medium",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
- }
- ],
- "published": "1012-01-01T01:08Z",
- "updated": "1013-03-12T12:24Z",
- "affects": [
- {
- "ref": "ref_first_component@1.3.3"
+ "title": "RedHat Bugzilla Bug",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
 }
 ],
+ "created": "2020-12-03T00:00:00.000Z",
+ "published": "2020-12-03T00:00:00.000Z",
+ "updated": "2021-10-26T00:00:00.000Z",
+ "credits": {
+ "individuals": [
+ {
+ "name": "Bartosz Baranowski"
+ }
+ ]
+ },
 "analysis": {
 "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 13",
- "id": "CVE-1012-0014",
- "ratings": [
- {
- "score": 5.3,
- "severity": "medium",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
- },
- {
- "score": 5.0,
- "severity": "medium",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
- }
- ],
- "published": "1012-01-01T01:07Z",
- "updated": "1013-03-12T12:24Z",
+ "justification": "code_not_reachable",
+ "response": ["will_not_fix", "update"],
+ "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly."
+ },
 "affects": [
 {
- "ref": "ref_first_component@1.3.3"
+ "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0?type=jar"
 }
- ],
- "analysis": {
- "state": "exploitable",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
+ ]
 }
 ]
 }
diff --git a/tests/auxiliary/test_vex/list_default.csv b/tests/auxiliary/test_vex/list_default.csv
deleted file mode 100644
index e4c4ed0d..00000000
--- a/tests/auxiliary/test_vex/list_default.csv
+++ /dev/null
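Review bot: The new `affects[0].ref` in embedded_vex.json is a BOM-Link (`urn:cdx:3e671687-…/1#pkg:maven/…`), a pointer into an external BOM with that serial number, whereas the entries it replaces pointed at this document's own component bom-refs (`11231231`, `ref_first_component@1.3.3`). Unless the components section above this hunk was re-keyed and the document's serialNumber matches, the embedded VEX now carries a vulnerability that resolves to nothing in the BOM it is embedded in, so a test that joins vulnerabilities to components through this fixture would likely match zero components without any error. If the external-ref form is intentional, a second entry with a local bom-ref would keep that join exercised; otherwise `"ref": "11231231"` keeps the fixture self-contained. A smaller point of style: `"response": ["will_not_fix", "update"],` is the only inline array in the file, where every other array is written one element per line. The `vulnerabilities` array closes inside the hunk, but the root object and the components it should reference begin outside it.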
@@ -1,15 +0,0 @@
-ID,RefID,Description,Status
-CVE-1012-0001,-,some description of a vulnerability,exploitable
-CVE-1013-0002,-,some description of a vulnerability 2,not_affected
-CVE-1013-0003,-,some description of a vulnerability 3,exploitable
-CVE-1013-0004,-,some description of a vulnerability 4,exploitable
-CVE-1013-0005,-,some description of a vulnerability 5,not_affected
-CVE-1013-0006,-,some description of a vulnerability 5,not_affected
-CVE-1012-0007,-,some description of a vulnerability 6,exploitable
-CVE-1013-0008,-,some description of a vulnerability 7,not_affected
-CVE-1013-0009,-,some description of a vulnerability 8,not_affected
-CVE-1013-0010,-,some description of a vulnerability 9,not_affected
-CVE-1013-0011,-,some description of a vulnerability 10,not_affected
-CVE-1012-0012,-,some description of a vulnerability 11,exploitable
-CVE-1012-0013,-,some description of a vulnerability 12,not_affected
-CVE-1012-0014,-,some description of a vulnerability 13,exploitable
diff --git a/tests/auxiliary/test_vex/list_default_missing_data.csv b/tests/auxiliary/test_vex/list_default_missing_data.csv
deleted file mode 100644
index 8324d8fc..00000000
--- a/tests/auxiliary/test_vex/list_default_missing_data.csv
+++ /dev/null
@@ -1,15 +0,0 @@ -ID,RefID,Description,Status -CVE-1012-0001,-,some description of a vulnerability,exploitable -CVE-1013-0002,-,some description of a vulnerability 2,not_affected -CVE-1013-0003,-,some description of a vulnerability 3,- -CVE-1013-0004,-,some description of a vulnerability 4,exploitable --,CVE-1013-0005,some description of a vulnerability 5,not_affected -CVE-1013-0006,-,some description of a vulnerability 5,not_affected --,-,some description of a vulnerability 6,exploitable -CVE-1013-0008,-,some description of a vulnerability 7,not_affected -CVE-1013-0009,-,some description of a vulnerability 8,- -CVE-1013-0010,-,some description of a vulnerability 9,not_affected -CVE-1013-0011,-,some description of a vulnerability 10,not_affected --,-,some description of a vulnerability 11,exploitable -CVE-1012-0013,-,-,not_affected --,-,-,exploitable diff --git a/tests/auxiliary/test_vex/list_lightweight.csv b/tests/auxiliary/test_vex/list_lightweight.csv deleted file mode 100644 index 3694104f..00000000 --- a/tests/auxiliary/test_vex/list_lightweight.csv +++ /dev/null @@ -1,15 +0,0 @@ -ID,RefID -CVE-1012-0001, - -CVE-1013-0002, - -CVE-1013-0003, - -CVE-1013-0004, - -CVE-1013-0005, - -CVE-1013-0006, - -CVE-1012-0007, - -CVE-1013-0008, - -CVE-1013-0009, - -CVE-1013-0010, - -CVE-1013-0011, - -CVE-1012-0012, - -CVE-1012-0013, - -CVE-1012-0014, - diff --git a/tests/auxiliary/test_vex/list_lightweight_missing_data.csv b/tests/auxiliary/test_vex/list_lightweight_missing_data.csv deleted file mode 100644 index f75708f5..00000000 --- a/tests/auxiliary/test_vex/list_lightweight_missing_data.csv +++ /dev/null @@ -1,15 +0,0 @@ -ID,RefID -CVE-1012-0001, - -CVE-1013-0002, - -CVE-1013-0003, - -CVE-1013-0004, - --, CVE-1013-0005 -CVE-1013-0006, - --, - -CVE-1013-0008, - -CVE-1013-0009, - -CVE-1013-0010, - -CVE-1013-0011, - --, - -CVE-1012-0013, - --, - 
diff --git a/tests/auxiliary/test_vex/searched_vex.json b/tests/auxiliary/test_vex/searched_vex.json
deleted file mode 100644
index 2311f24c..00000000
--- a/tests/auxiliary/test_vex/searched_vex.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "bomFormat": "CycloneDX",
- "specVersion": "1.3",
- "version": 1,
- "vulnerabilities": [
- {
- "description": "some description of a vulnerability 2",
- "id": "CVE-1013-0002",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:02Z",
- "updated": "1013-03-02T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/tests/auxiliary/test_vex/searched_vex_missing_data.json b/tests/auxiliary/test_vex/searched_vex_missing_data.json
deleted file mode 100644
index 2f3629f7..00000000
--- a/tests/auxiliary/test_vex/searched_vex_missing_data.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "bomFormat": "CycloneDX",
- "specVersion": "1.3",
- "version": 1,
- "vulnerabilities": [
- {
- "description": "some description of a vulnerability 5",
- "references": {
- "id": "CVE-1013-0005"
- },
- "ratings": [
- {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:03Z",
- "updated": "1013-03-03T12:24Z",
- "affects": [
- {
- "ref": "11231231"
- }
- ],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/tests/auxiliary/test_vex/trimmed_vex.json b/tests/auxiliary/test_vex/trimmed_vex.json
deleted file mode 100644
index 9e8c2ae8..00000000
--- a/tests/auxiliary/test_vex/trimmed_vex.json
+++ /dev/null
@@ -1,205 +0,0 @@
-{
- "bomFormat": "CycloneDX",
- "specVersion": "1.3",
- "version": 1,
- "vulnerabilities": [
- {
- "description": "some description of a vulnerability 2",
- "id": "CVE-1013-0002",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:02Z",
- "updated": "1013-03-02T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 5",
- "id": "CVE-1013-0005",
- "ratings": [
- {
- "score": 9.8,
- "severity": "critical",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:03Z",
- "updated": "1013-03-03T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 5",
- "id": "CVE-1013-0006",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:03Z",
- "updated": "1013-03-04T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 7",
- "id": "CVE-1013-0008",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:05Z",
- "updated": "1013-03-07T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 8",
- "id": "CVE-1013-0009",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:05Z",
- "updated": "1013-03-07T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 9",
- "id": "CVE-1013-0010",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:06Z",
- "updated": "1013-03-08T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 10",
- "id": "CVE-1013-0011",
- "ratings": [
- {
- "score": 7.2,
- "severity": "high",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "published": "1013-01-01T01:06Z",
- "updated": "1013-03-09T12:24Z",
- "affects": [{"ref": "11231231"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- },
- {
- "description": "some description of a vulnerability 12",
- "id": "CVE-1012-0013",
- "ratings": [
- {
- "score": 5.3,
- "severity": "medium",
- "method": "CVSSv31",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
- },
- {
- "score": 5.0,
- "severity": "medium",
- "method": "CVSSv2",
- "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
- }
- ],
- "published": "1012-01-01T01:08Z",
- "updated": "1013-03-12T12:24Z",
- "affects": [{"ref": "ref_first_component@1.3.3"}],
- "analysis": {
- "state": "not_affected",
- "justification": "add justification here",
- "response": [
- "add response here",
- "more than one response is possible"
- ],
- "detail": "the fields state, justification and response are enums, please see CycloneDX specification"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/tests/auxiliary/test_vex/vex.json b/tests/auxiliary/test_vex/vex.json
index aad6fa77..14c5067b 100644
--- a/tests/auxiliary/test_vex/vex.json
+++ b/tests/auxiliary/test_vex/vex.json
@@ -1,429 +1,96 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.3", + "specVersion": "1.4", "version": 1, "vulnerabilities": [ { - "description": "some description of a vulnerability", - "id": "CVE-1012-0001", - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - { - "score": 7.5, - "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:01Z", - "updated": "1012-02-04T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 2", - "id": "CVE-1013-0002", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 3", - "id": "CVE-1013-0003", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - 
"more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 4", - "id": "CVE-1013-0004", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 5", - "id": "CVE-1013-0005", - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:03Z", - "updated": "1013-03-03T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 5", - "id": "CVE-1013-0006", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:03Z", - "updated": "1013-03-04T12:24Z", - "affects": [ + "id": "CVE-2020-25649", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" + }, + "references": [ { - "ref": "11231231" + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "source": { + "name": 
"SNYK", + "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302" + } } ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 6", - "id": "CVE-1012-0007", "ratings": [ { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - { + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" + }, "score": 7.5, "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:04Z", - "updated": "1013-03-05T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 7", - "id": "CVE-1013-0008", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:05Z", - "updated": "1013-03-07T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 8", - "id": 
"CVE-1013-0009", - "ratings": [ - { - "score": 7.2, - "severity": "high", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:05Z", - "updated": "1013-03-07T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 9", - "id": "CVE-1013-0010", - "ratings": [ + "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, { - "score": 7.2, + "source": { + "name": "SNYK", + "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302" + }, + "score": 8.2, "severity": "high", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:06Z", - "updated": "1013-03-08T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 10", - "id": "CVE-1013-0011", - "ratings": [ + "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, { - "score": 7.2, - "severity": "high", + "source": { + "name": "Acme Inc", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N&version=3.1" + }, + "score": 0.0, + "severity": "none", "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + "vector": 
"AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:N/MI:N/MA:N" } ], - "published": "1013-01-01T01:06Z", - "updated": "1013-03-09T12:24Z", - "affects": [ - { - "ref": "11231231" - } + "cwes": [ + 611 ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 11", - "id": "CVE-1012-0012", - "ratings": [ + "description": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.", + "detail": "XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.", + "advisories": [ { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + "title": "GitHub Commit", + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59" }, { - "score": 7.5, - "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:07Z", - "updated": "1013-03-10T12:24Z", - "affects": [ - { - "ref": "ref_first_component@1.3.3" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 12", - "id": "CVE-1012-0013", - "ratings": [ - { - "score": 5.3, - "severity": "medium", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + "title": "GitHub Issue", + "url": "https://github.com/FasterXML/jackson-databind/issues/2589" }, { - "score": 5.0, - "severity": "medium", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" - } - ], - "published": "1012-01-01T01:08Z", - "updated": "1013-03-12T12:24Z", - "affects": [ - { - "ref": "ref_first_component@1.3.3" + "title": "RedHat Bugzilla Bug", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664" } ], + "created": "2020-12-03T00:00:00.000Z", + "published": 
"2020-12-03T00:00:00.000Z", + "updated": "2021-10-26T00:00:00.000Z", + "credits": { + "individuals": [ + { + "name": "Bartosz Baranowski" + } + ] + }, "analysis": { "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 13", - "id": "CVE-1012-0014", - "ratings": [ - { - "score": 5.3, - "severity": "medium", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - }, - { - "score": 5.0, - "severity": "medium", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" - } - ], - "published": "1012-01-01T01:07Z", - "updated": "1013-03-12T12:24Z", + "justification": "code_not_reachable", + "response": ["will_not_fix", "update"], + "detail": "Automated dataflow analysis and manual code review indicates that the vulnerable code is not reachable, either directly or indirectly." + }, "affects": [ { - "ref": "ref_first_component@1.3.3" + "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0?type=jar" } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } + ] } ] -} +} \ No newline at end of file diff --git a/tests/auxiliary/test_vex/vex_missing_data.json b/tests/auxiliary/test_vex/vex_missing_data.json deleted file mode 100644 index f776bb22..00000000 --- a/tests/auxiliary/test_vex/vex_missing_data.json +++ /dev/null 
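Review bot: The rewritten fixture drops the file's trailing newline (`-}` becomes `+} \ No newline at end of file`), so every later edit to this file will show a spurious change on the closing brace; ending the file with `}` followed by a newline keeps future diffs clean. The CVSS v3.1 vector strings in the new `ratings` entries omit the `CVSS:3.1/` prefix that the previous fixture carried (`"vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"`); the canonical v3.1 vector string begins with that label, so if any code under test parses or compares vectors, this fixture now only exercises the non-canonical form and a second rating in canonical form (or a short note in the test that loads it) would make that deliberate. The `affects[0].ref` bom-link `urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0?type=jar` has to match a bom-ref in the companion embedded-VEX fixture for the extract comparison to hold, which is not visible in this hunk.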
@@ -1,417 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.3", - "version": 1, - "vulnerabilities": [ - { - "description": "some description of a vulnerability", - "id": "CVE-1012-0001", - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - { - "score": 7.5, - "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:01Z", - "updated": "1012-02-04T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 2", - "id": "CVE-1013-0002", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 3", - "id": "CVE-1013-0003", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - 
"detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 4", - "id": "CVE-1013-0004", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:02Z", - "updated": "1013-03-02T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 5", - "references": - { - "id": "CVE-1013-0005" - }, - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:03Z", - "updated": "1013-03-03T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 5", - "id": "CVE-1013-0006", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:03Z", - "updated": "1013-03-04T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response 
are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 6", - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - { - "score": 7.5, - "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:04Z", - "updated": "1013-03-05T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 7", - "id": "CVE-1013-0008", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:05Z", - "updated": "1013-03-07T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 8", - "id": "CVE-1013-0009", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:05Z", - "updated": "1013-03-07T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ] - }, - { - "description": "some description of a vulnerability 9", - "id": "CVE-1013-0010", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:06Z", - "updated": "1013-03-08T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 10", - "id": "CVE-1013-0011", - "ratings": [ - { - "score": 7.2, - "severity": "high", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" - } - ], - "published": "1013-01-01T01:06Z", - "updated": "1013-03-09T12:24Z", - "affects": [ - { - "ref": "11231231" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "description": "some description of a vulnerability 11", - "ratings": [ - { - "score": 9.8, - "severity": "critical", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - { - "score": 7.5, - "severity": "high", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "published": "1012-01-01T01:07Z", - "updated": "1013-03-10T12:24Z", - "affects": [ - { - "ref": "ref_first_component@1.3.3" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "id": "CVE-1012-0013", - "ratings": [ - { - "score": 5.3, - "severity": "medium", - "method": "CVSSv31", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - }, - { - "score": 5.0, - "severity": "medium", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" - } - ], - "published": "1012-01-01T01:08Z", - "updated": "1013-03-12T12:24Z", - "affects": [ - { - "ref": "ref_first_component@1.3.3" - } - ], - "analysis": { - "state": "not_affected", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - }, - { - "ratings": [ - { - "score": 5.3, - "severity": "medium", - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - }, - { - "score": 5.0, - "severity": "medium", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N" - } - ], - "published": "1012-01-01T01:07Z", - "updated": "1013-03-12T12:24Z", - "affects": [ - { - "ref": "ref_first_component@1.3.3" - } - ], - "analysis": { - "state": "exploitable", - "justification": "add justification here", - "response": [ - "add response here", - "more than one response is possible" - ], - "detail": "the fields state, justification and response are enums, please see CycloneDX specification" - } - } - ] -} diff --git a/tests/integration/test_integration.py b/tests/integration/test_integration.py index 24e249c3..e167811d 100644 --- a/tests/integration/test_integration.py +++ b/tests/integration/test_integration.py @@ -15,7 +15,7 @@ from cdxev.__main__ import Status from cdxev.amend.operations import AddLicenseText from tests.auxiliary.helper import search_entry -from tests.integration.helper import load_list, load_sbom, run_main +from tests.integration.helper import load_sbom, run_main def test_help(argv: Callable[..., None], capsys: pytest.CaptureFixture[str]): 
@@ -1220,132 +1220,18 @@ class DataFixture(TypedDict): @pytest.fixture( scope="class", - params=[ - { - "input": "vex.embedded.json", - "expected": [ - "vex.expected_list_default.csv", - "vex.expected_list_lightweight.csv", - "vex.expected_trim.json", - "vex.expected_search.json", - "vex.json", - ], - } - ], + params=[{"input": "vex.embedded.json", "expected": "vex.json"}], ) def data(self, data_dir: Path, request: pytest.FixtureRequest) -> DataFixture: input_path = data_dir / request.param["input"] - expected_paths = [data_dir / p for p in request.param["expected"]] - + expected_path = data_dir / request.param["expected"] input_vex_embedded_path = input_path - - expected_list_default = load_list(expected_paths[0]) - expected_list_lightweight = load_list(expected_paths[1]) - expected_trim_json = load_sbom(expected_paths[2]) - expected_search_json = load_sbom(expected_paths[3]) - expected_extract_json = load_sbom(expected_paths[4]) + expected_vex = load_sbom(expected_path) return self.DataFixture( - input_vex_embedded_path=input_vex_embedded_path, - expected_list_default=expected_list_default, - expected_list_lightweight=expected_list_lightweight, - expected_trim_json=expected_trim_json, - expected_search_json=expected_search_json, - expected_extract_json=expected_extract_json, + input_vex_embedded_path=input_vex_embedded_path, expected_vex=expected_vex ) - def test_list_no_state_vulnerabilities_from_embedded_file( - self, - data: DataFixture, - argv: Callable[..., None], - capsys: pytest.CaptureFixture[str], - ) -> None: - argv("vex", "list", str(data["input_vex_embedded_path"])) - exit_code, actual, _ = run_main(capsys) - - # Verify that command completed successfully - assert exit_code == Status.OK - - # Verify that output matches what is expected - expected_output = data["expected_list_default"] - assert actual == expected_output - - def test_list_default_vulnerabilities_from_embedded_file( - self, - data: DataFixture, - argv: Callable[..., None], - capsys: 
pytest.CaptureFixture[str], - ) -> None: - argv("vex", "list", "--scheme", "default", str(data["input_vex_embedded_path"])) - exit_code, actual, _ = run_main(capsys) - - # Verify that command completed successfully - assert exit_code == Status.OK - - # Verify that output matches what is expected - expected_output = data["expected_list_default"] - assert actual == expected_output - - def test_list_lightweight_vulnerabilities_from_embedded_file( - self, - data: DataFixture, - argv: Callable[..., None], - capsys: pytest.CaptureFixture[str], - ) -> None: - argv( - "vex", - "list", - "--scheme", - "lightweight", - str(data["input_vex_embedded_path"]), - ) - exit_code, actual, _ = run_main(capsys) - - # Verify that command completed successfully - assert exit_code == Status.OK - - # Verify that output matches what is expected - expected_output = data["expected_list_lightweight"] - assert actual == expected_output - - def test_trim_vulnerabilities_from_embedded_file( - self, - data: DataFixture, - argv: Callable[..., None], - capsys: pytest.CaptureFixture[str], - ) -> None: - argv( - "vex", - "trim", - "--state", - "not_affected", - str(data["input_vex_embedded_path"]), - ) - exit_code, actual, _ = run_main(capsys) - - # Verify that command completed successfully - assert exit_code == Status.OK - - # Verify that output matches what is expected - expected_output = data["expected_trim_json"] - assert json.loads(actual) == expected_output - - def test_search_vulnerability_from_embedded_file( - self, - data: DataFixture, - argv: Callable[..., None], - capsys: pytest.CaptureFixture[str], - ) -> None: - argv("vex", "search", "CVE-1013-0002", str(data["input_vex_embedded_path"])) - exit_code, actual, _ = run_main(capsys) - - # Verify that command completed successfully - assert exit_code == Status.OK - - # Verify that output matches what is expected - expected_output = data["expected_search_json"] - assert json.loads(actual) == expected_output - def 
test_extract_vex_from_sbom_from_embedded_file( self, data: DataFixture, @@ -1359,5 +1245,5 @@ def test_extract_vex_from_sbom_from_embedded_file( assert exit_code == Status.OK # Verify that output matches what is expected - expected_output = data["expected_extract_json"] + expected_output = data["expected_vex"] assert json.loads(actual) == expected_output diff --git a/tests/test_vex.py b/tests/test_vex.py index 115f26a7..3298fdcc 100644 --- a/tests/test_vex.py +++ b/tests/test_vex.py 
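Review bot: The hunk deletes the integration tests for `vex list`, `vex trim` and `vex search` (test_list_no_state…, test_list_default…, test_list_lightweight…, test_trim…, test_search…) and leaves only the extract path covered by this fixture, with no replacement coverage visible in the diff; if those subcommands still exist, their CLI behaviour is now untested at the integration level. The fixture now returns `self.DataFixture(input_vex_embedded_path=input_vex_embedded_path, expected_vex=expected_vex)`, but the `DataFixture` TypedDict named in the hunk header is declared above the hunk, outside it; if it still lists `expected_list_default`, `expected_trim_json`, `expected_search_json` or `expected_extract_json` as keys, a type checker will flag the missing keys and the `data["expected_vex"]` lookup, so confirm it was reduced to the two keys used here. A one-line comment on `params=[{"input": "vex.embedded.json", "expected": "vex.json"}]` stating that `vex.json` is the VEX document expected to be extracted from `vex.embedded.json` would help the next reader, since the single-file shape no longer explains what `expected` is.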
@@ -1,155 +1,114 @@
 import json
 import unittest
+from pathlib import Path
 import cdxev.vex as vex
 path_to_test_folder = "tests/auxiliary/test_vex/"
+def load_file(file_path: Path) -> dict:
+ with open(path_to_test_folder + file_path, "r", encoding="utf-8-sig") as my_file:
+ vex_file = json.load(my_file)
+ return vex_file
+
+
 class TestVulnerabilityFunctions(unittest.TestCase):
 def test_init_vex_header(self):
- expected_output = {"bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1}
+ expected_output = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1}
- with open(
- path_to_test_folder + "bom.json", "r", encoding="utf-8-sig"
- ) as my_file:
- sbom = json.load(my_file)
- result = vex.init_vex_header(sbom)
+ file = load_file("embedded_vex.json")
+ result = vex.init_vex_header(file)
 self.assertEquals(result, expected_output)
 def test_get_list_of_ids_default(self):
- with open(
- path_to_test_folder + "list_default.csv", "r", encoding="utf-8-sig"
- ) as my_file:
- expected_output = my_file.read()
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_list_of_ids(vex_file, "default")
+ file = load_file("vex.json")
+ result = vex.get_list_of_ids(file, "default")
+ expected_output = (
+ "ID,RefID,Description,Status\n"
+ + file.get("vulnerabilities", [])[0].get("id", "-")
+ + ","
+ + file.get("vulnerabilities", [])[0].get("references", [])[0].get("id", "-")
+ + ","
+ + file.get("vulnerabilities", [])[0].get("description", "-")
+ + ","
+ + file.get("vulnerabilities", [])[0].get("analysis", {}).get("state", "-")
+ + "\n"
+ )
 self.assertEqual(result, expected_output)
 def test_get_list_of_ids_default_missing_data(self):
- with open(
- path_to_test_folder + "list_default_missing_data.csv",
- "r",
- encoding="utf-8-sig",
- ) as my_file:
- expected_output = my_file.read()
- with open(
- path_to_test_folder + "vex_missing_data.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_list_of_ids(vex_file, "default")
+ file = load_file("vex.json")
+ file.get("vulnerabilities", [])[0].pop("id")
+ file.get("vulnerabilities", [])[0].pop("description")
+ file.get("vulnerabilities", [])[0].get("references", [])[0].pop("id")
+ file.get("vulnerabilities", [])[0].get("analysis", {}).pop("state")
+
+ expected_output = "ID,RefID,Description,Status\n" + "-,-,-,-\n"
+ result = vex.get_list_of_ids(file, "default")
 self.assertEqual(result, expected_output)
 def test_get_list_of_ids_lightweight(self):
- with open(
- path_to_test_folder + "list_lightweight.csv", "r", encoding="utf-8-sig"
- ) as my_file:
- expected_output = my_file.read()
-
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_list_of_ids(vex_file, "lightweight")
- self.assertEqual(result, expected_output)
-
- def test_get_list_of_ids_lightweight_missing_data(self):
- with open(
- path_to_test_folder + "list_lightweight_missing_data.csv",
- "r",
- encoding="utf-8-sig",
- ) as my_file:
- expected_output = my_file.read()
- with open(
- path_to_test_folder + "vex_missing_data.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_list_of_ids(vex_file, "lightweight")
+ file = load_file("vex.json")
+ expected_output = (
+ "ID,RefID\n"
+ + file.get("vulnerabilities", [])[0].get("id", "-")
+ + ","
+ + file.get("vulnerabilities", [])[0].get("references", [])[0].get("id", "-")
+ + "\n"
+ )
+ result = vex.get_list_of_ids(file, "lightweight")
 self.assertEqual(result, expected_output)
 def test_get_list_of_trimmed_vulnerabilities(self):
- with open(
- path_to_test_folder + "trimmed_vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- expected_output = json.load(my_file)
-
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = 
vex.get_list_of_trimed_vulnerabilities(vex_file, "not_affected")
+ file = load_file("vex.json")
+ file.get("vulnerabilities").append(
+ {"id": "CVE-2020-25649", "analysis": {"state": "exploitable"}}
+ )
+ expected_output = file
+ expected_output.get("vulnerabilities", []).pop(1)
+ result = vex.get_list_of_trimed_vulnerabilities(file, "not_affected")
 self.assertEqual(result, expected_output)
 def test_get_vulnerability_by_id(self):
- with open(
- path_to_test_folder + "searched_vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- expected_output = json.load(my_file)
-
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_vulnerability_by_id(vex_file, "CVE-1013-0002")
+ file = load_file("vex.json")
+ file.get("vulnerabilities").append(file.get("vulnerabilities")[0].copy())
+ file.get("vulnerabilities")[1]["id"] = "CVE-2020-25648"
+ expected_output = file
+ expected_output.get("vulnerabilities", []).pop(1)
+ result = vex.get_vulnerability_by_id(file, "CVE-2020-25649")
 self.assertEqual(result, expected_output)
 def test_get_vulnerability_by_id_missing_data(self):
- with open(
- path_to_test_folder + "searched_vex_missing_data.json",
- "r",
- encoding="utf-8-sig",
- ) as my_file:
- expected_output = json.load(my_file)
-
- with open(
- path_to_test_folder + "vex_missing_data.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.get_vulnerability_by_id(vex_file, "CVE-1013-0005")
+ file = load_file("vex.json")
+ file.get("vulnerabilities", [])[0].pop("id")
+ expected_output = file
+ result = vex.get_vulnerability_by_id(
+ file, "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ )
 self.assertEqual(result, expected_output)
 def test_get_vex_from_sbom(self):
- with open(
- path_to_test_folder + "embedded_vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- embedded_vex = json.load(my_file)
-
- with open(
- path_to_test_folder + "vex.json", "r", 
encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
-
- result = vex.get_vex_from_sbom(embedded_vex)
- self.assertEqual(result, vex_file)
+ file = load_file("embedded_vex.json")
+ result = vex.get_vex_from_sbom(file)
+ self.assertEqual(result, load_file("vex.json")) # Test subcommands
 def test_vex_list_command(self):
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.vex("list", vex_file, "", "default")
+
+ result = vex.vex("list", load_file("vex.json"), "", "default")
 self.assertIn("ID,RefID,Description,Status", result)
 def test_vex_trim_command(self):
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.vex("trim", vex_file, "not_affected", "")
- self.assertEqual(len(result["vulnerabilities"]), 8)
+
+ result = vex.vex("trim", load_file("vex.json"), "not_affected", "")
+ self.assertEqual(len(result["vulnerabilities"]), 1)
 def test_vex_search_command(self):
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.vex("search", vex_file, "", "", "CVE-1013-0002")
+
+ result = vex.vex("search", load_file("vex.json"), "", "", "CVE-2020-25649")
 self.assertEqual(len(result["vulnerabilities"]), 1)
 def test_vex_extract_command(self):
@@ -161,9 +120,6 @@ def test_vex_extract_command(self):
 self.assertEqual(result["vulnerabilities"], embedded_vex["vulnerabilities"])
 def test_vex_invalid_subcommand(self):
- with open(
- path_to_test_folder + "vex.json", "r", encoding="utf-8-sig"
- ) as my_file:
- vex_file = json.load(my_file)
- result = vex.vex("invalid_command", vex_file, "", "")
+
+ result = vex.vex("invalid_command", load_file("vex.json"), "", "")
 self.assertEqual(result, {})
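Review bot: In test_get_list_of_trimmed_vulnerabilities and test_get_vulnerability_by_id, `expected_output = file` binds the very dict the next statement mutates, so — reading the collapsed hunk as `expected_output = file` followed by `expected_output.get("vulnerabilities", []).pop(1)` — the `.pop(1)` strips the freshly appended entry from `file` itself before `file` is handed to the function under test, and the assertion then compares the function's output with its own unmodified input, which cannot detect a trim or search that filters nothing. Take the snapshot before mutating and detach it from the input, e.g. `expected_output = copy.deepcopy(file)` placed ahead of the `.pop(1)` in both tests (with `import copy` added to the import block at the top of the hunk), or build the expectation from a second `load_file("vex.json")` call; the same aliasing in test_get_vulnerability_by_id_missing_data would also let a function that mutates its argument in place pass unnoticed. Separately, `load_file` annotates `file_path` as `Path` but evaluates `path_to_test_folder + file_path`, which raises TypeError for an actual `Path`; either annotate it `str`, as every call site passes, or build the path as `Path(path_to_test_folder) / file_path`.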