|
6 | 6 | from crum import impersonate |
7 | 7 | from django.contrib.auth.models import User |
8 | 8 | from django.utils import timezone |
| 9 | +from rest_framework.authtoken.models import Token |
| 10 | +from rest_framework.test import APIClient |
9 | 11 |
|
10 | 12 | from dojo.finding.helper import save_vulnerability_ids, save_vulnerability_ids_template |
11 | 13 | from dojo.models import Finding, Finding_Template, Test, Vulnerability_Id, Vulnerability_Id_Template |
12 | 14 |
|
13 | | -from .dojo_test_case import DojoTestCase |
| 15 | +from .dojo_test_case import DojoAPITestCase, DojoTestCase |
14 | 16 |
|
15 | 17 | logger = logging.getLogger(__name__) |
16 | 18 |
|
@@ -245,3 +247,91 @@ def test_save_vulnerability_id_templates(self, save_mock, delete_mock, filter_mo |
245 | 247 | delete_mock.assert_called_once() |
246 | 248 | self.assertEqual(save_mock.call_count, 2) |
247 | 249 | self.assertEqual("REF-1", finding_template.cve) |
| 250 | + |
| 251 | + |
| 252 | +class TestFindingVulnerabilityIdsAPI(DojoAPITestCase): |
| 253 | + fixtures = ["dojo_testdata.json"] |
| 254 | + |
| 255 | + def setUp(self): |
| 256 | + super().setUp() |
| 257 | + self.system_settings(enable_jira=True) |
| 258 | + self.testuser = User.objects.get(username="admin") |
| 259 | + self.testuser.usercontactinfo.block_execution = True |
| 260 | + self.testuser.usercontactinfo.save() |
| 261 | + token = Token.objects.get(user=self.testuser) |
| 262 | + self.client = APIClient() |
| 263 | + self.client.credentials(HTTP_AUTHORIZATION="Token " + token.key) |
| 264 | + self.client.force_login(self.get_test_admin()) |
| 265 | + |
| 266 | + def test_finding_create_without_cve(self): |
| 267 | + # use existing finding as template for a new finding. this finding has no cve |
| 268 | + finding_details = self.get_finding_api(2) |
| 269 | + del finding_details["id"] |
| 270 | + if "cve" in finding_details: |
| 271 | + del finding_details["cve"] |
| 272 | + new_vulnerability_ids = [ |
| 273 | + {"vulnerability_id": "RHSA-12345"}, |
| 274 | + {"vulnerability_id": "GHSA-7890"}, |
| 275 | + ] |
| 276 | + finding_details["vulnerability_ids"] = new_vulnerability_ids |
| 277 | + response = self.post_new_finding_api(finding_details) |
| 278 | + # assert resopnse data |
| 279 | + self.assertIsNone(response.get("cve")) |
| 280 | + self.assertEqual(new_vulnerability_ids, response.get("vulnerability_ids")) |
| 281 | + |
| 282 | + # assert GET finding |
| 283 | + finding_id = response.get("id") |
| 284 | + response = self.get_finding_api(finding_id) |
| 285 | + self.assertIsNone(response.get("cve")) |
| 286 | + self.assertEqual(new_vulnerability_ids, response.get("vulnerability_ids")) |
| 287 | + |
| 288 | + def test_finding_create_with_cve(self): |
| 289 | + # use existing finding as template for a new finding. this finding has no cve |
| 290 | + finding_details = self.get_finding_api(2) |
| 291 | + del finding_details["id"] |
| 292 | + if "cve" in finding_details: |
| 293 | + del finding_details["cve"] |
| 294 | + new_vulnerability_ids = [ |
| 295 | + {"vulnerability_id": "CVE-2025-12345"}, |
| 296 | + {"vulnerability_id": "RHSA-12345"}, |
| 297 | + {"vulnerability_id": "GHSA-7890"}, |
| 298 | + ] |
| 299 | + finding_details["vulnerability_ids"] = new_vulnerability_ids |
| 300 | + response = self.post_new_finding_api(finding_details) |
| 301 | + # assert response data |
| 302 | + self.assertEqual(new_vulnerability_ids, response.get("vulnerability_ids")) |
| 303 | + |
| 304 | + # CVE is not in the response, so get it fromt the database |
| 305 | + self.assertEqual("CVE-2025-12345", Finding.objects.get(id=response.get("id")).cve) |
| 306 | + |
| 307 | + def test_finding_create_and_update_with_cve(self): |
| 308 | + # use existing finding as template for a new finding. this finding has no cve |
| 309 | + finding_details = self.get_finding_api(2) |
| 310 | + del finding_details["id"] |
| 311 | + if "cve" in finding_details: |
| 312 | + del finding_details["cve"] |
| 313 | + new_vulnerability_ids = [ |
| 314 | + {"vulnerability_id": "CVE-2025-12345"}, |
| 315 | + {"vulnerability_id": "RHSA-12345"}, |
| 316 | + {"vulnerability_id": "GHSA-7890"}, |
| 317 | + ] |
| 318 | + finding_details["vulnerability_ids"] = new_vulnerability_ids |
| 319 | + response = self.post_new_finding_api(finding_details) |
| 320 | + finding_id = response.get("id") |
| 321 | + # assert resopnse data |
| 322 | + self.assertEqual(new_vulnerability_ids, response.get("vulnerability_ids")) |
| 323 | + |
| 324 | + # CVE is not in the response, so get it fromt the database |
| 325 | + self.assertEqual("CVE-2025-12345", Finding.objects.get(id=finding_id).cve) |
| 326 | + |
| 327 | + # change vulnerability_id and remove cve |
| 328 | + updated_vulnerability_ids = [ |
| 329 | + {"vulnerability_id": "RHSA-000000"}, |
| 330 | + ] |
| 331 | + response = self.patch_finding_api(finding_id, {"vulnerability_ids": updated_vulnerability_ids}) |
| 332 | + # assert resopnse data |
| 333 | + self.assertEqual(updated_vulnerability_ids, response.get("vulnerability_ids")) |
| 334 | + |
| 335 | + # CVE is not in the response, so get it fromt the database |
| 336 | + # current behaviour is that the cve is taken from the first vulnerability_id... |
| 337 | + self.assertEqual("RHSA-000000", Finding.objects.get(id=finding_id).cve) |
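Review bot: The final assertion in test_finding_create_and_update_with_cve pins the value "RHSA-000000" into Finding.cve, which the comment on the preceding line itself describes as merely "current behaviour" — after the PATCH no CVE-prefixed id remains, so a non-CVE identifier landing in the cve column looks like a quirk rather than a contract, and freezing it means any future correction fails this test. If the behaviour is intentional, the comment should say so (e.g. `# intended: cve mirrors the first vulnerability_id even when it is not a CVE`); if not, assert the expected outcome and mark the gap, e.g. `# TODO: should be None once no CVE-prefixed id is present` next to the current assertEqual. The three tests also repeat the same template preparation (fetch finding 2, drop "id" and "cve"), which could become one private helper such as `def _finding_template(self): ...` returning the cleaned dict, and the comments contain typos ("resopnse" at lines 278/321/332, "fromt" at lines 304/325/335) that a quick pass would fix.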