Add tests for cvelistv5-data importer

Add tests for parse_cve_v5_advisory function using vulnrichmentv2-data and cvelistv5-data

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/importers/vulnrichment.py

@@ -15,6 +15,7 @@
 from vulnerabilities.utils import get_advisory_url
 from vulnerabilities.utils import get_cwe_id
 from vulnerabilities.utils import get_reference_id
+from vulnerabilities.utils import ssvc_calculator
 
 logger = logging.getLogger(__name__)
 
@@ -184,117 +185,3 @@ def parse_cve_advisory(raw_data, advisory_url):
         weaknesses=sorted(weaknesses),
         url=advisory_url,
     )
-
-
-def ssvc_calculator(ssvc_data):
-    """
-    Return the ssvc vector and the decision value
-    """
-    options = ssvc_data.get("options", [])
-    timestamp = ssvc_data.get("timestamp")
-
-    # Extract the options into a dictionary
-    options_dict = {k: v.lower() for option in options for k, v in option.items()}
-
-    # We copied the table value from this link.
-    # https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf
-
-    # Determining Mission and Well-Being Impact Value
-    mission_well_being_table = {
-        # (Mission Prevalence, Public Well-being Impact) : "Mission & Well-being"
-        ("minimal", "minimal"): "low",
-        ("minimal", "material"): "medium",
-        ("minimal", "irreversible"): "high",
-        ("support", "minimal"): "medium",
-        ("support", "material"): "medium",
-        ("support", "irreversible"): "high",
-        ("essential", "minimal"): "high",
-        ("essential", "material"): "high",
-        ("essential", "irreversible"): "high",
-    }
-
-    if "Mission Prevalence" not in options_dict:
-        options_dict["Mission Prevalence"] = "minimal"
-
-    if "Public Well-being Impact" not in options_dict:
-        options_dict["Public Well-being Impact"] = "material"
-
-    options_dict["Mission & Well-being"] = mission_well_being_table[
-        (options_dict["Mission Prevalence"], options_dict["Public Well-being Impact"])
-    ]
-
-    decision_key = (
-        options_dict.get("Exploitation"),
-        options_dict.get("Automatable"),
-        options_dict.get("Technical Impact"),
-        options_dict.get("Mission & Well-being"),
-    )
-
-    decision_points = {
-        "Exploitation": {"E": {"none": "N", "poc": "P", "active": "A"}},
-        "Automatable": {"A": {"no": "N", "yes": "Y"}},
-        "Technical Impact": {"T": {"partial": "P", "total": "T"}},
-        "Public Well-being Impact": {"B": {"minimal": "M", "material": "A", "irreversible": "I"}},
-        "Mission Prevalence": {"P": {"minimal": "M", "support": "S", "essential": "E"}},
-        "Mission & Well-being": {"M": {"low": "L", "medium": "M", "high": "H"}},
-    }
-
-    # Create the SSVC vector
-    ssvc_vector = "SSVCv2/"
-    for key, value_map in options_dict.items():
-        options_key = decision_points.get(key)
-        for lhs, rhs_map in options_key.items():
-            ssvc_vector += f"{lhs}:{rhs_map.get(value_map)}/"
-
-    # "Decision": {"D": {"Track": "T", "Track*": "R", "Attend": "A", "Act": "C"}},
-    decision_values = {"Track": "T", "Track*": "R", "Attend": "A", "Act": "C"}
-
-    decision_lookup = {
-        ("none", "no", "partial", "low"): "Track",
-        ("none", "no", "partial", "medium"): "Track",
-        ("none", "no", "partial", "high"): "Track",
-        ("none", "no", "total", "low"): "Track",
-        ("none", "no", "total", "medium"): "Track",
-        ("none", "no", "total", "high"): "Track*",
-        ("none", "yes", "partial", "low"): "Track",
-        ("none", "yes", "partial", "medium"): "Track",
-        ("none", "yes", "partial", "high"): "Attend",
-        ("none", "yes", "total", "low"): "Track",
-        ("none", "yes", "total", "medium"): "Track",
-        ("none", "yes", "total", "high"): "Attend",
-        ("poc", "no", "partial", "low"): "Track",
-        ("poc", "no", "partial", "medium"): "Track",
-        ("poc", "no", "partial", "high"): "Track*",
-        ("poc", "no", "total", "low"): "Track",
-        ("poc", "no", "total", "medium"): "Track*",
-        ("poc", "no", "total", "high"): "Attend",
-        ("poc", "yes", "partial", "low"): "Track",
-        ("poc", "yes", "partial", "medium"): "Track",
-        ("poc", "yes", "partial", "high"): "Attend",
-        ("poc", "yes", "total", "low"): "Track",
-        ("poc", "yes", "total", "medium"): "Track*",
-        ("poc", "yes", "total", "high"): "Attend",
-        ("active", "no", "partial", "low"): "Track",
-        ("active", "no", "partial", "medium"): "Track",
-        ("active", "no", "partial", "high"): "Attend",
-        ("active", "no", "total", "low"): "Track",
-        ("active", "no", "total", "medium"): "Attend",
-        ("active", "no", "total", "high"): "Act",
-        ("active", "yes", "partial", "low"): "Attend",
-        ("active", "yes", "partial", "medium"): "Attend",
-        ("active", "yes", "partial", "high"): "Act",
-        ("active", "yes", "total", "low"): "Attend",
-        ("active", "yes", "total", "medium"): "Act",
-        ("active", "yes", "total", "high"): "Act",
-    }
-
-    decision = decision_lookup.get(decision_key, "")
-
-    if decision:
-        ssvc_vector += f"D:{decision_values.get(decision)}/"
-
-    if timestamp:
-        timestamp_formatted = dateparser.parse(timestamp).strftime("%Y-%m-%dT%H:%M:%SZ")
-
-        ssvc_vector += f"{timestamp_formatted}/"
-    return ssvc_vector, decision

vulnerabilities/tests/test_cve_schema.py

@@ -0,0 +1,68 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import os
+from unittest import TestCase
+
+from vulnerabilities.importers.cve_schema import parse_cve_v5_advisory
+from vulnerabilities.tests import util_tests
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/cve_schema")
+
+
+class TestCVESchemaV5(TestCase):
+    def test_to_advisories1(self):
+        with open(os.path.join(TEST_DATA, "vulnrichment-data1.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "vulnrichment-data1-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_to_advisorie2(self):
+        with open(os.path.join(TEST_DATA, "vulnrichment-data2.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "vulnrichment-data2-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_to_advisorie3(self):
+        with open(os.path.join(TEST_DATA, "vulnrichment-data3.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "vulnrichment-data3-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_to_advisories4(self):
+        with open(os.path.join(TEST_DATA, "cvelistv5-data1.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "cvelistv5-data1-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_to_advisorie5(self):
+        with open(os.path.join(TEST_DATA, "cvelistv5-data2.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "cvelistv5-data2-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_to_advisorie6(self):
+        with open(os.path.join(TEST_DATA, "cvelistv5-data3.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "cvelistv5-data3-expected.json")
+        imported_data = parse_cve_v5_advisory(mock_response, advisory_url="https://test.com")
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)

vulnerabilities/tests/test_data/cve_schema/cvelistv5-data1-expected.json

@@ -0,0 +1,61 @@
+{
+  "advisory_id": "CVE-2025-0950",
+  "aliases": [],
+  "summary": "A vulnerability was found in itsourcecode Tailoring Management System 1.0 and classified as critical. This issue affects some unknown processing of the file staffview.php. The manipulation of the argument staffid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
+  "affected_packages": [],
+  "references_v2": [
+    {
+      "reference_id": "?id.294305",
+      "reference_type": "advisory",
+      "url": "https://vuldb.com/?id.294305"
+    },
+    {
+      "reference_id": "?ctiid.294305",
+      "reference_type": "other",
+      "url": "https://vuldb.com/?ctiid.294305"
+    },
+    {
+      "reference_id": "7",
+      "reference_type": "bug",
+      "url": "https://github.com/magic2353112890/cve/issues/7"
+    },
+    {
+      "reference_id": "itsourcecode.com",
+      "reference_type": "other",
+      "url": "https://itsourcecode.com/"
+    }
+  ],
+  "severities": [
+    {
+      "system": "cvssv4",
+      "value": 5.3,
+      "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
+    },
+    {
+      "system": "cvssv3.1",
+      "value": 6.3,
+      "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "system": "cvssv3",
+      "value": 6.3,
+      "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "system": "cvssv2",
+      "value": 6.5,
+      "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+    },
+    {
+      "system": "ssvc",
+      "value": "Track",
+      "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T17:14:26Z/"
+    }
+  ],
+  "date_published": "2025-02-01T20:00:12.431000+00:00",
+  "weaknesses": [
+    74,
+    89
+  ],
+  "url": "https://test.com"
+}

vulnerabilities/tests/test_data/cve_schema/cvelistv5-data2-expected.json

@@ -0,0 +1,35 @@
+{
+  "advisory_id": "CVE-2024-0906",
+  "aliases": [],
+  "summary": "The f(x) Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. This makes it possible for unauthenticated attackers to obtain page and post contents of a site protected with this plugin.",
+  "affected_packages": [],
+  "references_v2": [
+    {
+      "reference_id": "79c3abc6-68fa-4c51-88fa-03ab7d26cc4c?source=cve",
+      "reference_type": "other",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79c3abc6-68fa-4c51-88fa-03ab7d26cc4c?source=cve"
+    },
+    {
+      "reference_id": "fx-private-site",
+      "reference_type": "other",
+      "url": "https://wordpress.org/plugins/fx-private-site/"
+    }
+  ],
+  "severities": [
+    {
+      "system": "cvssv3.1",
+      "value": 5.3,
+      "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "system": "ssvc",
+      "value": "Track",
+      "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T18:42:41Z/"
+    }
+  ],
+  "date_published": "2024-03-12T08:34:17.481000+00:00",
+  "weaknesses": [
+    200
+  ],
+  "url": "https://test.com"
+}

vulnerabilities/tests/test_data/cve_schema/cvelistv5-data3-expected.json

@@ -0,0 +1,35 @@
+{
+  "advisory_id": "CVE-2023-0710",
+  "aliases": [],
+  "summary": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'fname' attribute of the 'mf_thankyou' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form entry id, but the script itself is stored in the site database. Additionally this requires successful payment, increasing the complexity.",
+  "affected_packages": [],
+  "references_v2": [
+    {
+      "reference_id": "89a98053-33c7-4e75-87a1-0f483a990641?source=cve",
+      "reference_type": "other",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89a98053-33c7-4e75-87a1-0f483a990641?source=cve"
+    },
+    {
+      "reference_id": "shortcode.php?rev=2845078",
+      "reference_type": "other",
+      "url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
+    }
+  ],
+  "severities": [
+    {
+      "system": "cvssv3.1",
+      "value": 4.9,
+      "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    },
+    {
+      "system": "ssvc",
+      "value": "Track",
+      "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-23T13:13:32Z/"
+    }
+  ],
+  "date_published": "2023-06-09T05:33:23.543000+00:00",
+  "weaknesses": [
+    79
+  ],
+  "url": "https://test.com"
+}

vulnerabilities/tests/test_data/cve_schema/vulnrichment-data1-expected.json

@@ -1,48 +1,35 @@
 {
-  "aliases": [
-    "CVE-2024-3018"
-  ],
+  "advisory_id": "CVE-2024-3018",
+  "aliases": [],
   "summary": "The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the \"Login | Register Form\" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
   "affected_packages": [],
-  "references": [
+  "references_v2": [
     {
       "reference_id": "342049e5-834e-4867-8174-01ca7bb0caa2?source=cve",
       "reference_type": "other",
-      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/342049e5-834e-4867-8174-01ca7bb0caa2?source=cve",
-      "severities": [
-        {
-          "system": "cvssv3.1",
-          "value": 8.8,
-          "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-        },
-        {
-          "system": "ssvc",
-          "value": "Track",
-          "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-01T17:33:59Z/"
-        }
-      ]
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/342049e5-834e-4867-8174-01ca7bb0caa2?source=cve"
     },
     {
       "reference_id": "essential-addons-for-elementor-lite",
       "reference_type": "other",
-      "url": "https://plugins.trac.wordpress.org/changeset/3060417/essential-addons-for-elementor-lite",
-      "severities": [
-        {
-          "system": "cvssv3.1",
-          "value": 8.8,
-          "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-        },
-        {
-          "system": "ssvc",
-          "value": "Track",
-          "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-01T17:33:59Z/"
-        }
-      ]
+      "url": "https://plugins.trac.wordpress.org/changeset/3060417/essential-addons-for-elementor-lite"
+    }
+  ],
+  "severities": [
+    {
+      "system": "cvssv3.1",
+      "value": 8.8,
+      "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "system": "ssvc",
+      "value": "Track",
+      "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-01T17:33:59Z/"
     }
   ],
   "date_published": "2024-03-30T11:17:25.675000+00:00",
   "weaknesses": [
     502
   ],
-  "url": "http://test.com"
+  "url": "https://test.com"
 }