|
| 1 | +import datetime |
| 2 | +import pytz |
| 3 | +from unittest import TestCase |
| 4 | + |
| 5 | +from packageurl import PackageURL |
| 6 | +from univers.version_range import VersionRange |
| 7 | + |
| 8 | +from vulnerabilities.importer import AdvisoryData, AffectedPackage, Reference, VulnerabilitySeverity |
| 9 | +from vulnerabilities.severity_systems import SCORING_SYSTEMS |
| 10 | +from vulnerabilities.utils import compute_content_id |
| 11 | + |
| 12 | + |
| 13 | +class TestComputeContentId(TestCase): |
| 14 | + def setUp(self): |
| 15 | + self.maxDiff = None |
| 16 | + self.base_advisory = AdvisoryData( |
| 17 | + summary="Test summary", |
| 18 | + affected_packages=[ |
| 19 | + AffectedPackage( |
| 20 | + package=PackageURL( |
| 21 | + type="npm", |
| 22 | + name="package1", |
| 23 | + qualifiers={}, |
| 24 | + ), |
| 25 | + affected_version_range=VersionRange.from_string("vers:npm/>=1.0.0|<2.0.0"), |
| 26 | + ) |
| 27 | + ], |
| 28 | + references=[ |
| 29 | + Reference( |
| 30 | + url="https://example.com/vuln1", |
| 31 | + reference_id="GHSA-1234-5678-9012", |
| 32 | + severities=[ |
| 33 | + VulnerabilitySeverity( |
| 34 | + system=SCORING_SYSTEMS["cvssv3.1"], |
| 35 | + value="7.5", |
| 36 | + ) |
| 37 | + ], |
| 38 | + ) |
| 39 | + ], |
| 40 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 41 | + ) |
| 42 | + |
| 43 | + def test_same_content_different_order_same_id(self): |
| 44 | + """ |
| 45 | + Test that advisories with same content but different ordering have same content ID |
| 46 | + """ |
| 47 | + advisory1 = self.base_advisory |
| 48 | + |
| 49 | + # Same content but different order of references and affected packages |
| 50 | + advisory2 = AdvisoryData( |
| 51 | + summary="Test summary", |
| 52 | + affected_packages=list(reversed(self.base_advisory.affected_packages)), |
| 53 | + references=list(reversed(self.base_advisory.references)), |
| 54 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 55 | + ) |
| 56 | + |
| 57 | + self.assertEqual( |
| 58 | + compute_content_id(advisory1), |
| 59 | + compute_content_id(advisory2), |
| 60 | + ) |
| 61 | + |
| 62 | + def test_different_metadata_same_content_same_id(self): |
| 63 | + """ |
| 64 | + Test that advisories with same content but different metadata have same content ID |
| 65 | + when include_metadata=False |
| 66 | + """ |
| 67 | + advisory1 = self.base_advisory |
| 68 | + |
| 69 | + advisory2 = AdvisoryData( |
| 70 | + summary="Test summary", |
| 71 | + affected_packages=self.base_advisory.affected_packages, |
| 72 | + references=self.base_advisory.references, |
| 73 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 74 | + created_by="different_importer", |
| 75 | + url="https://different.url", |
| 76 | + ) |
| 77 | + |
| 78 | + self.assertEqual( |
| 79 | + compute_content_id(advisory1), |
| 80 | + compute_content_id(advisory2), |
| 81 | + ) |
| 82 | + |
| 83 | + def test_different_metadata_different_id_when_included(self): |
| 84 | + """ |
| 85 | + Test that advisories with same content but different metadata have different content IDs |
| 86 | + when include_metadata=True |
| 87 | + """ |
| 88 | + advisory1 = self.base_advisory |
| 89 | + |
| 90 | + advisory2 = AdvisoryData( |
| 91 | + summary="Test summary", |
| 92 | + affected_packages=self.base_advisory.affected_packages, |
| 93 | + references=self.base_advisory.references, |
| 94 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 95 | + created_by="different_importer", |
| 96 | + url="https://different.url", |
| 97 | + ) |
| 98 | + |
| 99 | + self.assertNotEqual( |
| 100 | + compute_content_id(advisory1, include_metadata=True), |
| 101 | + compute_content_id(advisory2, include_metadata=True), |
| 102 | + ) |
| 103 | + |
| 104 | + def test_different_summary_different_id(self): |
| 105 | + """ |
| 106 | + Test that advisories with different summaries have different content IDs |
| 107 | + """ |
| 108 | + advisory1 = self.base_advisory |
| 109 | + |
| 110 | + advisory2 = AdvisoryData( |
| 111 | + summary="Different summary", |
| 112 | + affected_packages=self.base_advisory.affected_packages, |
| 113 | + references=self.base_advisory.references, |
| 114 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 115 | + ) |
| 116 | + |
| 117 | + self.assertNotEqual( |
| 118 | + compute_content_id(advisory1), |
| 119 | + compute_content_id(advisory2), |
| 120 | + ) |
| 121 | + |
| 122 | + def test_different_affected_packages_different_id(self): |
| 123 | + """ |
| 124 | + Test that advisories with different affected packages have different content IDs |
| 125 | + """ |
| 126 | + advisory1 = self.base_advisory |
| 127 | + |
| 128 | + advisory2 = AdvisoryData( |
| 129 | + summary="Test summary", |
| 130 | + affected_packages=[ |
| 131 | + AffectedPackage( |
| 132 | + package=PackageURL( |
| 133 | + type="npm", |
| 134 | + name="different-package", |
| 135 | + qualifiers={}, |
| 136 | + ), |
| 137 | + affected_version_range=VersionRange.from_string("vers:npm/>=1.0.0|<2.0.0"), |
| 138 | + ) |
| 139 | + ], |
| 140 | + references=self.base_advisory.references, |
| 141 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 142 | + ) |
| 143 | + |
| 144 | + self.assertNotEqual( |
| 145 | + compute_content_id(advisory1), |
| 146 | + compute_content_id(advisory2), |
| 147 | + ) |
| 148 | + |
| 149 | + def test_different_references_different_id(self): |
| 150 | + """ |
| 151 | + Test that advisories with different references have different content IDs |
| 152 | + """ |
| 153 | + advisory1 = self.base_advisory |
| 154 | + |
| 155 | + advisory2 = AdvisoryData( |
| 156 | + summary="Test summary", |
| 157 | + affected_packages=self.base_advisory.affected_packages, |
| 158 | + references=[ |
| 159 | + Reference( |
| 160 | + url="https://example.com/different-vuln", |
| 161 | + reference_id="GHSA-9999-9999-9999", |
| 162 | + severities=[ |
| 163 | + VulnerabilitySeverity( |
| 164 | + system=SCORING_SYSTEMS["cvssv3.1"], |
| 165 | + value="8.5", |
| 166 | + ) |
| 167 | + ], |
| 168 | + ) |
| 169 | + ], |
| 170 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 171 | + ) |
| 172 | + |
| 173 | + self.assertNotEqual( |
| 174 | + compute_content_id(advisory1), |
| 175 | + compute_content_id(advisory2), |
| 176 | + ) |
| 177 | + |
| 178 | + def test_different_weaknesses_different_id(self): |
| 179 | + """ |
| 180 | + Test that advisories with different weaknesses have different content IDs |
| 181 | + """ |
| 182 | + advisory1 = AdvisoryData( |
| 183 | + summary="Test summary", |
| 184 | + affected_packages=self.base_advisory.affected_packages, |
| 185 | + references=self.base_advisory.references, |
| 186 | + weaknesses=[1, 2, 3], |
| 187 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 188 | + ) |
| 189 | + |
| 190 | + advisory2 = AdvisoryData( |
| 191 | + summary="Test summary", |
| 192 | + affected_packages=self.base_advisory.affected_packages, |
| 193 | + references=self.base_advisory.references, |
| 194 | + weaknesses=[4, 5, 6], |
| 195 | + date_published=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC), |
| 196 | + ) |
| 197 | + |
| 198 | + self.assertNotEqual( |
| 199 | + compute_content_id(advisory1), |
| 200 | + compute_content_id(advisory2), |
| 201 | + ) |
| 202 | + |
| 203 | + def test_empty_fields_same_id(self): |
| 204 | + """ |
| 205 | + Test that advisories with empty optional fields still generate same content ID |
| 206 | + """ |
| 207 | + advisory1 = AdvisoryData( |
| 208 | + summary="", |
| 209 | + affected_packages=self.base_advisory.affected_packages, |
| 210 | + references=self.base_advisory.references, |
| 211 | + date_published=None, |
| 212 | + ) |
| 213 | + |
| 214 | + advisory2 = AdvisoryData( |
| 215 | + summary="", |
| 216 | + affected_packages=self.base_advisory.affected_packages, |
| 217 | + references=self.base_advisory.references, |
| 218 | + date_published=None, |
| 219 | + ) |
| 220 | + |
| 221 | + self.assertEqual( |
| 222 | + compute_content_id(advisory1), |
| 223 | + compute_content_id(advisory2), |
| 224 | + ) |
0 commit comments