Merge pull request #58 from Ostorlab/fix/dna_include_cve
Include CVEs in the dna
3asm authored Mar 27, 2024
2 parents 64b1029 + 80067a7 commit 69fd534
Showing 2 changed files with 15 additions and 13 deletions.
6 changes: 4 additions & 2 deletions agent/osv_output_handler.py
Expand Up @@ -32,6 +32,7 @@
"POTENTIALLY": 5,
}

MAX_SHOWN_CVES = 10

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -378,7 +379,8 @@ def construct_vuln(
technical_detail = f"Dependency `{vuln.package_name}` Found in {path} has a security issue: \n"
technical_detail += f"```\n{vuln.description}\n```"
else:
title = f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}: {', '.join(vuln.cves)}"
vuln.cves.sort(reverse=True)
title = f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}: {', '.join(vuln.cves[:MAX_SHOWN_CVES])}"

technical_detail = ""
if path is not None:
Expand Down Expand Up @@ -411,7 +413,7 @@ def construct_vuln(
targeted_by_nation_state=False,
recommendation=recommendation,
),
dna=f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}",
dna=f"Use of Outdated Vulnerable Component: {vuln.package_name}@{vuln.package_version}: {','.join(vuln.cves[:MAX_SHOWN_CVES])}",
technical_detail=technical_detail,
risk_rating=agent_report_vulnerability_mixin.RiskRating[
vuln.risk.upper()
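Review bot: `vuln.cves.sort(reverse=True)` in the else branch orders the ids as strings, so the newest-first order it appears to aim for breaks whenever the per-year serial has a different width — the expected values in tests/osv_agent_test.py show `CVE-2019-10744` ahead of `CVE-2019-1010266` and `CVE-2018-3721` ahead of `CVE-2018-16487`. If every entry in `vuln.cves` is a `CVE-YYYY-N` id (not verifiable from this hunk), a numeric key fixes it and also stops mutating the caller's list in place: `cves = sorted(vuln.cves, key=lambda c: tuple(int(p) for p in c.split("-")[1:]), reverse=True)`, then use `cves[:MAX_SHOWN_CVES]` for both the title and the dna. If the dna in the next hunk is the deduplication key, as its name and the PR title suggest, capping it at `MAX_SHOWN_CVES` means two findings for the same package and version that differ only beyond the tenth id collapse into one, and an empty list yields a dna with a dangling `: ` (the last assertion in tests/osv_agent_test.py pins exactly that); a comment on `MAX_SHOWN_CVES` stating that it bounds both the displayed and the deduplicated ids would make that trade-off explicit. construct_vuln begins and ends outside the hunks.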
22 changes: 11 additions & 11 deletions tests/osv_agent_test.py
Expand Up @@ -52,7 +52,7 @@ def testAgentOSV_whenAnalysisRunsWithoutPathWithContent_processMessage(
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2022-1941"
)
assert agent_mock[0].data["risk_rating"] == "HIGH"

Expand Down Expand Up @@ -244,12 +244,12 @@ def testAgentOSV_whenFingerprintMessage_processMessage(

assert (
agent_mock[0].data["title"]
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2018-3721, CVE-2018-16487, CVE-2019-1010266, CVE-2019-10744, CVE-2020-8203, CVE-2020-28500, CVE-2021-23337"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-3721, CVE-2018-16487"
)
assert agent_mock[0].data["risk_rating"] == "CRITICAL"
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337,CVE-2020-8203,CVE-2020-28500,CVE-2019-10744,CVE-2019-1010266,CVE-2018-3721,CVE-2018-16487"
)


Expand All @@ -273,11 +273,11 @@ def testAgentOSV_whenRiskLowerCase_doesNotCrash(

assert (
agent_mock[0].data["title"]
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2018-3721, CVE-2018-16487, CVE-2019-1010266, CVE-2019-10744, CVE-2020-8203, CVE-2020-28500, CVE-2021-23337"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-3721, CVE-2018-16487"
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337,CVE-2020-8203,CVE-2020-28500,CVE-2019-10744,CVE-2019-1010266,CVE-2018-3721,CVE-2018-16487"
)

assert agent_mock[0].data["risk_rating"] == "CRITICAL"
Expand All @@ -299,7 +299,7 @@ def testAgentOSV_whenRiskLowerCase_doesNotCrash(
assert agent_mock[0].data["short_description"] == "Prototype Pollution in lodash"
assert agent_mock[0].data["description"] == (
"""Dependency `lodash` with version `4.7.11` has a security issue.
The issue is identified by CVEs: `CVE-2018-3721, CVE-2018-16487, CVE-2019-1010266, CVE-2019-10744, CVE-2020-8203, CVE-2020-28500, CVE-2021-23337`."""
The issue is identified by CVEs: `CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-3721, CVE-2018-16487`."""
)


Expand Down Expand Up @@ -334,11 +334,11 @@ def __init__(self, cve_id: str, api_key: str | None = None):

assert (
agent_mock[0].data["title"]
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2018-3721, CVE-2018-16487, CVE-2019-1010266, CVE-2019-10744, CVE-2020-8203, CVE-2020-28500, CVE-2021-23337"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-3721, CVE-2018-16487"
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2021-23337,CVE-2020-8203,CVE-2020-28500,CVE-2019-10744,CVE-2019-1010266,CVE-2018-3721,CVE-2018-16487"
)
assert agent_mock[0].data["risk_rating"] == "CRITICAL"
assert (
Expand Down Expand Up @@ -374,7 +374,7 @@ def testAgentOSV_always_emitVulnWithValidTechnicalDetail(
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2019-10061"
)
assert agent_mock[0].data["risk_rating"] == "CRITICAL"
assert (
Expand Down Expand Up @@ -470,7 +470,7 @@ def testAgentOSV_whenPathInMessage_technicalDetailShouldIncludeIt(
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: CVE-2019-10061"
)
assert agent_mock[0].data["risk_rating"] == "CRITICAL"
assert agent_mock[0].data["technical_detail"] == (
Expand Down Expand Up @@ -511,7 +511,7 @@ def testAgentOSV_whenElfLibraryFingerprintMessage_shouldExcludeNpmEcosystemVulnz
)
assert (
agent_mock[0].data["dna"]
== "Use of Outdated Vulnerable Component: [email protected]"
== "Use of Outdated Vulnerable Component: [email protected]: "
)
assert agent_mock[0].data["risk_rating"] == "POTENTIALLY"
assert agent_mock[0].data["technical_detail"] == (
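Review bot: None of the updated assertions exercises the `MAX_SHOWN_CVES` cap added in agent/osv_output_handler.py — the largest fixture here carries seven ids, so the `[:MAX_SHOWN_CVES]` slice in title and dna is never reached. A fixture with more than ten ids, asserting `assert agent_mock[0].data["dna"].count("CVE-") == MAX_SHOWN_CVES` and that the title lists the same ten, would pin the cap and its sort order together. The last hunk pins a dna ending in `: ` for an empty CVE list, which reads as an artifact of the unconditional join rather than an intended contract; if it is kept, a one-line comment such as `# no CVEs known: dna keeps the bare package@version prefix plus the separator` next to that assertion would stop the next reader from "fixing" either side. The `[email protected]` fragments on this page look like the renderer's e-mail obfuscation of the `name@version` strings rather than the literal test text.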
