From a973fb77342d3d4bf72c0e2872a78ce3ac4343a3 Mon Sep 17 00:00:00 2001 From: Kartik Date: Fri, 9 Jun 2017 16:39:41 +0530 Subject: [PATCH 01/12] #1 Query cve-search' db --- api_data.py | 34 ++++++++++++++++++++++++++++++++ test_api_data.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 api_data.py create mode 100644 test_api_data.py diff --git a/api_data.py b/api_data.py new file mode 100644 index 000000000..534c1243f --- /dev/null +++ b/api_data.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python + +import json +from urllib import urlopen + +def output_cve_id(): + """Takes as input, a package name, package version. + Queries cve-search' dataset for any reported + vulnerabilities of the requested package. If + vulnerability exists, outputs cve-id(s). + """ + package_name = raw_input('Enter package name: ') + user_choice = raw_input('Do you have a package version? (Y/N): ') + + if user_choice == 'Y' or user_choice == 'y': + package_ver = raw_input('Enter package version: ') + url = 'https://cve.circl.lu/api/search/' + package_name + package_ver + + else: + url = 'https://cve.circl.lu/api/search/' + package_name + + raw_data = urlopen(url).read() + data = json.loads(raw_data) + + if len(data) > 0: + print 'Vulnerabilties Found:\n' + + for item in data['data']: + print item['id'] + else: + print 'No vulnerabilites found' + +if __name__ == '__main__': + output_cve_id() \ No newline at end of file diff --git a/test_api_data.py b/test_api_data.py new file mode 100644 index 000000000..5081830b2 --- /dev/null +++ b/test_api_data.py 
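Review bot: The version branch of `output_cve_id` builds the request as `url = 'https://cve.circl.lu/api/search/' + package_name + package_ver`, so name and version are run together with no `/` between them and the path never has the `search/<name>/<version>` shape the else branch implies; it should read `url = 'https://cve.circl.lu/api/search/' + package_name + '/' + package_ver`. The `if len(data) > 0:` check tests the top-level dict, which presumably always carries a `data` key, so an empty result list still prints 'Vulnerabilties Found'; `if data.get('data'):` is the intended test. The user-typed package name is also placed into the URL path unescaped, so whitespace or `/` in the input alters which endpoint is queried instead of being looked up literally — `urllib.quote(package_name, safe='')` before concatenation keeps it a single path segment.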
@@ -0,0 +1,50 @@ +import api_data as api + +from mock import Mock +import pytest +from urllib import urlopen + +test_data = ''' +{ "data": [ + { + "Modified": "2008-11-15T00:00:00", + "Published": "2007-02-19T21:28:00", + "access": { + "authentication": "NONE", + "complexity": "MEDIUM", + "vector": "NETWORK" + }, + "cvss": 4.3, + "cvss-time": "2007-02-20T14:55:00", + "id": CVE-2007-1004" + "impact": { + "availability": "NONE", + "confidentiality": "NONE", + "integrity": "PARTIAL" + }, + "reason": "Link", + "references": [ + "http://securityreason.com/securityalert/2264", + "http://www.securityfocus.com/archive/1/archive/1/460369/100/0/threaded", + "http://www.securityfocus.com/archive/1/archive/1/460412/100/0/threaded", + "http://www.securityfocus.com/archive/1/archive/1/460617/100/0/threaded", + "http://www.securityfocus.com/bid/22601", + "http://xforce.iss.net/xforce/xfdb/32580" + ], + "summary": "Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.", + "vulnerable_configuration": [ + "cpe:2.3:a:mozilla:firefox:2.0:rc3" + ], + "vulnerable_configuration_cpe_2_2": [ + "cpe:/a:mozilla:firefox:2.0:rc3" + ]}]} +''' + +def test_output_cve_id(): + + ##BUG## + api.urlopen = Mock() + api.urlopen.return_value = test_data + api.output_cve_id() + + assert api.output_cve_id.data["data"]["item"] == "CVE-2007-1004" \ No newline at end of file From 1f3bf763f38c862534802155e42c3d40d26ad6af Mon Sep 17 00:00:00 2001 From: Kartik Date: Fri, 9 Jun 2017 19:32:24 +0530 Subject: [PATCH 02/12] #1 Use args instead of user-input --- api_data.py | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/api_data.py b/api_data.py index 534c1243f..fb715c411 100644 --- a/api_data.py +++ b/api_data.py 
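Review bot: The mock in `test_output_cve_id` cannot intercept the call as written: `api.urlopen.return_value = test_data` makes `urlopen(url)` return a plain string, and the code under test then calls `.read()` on it, while the final assertion reads `api.output_cve_id.data[...]`, an attribute a function does not have. The double needs a `read` method and the assertion should check what the function returns or prints, e.g. `api.urlopen = Mock(return_value=Mock(read=Mock(return_value=test_data)))`. `test_data` is also not valid JSON — the `"id"` value lacks its opening quote and the comma after it — so `json.loads` would raise before any assertion runs. The `##BUG##` marker says as much; the test should not land in this state.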
@@ -1,34 +1,35 @@ #!/usr/bin/env python import json -from urllib import urlopen +import sys -def output_cve_id(): +"""Py version check""" +if sys.version_info[0] == 3: + from urllib.request import urlopen +else: + from urllib import urlopen + +def output_cve_id(type=None, name=None, version=None): """Takes as input, a package name, package version. Queries cve-search' dataset for any reported vulnerabilities of the requested package. If vulnerability exists, outputs cve-id(s). """ - package_name = raw_input('Enter package name: ') - user_choice = raw_input('Do you have a package version? (Y/N): ') - - if user_choice == 'Y' or user_choice == 'y': - package_ver = raw_input('Enter package version: ') - url = 'https://cve.circl.lu/api/search/' + package_name + package_ver - + if version: + url = 'https://cve.circl.lu/api/search/' + name + version else: - url = 'https://cve.circl.lu/api/search/' + package_name + url = 'https://cve.circl.lu/api/search/' + name raw_data = urlopen(url).read() data = json.loads(raw_data) - if len(data) > 0: - print 'Vulnerabilties Found:\n' + if data: + print ('Vulnerabilties Found:\n') for item in data['data']: - print item['id'] + print (item['id']) else: - print 'No vulnerabilites found' + print ('No vulnerabilites found') if __name__ == '__main__': output_cve_id() \ No newline at end of file From 115933b6702a918f7f7947e01021d6b250aa2c6f Mon Sep 17 00:00:00 2001 From: Kartik Date: Sat, 10 Jun 2017 01:41:19 +0530 Subject: [PATCH 03/12] #1 Use format --- api_data.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api_data.py b/api_data.py index fb715c411..a3abe27fc 100644 --- a/api_data.py +++ b/api_data.py 
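Review bot: `output_cve_id()` is still called from the `__main__` guard with no arguments, so `name` is `None` and `'https://cve.circl.lu/api/search/' + name` raises `TypeError` on every direct run; either parse `sys.argv` there or guard the function with `if not name: return`. The new `type` parameter shadows the builtin and is never read anywhere in the hunk, so it should be dropped or renamed (e.g. `package_type`). The `"""Py version check"""` line is a string expression statement rather than a comment; use `# Py version check`. `name + version` still concatenates without a `/` separator, as in the previous commit.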
@@ -10,15 +10,15 @@ from urllib import urlopen def output_cve_id(type=None, name=None, version=None): - """Takes as input, a package name, package version. + """Take as input, a package name, package version. Queries cve-search' dataset for any reported vulnerabilities of the requested package. If vulnerability exists, outputs cve-id(s). """ if version: - url = 'https://cve.circl.lu/api/search/' + name + version + url = ('https://cve.circl.lu/api/search/{}/{}').format(name,version) else: - url = 'https://cve.circl.lu/api/search/' + name + url = ('https://cve.circl.lu/api/search/{}').format(name) raw_data = urlopen(url).read() data = json.loads(raw_data) From 4e5d290b925a1fb9d74628ff8c64f9ed8ef86d60 Mon Sep 17 00:00:00 2001 From: Kartik Date: Fri, 16 Jun 2017 09:29:40 +0530 Subject: [PATCH 04/12] #1 general fixes --- api_data.py | 49 +++++++++++++++++++++++-------------------------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/api_data.py b/api_data.py index a3abe27fc..7ebd1376c 100644 --- a/api_data.py +++ b/api_data.py 
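Review bot: `name` and `version` are interpolated straight into the request path in both `url` assignments, so a value containing `/`, `?`, `#` or whitespace changes which endpoint is queried rather than being looked up as a literal package name; escape each with `quote(name, safe='')` (`urllib.parse.quote` on Python 3, `urllib.quote` on Python 2, selected by the same version switch that picks `urlopen` above this hunk). The parentheses around the literal in `('https://cve.circl.lu/api/search/{}/{}').format(name,version)` are unnecessary and the missing space after the comma is a PEP 8 nit: `'https://cve.circl.lu/api/search/{}/{}'.format(name, version)`.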
@@ -2,34 +2,31 @@ import json import sys +from urllib.request import urlopen -"""Py version check""" -if sys.version_info[0] == 3: - from urllib.request import urlopen -else: - from urllib import urlopen +def output_cve_id(type=None, name=None, version=None): + """Take as input, a package name, package version. + Queries cve-search' dataset for any reported + vulnerabilities of the requested package. If + vulnerability exists, outputs cve-id(s). + """ + if not name: + return None -def output_cve_id(type=None, name=None, version=None): - """Take as input, a package name, package version. - Queries cve-search' dataset for any reported - vulnerabilities of the requested package. If - vulnerability exists, outputs cve-id(s). - """ - if version: - url = ('https://cve.circl.lu/api/search/{}/{}').format(name,version) - else: - url = ('https://cve.circl.lu/api/search/{}').format(name) - - raw_data = urlopen(url).read() - data = json.loads(raw_data) + if version: + url = 'https://cve.circl.lu/api/search/{name}/{version}' + else: + url = 'https://cve.circl.lu/api/search/{name}' - if data: - print ('Vulnerabilties Found:\n') - - for item in data['data']: - print (item['id']) - else: - print ('No vulnerabilites found') + raw_data = urlopen(url).read() + + data = json.loads(raw_data) + + if data: + for item in data['data']: + return item['id'] + else: + return None if __name__ == '__main__': - output_cve_id() \ No newline at end of file + output_cve_id() From d2dad49abd3fa12b4a97708d6539deb151b28b0d Mon Sep 17 00:00:00 2001 From: Kartik Date: Sat, 17 Jun 2017 12:54:19 +0530 Subject: [PATCH 05/12] #1 Changes in testdata --- test_api_data.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/test_api_data.py b/test_api_data.py index 5081830b2..6b39edb14 100644 --- a/test_api_data.py +++ b/test_api_data.py @@ -2,7 +2,7 @@ from mock import Mock import pytest -from urllib import urlopen +from urllib.request import urlopen test_data = ''' { "data": [ 
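Review bot: Both `url` literals in `output_cve_id` are written as plain strings — `url = 'https://cve.circl.lu/api/search/{name}/{version}'` — so the braces are never substituted and the request is sent to the literal `{name}` path; they need the `f` prefix (or `.format`). The `for item in data['data']: return item['id']` loop returns on its first iteration, so callers only ever see one CVE id even when several are reported; collect the ids into a list and return it after the loop. `import sys` stays as a context line although the version switch that used it is removed in this hunk. Returning `None` for both 'no name given' and 'no results' also makes the two cases indistinguishable to the caller.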
@@ -16,7 +16,7 @@ }, "cvss": 4.3, "cvss-time": "2007-02-20T14:55:00", - "id": CVE-2007-1004" + "id": "CVE-2007-1004", "impact": { "availability": "NONE", "confidentiality": "NONE", @@ -31,7 +31,7 @@ "http://www.securityfocus.com/bid/22601", "http://xforce.iss.net/xforce/xfdb/32580" ], - "summary": "Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.", + "summary": "Mozilla Firefox might allow remote", "vulnerable_configuration": [ "cpe:2.3:a:mozilla:firefox:2.0:rc3" ], @@ -41,10 +41,9 @@ ''' def test_output_cve_id(): - - ##BUG## - api.urlopen = Mock() - api.urlopen.return_value = test_data - api.output_cve_id() + #BUG: + api.urlopen.read = Mock() + api.urlopen.read.return_value = test_data + api.output_cve_id() - assert api.output_cve_id.data["data"]["item"] == "CVE-2007-1004" \ No newline at end of file + assert api.output_cve_id(name="test") == "CVE-2007-1004" From 892a28ced8a782e74d276f962d41b9cc037bff90 Mon Sep 17 00:00:00 2001 From: Kartik Date: Mon, 19 Jun 2017 00:24:18 +0530 Subject: [PATCH 06/12] #1 Minor fixes --- api_data.py | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/api_data.py b/api_data.py index 7ebd1376c..076334741 100644 --- a/api_data.py +++ b/api_data.py 
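Review bot: The mock in the last hunk still does not intercept the network call: `api.urlopen.read = Mock()` sets a `read` attribute on the `urlopen` function object, whereas `output_cve_id` calls `urlopen(url).read()` on the response that function returns, so `test_output_cve_id` performs a live request to cve.circl.lu and the assertion depends on remote data. Replace the two mock lines with `api.urlopen = Mock(return_value=Mock(read=Mock(return_value=test_data)))`, which is what the `read` double was meant to achieve. The bare `api.output_cve_id()` call passes no `name`, returns immediately and exercises nothing; it and the `#BUG:` marker can go once the double works. `from urllib.request import urlopen` in the first hunk is not used anywhere in this file.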
@@ -10,23 +10,30 @@ def output_cve_id(type=None, name=None, version=None): vulnerabilities of the requested package. If vulnerability exists, outputs cve-id(s). """ + id = [] + if not name: - return None + return if version: - url = 'https://cve.circl.lu/api/search/{name}/{version}' + url = f'https://cve.circl.lu/api/search/{name}/{version}' else: - url = 'https://cve.circl.lu/api/search/{name}' + url = f'https://cve.circl.lu/api/search/{name}' raw_data = urlopen(url).read() - data = json.loads(raw_data) - if data: + if data and name and not version: for item in data['data']: - return item['id'] - else: - return None + id.append(item['id']) + + return id + + if data and version and name: + for item in data: + id.append(item['id']) + + return id if __name__ == '__main__': output_cve_id() From 2c542bde7429f48a24a9e11a61f0616f6a2a1240 Mon Sep 17 00:00:00 2001 From: Kartik Date: Tue, 20 Jun 2017 23:07:03 +0530 Subject: [PATCH 07/12] #2 Return cvss,summary and cve-ids --- api_data.py | 67 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 51 insertions(+), 16 deletions(-) diff --git a/api_data.py b/api_data.py index 076334741..6a7228ac4 100644 --- a/api_data.py +++ b/api_data.py 
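Review bot: `id = []` at the top of `output_cve_id` shadows the builtin `id`; `cve_ids = []` reads better and avoids masking it inside the loops. The two result branches are not symmetric — the name-only branch iterates `data['data']` while the name-and-version branch iterates `data` directly — which presumably reflects two different response shapes from the endpoint, and a one-line comment saying so would save the next reader a lookup. When `data` is falsy neither branch runs and the function falls off the end, so callers get `None` in that case and a list otherwise; add `return id` after the branches so the return type is consistent. The `and name` in both conditions is redundant after the `if not name: return` guard.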
@@ -1,19 +1,43 @@ #!/usr/bin/env python +# +# Copyright (c) 2017 nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode require an acknowledgment. +# VulnerableCode is a trademark of nexB Inc. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. import json -import sys from urllib.request import urlopen +ids = [] +cvss = [] +summary = [] + def output_cve_id(type=None, name=None, version=None): - """Take as input, a package name, package version. - Queries cve-search' dataset for any reported - vulnerabilities of the requested package. If - vulnerability exists, outputs cve-id(s). """ - id = [] - + Outputs cve-ids, if any, related to a package. 
+ Take as input, a package name, type, package version and + query cve-search' dataset for any reported vulnerabilities + """ if not name: - return + return if version: url = f'https://cve.circl.lu/api/search/{name}/{version}' @@ -23,17 +47,28 @@ def output_cve_id(type=None, name=None, version=None): raw_data = urlopen(url).read() data = json.loads(raw_data) + """ + Extract CVE-IDs & CVSS scores associated with + a package. + """ if data and name and not version: for item in data['data']: - id.append(item['id']) + try: + ids.append(item['id']) + cvss.append(item['cvss']) + summary.append(item['summary']) + except TypeError: + cvss.append(None) - return id + return ids, cvss, summary - if data and version and name: + if data and version: for item in data: - id.append(item['id']) - - return id + try: + ids.append(item['id']) + cvss.append(item['cvss']) + summary.append(item['summary']) + except TypeError: + cvss.append(None) -if __name__ == '__main__': - output_cve_id() + return ids, cvss, summary From 50e094b11a5865b0ed44aa26befd22e44c77c2db Mon Sep 17 00:00:00 2001 From: Kartik Date: Wed, 21 Jun 2017 15:35:51 +0530 Subject: [PATCH 08/12] #2 Remove boilerplate code --- api_data.py | 50 ++++++++++++++++++++------------------------------ 1 file changed, 20 insertions(+), 30 deletions(-) diff --git a/api_data.py b/api_data.py index 6a7228ac4..e12a24504 100644 --- a/api_data.py +++ b/api_data.py 
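Review bot: `ids`, `cvss` and `summary` are module-level lists that `output_cve_id` appends to in the second hunk and never clears, so each call returns the accumulated findings of every previous call in the process; create the three lists inside the function instead. The `except TypeError:` handlers append to `cvss` only, leaving the three lists out of step with each other, and a missing key on `item` raises `KeyError`, not `TypeError`, so the handler does not cover the case it seems meant for — returning one dict per finding (`{'id': ..., 'cvss': ..., 'summary': ...}`) would remove the parallel-list bookkeeping altogether. The `"""Extract CVE-IDs ..."""` string inside the body is an expression statement, not a comment; use `#`. The `if __name__ == '__main__'` block is also deleted here, which the commit message does not mention.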
@@ -26,49 +26,39 @@ import json from urllib.request import urlopen -ids = [] -cvss = [] -summary = [] - -def output_cve_id(type=None, name=None, version=None): +def data_cve_circl(name, version=None): """ Outputs cve-ids, if any, related to a package. Take as input, a package name, type, package version and query cve-search' dataset for any reported vulnerabilities """ - if not name: - return + url = f'https://cve.circl.lu/api/search/{name}' if version: - url = f'https://cve.circl.lu/api/search/{name}/{version}' - else: - url = f'https://cve.circl.lu/api/search/{name}' + url += f'/{version}' raw_data = urlopen(url).read() data = json.loads(raw_data) + return data + +def extract_fields(data, fields_names, version=False): """ - Extract CVE-IDs & CVSS scores associated with - a package. + Extracts requested data fields using data generated by + cve-search' api. Takes as input data, fields requested """ - if data and name and not version: - for item in data['data']: - try: - ids.append(item['id']) - cvss.append(item['cvss']) - summary.append(item['summary']) - except TypeError: - cvss.append(None) + extracted_data = [] + + if version: + data = data + else: + data = data['data'] - return ids, cvss, summary + for item in data: + results = {} + for name in fields_names: + results[name] = item[name] - if data and version: - for item in data: - try: - ids.append(item['id']) - cvss.append(item['cvss']) - summary.append(item['summary']) - except TypeError: - cvss.append(None) + extracted_data.append(results) - return ids, cvss, summary + return extracted_data From fe1441d1ff1a012531acc70db8210a44e5fc9842 Mon Sep 17 00:00:00 2001 From: Kartik Date: Thu, 22 Jun 2017 23:40:22 +0530 Subject: [PATCH 09/12] #2 Remove dict comprehension --- api_data.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/api_data.py b/api_data.py index e12a24504..18d1cd3bc 100644 --- a/api_data.py +++ b/api_data.py 
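Review bot: In `extract_fields`, `if version: data = data` is a no-op, so the branch reduces to `if not version: data = data['data']`; the `version` parameter is also a boolean selecting the response shape rather than a version string, so a name such as `nested=False` (or a comment) would make call sites less surprising. `results[name] = item[name]` raises `KeyError` for any requested field a record lacks and aborts the whole extraction; `results[name] = item.get(name)` keeps going and yields `None` for that field. `data_cve_circl` still interpolates `name` and `version` into the URL path without `urllib.parse.quote`, and `urlopen(url)` has no `timeout`, so an unresponsive server blocks the caller indefinitely.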
@@ -26,6 +26,7 @@ import json from urllib.request import urlopen + def data_cve_circl(name, version=None): """ Outputs cve-ids, if any, related to a package. @@ -42,6 +43,7 @@ def data_cve_circl(name, version=None): return data + def extract_fields(data, fields_names, version=False): """ Extracts requested data fields using data generated by @@ -49,16 +51,17 @@ def extract_fields(data, fields_names, version=False): """ extracted_data = [] - if version: - data = data - else: + if not version: data = data['data'] + results = {} for item in data: - results = {} - for name in fields_names: - results[name] = item[name] + for name in fields_names : + try: + results[name] = item[name] + except KeyError: + results[name] = None - extracted_data.append(results) + extracted_data.append(results) return extracted_data From 240ec002b6b052eaf46f87238d31cb5b1d4c9d11 Mon Sep 17 00:00:00 2001 From: Kartik Date: Tue, 27 Jun 2017 22:07:47 +0530 Subject: [PATCH 10/12] #2 Use dict comprehension & added test cases --- api_data.py | 32 ++++++++++--------------------- test_api_data.py | 50 +++++++++++++++++++++++++++++++++--------------- 2 files changed, 45 insertions(+), 37 deletions(-) diff --git a/api_data.py b/api_data.py index 18d1cd3bc..2a8dfe96a 100644 --- a/api_data.py +++ b/api_data.py @@ -3,8 +3,7 @@ # Copyright (c) 2017 nexB Inc. and others. All rights reserved. # http://nexb.com and https://github.com/nexB/vulnerablecode/ # The VulnerableCode software is licensed under the Apache License version 2.0. -# Data generated with VulnerableCode require an acknowledgment. -# VulnerableCode is a trademark of nexB Inc. +# Data generated with VulnerableCode requires an acknowledgment. # # You may not use this software except in compliance with the License. # You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 
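Review bot: Moving `results = {}` above the `for item in data:` loop in the last hunk introduces a bug: the same dict object is appended once per record and overwritten on each iteration, so every element of `extracted_data` ends up aliasing the last record's fields. Put `results = {}` back inside the loop, or build the dict per item with a comprehension. `for name in fields_names :` has a stray space before the colon.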
@@ -29,7 +28,7 @@ def data_cve_circl(name, version=None): """ - Outputs cve-ids, if any, related to a package. + Output cve-ids, if any, related to a package. Take as input, a package name, type, package version and query cve-search' dataset for any reported vulnerabilities """ @@ -41,27 +40,16 @@ def data_cve_circl(name, version=None): raw_data = urlopen(url).read() data = json.loads(raw_data) - return data + if version: + return data + + return data['data'] -def extract_fields(data, fields_names, version=False): +def extract_fields(data, fields_names): """ - Extracts requested data fields using data generated by + Return requested data fields using data generated by cve-search' api. Takes as input data, fields requested """ - extracted_data = [] - - if not version: - data = data['data'] - - results = {} - for item in data: - for name in fields_names : - try: - results[name] = item[name] - except KeyError: - results[name] = None - - extracted_data.append(results) - - return extracted_data + return [{name: item.get(name) for name in fields_names} + for item in data] diff --git a/test_api_data.py b/test_api_data.py index 6b39edb14..dcc035613 100644 --- a/test_api_data.py +++ b/test_api_data.py 
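Review bot: `data_cve_circl`'s docstring still says it takes 'a package name, type, package version' although there is no `type` parameter, and it does not say that the new `if version: return data` / `return data['data']` branch exists because the two endpoints apparently answer with different shapes; the docstring should state that the function returns the list of records in either case. `data['data']` raises `KeyError` if the name-only endpoint ever answers without that key (an error body, for instance); `data.get('data', [])` is the defensive form. `urlopen(url)` is still called without a `timeout`. The `extract_fields` rewrite with `item.get(name)` is fine, but it also yields `None` for a mistyped field name, which deserves a line in its docstring.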
@@ -1,12 +1,31 @@ -import api_data as api +# +# Copyright (c) 2017 nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode requires an acknowledgment. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software code scanning tool from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. -from mock import Mock -import pytest -from urllib.request import urlopen +import api_data as api +import json -test_data = ''' -{ "data": [ - { +test_data = """ +[{ "Modified": "2008-11-15T00:00:00", "Published": "2007-02-19T21:28:00", "access": { 
@@ -37,13 +56,14 @@ ], "vulnerable_configuration_cpe_2_2": [ "cpe:/a:mozilla:firefox:2.0:rc3" - ]}]} -''' + ]}] +""" + -def test_output_cve_id(): - #BUG: - api.urlopen.read = Mock() - api.urlopen.read.return_value = test_data - api.output_cve_id() +def test_extract_fields(): + fields_names = ['id', 'cvss', 'summary'] + data = json.loads(test_data) + raw_data = api.extract_fields(data=data, fields_names=fields_names) - assert api.output_cve_id(name="test") == "CVE-2007-1004" + assert raw_data == [{'cvss': 4.3, 'id': 'CVE-2007-1004', + 'summary': 'Mozilla Firefox might allow remote'}] From 2ad3a9cfc61347dc0e83d273381af701f0a4a530 Mon Sep 17 00:00:00 2001 From: Kartik Date: Tue, 27 Jun 2017 23:25:27 +0530 Subject: [PATCH 11/12] #2 Added test cases --- test_api_data.py | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/test_api_data.py b/test_api_data.py index dcc035613..362ee2e33 100644 --- a/test_api_data.py +++ b/test_api_data.py @@ -60,10 +60,24 @@ """ -def test_extract_fields(): +def test_extract_fields_data(): fields_names = ['id', 'cvss', 'summary'] data = json.loads(test_data) - raw_data = api.extract_fields(data=data, fields_names=fields_names) + extracted_data = api.extract_fields(data=data, fields_names=fields_names) + + assert extracted_data == [{'cvss': 4.3, 'id': 'CVE-2007-1004', + 'summary': 'Mozilla Firefox might allow remote'}] + + +def test_extract_fields(): + fields_names = [] + data = json.loads(test_data) + extracted_data = api.extract_fields(data=data, fields_names=fields_names) + + assert extracted_data == [{}] + + fields_names = [''] + assert extracted_data == [{}] - assert raw_data == [{'cvss': 4.3, 'id': 'CVE-2007-1004', - 'summary': 'Mozilla Firefox might allow remote'}] + fields_names = ['invalid_field'] + assert extracted_data == [{}] From 09413f9691905afc0ca3a886c7480cff3e9d6bd8 Mon Sep 17 00:00:00 2001 
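Review bot: In `test_extract_fields` (second hunk), the second and third `fields_names` assignments are never passed to `extract_fields`: `extracted_data` is computed once with `fields_names = []` and the same value is asserted three times, so the `''` and `'invalid_field'` cases are not exercised. Each case needs its own `extracted_data = api.extract_fields(data=data, fields_names=fields_names)` before its assertion, and the expected values then need revisiting — the comprehension yields `{'': None}` and `{'invalid_field': None}` for those inputs, not `{}`. Splitting the three cases into separate tests, or using `pytest.mark.parametrize`, would make a failure point at the case that broke.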
From: Kartik Date: Tue, 27 Jun 2017 23:34:46 +0530 Subject: [PATCH 12/12] #2 Fixes unit tests --- test_api_data.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test_api_data.py b/test_api_data.py index 362ee2e33..c45036921 100644 --- a/test_api_data.py +++ b/test_api_data.py @@ -73,11 +73,12 @@ def test_extract_fields(): fields_names = [] data = json.loads(test_data) extracted_data = api.extract_fields(data=data, fields_names=fields_names) - assert extracted_data == [{}] fields_names = [''] - assert extracted_data == [{}] + extracted_data = api.extract_fields(data=data, fields_names=fields_names) + assert extracted_data == [{'': None}] fields_names = ['invalid_field'] - assert extracted_data == [{}] + extracted_data = api.extract_fields(data=data, fields_names=fields_names) + assert extracted_data == [{'invalid_field': None}]