public async Task IngestsAdvisoryWithoutVulnerability(bool withdrawn)
{
// Arrange
var advisory = new SecurityAdvisory
{
DatabaseId = 1,
GhsaId = "ghsa",
Severity = "MODERATE",
WithdrawnAt = withdrawn ? new DateTimeOffset() : (DateTimeOffset?)null
};
PackageVulnerabilityServiceMock
.Setup(x => x.UpdateVulnerabilityAsync(It.IsAny <PackageVulnerability>(), withdrawn))
.Callback <PackageVulnerability, bool>((vulnerability, wasWithdrawn) =>
{
Assert.Equal(advisory.DatabaseId, vulnerability.GitHubDatabaseKey);
Assert.Equal(PackageVulnerabilitySeverity.Moderate, vulnerability.Severity);
Assert.Equal(advisory.GetPermalink(), vulnerability.AdvisoryUrl);
})
.Returns(Task.CompletedTask)
.Verifiable();
// Act
await Ingestor.IngestAsync(new[] { advisory });
// Assert
PackageVulnerabilityServiceMock.Verify();
}
private Tuple <PackageVulnerability, bool> FromAdvisory(SecurityAdvisory advisory)
{
var vulnerability = new PackageVulnerability
{
GitHubDatabaseKey = advisory.DatabaseId,
Severity = (PackageVulnerabilitySeverity)Enum.Parse(typeof(PackageVulnerabilitySeverity), advisory.Severity, ignoreCase: true),
AdvisoryUrl = advisory.GetPermalink()
};
foreach (var securityVulnerability in advisory.Vulnerabilities?.Edges?.Select(e => e.Node) ?? Enumerable.Empty <SecurityVulnerability>())
{
var packageVulnerability = FromVulnerability(vulnerability, securityVulnerability);
vulnerability.AffectedRanges.Add(packageVulnerability);
}
return(Tuple.Create(vulnerability, advisory.WithdrawnAt != null));
}
public async Task IngestsAdvisory(bool withdrawn, bool vulnerabilityHasFirstPatchedVersion)
{
// Arrange
var securityVulnerability = new SecurityVulnerability
{
Package = new SecurityVulnerabilityPackage {
Name = "crested.gecko"
},
VulnerableVersionRange = "homeOnTheRange",
FirstPatchedVersion = vulnerabilityHasFirstPatchedVersion
? new SecurityVulnerabilityPackageVersion {
Identifier = "1.2.3"
} : null
};
var advisory = new SecurityAdvisory
{
DatabaseId = 1,
GhsaId = "ghsa",
Severity = "CRITICAL",
WithdrawnAt = withdrawn ? new DateTimeOffset() : (DateTimeOffset?)null,
Vulnerabilities = new ConnectionResponseData <SecurityVulnerability>
{
Edges = new[]
{
new Edge <SecurityVulnerability>
{
Node = securityVulnerability
}
}
}
};
securityVulnerability.Advisory = advisory;
var versionRange = VersionRange.Parse("[1.0.0, 1.0.0]");
GitHubVersionRangeParserMock
.Setup(x => x.ToNuGetVersionRange(securityVulnerability.VulnerableVersionRange))
.Returns(versionRange);
PackageVulnerabilityServiceMock
.Setup(x => x.UpdateVulnerabilityAsync(It.IsAny <PackageVulnerability>(), withdrawn))
.Callback <PackageVulnerability, bool>((vulnerability, wasWithdrawn) =>
{
Assert.Equal(advisory.DatabaseId, vulnerability.GitHubDatabaseKey);
Assert.Equal(PackageVulnerabilitySeverity.Critical, vulnerability.Severity);
Assert.Equal(advisory.GetPermalink(), vulnerability.AdvisoryUrl);
var range = vulnerability.AffectedRanges.Single();
Assert.Equal(securityVulnerability.Package.Name, range.PackageId);
Assert.Equal(versionRange.ToNormalizedString(), range.PackageVersionRange);
Assert.Equal(securityVulnerability.FirstPatchedVersion?.Identifier, range.FirstPatchedPackageVersion);
})
.Returns(Task.CompletedTask)
.Verifiable();
// Act
await Ingestor.IngestAsync(new[] { advisory });
// Assert
PackageVulnerabilityServiceMock.Verify();
}