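            /// <summary>
            /// An advisory that carries no vulnerability edges is still forwarded to the
            /// vulnerability service with its database key, severity and reference URL
            /// mapped, and the <paramref name="withdrawn"/> state is passed through as-is.
            /// </summary>
            /// <param name="withdrawn">Whether the advisory is built with a <c>WithdrawnAt</c> value.</param>
            public async Task IngestsAdvisoryWithoutVulnerability(bool withdrawn)
            {
                // Arrange
                var advisory = new SecurityAdvisory
                {
                    DatabaseId = 1,
                    GhsaId     = "ghsa",
                    Severity   = "MODERATE",
                    References = new[] { new SecurityAdvisoryReference {
                                             Url = "https://vulnerable"
                                         } },
                    WithdrawnAt = withdrawn ? new DateTime() : (DateTime?)null
                };

                // Capture the argument instead of asserting inside the callback: an
                // assertion thrown from within the mocked call surfaces inside
                // IngestAsync, where the ingestor's own error handling (if it has any)
                // could swallow it while Verify() still passes.
                PackageVulnerability captured = null;
                PackageVulnerabilityServiceMock
                    // The second argument is matched by value, so a withdrawn advisory
                    // ingested as live (or the reverse) does not satisfy this setup.
                    .Setup(x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn))
                    .Callback<PackageVulnerability, bool>((vulnerability, wasWithdrawn) => captured = vulnerability)
                    .Returns(Task.CompletedTask)
                    .Verifiable();

                // Act
                await Ingestor.IngestAsync(new[] { advisory });

                // Assert
                PackageVulnerabilityServiceMock.Verify(
                    x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn),
                    Times.Once);
                Assert.NotNull(captured);
                Assert.Equal(advisory.DatabaseId, captured.GitHubDatabaseKey);
                Assert.Equal(PackageVulnerabilitySeverity.Moderate, captured.Severity);
                Assert.Equal(advisory.References.Single().Url, captured.ReferenceUrl);
            }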
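            /// <summary>
            /// An advisory that carries no vulnerability edges is still forwarded to the
            /// vulnerability service with its database key, severity and advisory URL
            /// mapped, and the <paramref name="withdrawn"/> state is passed through as-is.
            /// </summary>
            /// <param name="withdrawn">Whether the advisory is built with a <c>WithdrawnAt</c> value.</param>
            public async Task IngestsAdvisoryWithoutVulnerability(bool withdrawn)
            {
                // Arrange
                var advisory = new SecurityAdvisory
                {
                    DatabaseId  = 1,
                    Permalink   = "https://example/advisories/GHSA-3456-abcd-7890",
                    Severity    = "MODERATE",
                    WithdrawnAt = withdrawn ? new DateTimeOffset() : (DateTimeOffset?)null
                };

                // Capture the argument instead of asserting inside the callback: an
                // assertion thrown from within the mocked call surfaces inside
                // IngestAsync, where the ingestor's own error handling (if it has any)
                // could swallow it while Verify() still passes.
                PackageVulnerability captured = null;
                PackageVulnerabilityServiceMock
                    // The second argument is matched by value, so a withdrawn advisory
                    // ingested as live (or the reverse) does not satisfy this setup.
                    .Setup(x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn))
                    .Callback<PackageVulnerability, bool>((vulnerability, wasWithdrawn) => captured = vulnerability)
                    .Returns(Task.CompletedTask)
                    .Verifiable();

                // Act
                await Ingestor.IngestAsync(new[] { advisory });

                // Assert
                PackageVulnerabilityServiceMock.Verify(
                    x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn),
                    Times.Once);
                Assert.NotNull(captured);
                Assert.Equal(advisory.DatabaseId, captured.GitHubDatabaseKey);
                Assert.Equal(PackageVulnerabilitySeverity.Moderate, captured.Severity);
                Assert.Equal(advisory.Permalink, captured.AdvisoryUrl);
            }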
            /// <summary>
            /// Ingesting an empty advisory list must never reach the vulnerability service.
            /// </summary>
            public async Task IngestsNone()
            {
                // Arrange
                var noAdvisories = Enumerable.Empty<SecurityAdvisory>().ToList();

                // Act
                await Ingestor.IngestAsync(noAdvisories);

                // Assert
                PackageVulnerabilityServiceMock.Verify(
                    x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), It.IsAny<bool>()),
                    Times.Never);
            }
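            /// <summary>
            /// An advisory with one vulnerability edge is forwarded with its key,
            /// severity and reference URL mapped and exactly one affected range whose
            /// package id and version range come from the edge and the range parser.
            /// The <paramref name="withdrawn"/> state is passed through as-is.
            /// </summary>
            /// <param name="withdrawn">Whether the advisory is built with a <c>WithdrawnAt</c> value.</param>
            public async Task IngestsAdvisory(bool withdrawn)
            {
                // Arrange
                var securityVulnerability = new SecurityVulnerability
                {
                    Package = new SecurityVulnerabilityPackage {
                        Name = "crested.gecko"
                    },
                    VulnerableVersionRange = "homeOnTheRange"
                };

                var advisory = new SecurityAdvisory
                {
                    DatabaseId = 1,
                    GhsaId     = "ghsa",
                    Severity   = "CRITICAL",
                    References = new[] { new SecurityAdvisoryReference {
                                             Url = "https://vulnerable"
                                         } },
                    WithdrawnAt     = withdrawn ? new DateTime() : (DateTime?)null,
                    Vulnerabilities = new ConnectionResponseData<SecurityVulnerability>
                    {
                        Edges = new[]
                        {
                            new Edge<SecurityVulnerability>
                            {
                                Node = securityVulnerability
                            }
                        }
                    }
                };

                securityVulnerability.Advisory = advisory;

                // The parser is mocked, so the raw GitHub range string is never
                // interpreted here; only the mapping of the parsed result is tested.
                var versionRange = VersionRange.Parse("[1.0.0, 1.0.0]");

                GitHubVersionRangeParserMock
                    .Setup(x => x.ToNuGetVersionRange(securityVulnerability.VulnerableVersionRange))
                    .Returns(versionRange);

                // Capture the argument instead of asserting inside the callback: an
                // assertion thrown from within the mocked call surfaces inside
                // IngestAsync, where the ingestor's own error handling (if it has any)
                // could swallow it while Verify() still passes.
                PackageVulnerability captured = null;
                PackageVulnerabilityServiceMock
                    // The second argument is matched by value, so a withdrawn advisory
                    // ingested as live (or the reverse) does not satisfy this setup.
                    .Setup(x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn))
                    .Callback<PackageVulnerability, bool>((vulnerability, wasWithdrawn) => captured = vulnerability)
                    .Returns(Task.CompletedTask)
                    .Verifiable();

                // Act
                await Ingestor.IngestAsync(new[] { advisory });

                // Assert
                PackageVulnerabilityServiceMock.Verify(
                    x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn),
                    Times.Once);
                Assert.NotNull(captured);
                Assert.Equal(advisory.DatabaseId, captured.GitHubDatabaseKey);
                Assert.Equal(PackageVulnerabilitySeverity.Critical, captured.Severity);
                Assert.Equal(advisory.References.Single().Url, captured.ReferenceUrl);

                var affectedRange = Assert.Single(captured.AffectedRanges);
                Assert.Equal(securityVulnerability.Package.Name, affectedRange.PackageId);
                Assert.Equal(versionRange.ToNormalizedString(), affectedRange.PackageVersionRange);
            }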
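            /// <summary>
            /// An advisory with one vulnerability edge is forwarded with its key,
            /// severity and advisory URL mapped and exactly one affected range whose
            /// package id, version range and first patched version come from the edge
            /// and the range parser. The <paramref name="withdrawn"/> state is passed
            /// through as-is.
            /// </summary>
            /// <param name="withdrawn">Whether the advisory is built with a <c>WithdrawnAt</c> value.</param>
            /// <param name="vulnerabilityHasFirstPatchedVersion">
            /// Whether the edge carries a <c>FirstPatchedVersion</c>; when it does not, the
            /// mapped range must report no first patched package version.
            /// </param>
            public async Task IngestsAdvisory(bool withdrawn, bool vulnerabilityHasFirstPatchedVersion)
            {
                // Arrange
                var securityVulnerability = new SecurityVulnerability
                {
                    Package = new SecurityVulnerabilityPackage {
                        Name = "crested.gecko"
                    },
                    VulnerableVersionRange = "homeOnTheRange",
                    FirstPatchedVersion    = vulnerabilityHasFirstPatchedVersion
                        ? new SecurityVulnerabilityPackageVersion {
                        Identifier = "1.2.3"
                    } : null
                };

                var advisory = new SecurityAdvisory
                {
                    DatabaseId      = 1,
                    Permalink       = "https://example/advisories/GHSA-6543-dcba-0987",
                    Severity        = "CRITICAL",
                    WithdrawnAt     = withdrawn ? new DateTimeOffset() : (DateTimeOffset?)null,
                    Vulnerabilities = new ConnectionResponseData<SecurityVulnerability>
                    {
                        Edges = new[]
                        {
                            new Edge<SecurityVulnerability>
                            {
                                Node = securityVulnerability
                            }
                        }
                    }
                };

                securityVulnerability.Advisory = advisory;

                // The parser is mocked, so the raw GitHub range string is never
                // interpreted here; only the mapping of the parsed result is tested.
                var versionRange = VersionRange.Parse("[1.0.0, 1.0.0]");

                GitHubVersionRangeParserMock
                    .Setup(x => x.ToNuGetVersionRange(securityVulnerability.VulnerableVersionRange))
                    .Returns(versionRange);

                // Capture the argument instead of asserting inside the callback: an
                // assertion thrown from within the mocked call surfaces inside
                // IngestAsync, where the ingestor's own error handling (if it has any)
                // could swallow it while Verify() still passes.
                PackageVulnerability captured = null;
                PackageVulnerabilityServiceMock
                    // The second argument is matched by value, so a withdrawn advisory
                    // ingested as live (or the reverse) does not satisfy this setup.
                    .Setup(x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn))
                    .Callback<PackageVulnerability, bool>((vulnerability, wasWithdrawn) => captured = vulnerability)
                    .Returns(Task.CompletedTask)
                    .Verifiable();

                // Act
                await Ingestor.IngestAsync(new[] { advisory });

                // Assert
                PackageVulnerabilityServiceMock.Verify(
                    x => x.UpdateVulnerabilityAsync(It.IsAny<PackageVulnerability>(), withdrawn),
                    Times.Once);
                Assert.NotNull(captured);
                Assert.Equal(advisory.DatabaseId, captured.GitHubDatabaseKey);
                Assert.Equal(PackageVulnerabilitySeverity.Critical, captured.Severity);
                Assert.Equal(advisory.Permalink, captured.AdvisoryUrl);

                var affectedRange = Assert.Single(captured.AffectedRanges);
                Assert.Equal(securityVulnerability.Package.Name, affectedRange.PackageId);
                Assert.Equal(versionRange.ToNormalizedString(), affectedRange.PackageVersionRange);

                // Spell out both branches so a missing patched version is asserted as
                // an explicit null rather than as "equal to whatever the input had".
                if (vulnerabilityHasFirstPatchedVersion)
                {
                    Assert.Equal("1.2.3", affectedRange.FirstPatchedPackageVersion);
                }
                else
                {
                    Assert.Null(affectedRange.FirstPatchedPackageVersion);
                }
            }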