feat: Add vulnerability exception methods (#145)
New methods for the SdScanningClient: - add_vulnerability_exception_bundle - delete_vulnerability_exception_bundle - list_vulnerability_exception_bundles - get_vulnerability_exception_bundle - add_vulnerability_exception - delete_vulnerability_exception - update_vulnerability_exception
1 parent
7cf09bb
commit 191918f
Showing
3 changed files
with
314 additions
and
17 deletions.
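--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,178 @@
+import datetime
+import os
+import uuid
+
+from expects import equal, expect, contain, be_empty, have_key, be_true, have_keys, not_, be_false, be_above
+from mamba import before, context, description, after, it
+
+from sdcclient import SdScanningClient
+from specs import be_successful_api_call
+
+with description("Scanning vulnerability exceptions") as self:
+    with before.each:
+        self.client = SdScanningClient(sdc_url=os.getenv("SDC_SECURE_URL", "https://secure.sysdig.com"),
+                                       token=os.getenv("SDC_SECURE_TOKEN"))
+
+    with after.each:
+        self.clean_bundles()
+
+
+    def clean_bundles(self):
+        _, res = self.client.list_vulnerability_exception_bundles()
+        for bundle in res:
+            if str(bundle["name"]).startswith("test_exception_bundle_"):
+                call = self.client.delete_vulnerability_exception_bundle(id=bundle["id"])
+                expect(call).to(be_successful_api_call)
+
+
+    with context("when we are creating a new vulnerability exception bundle"):
+        with it("creates the bundle correctly"):
+            exception_bundle = f"test_exception_bundle_{uuid.uuid4()}"
+            exception_comment = "This is an example of an exception bundle"
+            ok, res = self.client.add_vulnerability_exception_bundle(name=exception_bundle, comment=exception_comment)
+
+            expect((ok, res)).to(be_successful_api_call)
+            expect(res).to(
+                have_keys("id", items=be_empty, policyBundleId=equal("default"), version="1_0",
+                          comment=equal(exception_comment), name=equal(exception_bundle))
+            )
+
+        with it("creates the bundle correctly with name only and removes it correctly"):
+            exception_bundle = f"test_exception_bundle_{uuid.uuid4()}"
+            ok, res = self.client.add_vulnerability_exception_bundle(name=exception_bundle)
+
+            expect((ok, res)).to(be_successful_api_call)
+            expect(res).to(
+                have_keys("id", items=be_empty, policyBundleId=equal("default"), version="1_0",
+                          comment=be_empty, name=equal(exception_bundle))
+            )
+
+    with context("when we are listing the vulnerability exception bundles"):
+        with before.each:
+            self.exception_bundle = f"test_exception_bundle_{uuid.uuid4()}"
+            ok, res = self.client.add_vulnerability_exception_bundle(name=self.exception_bundle)
+            expect((ok, res)).to(be_successful_api_call)
+            self.created_exception_bundle = res["id"]
+
+        with it("retrieves the list of bundles"):
+            ok, res = self.client.list_vulnerability_exception_bundles()
+
+            expect((ok, res)).to(be_successful_api_call)
+            expect(res).to(contain(
+                have_keys(id=self.created_exception_bundle, items=None, policyBundleId=equal("default"),
+                          version=equal("1_0"), comment=be_empty, name=equal(self.exception_bundle))
+            ))
+
+    with context("when we are working with vulnerability exceptions in a bundle"):
+        with before.each:
+            ok, res = self.client.add_vulnerability_exception_bundle(name=f"test_exception_bundle_{uuid.uuid4()}")
+            expect((ok, res)).to(be_successful_api_call)
+            self.created_exception_bundle = res["id"]
+
+        with it("is able to add a vulnerability exception to a bundle"):
+            exception_notes = "Microsoft Vulnerability"
+            exception_cve = "CVE-2020-1234"
+            ok, res = self.client.add_vulnerability_exception(bundle=self.created_exception_bundle,
+                                                              cve=exception_cve,
+                                                              note=exception_notes,
+                                                              expiration_date=datetime.datetime(2030, 12, 31)
+                                                              .timestamp())
+
+            expect((ok, res)).to(be_successful_api_call)
+            expect(res).to(
+                have_keys("id", "description", gate=equal("vulnerabilities"), trigger_id=equal(exception_cve),
+                          notes=equal(exception_notes), enabled=be_true)
+            )
+
+        with context("and there are existing vulnerability exceptions"):
+            with before.each:
+                self.created_exception_cve = "CVE-2020-1234"
+                ok, res = self.client.add_vulnerability_exception(bundle=self.created_exception_bundle,
+                                                                  cve=self.created_exception_cve)
+                expect((ok, res)).to(be_successful_api_call)
+                self.created_exception = res["id"]
+
+            with it("is able to list all the vulnerability exceptions from a bundle"):
+                ok, res = self.client.get_vulnerability_exception_bundle(bundle=self.created_exception_bundle)
+
+                expect((ok, res)).to(be_successful_api_call)
+                expect(res).to(
+                    have_keys(id=equal(self.created_exception_bundle),
+                              items=contain(
+                                  have_keys(
+                                      id=equal(self.created_exception),
+                                      gate=equal("vulnerabilities"),
+                                      trigger_id=equal(self.created_exception_cve),
+                                      enabled=be_true,
+                                  )
+                              ))
+                )
+
+            with it("is able to remove them"):
+                _, ex_before = self.client.get_vulnerability_exception_bundle(bundle=self.created_exception_bundle)
+                ok, res = self.client.delete_vulnerability_exception(bundle=self.created_exception_bundle,
+                                                                     id=self.created_exception)
+                _, ex_after = self.client.get_vulnerability_exception_bundle(bundle=self.created_exception_bundle)
+
+                expect((ok, res)).to(be_successful_api_call)
+                expect(ex_before).to(
+                    have_key("items", contain(
+                        have_keys(
+                            id=equal(self.created_exception),
+                            gate=equal("vulnerabilities"),
+                            trigger_id=equal(self.created_exception_cve),
+                            enabled=be_true,
+                        )
+                    ))
+                )
+                expect(ex_after).to(
+                    have_key("items", not_(contain(
+                        have_keys(
+                            id=equal(self.created_exception),
+                            gate=equal("vulnerabilities"),
+                            trigger_id=equal(self.created_exception_cve),
+                            enabled=be_true,
+                        )
+                    )))
+                )
+
+            with it("is able to update them"):
+                _, ex_before = self.client.get_vulnerability_exception_bundle(bundle=self.created_exception_bundle)
+
+                ok, res = self.client.update_vulnerability_exception(bundle=self.created_exception_bundle,
+                                                                     id=self.created_exception,
+                                                                     cve="CVE-2020-1235",
+                                                                     enabled=False,
+                                                                     note="Dummy note",
+                                                                     expiration_date=datetime.datetime(2030, 12, 31)
+                                                                     .timestamp())
+
+                _, ex_after = self.client.get_vulnerability_exception_bundle(bundle=self.created_exception_bundle)
+
+                expect((ok, res)).to(be_successful_api_call)
+
+                expect(ex_before).to(
+                    have_key("items", contain(
+                        have_keys(
+                            id=equal(self.created_exception),
+                            gate=equal("vulnerabilities"),
+                            trigger_id=equal(self.created_exception_cve),
+                            notes=equal(None),
+                            expiration_date=equal(None),
+                            enabled=be_true,
+                        )
+                    ))
+                )
+
+                expect(ex_after).to(
+                    have_key("items", contain(
+                        have_keys(
+                            id=equal(self.created_exception),
+                            gate=equal("vulnerabilities"),
+                            trigger_id=equal("CVE-2020-1235"),
+                            notes=equal("Dummy note"),
+                            expiration_date=be_above(0),
+                            enabled=be_false,
+                        )
+                    ))
+                )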
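Review bot: `clean_bundles`, run from `after.each` near the top of the new spec, deletes every bundle in the account whose name starts with `test_exception_bundle_`, not only the ones this spec created, so two runs sharing the same `SDC_SECURE_TOKEN` tenant can delete each other's fixtures mid-run and fail spuriously, and any real bundle a user happened to name with that prefix would be removed as well. It also discards the `ok` flag of `list_vulnerability_exception_bundles` (`_, res = ...`), so on a failed call `res` is an error string rather than a list and the loop raises with a confusing message instead of the assertion. Recording each id returned by `add_vulnerability_exception_bundle` in a per-spec list (initialised to `[]` in the top-level `before.each` and appended to in the three places that create a bundle) and deleting only those ids scopes the teardown to this spec's own resources. The rest of the spec, including the naive `datetime.datetime(2030, 12, 31).timestamp()` values whose exact result depends on the local timezone, only asserts `be_above(0)` on them and so is unaffected.
```python
def clean_bundles(self):
    # Only remove bundles this spec created; ids are appended to
    # self.created_bundle_ids wherever add_vulnerability_exception_bundle succeeds.
    ok, res = self.client.list_vulnerability_exception_bundles()
    expect((ok, res)).to(be_successful_api_call)
    existing_ids = {bundle["id"] for bundle in res}
    for bundle_id in self.created_bundle_ids:
        if bundle_id in existing_ids:
            call = self.client.delete_vulnerability_exception_bundle(id=bundle_id)
            expect(call).to(be_successful_api_call)
    self.created_bundle_ids = []
```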