////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 2009-2014 Denim Group, Ltd.
//
// The contents of this file are subject to the Mozilla Public License
// Version 2.0 (the "License"); you may not use this file except in
// compliance with the License. You may obtain a copy of the License at
// http://www.mozilla.org/MPL/
//
// Software distributed under the License is distributed on an "AS IS"
// basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
// License for the specific language governing rights and limitations
// under the License.
//
// The Original Code is ThreadFix.
//
// The Initial Developer of the Original Code is Denim Group, Ltd.
// Portions created by Denim Group, Ltd. are Copyright (C)
// Denim Group, Ltd. All Rights Reserved.
//
// Contributor(s): Denim Group, Ltd.
//
////////////////////////////////////////////////////////////////////////
package com.denimgroup.threadfix.cli;
import com.denimgroup.threadfix.CommunityTests;
import com.denimgroup.threadfix.VulnerabilityInfo;
import com.denimgroup.threadfix.cli.util.TestUtils;
import com.denimgroup.threadfix.remote.ThreadFixRestClient;
import com.denimgroup.threadfix.remote.response.RestResponse;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import static com.denimgroup.threadfix.CollectionUtils.list;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
/**
 * Created by mac on 5/21/14.
 *
 * Integration tests for the vulnerability-search REST endpoint, driven through ThreadFixRestClient.
 * They require a running ThreadFix instance with a variety of data already present (teams and
 * applications with IDs 1-5, Arachni results, at least 45 vulnerabilities, findings with parameter
 * "username" and path "login.jsp", plus some merged, closed, false-positive and hidden findings);
 * on a sparsely populated instance individual tests either fail or pass vacuously on an empty result.
 *
 * Note that these tests only verify that each search filter is applied to the returned results. They
 * do not show that the configured API key is confined to the teams/applications it is authorized to
 * see - that authorization boundary is not exercised here.
 */
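@Category(CommunityTests.class)
public class VulnerabilitySearchRestIT {

    /*
     * searchVulnerabilities(...) takes 19 positional arguments and every test below passes null for
     * all but the one under test. Positions as exercised by these tests (1-based):
     *   1 generic vulnerability IDs   2 team IDs            3 application IDs
     *   4 scanner names               5 generic severity int values
     *   6 result size limit           7 parameter           8 path
     *   9 start date                 10 end date
     *  11 showOpen                   12 showClosed         13 showFalsePositive
     *  14 showHidden                 15 minimum number of merged scanner results
     *  16-19 are not exercised here; see ThreadFixRestClient for their meaning.
     */

    /** Filter values requested by the ID-based tests; assertions check exact membership in these. */
    private static final List<Integer> REQUESTED_GENERIC_VULN_IDS = list(79, 89);
    private static final List<Integer> REQUESTED_TEAM_IDS = list(1, 2, 3, 4, 5);
    private static final List<Integer> REQUESTED_APP_IDS = list(1, 2, 3, 4, 5);

    /**
     * Obtains the client every test talks through. Connection details (presumably the ThreadFix URL
     * and API key) come from TestUtils' shared configuration.
     * TODO: make them explicit parameters of this test class instead of relying on that configuration.
     */
    private ThreadFixRestClient getThreadFixRestClient() {
        return TestUtils.getConfiguredClient();
    }

    /**
     * Fails the test unless the REST call reported success and carried a result array.
     *
     * @return the (possibly empty) result array, so callers can iterate it directly
     */
    private static VulnerabilityInfo[] assertSuccessfulResults(RestResponse<VulnerabilityInfo[]> response) {
        assertTrue("Response wasn't successful.", response.success);
        assertNotNull("Response object was null.", response.object);
        return response.object;
    }

    /**
     * Filtering by generic vulnerability (CWE) ID must return only findings whose generic
     * vulnerability is one of the requested IDs. Passes vacuously if nothing matches.
     */
    @Test
    public void testGenericVulnerabilityIds() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                REQUESTED_GENERIC_VULN_IDS, null, null, null, null, null, null, null, null, null,
                null, null, null, null, null, null, null, null, null);
        for (VulnerabilityInfo vulnerability : assertSuccessfulResults(response)) {
            int id = vulnerability.getGenericVulnerability().getId();
            assertTrue("Generic Vulnerability ID was " + id + ", expected one of " + REQUESTED_GENERIC_VULN_IDS + ".",
                    REQUESTED_GENERIC_VULN_IDS.contains(id));
        }
    }

    /**
     * Filtering by team ID must return only findings from the requested teams. This checks exact
     * membership rather than an upper bound so that IDs outside the requested set (e.g. 0 or
     * negatives) are not silently accepted. Passes vacuously if nothing matches.
     */
    @Test
    public void testTeamIds() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, REQUESTED_TEAM_IDS, null, null, null, null, null, null, null, null,
                null, null, null, null, null, null, null, null, null);
        for (VulnerabilityInfo vulnerability : assertSuccessfulResults(response)) {
            int teamId = vulnerability.getTeam().getId();
            assertTrue("Team ID was " + teamId + ", expected one of " + REQUESTED_TEAM_IDS + ".",
                    REQUESTED_TEAM_IDS.contains(teamId));
        }
    }

    /**
     * Filtering by application ID must return only findings from the requested applications.
     * Exact membership check, as in {@link #testTeamIds()}. Passes vacuously if nothing matches.
     */
    @Test
    public void testApplicationIds() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, REQUESTED_APP_IDS, null, null, null, null, null, null, null,
                null, null, null, null, null, null, null, null, null);
        for (VulnerabilityInfo vulnerability : assertSuccessfulResults(response)) {
            int appId = vulnerability.getApp().getId();
            assertTrue("Application ID was " + appId + ", expected one of " + REQUESTED_APP_IDS + ".",
                    REQUESTED_APP_IDS.contains(appId));
        }
    }

    /**
     * Filtering by scanner name must return only findings that include that scanner among their
     * channel names. Requires Arachni results on the instance; passes vacuously otherwise.
     */
    @Test
    public void testScanners() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, null, list("Arachni"), null, null, null, null, null, null,
                null, null, null, null, null, null, null, null, null);
        for (VulnerabilityInfo vulnerability : assertSuccessfulResults(response)) {
            assertTrue("Scanner data was invalid: " + vulnerability.getChannelNames() + " does not contain Arachni.",
                    vulnerability.getChannelNames().contains("Arachni"));
        }
    }

    /**
     * For each generic severity value 1..5, filtering on it must return only findings with exactly
     * that severity. A severity with no findings passes vacuously.
     */
    @Test
    public void testGenericSeverityValues() {
        ThreadFixRestClient client = getThreadFixRestClient();
        for (int severity = 1; severity < 6; severity++) {
            RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                    null, null, null, null, list(severity), null, null, null, null, null,
                    null, null, null, null, null, null, null, null, null);
            for (VulnerabilityInfo vulnerability : assertSuccessfulResults(response)) {
                assertEquals("Generic Severity intValue wasn't " + severity + ".",
                        severity, vulnerability.getGenericSeverity().getIntValue());
            }
        }
    }

    /**
     * The result-size limit must be honored exactly for limits 5, 10, ..., 45. This only holds if the
     * instance has at least 45 vulnerabilities; with fewer, the larger limits fail.
     */
    @Test
    public void testSizeLimit() {
        ThreadFixRestClient client = getThreadFixRestClient();
        for (int limit = 5; limit < 50; limit += 5) {
            RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                    null, null, null, null, null, limit, null, null, null, null,
                    null, null, null, null, null, null, null, null, null);
            VulnerabilityInfo[] results = assertSuccessfulResults(response);
            assertEquals("Response size should have been " + limit + " but was " + results.length + ".",
                    limit, results.length);
        }
    }

    /**
     * Filtering by parameter name must return a non-empty set of findings whose parameter is exactly
     * "username". Requires such findings on the instance. assertEquals with the expected value first
     * also tolerates a null parameter on the result instead of throwing NPE.
     */
    @Test
    public void testParameter() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, null, null, null, null, "username", null, null, null,
                null, null, null, null, null, null, null, null, null);
        VulnerabilityInfo[] results = assertSuccessfulResults(response);
        assertTrue("Response size was 0.", results.length > 0);
        for (VulnerabilityInfo info : results) {
            assertEquals("Response parameter was wrong.", "username", info.getParameter());
        }
    }

    /**
     * Filtering by path must return a non-empty set of findings whose path contains "login.jsp".
     * The path filter behaves as a substring match here (contains, not equals).
     */
    @Test
    public void testPath() {
        ThreadFixRestClient client = getThreadFixRestClient();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, null, null, null, null, null, "login.jsp", null, null,
                null, null, null, null, null, null, null, null, null);
        VulnerabilityInfo[] results = assertSuccessfulResults(response);
        assertTrue("Response size was 0.", results.length > 0);
        for (VulnerabilityInfo info : results) {
            String path = info.getPath();
            assertTrue("Response path was " + path + " instead of something containing login.jsp.",
                    path != null && path.contains("login.jsp"));
        }
    }

    /**
     * A start date of "now" should yield no findings. This really only tests that the parameter is
     * transmitted; it also assumes no finding is created concurrently and that the test host's clock
     * is not behind the server's - a skewed clock could make this flaky.
     * TODO make better date-based tests
     */
    @Test
    public void testStartDateOfNow() {
        ThreadFixRestClient client = getThreadFixRestClient();
        Date now = new Date();
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, null, null, null, null, null, null, now, null,
                null, null, null, null, null, null, null, null, null);
        VulnerabilityInfo[] results = assertSuccessfulResults(response);
        assertEquals("Response size wasn't 0.", 0, results.length);
    }

    /**
     * An end date ten years in the past should yield no findings. As with the start-date test this
     * only checks that the parameter is transmitted, and assumes no finding on the instance is dated
     * that far back.
     * TODO make better date-based tests
     */
    @Test
    public void testEndDateOf10YearsAgo() {
        ThreadFixRestClient client = getThreadFixRestClient();
        Calendar tenYearsAgo = Calendar.getInstance();
        tenYearsAgo.add(Calendar.YEAR, -10);
        RestResponse<VulnerabilityInfo[]> response = client.searchVulnerabilities(
                null, null, null, null, null, null, null, null, null, tenYearsAgo.getTime(),
                null, null, null, null, null, null, null, null, null);
        VulnerabilityInfo[] results = assertSuccessfulResults(response);
        assertEquals("Response size wasn't 0.", 0, results.length);
    }

    /** With showOpen set, every returned finding must be active. Passes vacuously if none returned. */
    @Test
    public void testShowOpen() {
        RestResponse<VulnerabilityInfo[]> response = getThreadFixRestClient().searchVulnerabilities(
                null, null, null, null, null, null, null, null, null, null,
                true, null, null, null, null, null, null, null, null);
        for (VulnerabilityInfo info : assertSuccessfulResults(response)) {
            assertTrue("Response vulnerability was not open.", info.getActive());
        }
    }

    /** With showClosed set, no returned finding may be active. Passes vacuously if none returned. */
    @Test
    public void testShowClosed() {
        RestResponse<VulnerabilityInfo[]> response = getThreadFixRestClient().searchVulnerabilities(
                null, null, null, null, null, null, null, null, null, null,
                null, true, null, null, null, null, null, null, null);
        for (VulnerabilityInfo info : assertSuccessfulResults(response)) {
            assertFalse("Response vulnerability was open.", info.getActive());
        }
    }

    /** With showFalsePositive set, every returned finding must be a false positive. */
    @Test
    public void testShowFalsePositive() {
        RestResponse<VulnerabilityInfo[]> response = getThreadFixRestClient().searchVulnerabilities(
                null, null, null, null, null, null, null, null, null, null,
                null, null, true, null, null, null, null, null, null);
        for (VulnerabilityInfo info : assertSuccessfulResults(response)) {
            assertTrue("Response vulnerability was not a false positive.", info.getFalsePositive());
        }
    }

    /** With showHidden set, every returned finding must be hidden. */
    @Test
    public void testShowHidden() {
        RestResponse<VulnerabilityInfo[]> response = getThreadFixRestClient().searchVulnerabilities(
                null, null, null, null, null, null, null, null, null, null,
                null, null, null, true, null, null, null, null, null);
        for (VulnerabilityInfo info : assertSuccessfulResults(response)) {
            // The original message here said "false positive"; this filter is about hidden findings.
            assertTrue("Response vulnerability was not hidden.", info.getHidden());
        }
    }

    /**
     * The "number merged" filter is a lower bound: for each n in 2..5, every returned finding must
     * have been reported by at least n scanners (channel names). Passes vacuously for an n nothing
     * reaches.
     */
    @Test
    public void testNumberMerged() {
        for (int minimumScanners = 2; minimumScanners < 6; minimumScanners++) {
            RestResponse<VulnerabilityInfo[]> response = getThreadFixRestClient().searchVulnerabilities(
                    null, null, null, null, null, null, null, null, null, null,
                    null, null, null, null, minimumScanners, null, null, null, null);
            for (VulnerabilityInfo info : assertSuccessfulResults(response)) {
                int scannerCount = info.getChannelNames().size();
                assertTrue("Response vulnerability should have had at least " + minimumScanners
                        + " scanner names but had " + scannerCount + ".",
                        scannerCount >= minimumScanners);
            }
        }
    }
}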