
Commit 3df50fa

committed
test(black-duck): Test vulnerability parsing from a CVSS 2
Signed-off-by: Frank Viernau <[email protected]>
1 parent fab515f commit 3df50fa


2 files changed

+30
-2
lines changed


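--- a/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml
+++ b/plugins/advisors/black-duck/src/funTest/assets/retrieve-package-findings-expected-result.yml
@@ -27,3 +27,30 @@ Crate::sys-info:0.7.0:
 severity: "CRITICAL"
 score: 9.8
 vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+Pod::AFNetworking:0.10.0:
+advisor:
+name: "BlackDuck"
+capabilities:
+- "VULNERABILITIES"
+summary:
+start_time: "1970-01-01T00:00:00Z"
+end_time: "1970-01-01T00:00:00Z"
+vulnerabilities:
+- id: "CVE-2015-3996"
+description: "The default AFSecurityPolicy.validatesDomainName configuration for\
+\ AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in\
+\ the ownCloud iOS Library, disables verification of a server hostname against\
+\ the domain name in the subject's Common Name (CN) of the X.509 certificate,\
+\ which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary\
+\ valid certificate."
+references:
+- url: "https://BLACK_DUCK_SERVER_HOST/api/vulnerabilities/CVE-2015-3996"
+scoring_system: "CVSS2"
+severity: "MEDIUM"
+score: 4.3
+vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"
+- url: "https://BLACK_DUCK_SERVER_HOST/api/cwes/CWE-254"
+scoring_system: "CVSS2"
+severity: "MEDIUM"
+score: 4.3
+vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N"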

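--- a/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt
+++ b/plugins/advisors/black-duck/src/funTest/kotlin/BlackDuckFunTest.kt
@@ -111,8 +111,9 @@ class BlackDuckFunTest : WordSpec({
 .readValue<Map<Identifier, AdvisorResult>>()
 val packages = setOf(
 // Package using CVSS 3.1 vector:
-"Crate::sys-info:0.7.0"
-// Todo: Add a package using CVSS 2 vector:
+"Crate::sys-info:0.7.0",
+// Package using CVSS 2 vector only:
+"Pod::AFNetworking:0.10.0"
 ).mapTo(mutableSetOf()) {
 identifierToPackage(it)
 }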
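Review bot: The new last element `"Pod::AFNetworking:0.10.0"` carries no trailing comma, so the next package added to this set will again have to modify the preceding line, exactly as this commit had to turn `"Crate::sys-info:0.7.0"` into `"Crate::sys-info:0.7.0",`. Kotlin accepts a trailing comma in multi-line argument lists, so writing `"Pod::AFNetworking:0.10.0",` keeps future additions to a single inserted line and makes the diff easier to review. The enclosing WordSpec test block starts and ends outside the hunk.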
