-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added additional test for CVE-2024-22233.
- Loading branch information
1 parent
900fd24
commit 1024fe0
Showing
2 changed files
with
98 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,6 +39,7 @@ | |
| import java.util.stream.Stream; | ||
|
|
||
| import static org.junit.jupiter.api.Assertions.assertEquals; | ||
| import static org.junit.jupiter.api.Assertions.assertTrue; | ||
| import static org.mockito.Mockito.when; | ||
|
|
||
| public class GHParserTest { | ||
|
|
@@ -153,6 +154,16 @@ public class GHParserTest { | |
| } | ||
| } | ||
|
|
||
| String CVE_2024_22233; | ||
|
|
||
| { | ||
| try { | ||
| CVE_2024_22233 = FileUtils.readFileToString(new File("./src/test/resources/parsers/CVE-2024-22233.json"), StandardCharsets.UTF_8); | ||
| } catch (IOException e) { | ||
| e.printStackTrace(); | ||
| } | ||
| } | ||
|
|
||
| @Test | ||
| public void testQueryBuilder() { | ||
| String queryWithoutCursor = ghParser.buildQuery(null); | ||
|
|
@@ -204,6 +215,24 @@ public void testParseGHResponseWithdrawn() throws Exception { | |
| assertEquals(0, result.size()); | ||
| } | ||
|
|
||
| @Test | ||
| public void testParseCVE_2024_22233() throws Exception { | ||
| HashMap<String, String> values = new HashMap<>(); | ||
| values.put("query", queryNoCursor); | ||
| when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233); | ||
| var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList()); | ||
| ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions); | ||
| ghParser.setCursor(null); | ||
|
|
||
| HashMap<String, Vulnerability> result = ghParser.getVulnerabilities(false); | ||
|
|
||
| assertEquals(1, result.size()); | ||
| var purls = result.get("CVE-2024-22233").getPurls(); | ||
| assertEquals(2, purls.size()); | ||
| assertTrue(purls.contains("pkg:maven/org.springframework/[email protected]")); | ||
| assertTrue(purls.contains("pkg:maven/org.springframework/[email protected]")); | ||
| } | ||
|
|
||
| @AfterAll | ||
| public static void deleteCursor() { | ||
| File ghCursor = new File("./src/test/resources/parsers/cursor.txt.txt"); | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| { | ||
| "data" : { | ||
| "securityAdvisories": { | ||
| "nodes": [ | ||
| { | ||
| "description": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC\n * Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.\n\n\n", | ||
| "withdrawnAt": null, | ||
| "identifiers": [ | ||
| { | ||
| "type": "GHSA", | ||
| "value": "GHSA-r4q3-7g4q-x89m" | ||
| }, | ||
| { | ||
| "type": "CVE", | ||
| "value": "CVE-2024-22233" | ||
| } | ||
| ], | ||
| "severity": "HIGH", | ||
| "cvss": { | ||
| "score": 7.5, | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" | ||
| }, | ||
| "cwes": { | ||
| "nodes": [] | ||
| }, | ||
| "references": [ | ||
| { | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22233" | ||
| }, | ||
| { | ||
| "url": "https://spring.io/security/cve-2024-22233/" | ||
| }, | ||
| { | ||
| "url": "https://github.com/advisories/GHSA-r4q3-7g4q-x89m" | ||
| } | ||
| ], | ||
| "vulnerabilities": { | ||
| "nodes": [ | ||
| { | ||
| "vulnerableVersionRange": "= 6.0.15", | ||
| "firstPatchedVersion": { | ||
| "identifier": "6.0.16" | ||
| }, | ||
| "package": { | ||
| "ecosystem": "MAVEN", | ||
| "name": "org.springframework:spring-core" | ||
| } | ||
| }, | ||
| { | ||
| "vulnerableVersionRange": "= 6.1.2", | ||
| "firstPatchedVersion": { | ||
| "identifier": "6.1.3" | ||
| }, | ||
| "package": { | ||
| "ecosystem": "MAVEN", | ||
| "name": "org.springframework:spring-core" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| ], | ||
| "pageInfo": { | ||
| "endCursor": "Y3Vyc29yOnYyOpK5MjAyMC0wNi0wNFQwMDowMjoxOSswMjowMM0ITw==", | ||
| "hasNextPage": false | ||
| } | ||
| } | ||
| } | ||
| } |