Add tests for apache httpd improver

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
aboutcode-org · Jan 27, 2023 · 136d868 · 136d868
1 parent 522ab6a
commit 136d868
Show file tree

Hide file tree

Showing 2 changed files with 131 additions and 0 deletions.
diff --git a/vulnerabilities/tests/test_apache_httpd.py b/vulnerabilities/tests/test_apache_httpd.py
@@ -9,13 +9,17 @@
 
 import json
 import os
+from unittest import mock
 
 import pytest
 from univers.version_constraint import VersionConstraint
 from univers.version_range import ApacheVersionRange
 from univers.versions import SemverVersion
 
+from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter
+from vulnerabilities.importers.apache_httpd import ApacheHTTPDImprover
+from vulnerabilities.improvers.default import DefaultImprover
 from vulnerabilities.tests import util_tests
 
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
@@ -116,3 +120,24 @@ def test_to_advisory_CVE_2022_28614():
     result = advisories.to_dict()
     expected_file = os.path.join(TEST_DATA, f"CVE-2022-28614-apache-httpd-expected.json")
     util_tests.check_results_against_json(result, expected_file)
+
+
+@mock.patch("vulnerabilities.importers.apache_httpd.ApacheHTTPDImprover.get_package_versions")
+def test_apache_httpd_improver(mock_response):
+    advisory_file = os.path.join(TEST_DATA, f"CVE-2021-44224-apache-httpd-expected.json")
+    expected_file = os.path.join(TEST_DATA, f"apache-httpd-improver-expected.json")
+    with open(advisory_file) as exp:
+        advisory = AdvisoryData.from_dict(json.load(exp))
+    mock_response.return_value = [
+        "2.4.8",
+        "2.4.9",
+        "2.4.10",
+        "2.4.53",
+        "2.4.54",
+    ]
+    improvers = [ApacheHTTPDImprover(), DefaultImprover()]
+    result = []
+    for improver in improvers:
+        inference = [data.to_dict() for data in improver.get_inferences(advisory)]
+        result.extend(inference)
+    util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json b/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json
@@ -0,0 +1,106 @@
+[
+  {
+    "vulnerability_id": null,
+    "aliases": [
+      "CVE-2021-44224"
+    ],
+    "confidence": 100,
+    "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).",
+    "affected_purls": [
+      {
+        "type": "apache",
+        "namespace": null,
+        "name": "httpd",
+        "version": "2.4.8",
+        "qualifiers": null,
+        "subpath": null
+      },
+      {
+        "type": "apache",
+        "namespace": null,
+        "name": "httpd",
+        "version": "2.4.9",
+        "qualifiers": null,
+        "subpath": null
+      },
+      {
+        "type": "apache",
+        "namespace": null,
+        "name": "httpd",
+        "version": "2.4.10",
+        "qualifiers": null,
+        "subpath": null
+      }
+    ],
+    "fixed_purl": {
+      "type": "apache",
+      "namespace": null,
+      "name": "httpd",
+      "version": "2.4.53",
+      "qualifiers": null,
+      "subpath": null
+    },
+    "references": [
+      {
+        "reference_id": "CVE-2021-44224",
+        "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
+        "severities": [
+          {
+            "system": "apache_httpd",
+            "value": "moderate",
+            "scoring_elements": ""
+          }
+        ]
+      }
+    ],
+    "weaknesses": []
+  },
+  {
+    "vulnerability_id": null,
+    "aliases": [
+      "CVE-2021-44224"
+    ],
+    "confidence": 100,
+    "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).",
+    "affected_purls": [
+      {
+        "type": "apache",
+        "namespace": null,
+        "name": "httpd",
+        "version": "2.4.7",
+        "qualifiers": null,
+        "subpath": null
+      },
+      {
+        "type": "apache",
+        "namespace": null,
+        "name": "httpd",
+        "version": "2.4.51",
+        "qualifiers": null,
+        "subpath": null
+      }
+    ],
+    "fixed_purl": {
+      "type": "apache",
+      "namespace": null,
+      "name": "httpd",
+      "version": "2.4.52",
+      "qualifiers": null,
+      "subpath": null
+    },
+    "references": [
+      {
+        "reference_id": "CVE-2021-44224",
+        "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
+        "severities": [
+          {
+            "system": "apache_httpd",
+            "value": "moderate",
+            "scoring_elements": ""
+          }
+        ]
+      }
+    ],
+    "weaknesses": []
+  }
+]