Update upstream source from tag 'upstream/0.10.0'
Update to upstream version '0.10.0'
with Debian dir 82ebdb492460ebdff7d0674241ae858aa04bb99b
Sophie Brun
4 years ago
| 8 | 8 | module ClassMethods |
| 9 | 9 | # @return [ Array<Symbol> ] |
| 10 | 10 | def references_keys |
| 11 | @references_keys ||= %i[cve exploitdb url metasploit packetstorm securityfocus] | |
| 11 | @references_keys ||= %i[cve exploitdb url metasploit packetstorm securityfocus youtube] | |
| 12 | 12 | end |
| 13 | 13 | end |
| 14 | 14 | |
| 17 | 17 | @references = {} |
| 18 | 18 | |
| 19 | 19 | self.class.references_keys.each do |key| |
| 20 | @references[key] = [*refs[key]].map(&:to_s) if refs.key?(key) | |
| 20 | next unless refs.key?(key) | |
| 21 | ||
| 22 | @references[key] = if key == :youtube | |
| 23 | [*refs[:youtube]].map { |id| youtube_url(id) } | |
| 24 | else | |
| 25 | [*refs[key]].map(&:to_s) | |
| 26 | end | |
| 21 | 27 | end |
| 22 | 28 | end |
| 23 | 29 | |
| 29 | 35 | # @return [ Array<String> ] All the references URLs |
| 30 | 36 | def references_urls |
| 31 | 37 | cve_urls + exploitdb_urls + urls + msf_urls + |
| 32 | packetstorm_urls + securityfocus_urls | |
| 38 | packetstorm_urls + securityfocus_urls + youtube_urls | |
| 33 | 39 | end |
| 34 | 40 | |
| 35 | 41 | # @return [ Array<String> ] The CVEs |
| 111 | 117 | def securityfocus_url(id) |
| 112 | 118 | "https://www.securityfocus.com/bid/#{id}/" |
| 113 | 119 | end |
| 120 | ||
| 121 | # @return [ Array<String> ] | |
| 122 | def youtube_urls | |
| 123 | references[:youtube] || [] | |
| 124 | end | |
| 125 | ||
| 126 | # @return [ String ] | |
| 127 | def youtube_url(id) | |
| 128 | "https://www.youtube.com/watch?v=#{id}" | |
| 129 | end | |
| 114 | 130 | end |
| 115 | 131 | end |
| 4 | 4 | class Vulnerability |
| 5 | 5 | include References |
| 6 | 6 | |
| 7 | attr_reader :title, :type, :fixed_in | |
| 7 | attr_reader :title, :type, :fixed_in, :cvss | |
| 8 | 8 | |
| 9 | 9 | # @param [ String ] title |
| 10 | 10 | # @param [ Hash ] references |
| 11 | # @option references [ Array<String>, String ] cve | |
| 12 | # @option references [ Array<String>, String ] secunia | |
| 13 | # @option references [ Array<String>, String ] osvdb | |
| 14 | # @option references [ Array<String>, String ] exploitdb | |
| 15 | # @option references [ Array<String> ] url URL(s) to related advisories etc | |
| 16 | # @option references [ Array<String>, String ] metasploit The related metasploit module(s) | |
| 11 | # @option references [ Array<String>, String ] :cve | |
| 12 | # @option references [ Array<String>, String ] :secunia | |
| 13 | # @option references [ Array<String>, String ] :osvdb | |
| 14 | # @option references [ Array<String>, String ] :exploitdb | |
| 15 | # @option references [ Array<String> ] :url URL(s) to related advisories etc | |
| 16 | # @option references [ Array<String>, String ] :metasploit The related metasploit module(s) | |
| 17 | # @option references [ Array<String> ] :youtube | |
| 17 | 18 | # @param [ String ] type |
| 18 | 19 | # @param [ String ] fixed_in |
| 19 | def initialize(title, references = {}, type = nil, fixed_in = nil) | |
| 20 | # @param [ HashSymbol ] cvss | |
| 21 | # @option cvss [ String ] :score | |
| 22 | # @option cvss [ String ] :vector | |
| 23 | def initialize(title, references: {}, type: nil, fixed_in: nil, cvss: nil) | |
| 20 | 24 | @title = title |
| 21 | 25 | @type = type |
| 22 | 26 | @fixed_in = fixed_in |
| 27 | @cvss = { score: cvss[:score], vector: cvss[:vector] } if cvss | |
| 23 | 28 | |
| 24 | 29 | self.references = references |
| 25 | 30 | end |
| 31 | 36 | title == other.title && |
| 32 | 37 | type == other.type && |
| 33 | 38 | references == other.references && |
| 34 | fixed_in == other.fixed_in | |
| 39 | fixed_in == other.fixed_in && | |
| 40 | cvss == other.cvss | |
| 35 | 41 | end |
| 36 | 42 | end |
| 37 | 43 | end |
| 0 | 0 | # frozen_string_literal: true |
| 1 | 1 | |
| 2 | 2 | describe CMSScanner::Vulnerability do |
| 3 | subject(:vuln) { described_class.new(title, references) } | |
| 3 | subject(:vuln) { described_class.new(title, references: references, cvss: cvss) } | |
| 4 | 4 | let(:title) { 'Test Vuln' } |
| 5 | 5 | let(:references) { {} } |
| 6 | let(:cvss) { nil } | |
| 6 | 7 | |
| 7 | 8 | it_behaves_like CMSScanner::References |
| 8 | 9 | |
| 11 | 12 | its(:references) { should eql({}) } |
| 12 | 13 | its(:type) { should eql nil } |
| 13 | 14 | its(:fixed_in) { should eql nil } |
| 15 | its(:cvss) { should eql nil } | |
| 16 | ||
| 17 | context 'when CVSS' do | |
| 18 | let(:cvss) { { score: '5.4', vector: 'spec', y: 'key should not be added' } } | |
| 19 | ||
| 20 | its(:cvss) { should eql({ score: '5.4', vector: 'spec' }) } | |
| 21 | end | |
| 14 | 22 | end |
| 15 | 23 | |
| 16 | 24 | describe '#==' do |
| 17 | context 'when te same vuln' do | |
| 25 | context 'when the same vuln' do | |
| 26 | let(:cvss) { { score: '5.4', vector: 'spec' } } | |
| 27 | ||
| 18 | 28 | it 'returns true' do |
| 19 | 29 | expect(vuln).to eq vuln.dup |
| 20 | 30 | end |
| 3 | 3 | describe '#references_keys' do |
| 4 | 4 | it 'returns the expected array of symbols' do |
| 5 | 5 | expect(subject.class.references_keys) |
| 6 | .to eql %i[cve exploitdb url metasploit packetstorm securityfocus] | |
| 6 | .to eql %i[cve exploitdb url metasploit packetstorm securityfocus youtube] | |
| 7 | 7 | end |
| 8 | 8 | end |
| 9 | 9 | |
| 10 | 10 | describe 'references' do |
| 11 | 11 | context 'when no references' do |
| 12 | %i[cves exploitdb_ids urls msf_modules packetstorm_ids securityfocus_ids].each do |attribute| | |
| 12 | %i[cves exploitdb_ids urls msf_modules packetstorm_ids securityfocus_ids youtube_urls].each do |attribute| | |
| 13 | 13 | its(attribute) { should eql([]) } |
| 14 | 14 | end |
| 15 | 15 | |
| 16 | %i[cve_urls exploitdb_urls msf_urls packetstorm_urls securityfocus_urls].each do |attribute| | |
| 16 | %i[cve_urls exploitdb_urls msf_urls packetstorm_urls securityfocus_urls youtube_urls].each do |attribute| | |
| 17 | 17 | its(attribute) { should eql([]) } |
| 18 | 18 | end |
| 19 | 19 | |
| 36 | 36 | url: 'single-url', |
| 37 | 37 | metasploit: '/exploit/yolo', |
| 38 | 38 | packetstorm: 15, |
| 39 | securityfocus: 16 | |
| 39 | securityfocus: 16, | |
| 40 | youtube: 'xAAAA' | |
| 40 | 41 | } |
| 41 | 42 | end |
| 42 | 43 | |
| 57 | 58 | its(:securityfocus_ids) { should eq %w[16] } |
| 58 | 59 | its(:securityfocus_urls) { should eql %w[https://www.securityfocus.com/bid/16/] } |
| 59 | 60 | |
| 61 | its(:youtube_urls) { should eql %w[https://www.youtube.com/watch?v=xAAAA] } | |
| 62 | ||
| 60 | 63 | its(:references_urls) do |
| 61 | 64 | should eql [ |
| 62 | 65 | 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-11', |
| 64 | 67 | 'single-url', |
| 65 | 68 | 'https://www.rapid7.com/db/modules/exploit/yolo', |
| 66 | 69 | 'https://packetstormsecurity.com/files/15/', |
| 67 | 'https://www.securityfocus.com/bid/16/' | |
| 70 | 'https://www.securityfocus.com/bid/16/', | |
| 71 | 'https://www.youtube.com/watch?v=xAAAA' | |
| 68 | 72 | ] |
| 69 | 73 | end |
| 70 | 74 | end |
| 79 | 83 | url: %w[single-url another-url], |
| 80 | 84 | metasploit: %w[/exploit/yolo exploit/aa], |
| 81 | 85 | packetstorm: [50, 51], |
| 82 | securityfocus: [60, 61] | |
| 86 | securityfocus: [60, 61], | |
| 87 | youtube: %w[xBBBB] | |
| 83 | 88 | } |
| 84 | 89 | end |
| 85 | 90 | |
| 115 | 120 | https://www.securityfocus.com/bid/61/] |
| 116 | 121 | end |
| 117 | 122 | |
| 123 | its(:youtube_urls) { should eql %w[https://www.youtube.com/watch?v=xBBBB] } | |
| 124 | ||
| 118 | 125 | its(:references_urls) do |
| 119 | 126 | should eql [ |
| 120 | 127 | 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-10', |
| 128 | 135 | 'https://packetstormsecurity.com/files/50/', |
| 129 | 136 | 'https://packetstormsecurity.com/files/51/', |
| 130 | 137 | 'https://www.securityfocus.com/bid/60/', |
| 131 | 'https://www.securityfocus.com/bid/61/' | |
| 138 | 'https://www.securityfocus.com/bid/61/', | |
| 139 | 'https://www.youtube.com/watch?v=xBBBB' | |
| 132 | 140 | ] |
| 133 | 141 | end |
| 134 | 142 | end |