cvelist 0.1.0

data/spec/cve_methods_examples.rb

@@ -0,0 +1,130 @@
+require 'spec_helper'
+
+RSpec.shared_examples "CVE methods" do
+  describe "#each" do
+    let(:malformed_cves) { %w[CVE-2021-2999.json CVE-2021-2998.json] }
+    let(:malformed_cve_paths) do
+      Dir[File.join(path,"{**/}{#{malformed_cves.join(',')}}")]
+    end
+
+    let(:cve_paths) { Dir[File.join(path,'{**/}CVE-*.json')] }
+    let(:valid_cve_paths) { cve_paths - malformed_cve_paths }
+
+    context "when a block is given" do
+      it "must yield CVE objects "do
+        results = []
+        subject.each { |cve| results << cve }
+
+        expect(results).to all(be_kind_of(CVE))
+      end
+    end
+
+    context "when no block is given" do
+      it "must return an Enumerator object" do
+        expect(subject.each).to be_kind_of(Enumerator)
+      end
+    end
+
+    it "must find the valid CVE-*.json files in the repository" do
+      expect(subject.each.map(&:path)).to match_array(valid_cve_paths)
+    end
+
+    it "must omit malformed CVEs" do
+      expect(subject.each.map(&:path)).to_not include(malformed_cve_paths)
+    end
+  end
+
+  describe "#each_malformed" do
+    let(:malformed_cves) { %w[CVE-2021-2999.json CVE-2021-2998.json] }
+    let(:malformed_cve_paths) do
+      Dir[File.join(path,"{**/}{#{malformed_cves.join(',')}}")]
+    end
+
+    let(:cve_paths) { Dir[File.join(path,'{**/}CVE-*.json')] }
+    let(:valid_cve_paths) { cve_paths - malformed_cve_paths }
+
+    context "when a block is given" do
+      it "must yield MalformedCVE objects "do
+        results = []
+        subject.each_malformed { |cve| results << cve }
+
+        expect(results).to all(be_kind_of(MalformedCVE))
+      end
+    end
+
+    context "when no block is given" do
+      it "must return an Enumerator object" do
+        expect(subject.each_malformed).to be_kind_of(Enumerator)
+      end
+    end
+
+    it "must find the malformed CVE-*.json files in the repository" do
+      expect(subject.each_malformed.map(&:path)).to match_array(malformed_cve_paths)
+    end
+
+    it "must omit valid CVEs" do
+      expect(subject.each_malformed.map(&:path)).to_not include(valid_cve_paths)
+    end
+  end
+
+  describe "#has_cve?" do
+    let(:cve_id) { 'CVE-2021-2001' }
+
+    it "must find the .json file with the matching CVE ID in the repository" do
+      expect(subject.has_cve?(cve_id)).to eq(true)
+    end
+
+    context "when the given .json file cannot be found" do
+      let(:cve_id) { 'CVE-2021-2010' }
+
+      it "must return false" do
+        expect(subject.has_cve?(cve_id)).to eq(false)
+      end
+    end
+  end
+
+  describe "#[]" do
+    let(:cve_year)   { '2021' }
+    let(:cve_number) { '2001' }
+    let(:cve_id)     { "CVE-#{cve_year}-#{cve_number}" }
+
+    let(:cve_range)  { '2xxx' }
+    let(:cve_path) do
+      File.join(cvelist_dir,cve_year,cve_range,"#{cve_id}.json")
+    end
+
+    subject { super()[cve_id] }
+
+    it "must return a CVE object" do
+      expect(subject).to be_kind_of(CVE)
+    end
+
+    it "must load the CVE from the .json file with the matching CVE ID" do
+      expect(subject.path).to eq(cve_path)
+    end
+
+    context "when the repository does not have a matching year directory" do
+      let(:cve_id) { 'CVE-3000-1234' }
+
+      it "must return nil" do
+        expect(subject).to eq(nil)
+      end
+    end
+
+    context "when the repository does not have a matching range directory" do
+      let(:cve_id) { 'CVE-2021-9999' }
+
+      it "must return nil" do
+        expect(subject).to eq(nil)
+      end
+    end
+
+    context "when the repository does not have the CVE .json file" do
+      let(:cve_id) { 'CVE-2021-2010' }
+
+      it "must return nil" do
+        expect(subject).to eq(nil)
+      end
+    end
+  end
+end

data/spec/cve_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+require 'cvelist/cve'
+
+describe CVE do
+  let(:cve_id) { 'CVE-2020-1994' }
+  let(:file)   { File.expand_path("../fixtures/#{cve_id}.json",__FILE__) }
+
+  it { expect(described_class).to be < CVESchema::CVE }
+
+  describe ".parse" do
+    subject { described_class }
+
+    it "must parse the given JSON" do
+      expect(subject.parse('[1]')).to eq([1])
+    end
+
+    context "when given invalid JSON" do
+      let(:json) { '[' }
+
+      it do
+        expect {
+          subject.parse(json)
+        }.to raise_error(described_class::InvalidJSON)
+      end
+    end
+  end
+
+  describe ".read" do
+    subject { described_class }
+
+    it "must read and parse the JSON in the given file" do
+      expect(subject.read(file)).to eq(JSON.parse(File.read(file)))
+    end
+  end
+
+  describe ".load" do
+    subject { described_class.load(file) }
+
+    it "must load a CVE object from the given file" do
+      expect(subject).to be_kind_of(described_class)
+    end
+
+    it "must set #path" do
+      expect(subject.path).to eq(file)
+    end
+
+    it "must set other CVE fields" do
+      expect(subject.data_meta.id.to_s).to eq(cve_id)
+    end
+  end
+end

data/spec/cvelist_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'cvelist'
+
+describe CVEList do
+  it "should have a VERSION constant" do
+    expect(subject.const_get('VERSION')).to_not be_empty
+  end
+end

data/spec/directory_spec.rb

@@ -0,0 +1,83 @@
+require 'spec_helper'
+require 'cvelist/directory'
+
+describe Directory do
+  let(:fixture_dir) { File.expand_path('../fixtures',__FILE__)  }
+  let(:path)        { File.join(fixture_dir,'cvelist') }
+
+  subject { described_class.new(path) }
+
+  describe "#initialize" do
+    it "must set #path" do
+      expect(subject.path).to eq(path)
+    end
+
+    context "when given a relative path" do
+      let(:relative_path) { File.join(__FILE__,'../fixtures/cvelist') }
+
+      subject { described_class.new(relative_path) }
+
+      it "must expand the relative path" do
+        expect(subject.path).to eq(path)
+      end
+    end
+  end
+
+  describe "#join" do
+    let(:name) { 'foo' }
+
+    it "must join the path with the directory's #path" do
+      expect(subject.join(name)).to eq(File.join(path,name))
+    end
+
+    context "when given multiple arguments" do
+      let(:names) { %w[foo bar baz] }
+
+      it "must join all arguments together with the directory's #path" do
+        expect(subject.join(*names)).to eq(File.join(path,*names))
+      end
+    end
+  end
+
+  describe "#file?" do
+    let(:name) { '.gitkeep' }
+
+    it "must test whether the given path is a file within the directory" do
+      expect(subject.file?(name)).to eq(true)
+    end
+
+    context "when the given sub-directory does not exist" do
+      it { expect(subject.file?('foo')).to eq(false) }
+    end
+  end
+
+  describe "#directory?" do
+    let(:name) { '2000' }
+
+    it "must test whether the given path is a directory within the directory" do
+      expect(subject.directory?(name)).to eq(true)
+    end
+
+    context "when the given sub-directory does not exist" do
+      it { expect(subject.directory?('foo')).to eq(false) }
+    end
+  end
+
+  describe "#glob" do
+    let(:pattern) { '20*1' }
+    let(:dirs) { %w[2001 2011 2021] }
+    let(:paths) do
+      dirs.map { |dir| File.join(path,dir) }
+    end
+
+    it "must perform a Dir.glob within the directory" do
+      expect(subject.glob(pattern)).to match_array(paths)
+    end
+  end
+
+  describe "#to_s" do
+    it "must return the #path" do
+      expect(subject.to_s).to eq(path)
+    end
+  end
+end

data/spec/fixtures/CVE-2020-1994.json

@@ -0,0 +1,140 @@
+{
+    "CVE_data_meta": {
+        "ASSIGNER": "psirt@paloaltonetworks.com",
+        "DATE_PUBLIC": "2020-05-13T16:00:00.000Z",
+        "ID": "CVE-2020-1994",
+        "STATE": "PUBLIC",
+        "TITLE": "PAN-OS: Predictable temporary file vulnerability"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "PAN-OS",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_affected": "<",
+                                            "version_name": "8.1",
+                                            "version_value": "8.1.13"
+                                        },
+                                        {
+                                            "version_affected": "<",
+                                            "version_name": "9.0",
+                                            "version_value": "9.0.7"
+                                        },
+                                        {
+                                            "version_affected": "=",
+                                            "version_name": "7.1",
+                                            "version_value": "7.1.*"
+                                        },
+                                        {
+                                            "version_affected": "=",
+                                            "version_name": "8.0",
+                                            "version_value": "8.0.*"
+                                        },
+                                        {
+                                            "version_affected": "!>=",
+                                            "version_name": "8.1",
+                                            "version_value": "8.1.13"
+                                        },
+                                        {
+                                            "version_affected": "!>=",
+                                            "version_name": "9.0",
+                                            "version_value": "9.0.7"
+                                        },
+                                        {
+                                            "version_affected": "!>=",
+                                            "version_name": "9.1",
+                                            "version_value": "9.1.0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "Palo Alto Networks"
+                }
+            ]
+        }
+    },
+    "credit": [
+        {
+            "lang": "eng",
+            "value": "This issue was found by a customer."
+        }
+    ],
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
+    "description": {
+        "description_data": [
+            {
+                "lang": "eng",
+                "value": "A predictable temporary file vulnerability in PAN-OS allows a local authenticated user with shell access to corrupt arbitrary system files affecting the integrity of the system. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7."
+            }
+        ]
+    },
+    "generator": {
+        "engine": "Vulnogram 0.0.9"
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "LOCAL",
+            "availabilityImpact": "NONE",
+            "baseScore": 4.1,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "HIGH",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-377 Insecure Temporary File"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "MISC",
+                "url": "https://security.paloaltonetworks.com/CVE-2020-1994",
+                "name": "https://security.paloaltonetworks.com/CVE-2020-1994"
+            }
+        ]
+    },
+    "solution": [
+        {
+            "lang": "eng",
+            "value": "This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and all later PAN-OS versions.\n\nPAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.\n\nPAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes."
+        }
+    ],
+    "source": {
+        "defect": [
+            "PAN-123391"
+        ],
+        "discovery": "USER"
+    },
+    "timeline": [
+        {
+            "lang": "eng",
+            "time": "2020-05-13T16:00:00.000Z",
+            "value": "Initial publication"
+        }
+    ]
+}