intelmq-extensions 1.8.1__py3-none-any.whl

intelmq_extensions/tests/bots/experts/vulnerability_lookup/test_expert.py

@@ -0,0 +1,203 @@
+"""Testing events splitter
+
+SPDX-FileCopyrightText: 2025 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+import json
+import os
+import unittest
+from unittest import mock
+
+import intelmq.lib.test as test
+import requests
+from requests_mock import MockerCore
+
+from intelmq_extensions.bots.experts.vulnerability_lookup.expert import (
+    VulnerabilityLookupExpertBot,
+)
+
+from ....base import BotTestCase
+
+INPUT = {
+    "__type": "Event",
+    "classification.identifier": "zeus",
+    "classification.type": "vulnerable-system",
+    "notify": True,
+}
+
+
+@test.skip_redis()
+class TestVulnerabilityLookupExpertBot(BotTestCase, unittest.TestCase):
+    @classmethod
+    def set_bot(cls):
+        cls.use_cache = True
+        cls.bot_reference = VulnerabilityLookupExpertBot
+
+    def mock_http_session(self):
+        session = requests.Session()
+        session_mock = mock.patch(
+            "intelmq_extensions.bots.experts.vulnerability_lookup.expert.create_request_session",
+            return_value=session,
+        )
+        session_mock.start()
+        self.addCleanup(session_mock.stop)
+
+        self.requests = MockerCore(session=session)
+        self.requests.start()
+        self.addCleanup(self.requests.stop)
+
+    def _load_data_file(self, filename: str):
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+        file_path = os.path.join(current_dir, "data", filename)
+        with open(file_path, "r") as f:
+            return json.load(f)
+
+    def mock_request(
+        self,
+        path: str,
+        text: str = None,
+        json_: dict = None,
+        data_file: str = None,
+        **kwargs,
+    ):
+        if text is not None:
+            kwargs["text"] = text
+        elif json_ is not None:
+            kwargs["json"] = json_
+        else:
+            kwargs["json"] = self._load_data_file(data_file)
+        self.requests.get(
+            f"https://vulnerability.circl.lu/api/{path}",
+            status_code=200,
+            **kwargs,
+        )
+
+    def setUp(self):
+        super().setUp()
+        self.mock_http_session()
+
+    def tearDown(self):
+        self.cache.flushdb()
+        return super().tearDown()
+
+    def test_not_existing_vuln(self):
+        self.mock_request("vulnerability/zeus", "null\n")
+
+        self.input_message = INPUT
+        self.run_bot()
+
+        self.assertMessageEqual(0, INPUT)
+        self.assertEqual(1, self.requests.call_count)
+
+    def test_filter_classification(self):
+        self.input_message = {**INPUT, "classification.type": "information-disclosure"}
+        self.run_bot()
+
+        self.assertMessageEqual(
+            0, {**INPUT, "classification.type": "information-disclosure"}
+        )
+        self.assertEqual(0, self.requests.call_count)
+
+    def test_no_epss(self):
+        self.mock_request(
+            "vulnerability/cve-2023-49606", data_file="CVE-2023-49606.json"
+        )
+        self.mock_request("epss/cve-2023-49606", json_={"data": []})
+
+        self.input_message = {**INPUT, "classification.identifier": "CVE-2023-49606"}
+        self.run_bot()
+
+        expected = {
+            **INPUT,
+            "classification.identifier": "CVE-2023-49606",
+            "event_description.url": "https://vulnerability.circl.lu/vuln/cve-2023-49606",
+            "event_description.text": "A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.",  # noqa: E501
+            "extra.cvss3_1": 9.8,
+        }
+        self.assertEqual(2, self.requests.call_count)
+        self.assertMessageEqual(0, expected)
+
+    def test_cve_with_epss_and_cut_description(self):
+        self.mock_request(
+            "vulnerability/CVE-2024-23113", data_file="CVE-2024-23113.json"
+        )
+        self.mock_request("epss/CVE-2024-23113", data_file="CVE-2024-23113_epss.json")
+
+        self.input_message = {**INPUT, "classification.identifier": "CVE-2024-23113"}
+        self.run_bot(parameters={"description_length": 100})
+
+        expected = {
+            **INPUT,
+            "classification.identifier": "CVE-2024-23113",
+            "event_description.url": "https://vulnerability.circl.lu/vuln/cve-2024-23113",
+            "event_description.text": "A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0...",  # noqa: E501
+            "extra.cvss3_1": 9.8,
+            "extra.epss": "0.416590000",
+        }
+        self.assertEqual(2, self.requests.call_count)
+        self.assertMessageEqual(0, expected)
+
+    def test_cache_is_used(self):
+        self.mock_request(
+            "vulnerability/CVE-2024-23113", data_file="CVE-2024-23113.json"
+        )
+        self.mock_request("epss/CVE-2024-23113", data_file="CVE-2024-23113_epss.json")
+
+        self.input_message = [
+            {**INPUT, "classification.identifier": "CVE-2024-23113"},
+            {**INPUT, "classification.identifier": "CVE-2024-23113"},
+        ]
+        self.run_bot(parameters={"description_length": 100}, iterations=2)
+
+        expected = {
+            **INPUT,
+            "classification.identifier": "CVE-2024-23113",
+            "event_description.url": "https://vulnerability.circl.lu/vuln/cve-2024-23113",
+            "event_description.text": "A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0...",  # noqa: E501
+            "extra.cvss3_1": 9.8,
+            "extra.epss": "0.416590000",
+        }
+        self.assertEqual(2, self.requests.call_count)
+        self.assertMessageEqual(0, expected)
+        self.assertMessageEqual(1, expected)
+
+    def test_multiple_cvss_and_description_with_new_lines(self):
+        self.mock_request("vulnerability/cve-2025-2742", data_file="CVE-2025-2742.json")
+        self.mock_request("epss/cve-2025-2742", json_={"data": []})
+
+        self.input_message = {**INPUT, "classification.identifier": "CVE-2025-2742"}
+        self.run_bot(parameters={"description_length": 100})
+
+        expected = {
+            **INPUT,
+            "classification.identifier": "CVE-2025-2742",
+            "event_description.url": "https://vulnerability.circl.lu/vuln/cve-2025-2742",
+            "event_description.text": "A vulnerability classified     as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vuln...",  # noqa: E501
+            "extra.cvss3_0": 5.4,
+            "extra.cvss3_1": 5.4,
+            "extra.cvss4_0": 5.3,
+        }
+        self.assertEqual(2, self.requests.call_count)
+        self.assertMessageEqual(0, expected)
+
+    def test_ghsa(self):
+        self.mock_request(
+            "vulnerability/ghsa-r6xg-mjqp-qqg4", data_file="GHSA-r6xg-mjqp-qqg4.json"
+        )
+        self.mock_request("epss/ghsa-r6xg-mjqp-qqg4", json_={"data": []})
+
+        self.input_message = {
+            **INPUT,
+            "classification.identifier": "GHSA-r6xg-mjqp-qqg4",
+        }
+        self.run_bot(parameters={"description_length": 100})
+
+        expected = {
+            **INPUT,
+            "classification.identifier": "GHSA-r6xg-mjqp-qqg4",
+            "event_description.url": "https://vulnerability.circl.lu/vuln/ghsa-r6xg-mjqp-qqg4",
+            "event_description.text": "A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vulnerab...",  # noqa: E501
+        }
+        self.assertEqual(2, self.requests.call_count)
+        self.assertMessageEqual(0, expected)

intelmq_extensions/tests/bots/outputs/mattermost/test_output.py

@@ -0,0 +1,138 @@
+import unittest
+from unittest import mock
+
+import requests
+from requests_mock import MockerCore
+
+from intelmq_extensions.bots.outputs.mattermost.output import MattermostOutputBot
+
+from ....base import BotTestCase
+
+INPUT = {
+    "__type": "Event",
+    "classification.identifier": "zeus",
+    "classification.type": "infected-system",
+    "notify": False,
+    "source.asn": 1,
+    "source.ip": "192.0.2.1",
+    "feed.name": "Example Feed",
+}
+
+
+class TestMattermostOutputBot(BotTestCase, unittest.TestCase):
+    MM_URL = "https://my.mm.instance"
+    BOT_TOKEN = "XYZ"
+    CHANNEL = "channel-1"
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = MattermostOutputBot
+        cls.sysconfig = {
+            "mm_url": cls.MM_URL,
+            "bot_token": cls.BOT_TOKEN,
+            "channel_id": cls.CHANNEL,
+            "author_name": None,
+            "author_icon": None,
+        }
+
+    def mock_http_session(self):
+        session = requests.Session()
+        session_mock = mock.patch(
+            "intelmq_extensions.bots.outputs.mattermost.output.create_request_session",
+            return_value=session,
+        )
+        session_mock.start()
+        self.addCleanup(session_mock.stop)
+
+        self.requests = MockerCore(session=session)
+        self.requests.start()
+        self.addCleanup(self.requests.stop)
+
+    def mock_request(
+        self,
+        message: str = None,
+        attachment: dict = None,
+        card: str = None,
+        path: str = "api/v4/posts",
+        method: str = "post",
+        **kwargs,
+    ):
+        data = {"channel_id": self.CHANNEL}
+        if message is not None:
+            data["message"] = message
+        data["props"] = {}
+        if attachment is not None:
+            data["props"]["attachments"] = [attachment]
+        if card is not None:
+            data["props"]["card"] = card
+        mocking_method = getattr(self.requests, method)
+        mocking_method(
+            f"{self.MM_URL}/{path}",
+            request_headers={
+                "Authorization": f"Bearer {self.BOT_TOKEN}",
+            },
+            **kwargs,
+        )
+        return data
+
+    def setUp(self):
+        super().setUp()
+        self.mock_http_session()
+
+    def test_simple_static_message(self):
+        expected_payload = self.mock_request(message="This is a static message")
+
+        self.input_message = INPUT
+        self.run_bot(parameters={"message": "This is a static message"})
+
+        self.assertEqual(1, self.requests.call_count)
+        self.assertEqual(expected_payload, self.requests.last_request.json())
+
+    def test_get_info_from_event_if_allowed(self):
+        expected_payload = self.mock_request(
+            message="message zeus",
+            attachment={
+                "pretext": "pretext zeus",
+                "text": "text zeus",
+                "fallback": "fallback zeus",
+                "title": "title zeus",
+                "title_link": "title_link {ev[classification.identifier]}",
+                "author_name": "author_name {ev[classification.identifier]}",
+                "author_icon": "author_icon {ev[classification.identifier]}",
+                "author_link": "author_link {ev[classification.identifier]}",
+                "color": "color {ev[classification.identifier]}",
+                "footer": "footer zeus",
+                "fields": [
+                    {"short": True, "title": "field title zeus", "value": "value zeus"}
+                ],
+            },
+            card="card zeus",
+        )
+
+        self.input_message = INPUT
+        self.run_bot(
+            parameters={
+                "message": "message {ev[classification.identifier]}",
+                "card": "card {ev[classification.identifier]}",
+                "pretext": "pretext {ev[classification.identifier]}",
+                "text": "text {ev[classification.identifier]}",
+                "fallback": "fallback {ev[classification.identifier]}",
+                "title": "title {ev[classification.identifier]}",
+                "title_link": "title_link {ev[classification.identifier]}",
+                "author_name": "author_name {ev[classification.identifier]}",
+                "author_icon": "author_icon {ev[classification.identifier]}",
+                "author_link": "author_link {ev[classification.identifier]}",
+                "color": "color {ev[classification.identifier]}",
+                "footer": "footer {ev[classification.identifier]}",
+                "fields": [
+                    {
+                        "short": True,
+                        "title": "field title {ev[classification.identifier]}",
+                        "value": "value {ev[classification.identifier]}",
+                    }
+                ],
+            }
+        )
+
+        self.assertEqual(1, self.requests.call_count)
+        self.assertEqual(expected_payload, self.requests.last_request.json())

intelmq_extensions/tests/bots/outputs/xmpp/test_output.py

@@ -0,0 +1,10 @@
+"""
+Test for the XMPP Output Bot
+"""
+
+import os
+
+if os.environ.get("INTELMQ_TEST_EXOTIC"):
+    import intelmq_extensions.bots.outputs.xmpp.output  # noqa
+
+# This file is a stub.

intelmq_extensions/tests/bots/parsers/blackkite/data.py

@@ -0,0 +1,69 @@
+"""Test data for parser tests. Extracted for readiness
+
+SPDX-FileCopyrightText: 2023 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+DEFAULT_COMPANY = {
+    "CompanyId": 1,
+    "CompanyName": "Austrian National CERT",
+    "DomainName": "cert.at",
+}
+
+PATCH_MANAGEMENT = {
+    "FindingId": 1,
+    "Status": "Active",
+    "Severity": "Critical",
+    "ControlId": "PATCH-001",
+    "Domain": "example.cert.at",
+    "IpAddress": "127.0.0.1",
+    "ProductName": "openssh_/5.9",
+    "Cpes": [
+        "cpe:2.3:a:openbsd:openssh:7.6:p1:*:*:*:*:*:*",
+        "cpe:2.3:a:openbsd:openssh:7.6:-:*:*:*:*:*:*",
+    ],
+    "PublishDate": "2023-08-02T07:30:44.38",
+    "CvssScore": 9.8,
+    "CwssScore": None,
+    "CveId": "CVE-2023-38408",
+    "CweId": "CWE-428",
+    "Detail": (
+        "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently "
+        "trustworthy search path, leading to remote code execution if an agent is forwarded "
+        "to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for "
+        "loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for"
+        " CVE-2016-10009."
+    ),
+    "References": ["https://nvd.nist.gov/vuln/detail/CVE-2023-38408"],
+    "FindingDate": "2023-08-28T13:37:22.717",
+    "LastCheckDate": "2023-10-03T11:48:54.257",
+    "Ticket": None,
+}
+
+APPLICATION_SECURITY = {
+    "FindingId": 658443,
+    "Status": "Active",
+    "Severity": "Critical",
+    "ControlId": "APPSEC-014",
+    "Domain": "example.cert.at",
+    "Output": "Failed",
+    "Title": "Cleartext Transmission of Sensitive Information",
+    "Detail": "Not encrypted communication on xxx.",
+    "FindingDate": "2023-08-28T13:37:22.717",
+    "LastCheckDate": "2023-10-03T11:48:58.937",
+    "Ticket": None,
+}
+
+CREDENTIAL_MANAGEMENT = {
+    "FindingId": 44823698,
+    "Status": "Active",
+    "Severity": "Low",
+    "ControlId": "LEAK-003",
+    "Domain": "cert.at",
+    "EmailorUsername": "user@example.cert.at",
+    "Source": "cert_com_leak",
+    "LeakDate": "2022-09-22T00:00:00",
+    "LeakInfo": "****",
+    "PasswordType": "PLAIN",
+    "Ticket": None,
+}

intelmq_extensions/tests/bots/parsers/blackkite/test_parser.py

@@ -0,0 +1,197 @@
+"""Tests for BlackKiteParserBot
+
+SPDX-FileCopyrightText: 2023 CERT.at GmbH <https://cert.at/>
+SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+
+import json
+import unittest
+from datetime import datetime
+
+import intelmq.lib.message as message
+from dateutil.tz import UTC
+
+from intelmq_extensions.bots.parsers.blackkite.parser import BlackKiteParserBot
+
+from ....base import BotTestCase
+from .data import (
+    APPLICATION_SECURITY,
+    CREDENTIAL_MANAGEMENT,
+    DEFAULT_COMPANY,
+    PATCH_MANAGEMENT,
+)
+
+
+class TestBlackKiteParserBot(BotTestCase, unittest.TestCase):
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = BlackKiteParserBot
+        cls.sysconfig = {}
+
+    def _create_report_dict(self, finding_data: dict, company_data: dict = None):
+        company_data = company_data or DEFAULT_COMPANY
+        raw = {"company": company_data, "finding": finding_data}
+
+        data = {
+            "feed.accuracy": 100.0,
+            "time.observation": datetime(2023, 1, 1, tzinfo=UTC).isoformat(),
+        }
+
+        report = message.Report(data, harmonization=self.harmonization)
+        report.add("raw", json.dumps(raw))
+        return report.to_dict(with_type=True)
+
+    def _create_event_dict(
+        self,
+        ip: str = "127.0.0.1",
+        fqdn: str = None,
+        event_id: int = 1,
+        monitored_asset: str = "cert.at",
+        identifier: str = "bk-patch",
+        taxonomy: str = "vulnerable",
+        type_: str = "vulnerable-system",
+        **kwargs,
+    ):
+        data = {
+            "classification.identifier": identifier,
+            "classification.taxonomy": taxonomy,
+            "classification.type": type_,
+            "source.fqdn": fqdn,
+            "source.ip": ip,
+            "extra.feed_event_id": event_id,
+            "extra.blackkite_company_id": 1,
+            "feed.accuracy": 100.0,
+            "extra.monitored_asset": monitored_asset,  # Domain from Company
+            "time.observation": datetime(2023, 1, 1, tzinfo=UTC).isoformat(),
+            **kwargs,
+        }
+        event = message.Event(data, harmonization=self.harmonization)
+        if "time.source" not in event:
+            event.add("time.source", "2023-08-28T13:37:22.717")
+        event.add("raw", json.dumps({"company": {}, "finding": {}}))
+        return event.to_dict(with_type=True)
+
+    def test_parse_patch_management_finding(self):
+        self.input_message = self._create_report_dict(PATCH_MANAGEMENT)
+
+        self.run_bot()
+
+        expected = {
+            "identifier": "cve-2023-38408",
+            "event_description.text": PATCH_MANAGEMENT["Detail"],
+            "event_description.url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+            "extra.vendor": "openbsd",
+            "extra.product": "openssh",
+            "extra.product_name": "openssh_/5.9",
+            "extra.vulnerabilities": "cve-2023-38408",
+            # Cvss score? Severity?
+            "feed.documentation": "https://cyber.riskscore.cards/kb/PATCH-001",
+            "feed.code": "blackkite-patch",
+            "feed.name": "BlackKite PATCH",
+        }
+        self.assertMessageEqual(
+            0, self._create_event_dict(**expected), compare_raw=False
+        )
+
+    def test_handling_domain_in_ip_field(self):
+        "This is a workaround for bug in BlackKite, already reported. See Taiga#808"
+        msg = PATCH_MANAGEMENT.copy()
+        msg["IpAddress"] = "override.example.at"
+        self.input_message = self._create_report_dict(msg)
+
+        self.run_bot()
+
+        expected = {
+            "source.ip": None,
+            # "source.fqdn": "override.example.at", FIXME: Wait for explanation from BlackKite
+            "identifier": "cve-2023-38408",
+            "event_description.text": PATCH_MANAGEMENT["Detail"],
+            "event_description.url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+            "extra.vendor": "openbsd",
+            "extra.product": "openssh",
+            "extra.product_name": "openssh_/5.9",
+            "extra.vulnerabilities": "cve-2023-38408",
+            "feed.documentation": "https://cyber.riskscore.cards/kb/PATCH-001",
+            "feed.code": "blackkite-patch",
+            "feed.name": "BlackKite PATCH",
+        }
+        self.assertMessageEqual(
+            0, self._create_event_dict(**expected), compare_raw=False
+        )
+
+    def test_parse_patch_management_finding_without_cve(self):
+        # e.g. EoL software
+        msg = PATCH_MANAGEMENT.copy()
+        msg["ControlId"] = "PATCH-010"
+        msg["CveId"] = None
+        self.input_message = self._create_report_dict(msg)
+
+        self.run_bot()
+
+        expected = {
+            "identifier": "end-of-live",
+            "event_description.text": msg["Detail"],
+            "event_description.url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+            "extra.vendor": "openbsd",
+            "extra.product": "openssh",
+            "extra.product_name": "openssh_/5.9",
+            # Cvss score? Severity?
+            "feed.documentation": "https://cyber.riskscore.cards/kb/PATCH-010",
+            "feed.code": "blackkite-patch",
+            "feed.name": "BlackKite PATCH",
+        }
+        self.assertMessageEqual(
+            0, self._create_event_dict(**expected), compare_raw=False
+        )
+
+    def test_parse_application_security_finding(self):
+        self.input_message = self._create_report_dict(APPLICATION_SECURITY)
+
+        self.run_bot()
+
+        expected = {
+            "classification.taxonomy": "vulnerable",
+            "classification.type": "potentially-unwanted-accessible",
+            "identifier": "bk-appsec",
+            "event_description.text": (
+                "Cleartext Transmission of Sensitive Information. "
+                "Not encrypted communication on xxx."
+            ),
+            "feed.documentation": "https://cyber.riskscore.cards/kb/APPSEC-014",
+            "extra.feed_event_id": 658443,
+            "source.ip": None,
+            "feed.code": "blackkite-appsec",
+            "feed.name": "BlackKite APPSEC",
+        }
+        self.assertMessageEqual(
+            0, self._create_event_dict(**expected), compare_raw=False
+        )
+
+    def test_parse_credential_management_finding(self):
+        self.input_message = self._create_report_dict(CREDENTIAL_MANAGEMENT)
+
+        self.run_bot()
+
+        expected = {
+            "classification.taxonomy": "information-content-security",
+            "classification.type": "data-leak",
+            "classification.identifier": "leaked-credentials",
+            "source.fqdn": "example.cert.at",
+            "extra.monitored_asset": "cert.at",
+            "feed.documentation": "https://cyber.riskscore.cards/kb/LEAK-003",
+            "source.account": "user@example.cert.at",
+            "extra.account": "user@example.cert.at",  # intentionally twice
+            "extra.password": "PLAIN",  # BK doesn't provide us more info
+            "extra.compromise_time_full": "2022-09-22T00:00:00",
+            "extra.compromise_time": "2022-09",
+            "extra.leak_source": "cert_com_leak",
+            "source.ip": None,
+            "extra.feed_event_id": 44823698,
+            # This feed doesn't have a proper source time, use observation instead
+            "time.source": datetime(2023, 1, 1, tzinfo=UTC).isoformat(),
+            "feed.code": "blackkite-leak",
+            "feed.name": "BlackKite LEAK",
+        }
+        self.assertMessageEqual(
+            0, self._create_event_dict(**expected), compare_raw=False
+        )