Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
@@ -1,5 +1,6 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using FluentAssertions;
|
||||
using MongoDB.Bson;
|
||||
using StellaOps.Concelier.Models;
|
||||
@@ -20,23 +21,24 @@ public sealed class CiscoMapperTests
|
||||
var published = new DateTimeOffset(2025, 10, 1, 0, 0, 0, TimeSpan.Zero);
|
||||
var updated = published.AddDays(1);
|
||||
|
||||
var dto = new CiscoAdvisoryDto(
|
||||
AdvisoryId: "CISCO-SA-TEST",
|
||||
Title: "Test Advisory",
|
||||
Summary: "Sample summary",
|
||||
Severity: "High",
|
||||
var dto = new CiscoAdvisoryDto(
|
||||
AdvisoryId: "CISCO-SA-TEST",
|
||||
Title: "Test Advisory",
|
||||
Summary: "Sample summary",
|
||||
Severity: "High",
|
||||
Published: published,
|
||||
Updated: updated,
|
||||
PublicationUrl: "https://example.com/advisory",
|
||||
CsafUrl: "https://sec.cloudapps.cisco.com/csaf/test.json",
|
||||
CvrfUrl: "https://example.com/cvrf.xml",
|
||||
CvssBaseScore: 9.8,
|
||||
Cves: new List<string> { "CVE-2024-0001" },
|
||||
BugIds: new List<string> { "BUG123" },
|
||||
Products: new List<CiscoAffectedProductDto>
|
||||
{
|
||||
new("Cisco Widget", "PID-1", "1.2.3", new [] { AffectedPackageStatusCatalog.KnownAffected })
|
||||
});
|
||||
CvssBaseScore: 9.8,
|
||||
Cves: new List<string> { "CVE-2024-0001" },
|
||||
BugIds: new List<string> { "BUG123" },
|
||||
Products: new List<CiscoAffectedProductDto>
|
||||
{
|
||||
new("Cisco Widget", "PID-1", "1.2.3", new [] { AffectedPackageStatusCatalog.KnownAffected }),
|
||||
new("Cisco Router", "PID-2", ">=1.0.0 <1.4.0", new [] { AffectedPackageStatusCatalog.KnownAffected })
|
||||
});
|
||||
|
||||
var document = new DocumentRecord(
|
||||
Id: Guid.NewGuid(),
|
||||
@@ -62,18 +64,38 @@ public sealed class CiscoMapperTests
|
||||
advisory.Aliases.Should().Contain(new[] { "CISCO-SA-TEST", "CVE-2024-0001", "BUG123" });
|
||||
advisory.References.Should().Contain(reference => reference.Url == "https://example.com/advisory");
|
||||
advisory.References.Should().Contain(reference => reference.Url == "https://sec.cloudapps.cisco.com/csaf/test.json");
|
||||
advisory.AffectedPackages.Should().HaveCount(1);
|
||||
|
||||
var package = advisory.AffectedPackages[0];
|
||||
package.Type.Should().Be(AffectedPackageTypes.Vendor);
|
||||
package.Identifier.Should().Be("Cisco Widget");
|
||||
package.Statuses.Should().ContainSingle(status => status.Status == AffectedPackageStatusCatalog.KnownAffected);
|
||||
package.VersionRanges.Should().ContainSingle();
|
||||
var range = package.VersionRanges[0];
|
||||
range.RangeKind.Should().Be("semver");
|
||||
range.Provenance.Source.Should().Be(VndrCiscoConnectorPlugin.SourceName);
|
||||
range.Primitives.Should().NotBeNull();
|
||||
range.Primitives!.SemVer.Should().NotBeNull();
|
||||
range.Primitives.SemVer!.ExactValue.Should().Be("1.2.3");
|
||||
}
|
||||
}
|
||||
advisory.AffectedPackages.Should().HaveCount(2);
|
||||
|
||||
var package = advisory.AffectedPackages.Single(p => p.Identifier == "Cisco Widget");
|
||||
package.Type.Should().Be(AffectedPackageTypes.Vendor);
|
||||
package.Identifier.Should().Be("Cisco Widget");
|
||||
package.Statuses.Should().ContainSingle(status => status.Status == AffectedPackageStatusCatalog.KnownAffected);
|
||||
package.VersionRanges.Should().ContainSingle();
|
||||
var range = package.VersionRanges[0];
|
||||
range.RangeKind.Should().Be("semver");
|
||||
range.Provenance.Source.Should().Be(VndrCiscoConnectorPlugin.SourceName);
|
||||
range.Primitives.Should().NotBeNull();
|
||||
range.Primitives!.SemVer.Should().NotBeNull();
|
||||
range.Primitives.SemVer!.ExactValue.Should().Be("1.2.3");
|
||||
|
||||
package.NormalizedVersions.Should().ContainSingle();
|
||||
var normalized = package.NormalizedVersions[0];
|
||||
normalized.Scheme.Should().Be(NormalizedVersionSchemes.SemVer);
|
||||
normalized.Type.Should().Be(NormalizedVersionRuleTypes.Exact);
|
||||
normalized.Value.Should().Be("1.2.3");
|
||||
normalized.Notes.Should().Be("cisco:pid-1");
|
||||
|
||||
var rangePackage = advisory.AffectedPackages.Single(p => p.Identifier == "Cisco Router");
|
||||
rangePackage.VersionRanges.Should().ContainSingle();
|
||||
var rangePackageRange = rangePackage.VersionRanges[0];
|
||||
rangePackageRange.Primitives!.SemVer.Should().NotBeNull();
|
||||
rangePackageRange.Primitives.SemVer!.Introduced.Should().Be("1.0.0");
|
||||
rangePackageRange.Primitives.SemVer.Fixed.Should().Be("1.4.0");
|
||||
rangePackage.NormalizedVersions.Should().ContainSingle(rule =>
|
||||
rule.Min == "1.0.0" &&
|
||||
rule.Max == "1.4.0" &&
|
||||
rule.MinInclusive == true &&
|
||||
rule.MaxInclusive == false &&
|
||||
rule.Notes == "cisco:pid-2");
|
||||
}
|
||||
}
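Review bot: The new "Cisco Router" assertions dereference `rangePackageRange.Primitives!` without first asserting it is non-null, whereas the "Cisco Widget" block just above checks `range.Primitives.Should().NotBeNull()` before applying `!`; if the mapper ever fails to produce primitives for a range-style version string, this test dies with a NullReferenceException rather than a readable assertion failure. Insert `rangePackageRange.Primitives.Should().NotBeNull();` directly before the `SemVer.Should().NotBeNull()` line. The predicate `rule.MinInclusive == true && rule.MaxInclusive == false` would read more naturally as `rule.MinInclusive && !rule.MaxInclusive` if those properties are plain `bool`; keep the `== true` form only if they are nullable. The enclosing test method begins before this hunk.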
|
||||
|
||||