diff --git a/.github/workflows/docker-tests.yml b/.github/workflows/docker-tests.yml
new file mode 100644
index 000000000..67b6c24e4
--- /dev/null
+++ b/.github/workflows/docker-tests.yml
@@ -0,0 +1,24 @@
+name: Docker Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  docker-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build -t vulnerablecode-test .
+
+      - name: Run tests inside Docker container
+        run: |
+          docker run --rm vulnerablecode-test pytest
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_expected_8.json b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_8.json
new file mode 100644
index 000000000..057a88d01
--- /dev/null
+++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_8.json
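Review bot: The workflow declares no `permissions:` block and references `actions/checkout@v4` by a mutable tag, so the job runs with the repository's default GITHUB_TOKEN scope and whatever commit the `v4` tag currently points at. Adding a top-level `permissions:` / `  contents: read` and pinning the action to a full commit SHA (`uses: actions/checkout@<full-sha> # v4`) limits what a compromised action or leaked token could do. Since the `pull_request` trigger builds and runs an arbitrary contributor's Dockerfile, a `timeout-minutes:` on the job would also bound a runaway or deliberately slow build. Whether `pytest` and the test dependencies are actually present in the image produced by `docker build .` cannot be confirmed from this hunk; if they are not, the last step will fail on every run.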
@@ -0,0 +1,226 @@
+{
+  "aliases": [
+    "CVE-2016-4009",
+    "GHSA-hvr8-466p-75rh"
+  ],
+  "summary": "Pillow Integer overflow in ImagingResampleHorizontal\nInteger overflow in the `ImagingResampleHorizontal` function in `libImaging/Resample.c` in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.",
+  "affected_packages": [
+    {
+      "package": {
+        "type": "pypi",
+        "namespace": "",
+        "name": "pillow",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": null,
+      "fixed_version": "3.1.1"
+    }
+  ],
+  "references": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4009",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/python-pillow/Pillow/pull/1714",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/advisories/GHSA-hvr8-466p-75rh",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/python-pillow/Pillow",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://security.gentoo.org/glsa/201612-52",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "http://www.securityfocus.com/bid/86064",
+      "severities": [
+        {
+          "system": "cvssv3.1",
+          "value": "9.8",
+          "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "system": "cvssv4",
+          "value": "9.3",
+          "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+        },
+        {
+          "system": "generic_textual",
+          "value": "CRITICAL",
+          "scoring_elements": ""
+        }
+      ]
+    }
+  ],
+  "date_published": "2018-07-24T20:15:48+00:00",
+  "weaknesses": [
+    119
+  ],
+  "url": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/github_osv_test_8.json"
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/github_osv/github_osv_test_8.json b/vulnerabilities/tests/test_data/github_osv/github_osv_test_8.json
new file mode 100644
index 000000000..d89ef71a4
--- /dev/null
+++ b/vulnerabilities/tests/test_data/github_osv/github_osv_test_8.json
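Review bot: Every reference in this expected fixture labels the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` with `"system": "cvssv3.1"`, which freezes a version label that contradicts the vector's own `CVSS:3.0` prefix; the source advisory only says `CVSS_V3`, so the importer appears to map any v3 vector to cvssv3.1 regardless of the prefix. The 9.8 score happens to be identical under 3.0 and 3.1 for this vector, but the mismatch is worth resolving in the importer or explicitly acknowledging before the fixture pins it. The fixture also expects `"affected_version_range": null` although the input range has `"introduced": "0"` / `"fixed": "3.1.1"`, so only the fixed version survives and the data no longer says which versions are affected; if that is intended, a short comment in the test that loads this fixture would prevent the next reader from filing it as a bug. The same three severities are repeated verbatim on all nine references, which is presumably importer behavior rather than a fixture error.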
@@ -0,0 +1,89 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hvr8-466p-75rh",
+  "modified": "2024-10-08T13:06:58Z",
+  "published": "2018-07-24T20:15:48Z",
+  "aliases": [
+    "CVE-2016-4009"
+  ],
+  "summary": "Pillow Integer overflow in ImagingResampleHorizontal",
+  "details": "Integer overflow in the `ImagingResampleHorizontal` function in `libImaging/Resample.c` in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pillow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4009"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python-pillow/Pillow/pull/1714"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-hvr8-466p-75rh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/python-pillow/Pillow"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.gentoo.org/glsa/201612-52"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.securityfocus.com/bid/86064"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2020-06-16T21:41:06Z",
+    "nvd_published_at": null
+  }
+}
\ No newline at end of file