From 1024fe0d0dce21afcc8f359df395b8737e4066bf Mon Sep 17 00:00:00 2001 From: Magiel Bruntink Date: Fri, 26 Jan 2024 19:11:08 +0100 Subject: [PATCH] Added additional test for CVE-2024-22233. --- .../parsers/GHParserTest.java | 29 ++++++++ .../resources/parsers/CVE-2024-22233.json | 69 +++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 src/test/resources/parsers/CVE-2024-22233.json diff --git a/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java b/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java index 9a2f3fe..2c12880 100644 --- a/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java +++ b/src/test/java/eu/fasten/vulnerabilityproducer/parsers/GHParserTest.java @@ -39,6 +39,7 @@ import java.util.stream.Stream; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.when; public class GHParserTest { @@ -153,6 +154,16 @@ public class GHParserTest { } } + String CVE_2024_22233; + + { + try { + CVE_2024_22233 = FileUtils.readFileToString(new File("./src/test/resources/parsers/CVE-2024-22233.json"), StandardCharsets.UTF_8); + } catch (IOException e) { + e.printStackTrace(); + } + } + @Test public void testQueryBuilder() { String queryWithoutCursor = ghParser.buildQuery(null); @@ -204,6 +215,24 @@ public void testParseGHResponseWithdrawn() throws Exception { assertEquals(0, result.size()); } + @Test + public void testParseCVE_2024_22233() throws Exception { + HashMap values = new HashMap<>(); + values.put("query", queryNoCursor); + when(clientMock.sendPost("https://api.github.com/graphql", token, values)).thenReturn(CVE_2024_22233); + var versions = Stream.of("", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "6.0.0", "6.0.15", "6.1.2", "6.0.16", "6.1.3").map(x -> new ImmutablePair<>(x, new DateTime())).collect(Collectors.toList()); + ghParser.getVersionRanger().versionsMappings.put("pkg:maven/org.springframework/spring-core", versions); + ghParser.setCursor(null); + + HashMap result = ghParser.getVulnerabilities(false); + + assertEquals(1, result.size()); + var purls = result.get("CVE-2024-22233").getPurls(); + assertEquals(2, purls.size()); + assertTrue(purls.contains("pkg:maven/org.springframework/spring-core@6.0.15")); + assertTrue(purls.contains("pkg:maven/org.springframework/spring-core@6.1.2")); + } + @AfterAll public static void deleteCursor() { File ghCursor = new File("./src/test/resources/parsers/cursor.txt.txt"); diff --git a/src/test/resources/parsers/CVE-2024-22233.json b/src/test/resources/parsers/CVE-2024-22233.json new file mode 100644 index 0000000..37a0788 --- /dev/null +++ b/src/test/resources/parsers/CVE-2024-22233.json @@ -0,0 +1,69 @@ +{ + "data" : { + "securityAdvisories": { + "nodes": [ + { + "description": "In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * the application uses Spring MVC\n * Spring Security 6.1.6+ or 6.2.1+ is on the classpath\n\n\nTypically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.\n\n\n", + "withdrawnAt": null, + "identifiers": [ + { + "type": "GHSA", + "value": "GHSA-r4q3-7g4q-x89m" + }, + { + "type": "CVE", + "value": "CVE-2024-22233" + } + ], + "severity": "HIGH", + "cvss": { + "score": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + "cwes": { + "nodes": [] + }, + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22233" + }, + { + "url": "https://spring.io/security/cve-2024-22233/" + }, + { + "url": "https://github.com/advisories/GHSA-r4q3-7g4q-x89m" + } + ], + "vulnerabilities": { + "nodes": [ + { + "vulnerableVersionRange": "= 6.0.15", + "firstPatchedVersion": { + "identifier": "6.0.16" + }, + "package": { + "ecosystem": "MAVEN", + "name": "org.springframework:spring-core" + } + }, + { + "vulnerableVersionRange": "= 6.1.2", + "firstPatchedVersion": { + "identifier": "6.1.3" + }, + "package": { + "ecosystem": "MAVEN", + "name": "org.springframework:spring-core" + } + } + ] + } + } + ], + "pageInfo": { + "endCursor": "Y3Vyc29yOnYyOpK5MjAyMC0wNi0wNFQwMDowMjoxOSswMjowMM0ITw==", + "hasNextPage": false + } + } + } +}