testing/testcase: check eggs for known vulnerabilities

scan installed eggs and check if they have known vulnerabilities listed on https://github.com/pyupio/safety-db

testing/testcase: check eggs for known vulnerabilities
scan installed eggs and check if they have known vulnerabilities listed on https://github.com/pyupio/safety-db
ae8ac94e · Jérome Perrin · 2ca2830d · ae8ac94e
Commit ae8ac94e authored Aug 31, 2020 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 0 deletions

slapos/testing/testcase.py slapos/testing/testcase.py +44 -0

No files found.
--- a/slapos/testing/testcase.py
+++ b/slapos/testing/testcase.py
@@ -34,6 +34,9 @@ import glob
 import logging
 import shutil
 import warnings
+
+import pkg_resources
+import requests
 from six.moves.urllib.parse import urlparse

 try:
@@ -332,6 +335,47 @@ def checkSoftware(slap, software_url):
          "Software hash present in signature {}\n{}\n".format(
              signature_file, signature_content))

+  def checkEggsVersionsKnownVulnerabilities(
+      egg_directories,
+      safety_db=requests.get(
+          'https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json'
+      ).json()):
+    # type: (List[str], Dict) -> Iterable[str]
+    """Check eggs against known vulnerabilities database from https://github.com/pyupio/safety-db
+    """
+    env = pkg_resources.Environment(egg_directories)
+    for egg in env:
+      known_vulnerabilities = safety_db.get(egg)
+      if known_vulnerabilities:
+        for distribution in env[egg]:
+          for known_vulnerability in known_vulnerabilities:
+            for vulnerable_spec in known_vulnerability['specs']:
+              for req in pkg_resources.parse_requirements(egg +
+                                                          vulnerable_spec):
+                vulnerability_description = "\n".join(
+                    u"{}: {}".format(*item)
+                    for item in known_vulnerability.items())
+                if distribution in req:
+                  yield (
+                      u"{egg} use vulnerable version {distribution.version} because {vulnerable_spec}.\n"
+                      "{vulnerability_description}\n".format(**locals()))
+
+  error_list.extend(
+      checkEggsVersionsKnownVulnerabilities(
+          glob.glob(
+              os.path.join(
+                  slap.software_directory,
+                  software_hash,
+                  'eggs',
+                  '*',
+              )) + glob.glob(
+                  os.path.join(
+                      slap.software_directory,
+                      software_hash,
+                      'develop-eggs',
+                      '*',
+                  ))))
+
  if error_list:
    raise RuntimeError('\n'.join(error_list))