Spaces:

Kaballas
/

auditforge

Runtime error

File size: 17,026 Bytes

56b6519

/*
  At the end
    3 Vulnerabilities: [
      {
        status: 2
        details: [
          {locale: 'en', title: 'Vulnerability English 1', vulnType: 'Internal'}, 
          {
            locale: 'fr',
            title: 'Vulnerability French 1',
            vulnType: 'Internal',
            description: 'French vuln description',
            observation: 'French vuln observation',
            remediation: 'French vuln remediation'
          }
        ]
      },
      {
        cvssv3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        status: 0
        details: [
          {locale: 'en', title: 'Vulnerability English 2', vulnType: 'Internal'},
          {
            locale: 'fr',
            title: 'Vulnerability French 2',
            vulnType: 'Internal',
            description: 'French vuln description',
            observation: 'French vuln observation',
            remediation: 'French vuln remediation',
            references: ['Ref1', 'Ref2']
          }
        ]
      },
      {
        status: 1,
        details: [
          {locale: 'en', title: 'New vulnerability from finding', vulnType: 'Internal', description: 'New vuln description'}
        ]
      }
    ]

*/

module.exports = function (request, app) {
  describe('Vulnerability Suite Tests', () => {
    var userToken = '';
    beforeAll(async () => {
      var response = await request(app)
        .post('/api/users/token')
        .send({ username: 'admin', password: 'Admin123' });
      userToken = response.body.datas.token;
    });

    describe('Vulnerability CRUD operations', () => {
      it('Get vulnerabilities (no existing vulnerabilities in db)', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);

        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(0);
      });

      it('Get vulnerabilities for export (no existing vulnerabilities in db)', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities/export')
          .set('Cookie', [`token=JWT ${userToken}`]);

        expect(response.status).toBe(200);
        expect(response.type).toEqual('application/json');
        //expect(response.headers['content-disposition'].indexOf('attachment; filename=')).toBe(0);

        expect(response.body.datas).toEqual([]);
      });

      it('Create 4 vulnerabilities', async () => {
        var vuln1 = {
          details: [
            {
              locale: 'en',
              title: 'Vulnerability English 1',
              vulnType: 'Internal',
            },
          ],
        };

        var vuln2 = {
          details: [
            {
              locale: 'en',
              title: 'Vulnerability English 2',
              vulnType: 'Internal',
            },
          ],
        };

        var vuln3 = {
          details: [
            {
              locale: 'es',
              title: 'Vulnerability Espagnol 1',
              vulnType: 'Web',
            },
            { locale: 'es', vulnType: 'Web' },
            { title: 'Vulnerability Espagnol 2', vulnType: 'Web' },
          ],
        };

        var vuln4 = {
          cvssv3:
            'CVSS3.0:/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X',
          status: 1,
          details: [
            {
              locale: 'fr',
              title: 'Vulnerability French 1',
              vulnType: 'Internal',
              description: 'French vuln description',
              observation: 'French vuln observation',
              remediation: 'French vuln remediation',
              references: ['Reference 1', 'Reference 2'],
            },
          ],
        };

        var response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send([vuln1, vuln2, vuln3, vuln4]);
        expect(response.status).toBe(201);
      });

      it('Should not create vulnerability with with existing title', async () => {
        var vuln1 = {
          details: [
            {
              locale: 'fr',
              title: 'Vulnerability English 1',
              vulnType: 'Internal',
            },
          ],
        };

        var response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send([vuln1]);
        expect(response.status).toBe(422);
      });

      it('Should not create vulnerability without title', async () => {
        var vuln1 = {
          details: [{ locale: 'fr', vulnType: 'Internal' }],
        };

        var response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send([vuln1]);

        expect(response.status).toBe(422);
      });

      it('Should not create vulnerability without locale', async () => {
        var vuln1 = {
          details: [{ title: 'Vulnerability English', vulnType: 'Internal' }],
        };

        var response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send([vuln1]);

        expect(response.status).toBe(422);
      });

      it('Get vulnerabilities (existing vulnerabilities in db)', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);

        expect(response.status).toBe(200);

        expect(response.body.datas[0].details[0].locale).toEqual('en');
        expect(response.body.datas[0].details[0].title).toEqual(
          'Vulnerability English 1',
        );
        expect(response.body.datas[0].details[0].vulnType).toEqual('Internal');

        expect(response.body.datas[1].details[0].locale).toEqual('en');
        expect(response.body.datas[1].details[0].title).toEqual(
          'Vulnerability English 2',
        );
        expect(response.body.datas[1].details[0].vulnType).toEqual('Internal');

        expect(response.body.datas[2].details[0].locale).toEqual('es');
        expect(response.body.datas[2].details[0].title).toEqual(
          'Vulnerability Espagnol 1',
        );
        expect(response.body.datas[2].details[0].vulnType).toEqual('Web');

        expect(response.body.datas[3].cvssv3).toEqual(
          'CVSS3.0:/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X',
        );
        expect(response.body.datas[3].details[0].locale).toEqual('fr');
        expect(response.body.datas[3].details[0].title).toEqual(
          'Vulnerability French 1',
        );
        expect(response.body.datas[3].details[0].vulnType).toEqual('Internal');
        expect(response.body.datas[3].details[0].description).toEqual(
          'French vuln description',
        );
        expect(response.body.datas[3].details[0].observation).toEqual(
          'French vuln observation',
        );
        expect(response.body.datas[3].details[0].remediation).toEqual(
          'French vuln remediation',
        );
        expect(response.body.datas[3].details[0].references).toEqual([
          'Reference 1',
          'Reference 2',
        ]);
      });

      it('Get vulnerabilities for export (existing vulnerabilities in db)', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities/export')
          .set('Cookie', [`token=JWT ${userToken}`]);

        expect(response.status).toBe(200);
        expect(response.type).toEqual('application/json');
        //expect(response.headers['content-disposition'].indexOf('attachment; filename=')).toBe(0);

        expect(response.body.datas[0].details[0].locale).toEqual('en');
        expect(response.body.datas[0].details[0].title).toEqual(
          'Vulnerability English 1',
        );
        expect(response.body.datas[0].details[0].vulnType).toEqual('Internal');

        expect(response.body.datas[1].details[0].locale).toEqual('en');
        expect(response.body.datas[1].details[0].title).toEqual(
          'Vulnerability English 2',
        );
        expect(response.body.datas[1].details[0].vulnType).toEqual('Internal');

        expect(response.body.datas[2].details[0].locale).toEqual('es');
        expect(response.body.datas[2].details[0].title).toEqual(
          'Vulnerability Espagnol 1',
        );
        expect(response.body.datas[2].details[0].vulnType).toEqual('Web');

        expect(response.body.datas[3].cvssv3).toEqual(
          'CVSS3.0:/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X',
        );
        expect(response.body.datas[3].details[0].locale).toEqual('fr');
        expect(response.body.datas[3].details[0].title).toEqual(
          'Vulnerability French 1',
        );
        expect(response.body.datas[3].details[0].vulnType).toEqual('Internal');
        expect(response.body.datas[3].details[0].description).toEqual(
          'French vuln description',
        );
        expect(response.body.datas[3].details[0].observation).toEqual(
          'French vuln observation',
        );
        expect(response.body.datas[3].details[0].remediation).toEqual(
          'French vuln remediation',
        );
        expect(response.body.datas[3].details[0].references).toEqual([
          'Reference 1',
          'Reference 2',
        ]);
      });

      it('Update vulnerability', async () => {
        var update = {
          cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
          details: [
            {
              locale: 'en',
              title: 'Vulnerability English 2',
              vulnType: 'Internal',
            },
            {
              locale: 'fr',
              title: 'Vulnerability French 2',
              vulnType: 'Internal',
              description: 'French vuln description',
              observation: 'French vuln observation',
              remediation: 'French vuln remediation',
              references: ['Ref1', 'Ref2'],
            },
          ],
        };

        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        var vulnId = response.body.datas[1]._id;
        response = await request(app)
          .put(`/api/vulnerabilities/${vulnId}`)
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(update);
        expect(response.status).toBe(200);

        response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);

        expect(response.body.datas[1].cvssv3).toEqual(
          'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
        );
        expect(response.body.datas[1].details[0].locale).toEqual('en');
        expect(response.body.datas[1].details[0].title).toEqual(
          'Vulnerability English 2',
        );
        expect(response.body.datas[1].details[0].vulnType).toEqual('Internal');
        expect(response.body.datas[1].details[1].locale).toEqual('fr');
        expect(response.body.datas[1].details[1].title).toEqual(
          'Vulnerability French 2',
        );
        expect(response.body.datas[1].details[1].vulnType).toEqual('Internal');
        expect(response.body.datas[1].details[1].description).toEqual(
          'French vuln description',
        );
        expect(response.body.datas[1].details[1].observation).toEqual(
          'French vuln observation',
        );
        expect(response.body.datas[1].details[1].remediation).toEqual(
          'French vuln remediation',
        );
        expect(response.body.datas[1].details[1].references).toEqual([
          'Ref1',
          'Ref2',
        ]);
      });

      it('Should not update vulnerability with nonexistent ID', async () => {
        var vulnerability = {
          details: [{ locale: 'en', title: 'Vulnerability English' }],
        };

        var response = await request(app)
          .put(`/api/vulnerabilities/deadbeefdeadbeefdeadbeef`)
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(vulnerability);
        expect(response.status).toBe(404);
      });

      it('Get vulnerabilities by language', async () => {
        var response = await request(app)
          .get(`/api/vulnerabilities/en`)
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(2);
      });

      it('Merge 2 vulnerabilities', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        var vulnId = response.body.datas[0]._id;
        var vulnIdMerge = response.body.datas[3]._id;

        response = await request(app)
          .put(`/api/vulnerabilities/merge/${vulnId}`)
          .set('Cookie', [`token=JWT ${userToken}`])
          .send({ vulnId: vulnIdMerge, locale: 'fr' });
        expect(response.status).toBe(200);

        response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.body.datas).toHaveLength(3);
      });

      it('Delete vulnerability', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        var vulnId = response.body.datas[2]._id;
        response = await request(app)
          .delete(`/api/vulnerabilities/${vulnId}`)
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.status).toBe(200);

        response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.body.datas).toHaveLength(2);
      });

      it('Delete vulnerability with nonexistent ID', async () => {
        var response = await request(app)
          .delete(`/api/vulnerabilities/deadbeefdeadbeefdeadbeef`)
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.status).toBe(404);
      });

      it('Create vulnerability from finding', async () => {
        var finding = {
          title: 'New vulnerability from finding',
          vulnType: 'Internal',
          description: 'New vuln description',
        };
        var response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(finding);
        expect(response.status).toBe(201);

        response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.body.datas).toHaveLength(3);
        expect(response.body.datas[2].status).toBe(1);
      });

      it('Update vulnerability from finding', async () => {
        var finding = {
          title: 'Vulnerability English 1',
          description: 'Description English 1',
          observation: 'Observation English 1',
        };
        var response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(finding);
        expect(response.status).toBe(200);

        response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.body.datas).toHaveLength(3);
        expect(response.body.datas[0].status).toBe(2);
      });

      it('Should not create/update vulnerability from finding without title', async () => {
        var finding = {
          observation: 'Observation new vuln from finding',
        };
        var response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(finding);
        expect(response.status).toBe(422);
      });

      it('Should not update vulnerability from finding that is not yet approved', async () => {
        var finding = {
          title: 'New vulnerability from finding',
          observation: 'Observation new vuln from finding',
        };
        var response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', [`token=JWT ${userToken}`])
          .send(finding);
        expect(response.status).toBe(403);
      });

      it('Get vulnerability updates', async () => {
        var response = await request(app)
          .get('/api/vulnerabilities')
          .set('Cookie', [`token=JWT ${userToken}`]);
        var vulnId = response.body.datas[0]._id;

        response = await request(app)
          .get(`/api/vulnerabilities/updates/${vulnId}`)
          .set('Cookie', [`token=JWT ${userToken}`]);
        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(1);
      });
    });
  });
};