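/*
 * Expected database state when this suite finishes: 3 vulnerabilities.
 * [
 *   {
 *     status: 2,
 *     details: [
 *       { locale: 'en', title: 'Vulnerability English 1', vulnType: 'Internal' },
 *       { locale: 'fr', title: 'Vulnerability French 1', vulnType: 'Internal',
 *         description: 'French vuln description', observation: 'French vuln observation',
 *         remediation: 'French vuln remediation' },
 *     ],
 *   },
 *   {
 *     cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
 *     status: 0,
 *     details: [
 *       { locale: 'en', title: 'Vulnerability English 2', vulnType: 'Internal' },
 *       { locale: 'fr', title: 'Vulnerability French 2', vulnType: 'Internal',
 *         description: 'French vuln description', observation: 'French vuln observation',
 *         remediation: 'French vuln remediation', references: ['Ref1', 'Ref2'] },
 *     ],
 *   },
 *   {
 *     status: 1,
 *     details: [
 *       { locale: 'en', title: 'New vulnerability from finding', vulnType: 'Internal',
 *         description: 'New vuln description' },
 *     ],
 *   },
 * ]
 */

/**
 * Vulnerability API test suite (Jest + supertest).
 *
 * The tests are order-dependent: they share one database and each test
 * builds on the vulnerabilities created, updated, merged or deleted by the
 * tests before it. They also assume `/api/vulnerabilities` returns entries
 * in creation order, since records are addressed by array index.
 *
 * @param {Function} request - supertest request factory, used as `request(app)`.
 * @param {object} app - the application under test.
 */
module.exports = function (request, app) {
  describe('Vulnerability Suite Tests', () => {
    let userToken = '';

    // Every authenticated call carries the JWT in the `token` cookie.
    // Evaluated lazily so the token obtained in beforeAll is picked up.
    const authCookie = () => [`token=JWT ${userToken}`];

    // The list endpoint is fetched by most tests to look up `_id`s and to
    // re-read state after a mutation.
    const listVulns = () =>
      request(app).get('/api/vulnerabilities').set('Cookie', authCookie());

    // Vector submitted for the fourth vulnerability. It does not use the
    // standard `CVSS:3.0/` prefix; the tests below only assert that it is
    // stored and returned verbatim, so no vector-format validation is
    // exercised by this suite.
    const vuln4Cvssv3 =
      'CVSS3.0:/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X';

    // Assertions shared by the list and export endpoints right after the
    // four initial vulnerabilities have been created.
    const expectInitialVulns = (datas) => {
      expect(datas[0].details[0].locale).toEqual('en');
      expect(datas[0].details[0].title).toEqual('Vulnerability English 1');
      expect(datas[0].details[0].vulnType).toEqual('Internal');
      expect(datas[1].details[0].locale).toEqual('en');
      expect(datas[1].details[0].title).toEqual('Vulnerability English 2');
      expect(datas[1].details[0].vulnType).toEqual('Internal');
      expect(datas[2].details[0].locale).toEqual('es');
      expect(datas[2].details[0].title).toEqual('Vulnerability Espagnol 1');
      expect(datas[2].details[0].vulnType).toEqual('Web');
      expect(datas[3].cvssv3).toEqual(vuln4Cvssv3);
      expect(datas[3].details[0].locale).toEqual('fr');
      expect(datas[3].details[0].title).toEqual('Vulnerability French 1');
      expect(datas[3].details[0].vulnType).toEqual('Internal');
      expect(datas[3].details[0].description).toEqual('French vuln description');
      expect(datas[3].details[0].observation).toEqual('French vuln observation');
      expect(datas[3].details[0].remediation).toEqual('French vuln remediation');
      expect(datas[3].details[0].references).toEqual(['Reference 1', 'Reference 2']);
    };

    beforeAll(async () => {
      // Test-fixture admin account; the issued token is reused by every test.
      const response = await request(app)
        .post('/api/users/token')
        .send({ username: 'admin', password: 'Admin123' });
      userToken = response.body.datas.token;
    });

    describe('Vulnerability CRUD operations', () => {
      it('Get vulnerabilities (no existing vulnerabilities in db)', async () => {
        const response = await listVulns();
        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(0);
      });

      it('Get vulnerabilities for export (no existing vulnerabilities in db)', async () => {
        const response = await request(app)
          .get('/api/vulnerabilities/export')
          .set('Cookie', authCookie());
        expect(response.status).toBe(200);
        expect(response.type).toEqual('application/json');
        // The `Content-Disposition: attachment; filename=` header is not
        // asserted here (check currently disabled).
        expect(response.body.datas).toEqual([]);
      });

      it('Create 4 vulnerabilities', async () => {
        const vuln1 = {
          details: [{ locale: 'en', title: 'Vulnerability English 1', vulnType: 'Internal' }],
        };
        const vuln2 = {
          details: [{ locale: 'en', title: 'Vulnerability English 2', vulnType: 'Internal' }],
        };
        // The second and third detail entries lack a title or a locale; the
        // bulk create is still expected to succeed, so only the first entry
        // is checked in later tests.
        const vuln3 = {
          details: [
            { locale: 'es', title: 'Vulnerability Espagnol 1', vulnType: 'Web' },
            { locale: 'es', vulnType: 'Web' },
            { title: 'Vulnerability Espagnol 2', vulnType: 'Web' },
          ],
        };
        const vuln4 = {
          cvssv3: vuln4Cvssv3,
          status: 1,
          details: [
            {
              locale: 'fr',
              title: 'Vulnerability French 1',
              vulnType: 'Internal',
              description: 'French vuln description',
              observation: 'French vuln observation',
              remediation: 'French vuln remediation',
              references: ['Reference 1', 'Reference 2'],
            },
          ],
        };
        const response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', authCookie())
          .send([vuln1, vuln2, vuln3, vuln4]);
        expect(response.status).toBe(201);
      });

      // Title uniqueness is enforced across locales: the title already
      // exists in 'en' and is rejected when submitted in 'fr'.
      it('Should not create vulnerability with existing title', async () => {
        const vuln1 = {
          details: [{ locale: 'fr', title: 'Vulnerability English 1', vulnType: 'Internal' }],
        };
        const response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', authCookie())
          .send([vuln1]);
        expect(response.status).toBe(422);
      });

      it('Should not create vulnerability without title', async () => {
        const vuln1 = { details: [{ locale: 'fr', vulnType: 'Internal' }] };
        const response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', authCookie())
          .send([vuln1]);
        expect(response.status).toBe(422);
      });

      it('Should not create vulnerability without locale', async () => {
        const vuln1 = { details: [{ title: 'Vulnerability English', vulnType: 'Internal' }] };
        const response = await request(app)
          .post('/api/vulnerabilities')
          .set('Cookie', authCookie())
          .send([vuln1]);
        expect(response.status).toBe(422);
      });

      it('Get vulnerabilities (existing vulnerabilities in db)', async () => {
        const response = await listVulns();
        expect(response.status).toBe(200);
        expectInitialVulns(response.body.datas);
      });

      it('Get vulnerabilities for export (existing vulnerabilities in db)', async () => {
        const response = await request(app)
          .get('/api/vulnerabilities/export')
          .set('Cookie', authCookie());
        expect(response.status).toBe(200);
        expect(response.type).toEqual('application/json');
        // The `Content-Disposition: attachment; filename=` header is not
        // asserted here (check currently disabled).
        expectInitialVulns(response.body.datas);
      });

      it('Update vulnerability', async () => {
        const update = {
          cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H',
          details: [
            { locale: 'en', title: 'Vulnerability English 2', vulnType: 'Internal' },
            {
              locale: 'fr',
              title: 'Vulnerability French 2',
              vulnType: 'Internal',
              description: 'French vuln description',
              observation: 'French vuln observation',
              remediation: 'French vuln remediation',
              references: ['Ref1', 'Ref2'],
            },
          ],
        };
        // Second entry in creation order is 'Vulnerability English 2'.
        const listed = await listVulns();
        const vulnId = listed.body.datas[1]._id;

        const response = await request(app)
          .put(`/api/vulnerabilities/${vulnId}`)
          .set('Cookie', authCookie())
          .send(update);
        expect(response.status).toBe(200);

        const { datas } = (await listVulns()).body;
        expect(datas[1].cvssv3).toEqual('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H');
        expect(datas[1].details[0].locale).toEqual('en');
        expect(datas[1].details[0].title).toEqual('Vulnerability English 2');
        expect(datas[1].details[0].vulnType).toEqual('Internal');
        expect(datas[1].details[1].locale).toEqual('fr');
        expect(datas[1].details[1].title).toEqual('Vulnerability French 2');
        expect(datas[1].details[1].vulnType).toEqual('Internal');
        expect(datas[1].details[1].description).toEqual('French vuln description');
        expect(datas[1].details[1].observation).toEqual('French vuln observation');
        expect(datas[1].details[1].remediation).toEqual('French vuln remediation');
        expect(datas[1].details[1].references).toEqual(['Ref1', 'Ref2']);
      });

      it('Should not update vulnerability with nonexistent ID', async () => {
        const vulnerability = {
          details: [{ locale: 'en', title: 'Vulnerability English' }],
        };
        // Well-formed 24-hex id that matches no record.
        const response = await request(app)
          .put('/api/vulnerabilities/deadbeefdeadbeefdeadbeef')
          .set('Cookie', authCookie())
          .send(vulnerability);
        expect(response.status).toBe(404);
      });

      it('Get vulnerabilities by language', async () => {
        // Only the first two vulnerabilities have an 'en' detail entry.
        const response = await request(app)
          .get('/api/vulnerabilities/en')
          .set('Cookie', authCookie());
        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(2);
      });

      it('Merge 2 vulnerabilities', async () => {
        // Merge the 'fr' entry of the fourth vulnerability into the first;
        // the source record disappears, leaving three.
        const listed = await listVulns();
        const vulnId = listed.body.datas[0]._id;
        const vulnIdMerge = listed.body.datas[3]._id;

        const response = await request(app)
          .put(`/api/vulnerabilities/merge/${vulnId}`)
          .set('Cookie', authCookie())
          .send({ vulnId: vulnIdMerge, locale: 'fr' });
        expect(response.status).toBe(200);

        const after = await listVulns();
        expect(after.body.datas).toHaveLength(3);
      });

      it('Delete vulnerability', async () => {
        const listed = await listVulns();
        const vulnId = listed.body.datas[2]._id;

        const response = await request(app)
          .delete(`/api/vulnerabilities/${vulnId}`)
          .set('Cookie', authCookie());
        expect(response.status).toBe(200);

        const after = await listVulns();
        expect(after.body.datas).toHaveLength(2);
      });

      it('Delete vulnerability with nonexistent ID', async () => {
        const response = await request(app)
          .delete('/api/vulnerabilities/deadbeefdeadbeefdeadbeef')
          .set('Cookie', authCookie());
        expect(response.status).toBe(404);
      });

      it('Create vulnerability from finding', async () => {
        const finding = {
          title: 'New vulnerability from finding',
          vulnType: 'Internal',
          description: 'New vuln description',
        };
        const response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', authCookie())
          .send(finding);
        expect(response.status).toBe(201);

        // A vulnerability created from a finding is stored with status 1
        // (pending approval, see the 403 test below).
        const after = await listVulns();
        expect(after.body.datas).toHaveLength(3);
        expect(after.body.datas[2].status).toBe(1);
      });

      it('Update vulnerability from finding', async () => {
        const finding = {
          title: 'Vulnerability English 1',
          description: 'Description English 1',
          observation: 'Observation English 1',
        };
        // Same endpoint as creation: an existing title updates instead of
        // creating, and answers 200 rather than 201.
        const response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', authCookie())
          .send(finding);
        expect(response.status).toBe(200);

        const after = await listVulns();
        expect(after.body.datas).toHaveLength(3);
        expect(after.body.datas[0].status).toBe(2);
      });

      it('Should not create/update vulnerability from finding without title', async () => {
        const finding = { observation: 'Observation new vuln from finding' };
        const response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', authCookie())
          .send(finding);
        expect(response.status).toBe(422);
      });

      it('Should not update vulnerability from finding that is not yet approved', async () => {
        // Target is the status-1 record created two tests earlier.
        const finding = {
          title: 'New vulnerability from finding',
          observation: 'Observation new vuln from finding',
        };
        const response = await request(app)
          .post('/api/vulnerabilities/finding/en')
          .set('Cookie', authCookie())
          .send(finding);
        expect(response.status).toBe(403);
      });

      it('Get vulnerability updates', async () => {
        const listed = await listVulns();
        const vulnId = listed.body.datas[0]._id;

        const response = await request(app)
          .get(`/api/vulnerabilities/updates/${vulnId}`)
          .set('Cookie', authCookie());
        expect(response.status).toBe(200);
        expect(response.body.datas).toHaveLength(1);
      });
    });
  });
};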