Add test to scan all python packages #1652
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AdriiiPRodri
suggested changes
Jul 27, 2021
There was a problem hiding this comment.
We should investigate the possibility of using safety as a library, this way we would avoid depending on subprocess and having to hardcode the safety executable into subprocess call.
In addition, we should move the security folder and leave it next to the system folder, not inside it.
|
It is possible that we can use a local database, we should investigate this option.
|
added 2 commits
July 27, 2021 18:06
UPDATEPytest support added: now this script is used by pytest in which it fails if exist a vulnerable package in the requirements.txt provided. Examples:Successful⬦⬦⬦ ~/git/wazuh-qa/tests/security ⨘ python3 -m pytest --repo wazuh --branch master --path framework/requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item
test_package_vuln_scan/test_package_vuln_scan.py . [100%]
================================================================================ 1 passed, 1 warning in 1.03s ================================================================================Failed⬦⬦⬦ ~/git/wazuh-qa/tests/security ⨘ python3 -m pytest --repo wazuh-qa --branch master --path requirements.txt --disable-warnings
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
rootdir: /home/kondent/git/wazuh-qa/tests/security
plugins: asyncio-0.15.1, html-3.1.1, metadata-1.11.0, cov-2.12.1
collected 1 item
test_package_vuln_scan/test_package_vuln_scan.py F [100%]
========================================================================================== FAILURES ==========================================================================================
___________________________________________________________________________________ test_package_vuln_scan ___________________________________________________________________________________
pytestconfig = <_pytest.config.Config object at 0x7fa51a862e20>
def test_package_vuln_scan(pytestconfig):
branch = pytestconfig.getoption('branch')
repo = pytestconfig.getoption('repo')
path = pytestconfig.getoption('path')
requirements_url = f'https://raw.githubusercontent.com/wazuh/{repo}/{branch}/{path}'
urlretrieve(requirements_url, REQUIREMENTS_TEMP_FILE.name)
result = report_for_pytest(REQUIREMENTS_TEMP_FILE.name)
REQUIREMENTS_TEMP_FILE.close()
export_report(result, REPORT_FILE)
> assert loads(result)['vulnerabilities_found'] == 0, f'Vulnerables packages were found, full report at: ' \
f'{REPORT_FILE}'
E AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
E assert 27 == 0
test_package_vuln_scan/test_package_vuln_scan.py:20: AssertionError
================================================================================== short test summary info ===================================================================================
FAILED test_package_vuln_scan/test_package_vuln_scan.py::test_package_vuln_scan - AssertionError: Vulnerables packages were found, full report at: test_package_vuln_scan/report_file.json
===================================================================================== 1 failed in 3.60s ======================================================================================report_file.jsonClick to expand{
"report_date": "2021-07-28T15:25:53.503866",
"vulnerabilities_found": 27,
"packages": [
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
"safety_id": "37779"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.",
"safety_id": "37782"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.",
"safety_id": "37780"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.2",
"vuln_description": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.",
"safety_id": "37781"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.3",
"vuln_description": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.",
"safety_id": "38450"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<6.2.3",
"vuln_description": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.",
"safety_id": "38449"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<7.0.0",
"vuln_description": "In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multiple out-of-bounds reads via a crafted JP2 file. See: CVE-2020-10994.",
"safety_id": "38451"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.0.1",
"vuln_description": "Pillow 8.0.1 updates FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.",
"safety_id": "40264"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175.",
"safety_id": "40265"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 includes a fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174.",
"safety_id": "40270"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.0",
"vuln_description": "Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173.",
"safety_id": "40271"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 uses more specific regex chars to prevent ReDoS. CVE-2021-25292.",
"safety_id": "40266"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes OOB Read in TiffDecode.c, and checks the tile validity before reading. CVE-2021-25291.",
"safety_id": "40272"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes OOB read in SgiRleDecode.c. CVE-2021-25293.",
"safety_id": "40273"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes incorrect error code checking in TiffDecode.c. CVE-2021-25289.",
"safety_id": "40274"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.1",
"vuln_description": "Pillow 8.1.1 fixes negative size read in TiffDecode.c. CVE-2021-25290.",
"safety_id": "40275"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in BLP Image Plugin (CVE-2021-27921).",
"safety_id": "40263"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
"safety_id": "40267"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICO Image Plugin (CVE-2021-27923).",
"safety_id": "40268"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.1.2",
"vuln_description": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).",
"safety_id": "40269"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.",
"safety_id": "40592"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.",
"safety_id": "40596"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.",
"safety_id": "40594"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.",
"safety_id": "40593"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<8.2.0",
"vuln_description": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.",
"safety_id": "40595"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": "<=7.0.0",
"vuln_description": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.",
"safety_id": "38452"
},
{
"package_name": "pillow",
"package_version": "6.2.0",
"package_affected_version": ">6.0,<6.2.2",
"vuln_description": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.",
"safety_id": "37772"
}
]
} |
AdriiiPRodri
suggested changes
Jul 29, 2021
Rebits
requested changes
Aug 26, 2021
tests/security/test_package_vuln_scan/test_package_vuln_scan.py
Outdated
Show resolved
Hide resolved
tests/security/test_package_vuln_scan/test_package_vuln_scan.py
Outdated
Show resolved
Hide resolved
Rebits
requested changes
Aug 26, 2021
|
This test seems to work correctly, running without fail if python3.9.6 is used and failing for python3.6
In order to use this test in the Jenkins environment, it should be necessary to install a proper python version, otherwise, false positives will be generated. Also, it could affect to the development tool qactl. We should consider the python version in environment provision. |
UpdateRequested changes were reviewed and added. |
snaow
changed the title
Rebits
requested changes
Sep 2, 2021
| @@ -0,0 +1,21 @@ | |||
| import tempfile | |||
There was a problem hiding this comment.
Add the Wazuh header:
# Copyright (C) 2015-2021, Wazuh Inc.
# Created by Wazuh, Inc. <[email protected]>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
There was a problem hiding this comment.
Maybe test_package_vuln_scan is not a very accurate name due to this tests check used python packages in a requirements file. Maybe test_python_packages_vuln_scan.py is more descriptive.
PR UPDATEIn the last commit, I did some minor fixes to adapt this test and tool to wazuh-qa repository file structure.
|
AdriiiPRodri
suggested changes
Sep 14, 2021
AdriiiPRodri
suggested changes
Sep 14, 2021
Related PR #1659 is already handling this so I think it's no needed, let me know if I'm wrong |
added 2 commits
September 14, 2021 11:21
Added those changes here too. PR updated. |
davidjiglesias
previously approved these changes
Sep 29, 2021
snaow
dismissed stale reviews from Rebits, davidjiglesias, and AdriiiPRodri
via
44f753f
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR closes #1612.
I made a tool to check vulnerabilities in all python packages used by wazuh specified from a requirements file or directly from pip.
Example of use