Merge pull request #1652 from wazuh/feature/1612-package-vuln-scanner

Add test to scan all python packages

deps/wazuh_testing/wazuh_testing/tools/scans/dependencies.py

@@ -0,0 +1,100 @@
+# Copyright (C) 2015-2021, Wazuh Inc.
+# Created by Wazuh, Inc. <[email protected]>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+import re
+import subprocess
+from collections import namedtuple
+from datetime import datetime
+from json import dumps, loads
+from os import environ
+
+from safety.formatter import report
+from safety.safety import check
+
+python_bin = environ['_']
+package_list = []
+package_tuple = namedtuple('Package', ['key', 'version'])
+
+
+def run_report():
+    """Perform vulnerability scan using Safety to check all packages listed.
+
+    Returns:
+        str: information about packages and vulnerabilities.
+    """
+    json_report = []
+    vulns = check(packages=package_list, key='', db_mirror='', cached=False, ignore_ids=(), proxy={})
+    output_report = report(vulns=vulns, full=True, json_report=True, bare_report=False,
+                           checked_packages=len(package_list), db='', key='')
+    for package_information in loads(output_report):
+        json_report.append({
+            'package_name': package_information[0],
+            'package_version': package_information[2],
+            'package_affected_version': package_information[1],
+            'vuln_description': package_information[3],
+            'safety_id': package_information[4]
+        })
+    json_data = {
+        'report_date': datetime.now().isoformat(),
+        'vulnerabilities_found': len(json_report),
+        'packages': json_report
+    }
+    return dumps(json_data, indent=4)
+
+
+def prepare_input(pip_mode, input_file_path):
+    """Create temp input file with all packages listed and prepared to be scanned later on.
+
+    Args:
+        pip_mode (bool): enable/disable pip freeze to retrieve package information.
+        input_file_path (str): path to the input file (used if pip_mode is disabled).
+    """
+    python_process = subprocess.run([python_bin, '--version'], stdout=subprocess.PIPE, universal_newlines=True)
+    pkg = python_process.stdout.strip().split()
+    package_list.append(package_tuple(pkg[0], pkg[1]))
+    if pip_mode:
+        pip_mode_process = subprocess.run([python_bin, '-m', 'pip', 'freeze'], stdout=subprocess.PIPE,
+                                          universal_newlines=True)
+        for package_line in pip_mode_process.stdout.strip().split('\n'):
+            pkg = package_line.strip().split('==')
+            package_list.append(package_tuple(pkg[0], pkg[1]))
+    else:
+        with open(input_file_path, mode='r') as input_file:
+            lines = input_file.readlines()
+            for line in lines:
+                line = re.sub('[<>~]', '=', line)
+                if ',' in line:
+                    package_version = max(re.findall('\d+\.+\d*\.*\d', line))
+                    package_name = re.findall('([a-z]+)', line)[0]
+                    line = f'{package_name}=={package_version}\n'
+                if ';' in line:
+                    line = line.split(';')[0] + '\n'
+                pkg = line.strip().split('==')
+                package_list.append(package_tuple(pkg[0], pkg[1]))
+
+
+def export_report(output, output_file_path):
+    """Export report to a file or console as a message.
+
+    Args:
+        output (str): information about packages and vulnerabilities.
+        output_file_path (str): path to file.
+    """
+    if output_file_path:
+        with open(output_file_path, mode='w') as output_file:
+            output_file.write(output)
+    else:
+        print(output)
+
+
+def report_for_pytest(requirements_file):
+    """Method used by pytest to generate a report.
+
+    Args:
+        requirements_file (str): path to the input file.
+
+    Returns:
+        str: information about packages and vulnerabilities.
+    """
+    prepare_input(False, requirements_file)
+    return run_report()

docs/index.md

@@ -18,9 +18,9 @@ In this repository you will find the tests used in the CI environment to test Wa
 
 - **[deps](deps/)**:  contains a Python's framework used to automatize tasks and interact with Wazuh.
 - **[tests](tests/)**: directory containing the test suite. These are tests developed using Pytest.
-    - **[integration](tests/integration/)**: integration tests of the different daemons/components.
-    - **[system](tests/system)**: system tests of Wazuh.
-    - **[scans](tests/scans)**: tests used to scan and verify Wazuh Python code and dependencies.
+    - **[integration](tests/integration/)**: integration tests for the different daemons/components.
+    - **[system](tests/system)**: system tests.
+    - **[scans](tests/scans)**: tests to validate the output of running static code and dependencies scanners looking for flaws and vulnerabilities
 - **[docs](link/to/docs)**: contains the technical documentation about the code and documentation about the tests.
 
 ## Builds docs locally

docs/tests/index.md

@@ -4,7 +4,5 @@ Contains the test suite classified in:
 
 - **[integration](integration#integration-tests)**: The purpose of this level of testing is to expose faults in the
 interaction between integrated units.
-
-- **[system](system)**: Testing level that evaluates the behavior of a fully integrated software system based on predetermined specifications and requirements.
-
-- **[scans](scans)**: Testing level that checks possible vulnerabilities in the Wazuh Python code and dependencies.
+- **[system](tests/system)**: system tests.
+- **[scans](tests/scans)**: tests to validate the output of running static code and dependencies scanners looking for flaws and vulnerabilities

mkdocs.yml

@@ -535,6 +535,8 @@ nav:
           - Test update password:  tests/system/test_jwt_invalidation/test_update_password.md
       - Scans:
         - tests/scans/index.md
+        - Dependencies:
+            - Test Python dependencies: tests/scans/dependencies/test_dependencies.md
         - Code Analysis:
             - Test Python flaws: tests/scans/code_analysis/test_python_flaws.md
       - Legacy:

requirements.txt

@@ -33,5 +33,6 @@ testinfra==5.0.0
 jq==1.1.2; platform_system == "Linux" or platform_system == "MacOS"
 cryptography==3.3.2; platform_system == "Linux" or platform_system == "MacOS" or platform_system=='Windows'
 urllib3>=1.26.5
+safety==1.10.3
 bandit==1.7.0
-git-repo==1.10.3
+git-repo==1.10.3

tests/scans/conftest.py

@@ -6,4 +6,4 @@ def pytest_addoption(parser):
     parser.addoption("--branch", action="store", default=DEFAULT_BRANCH,
                      help=f"Set the repository used. Default: {DEFAULT_REPOSITORY}")
     parser.addoption("--repo", action="store", default=DEFAULT_REPOSITORY,
-                     help=f"Set the repository branch. Default: {DEFAULT_BRANCH}")
+                     help=f"Set the repository branch. Default: {DEFAULT_BRANCH}")

tests/scans/dependencies/README.md

@@ -0,0 +1,95 @@
+# Dependencies Scanner
+
+## Description
+It's a tool used to scan for vulnerabilities in a requirements.txt file.\
+It can generate reports via console output or json file. Can be run with `pytest` and manage to handle remote files under github repositories. Requirements file can be specified with `repo`, `branch`, `requirements-path` parameters giving flexibility on file location.
+Output file in which the report will be generated can be specified with `report-path` parameter.
+
+## How to use - Pytest
+```
+Parameters:
+    --repo: repository name. Default: 'wazuh'.
+    --branch: branch name of specified repository. Default: 'master'.
+    --requirements-path: requirements file path. Default: 'framework/requirements.txt'.
+    --report-path: output file path. Default: 'dependencies/report_file.json'.
+```
+### Scanning wazuh-qa requirements file:
+```
+↪ ~/git/wazuh-qa/tests/scans ⊶ feature/1612-package-vuln-scanner ⨘ python3 -m pytest -vv -x --disable-warnings dependencies/ --repo wazuh-qa --branch master --requirements-path requirements.txt
+==================================================================================== test session starts =====================================================================================
+platform linux -- Python 3.9.5, pytest-6.2.3, py-1.10.0, pluggy-0.13.1 -- /home/kondent/pythonEnv/qa-env/bin/python3
+cachedir: .pytest_cache
+metadata: {'Python': '3.9.5', 'Platform': 'Linux-5.11.0-34-generic-x86_64-with-glibc2.31', 'Packages': {'pytest': '6.2.3', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '3.1.1', 'metadata': '1.11.0', 'testinfra': '5.0.0'}}
+rootdir: /home/kondent/git/wazuh-qa/tests/scans
+plugins: html-3.1.1, metadata-1.11.0, testinfra-5.0.0
+collected 1 item                                                                                                                                                                             
+
+dependencies/test_dependencies.py::test_python_dependencies_vuln_scan FAILED                                                                                                               [100%]
+
+========================================================================================== FAILURES ==========================================================================================
+_______________________________________________________________________________ test_python_dependencies_vuln_scan _______________________________________________________________________________
+
+pytestconfig = <_pytest.config.Config object at 0x7f721b4c4eb0>
+
+    def test_python_dependencies_vuln_scan(pytestconfig):
+        branch = pytestconfig.getoption('--branch')
+        repo = pytestconfig.getoption('--repo')
+        requirements_path = pytestconfig.getoption('--requirements-path')
+        report_path = pytestconfig.getoption('--report-path')
+        requirements_url = f'https://raw.githubusercontent.com/wazuh/{repo}/{branch}/{requirements_path}'
+        urlretrieve(requirements_url, REQUIREMENTS_TEMP_FILE.name)
+        result = report_for_pytest(REQUIREMENTS_TEMP_FILE.name)
+        REQUIREMENTS_TEMP_FILE.close()
+        export_report(result, report_path)
+>       assert loads(result)['vulnerabilities_found'] == 0, f'Vulnerables packages were found, full report at: ' \
+                                                            f'{report_path}'
+E       AssertionError: Vulnerables packages were found, full report at: /home/kondent/git/wazuh-qa/tests/scans/dependencies/report_file.json
+E       assert 28 == 0
+E         +28
+E         -0
+
+dependencies/test_dependencies.py:23: AssertionError
+================================================================================== short test summary info ===================================================================================
+FAILED dependencies/test_dependencies.py::test_python_dependencies_vuln_scan - AssertionError: Vulnerables packages were found, full report at: /home/kondent/git/wazuh-qa/tests/scans/dependen...
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! stopping after 1 failures !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+===================================================================================== 1 failed in 1.87s ======================================================================================
+↪ ~/git/wazuh-qa/tests/scans ⊶ feature/1612-package-vuln-scanner ⨘ cat dependencies/report_file.json 
+{
+    "report_date": "2021-09-10T09:49:43.471148",
+    "vulnerabilities_found": 28,
+    "packages": [
+        {
+            "package_name": "pillow",
+            "package_version": "6.2.0",
+            "package_affected_version": "<6.2.2",
+            "vuln_description": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.",
+            "safety_id": "37779"
+        },
+        ...
+        ...
+        ...
+    ]
+}
+```
+
+### Scanning wazuh requirements file with a specific output path:
+```
+↪ ~/git/wazuh-qa/tests/scans ⊶ feature/1612-package-vuln-scanner ⨘ python3 -m pytest -vv -x --disable-warnings dependencies/ --repo wazuh --branch master --requirements-path framework/requirements.txt --report-path ~/Desktop/report_file.json
+==================================================================================== test session starts =====================================================================================
+platform linux -- Python 3.9.5, pytest-6.2.3, py-1.10.0, pluggy-0.13.1 -- /home/kondent/pythonEnv/qa-env/bin/python3
+cachedir: .pytest_cache
+metadata: {'Python': '3.9.5', 'Platform': 'Linux-5.11.0-34-generic-x86_64-with-glibc2.31', 'Packages': {'pytest': '6.2.3', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'html': '3.1.1', 'metadata': '1.11.0', 'testinfra': '5.0.0'}}
+rootdir: /home/kondent/git/wazuh-qa/tests/scans
+plugins: html-3.1.1, metadata-1.11.0, testinfra-5.0.0
+collected 1 item                                                                                                                                                                             
+
+dependencies/test_dependencies.py::test_python_dependencies_vuln_scan PASSED                                                                                                               [100%]
+
+===================================================================================== 1 passed in 0.68s ======================================================================================
+↪ ~/git/wazuh-qa/tests/scans ⊶ feature/1612-package-vuln-scanner ⨘ cat ~/Desktop/report_file.json 
+{
+    "report_date": "2021-09-10T09:53:39.284082",
+    "vulnerabilities_found": 0,
+    "packages": []
+}
+```

tests/scans/dependencies/conftest.py

@@ -0,0 +1,9 @@
+import os
+
+DEFAULT_REQUIREMENTS_PATH = 'framework/requirements.txt'
+DEFAULT_REPORT_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'report_file.json')
+
+
+def pytest_addoption(parser):
+    parser.addoption('--requirements-path', action='store', default=DEFAULT_REQUIREMENTS_PATH)
+    parser.addoption('--report-path', action='store', default=DEFAULT_REPORT_PATH)

tests/scans/dependencies/test_dependencies.md

@@ -0,0 +1,3 @@
+## Code documentation
+
+::: tests.scans.dependencies.test_dependencies

tests/scans/dependencies/test_dependencies.py

@@ -0,0 +1,29 @@
+# Copyright (C) 2015-2021, Wazuh Inc.
+# Created by Wazuh, Inc. <[email protected]>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+import tempfile
+from json import loads
+from urllib.request import urlretrieve
+
+from wazuh_testing.tools.scans.dependencies import export_report, report_for_pytest
+
+REQUIREMENTS_TEMP_FILE = tempfile.NamedTemporaryFile()
+
+
+def test_python_dependencies_vuln_scan(pytestconfig):
+    """Check that the specified dependencies do not have any known vulnerabilities.
+
+    Args:
+        pytestconfig (fixture): Fixture that returns the :class:`_pytest.config.Config` object.
+    """
+    branch = pytestconfig.getoption('--branch')
+    repo = pytestconfig.getoption('--repo')
+    requirements_path = pytestconfig.getoption('--requirements-path')
+    report_path = pytestconfig.getoption('--report-path')
+    requirements_url = f"https://raw.githubusercontent.com/wazuh/{repo}/{branch}/{requirements_path}"
+    urlretrieve(requirements_url, REQUIREMENTS_TEMP_FILE.name)
+    result = report_for_pytest(REQUIREMENTS_TEMP_FILE.name)
+    REQUIREMENTS_TEMP_FILE.close()
+    export_report(result, report_path)
+    assert loads(result)['vulnerabilities_found'] == 0, f'Vulnerables packages were found, full report at: ' \
+                                                        f"{report_path}"