Merge pull request #563 from enzbang/fix-cve-test

Fix CVE test by using a simpler cache

Author: enzbang

src/e3/cve.py

@@ -37,21 +37,27 @@ class NVD:
     """Provide access to the NVD API."""
 
     def __init__(
-        self, cache_db_path: str | None = None, nvd_api_key: str | None = None
+        self,
+        cache_db_path: str | None = None,
+        cache_backend: str | None = None,
+        nvd_api_key: str | None = None,
     ) -> None:
         """Initialize a NVD instance.
 
         :param cache_db_path: path to the cache database [strongly recommended]
             if the path is valid but the file does not exist, the database will
             be created when searching for CVE. Note that this requires requests-cache
             package.
+        :param cache_backend: which requests_cache backend to use, default is
+            sqlite
         :param nvd_api_key: the API key to use to avoid drastic rate limits
         """
         self.cache_db_path = cache_db_path
         if self.cache_db_path is None:
             logger.warning(
                 "the use of a cache for NVD requests is strongly recommended"
             )
+        self.cache_backend = cache_backend
         self.nvd_api_key = nvd_api_key
         if self.nvd_api_key is None:
             logger.warning(
@@ -116,14 +122,17 @@ def session(self) -> Session:
 
             session = CachedSession(
                 self.cache_db_path,
+                backend=self.cache_backend,
                 # Use Cache-Control headers for expiration, if available
                 cache_control=True,
                 # Otherwise renew the cache every day
                 expire_after=timedelta(days=1),
                 # Use cache data in case of errors
                 stale_if_error=True,
+                # Ignore headers
+                match_header=False,
             )
-            logger.debug(f"using requests cache from {session.cache.db_path}")
+            logger.debug(f"using requests cache from {self.cache_db_path}")
             return session
         else:
             return Session()

tests/tests_e3/cve/cache.db

@@ -0,0 +1,200 @@
+{
+  "created_at": "2023-03-08T11:37:29.224743",
+  "elapsed": 1.971946,
+  "encoding": "utf-8",
+  "headers": {
+    "content-type": "application/json",
+    "content-encoding": "gzip",
+    "vary": "Accept-Encoding",
+    "x-frame-options": "SAMEORIGIN",
+    "access-control-allow-origin": "*",
+    "access-control-allow-headers": "accept, apiKey, content-type, origin, x-requested-with",
+    "access-control-allow-methods": "GET, HEAD, OPTIONS",
+    "access-control-allow-credentials": "false",
+    "date": "Wed, 08 Mar 2023 11:37:29 GMT",
+    "Content-Length": "3224",
+    "apikey": "No",
+    "strict-transport-security": "max-age=31536000"
+  },
+  "reason": "OK",
+  "request": {
+    "body": "",
+    "headers": {
+      "Accept": "*/*",
+      "Accept-Encoding": "deflate, gzip",
+      "Connection": "keep-alive",
+      "User-Agent": "python-requests/2.28.2"
+    },
+    "method": "GET",
+    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:libpng:libpng:1.6.0:-:*:*:*:*:*:*&isVulnerable&noRejected&resultsPerPage=5&startIndex=10"
+  },
+  "status_code": 200,
+  "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:libpng:libpng:1.6.0:-:*:*:*:*:*:*&isVulnerable&noRejected&resultsPerPage=5&startIndex=10",
+  "_decoded_content": {
+    "resultsPerPage": 1,
+    "startIndex": 10,
+    "totalResults": 11,
+    "format": "NVD_CVE",
+    "version": "2.0",
+    "timestamp": "2023-03-08T11:37:29.247",
+    "vulnerabilities": [
+      {
+        "cve": {
+          "id": "CVE-2021-4214",
+          "sourceIdentifier": "secalert@redhat.com",
+          "published": "2022-08-24T16:15:10.037",
+          "lastModified": "2022-11-08T02:32:10.533",
+          "vulnStatus": "Analyzed",
+          "descriptions": [
+            {
+              "lang": "en",
+              "value": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service."
+            },
+            {
+              "lang": "es",
+              "value": "Se ha encontrado un fallo de desbordamiento de la pila en el programa pngimage.c de libpngs. Este fallo permite a un atacante con acceso a la red local pasar un archivo PNG especialmente dise\u00f1ado a la utilidad pngimage, causando un fallo en la aplicaci\u00f3n, conllevando a una denegaci\u00f3n de servicio."
+            }
+          ],
+          "metrics": {
+            "cvssMetricV31": [
+              {
+                "source": "nvd@nist.gov",
+                "type": "Primary",
+                "cvssData": {
+                  "version": "3.1",
+                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+                  "attackVector": "LOCAL",
+                  "attackComplexity": "LOW",
+                  "privilegesRequired": "NONE",
+                  "userInteraction": "REQUIRED",
+                  "scope": "UNCHANGED",
+                  "confidentialityImpact": "NONE",
+                  "integrityImpact": "NONE",
+                  "availabilityImpact": "HIGH",
+                  "baseScore": 5.5,
+                  "baseSeverity": "MEDIUM"
+                },
+                "exploitabilityScore": 1.8,
+                "impactScore": 3.6
+              }
+            ]
+          },
+          "weaknesses": [
+            {
+              "source": "secalert@redhat.com",
+              "type": "Primary",
+              "description": [
+                {
+                  "lang": "en",
+                  "value": "CWE-120"
+                }
+              ]
+            },
+            {
+              "source": "nvd@nist.gov",
+              "type": "Secondary",
+              "description": [
+                {
+                  "lang": "en",
+                  "value": "CWE-787"
+                }
+              ]
+            }
+          ],
+          "configurations": [
+            {
+              "nodes": [
+                {
+                  "operator": "OR",
+                  "negate": false,
+                  "cpeMatch": [
+                    {
+                      "vulnerable": true,
+                      "criteria": "cpe:2.3:a:libpng:libpng:1.6.0:-:*:*:*:*:*:*",
+                      "matchCriteriaId": "42882881-6827-4123-B217-FC9B4C36702A"
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "nodes": [
+                {
+                  "operator": "OR",
+                  "negate": false,
+                  "cpeMatch": [
+                    {
+                      "vulnerable": true,
+                      "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
+                      "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
+                    },
+                    {
+                      "vulnerable": true,
+                      "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
+                      "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "nodes": [
+                {
+                  "operator": "OR",
+                  "negate": false,
+                  "cpeMatch": [
+                    {
+                      "vulnerable": true,
+                      "criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
+                      "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797"
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "references": [
+            {
+              "url": "https://access.redhat.com/security/cve/CVE-2021-4214",
+              "source": "secalert@redhat.com",
+              "tags": [
+                "Third Party Advisory"
+              ]
+            },
+            {
+              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043393",
+              "source": "secalert@redhat.com",
+              "tags": [
+                "Exploit",
+                "Issue Tracking",
+                "Third Party Advisory"
+              ]
+            },
+            {
+              "url": "https://github.com/glennrp/libpng/issues/302",
+              "source": "secalert@redhat.com",
+              "tags": [
+                "Exploit",
+                "Third Party Advisory"
+              ]
+            },
+            {
+              "url": "https://security-tracker.debian.org/tracker/CVE-2021-4214",
+              "source": "secalert@redhat.com",
+              "tags": [
+                "Third Party Advisory"
+              ]
+            },
+            {
+              "url": "https://security.netapp.com/advisory/ntap-20221020-0001/",
+              "source": "secalert@redhat.com",
+              "tags": [
+                "Third Party Advisory"
+              ]
+            }
+          ]
+        }
+      }
+    ]
+  }
+}