-
-
Notifications
You must be signed in to change notification settings - Fork 598
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: 4naesthetic <[email protected]>
- Loading branch information
1 parent
66d50d7
commit 8404e8f
Showing
2 changed files
with
207 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
179 changes: 179 additions & 0 deletions
179
src/test/java/org/dependencytrack/util/NotificationUtilTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,179 @@ | ||
| package org.dependencytrack.util; | ||
|
|
||
| import alpine.notification.Notification; | ||
| import alpine.notification.NotificationLevel; | ||
| import alpine.notification.NotificationService; | ||
| import alpine.notification.Subscriber; | ||
| import alpine.notification.Subscription; | ||
| import jakarta.json.JsonObject; | ||
| import org.dependencytrack.PersistenceCapableTest; | ||
|
|
||
| import org.dependencytrack.model.Component; | ||
| import org.dependencytrack.model.Project; | ||
| import org.dependencytrack.model.Severity; | ||
| import org.dependencytrack.model.Vulnerability; | ||
| import org.dependencytrack.model.VulnerabilityUpdateDiff; | ||
| import org.dependencytrack.notification.NotificationGroup; | ||
| import org.dependencytrack.notification.NotificationScope; | ||
| import org.dependencytrack.notification.vo.ProjectVulnerabilityUpdate; | ||
| import org.junit.After; | ||
| import org.junit.AfterClass; | ||
| import org.junit.Before; | ||
| import org.junit.BeforeClass; | ||
| import org.junit.Test; | ||
|
|
||
| import java.time.Duration; | ||
| import java.util.ArrayList; | ||
| import java.util.List; | ||
| import java.util.concurrent.ConcurrentLinkedQueue; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
| import static org.awaitility.Awaitility.await; | ||
|
|
||
| public class NotificationUtilTest extends PersistenceCapableTest { | ||
|
|
||
| public static class NotificationSubscriber implements Subscriber { | ||
|
|
||
| @Override | ||
| public void inform(final Notification notification) { | ||
| NOTIFICATIONS.add(notification); | ||
| } | ||
|
|
||
| } | ||
|
|
||
| private static final ConcurrentLinkedQueue<Notification> NOTIFICATIONS = new ConcurrentLinkedQueue<>(); | ||
|
|
||
| @BeforeClass | ||
| public static void setUpClass() { | ||
| NotificationService.getInstance().subscribe(new Subscription(NotificationUtilTest.NotificationSubscriber.class)); | ||
| } | ||
|
|
||
| @AfterClass | ||
| public static void tearDownClass() { | ||
| NotificationService.getInstance().unsubscribe(new Subscription(NotificationUtilTest.NotificationSubscriber.class)); | ||
| } | ||
|
|
||
| @Before | ||
| public void setup() { | ||
| NOTIFICATIONS.clear(); | ||
| } | ||
|
|
||
| @After | ||
| public void tearDown() { | ||
| NOTIFICATIONS.clear(); | ||
| } | ||
|
|
||
| @Test | ||
| public void testVulnerabilityUpdateNoAffectedComponents() { | ||
| Vulnerability vulnerability = new Vulnerability(); | ||
| vulnerability.setVulnId("CVE-2024-12345"); | ||
| vulnerability.setSource(Vulnerability.Source.NVD); | ||
| vulnerability.setSeverity(Severity.CRITICAL); | ||
| qm.createVulnerability(vulnerability, false); | ||
|
|
||
| final VulnerabilityUpdateDiff vulnerabilityUpdateDiff = new VulnerabilityUpdateDiff(Severity.UNASSIGNED, vulnerability.getSeverity()); | ||
|
|
||
| NotificationUtil.analyzeNotificationCriteria(qm, vulnerability, vulnerabilityUpdateDiff); | ||
|
|
||
| // The Awaitility API is a bit awkward for asserting that something did not happen. | ||
| // Here we wait for 3 continuous seconds (out of the 4s timeout period) where there is no vuln update notification | ||
| // and fail early if we do find one. Due to the polling implementation atMost must be > the 'during' internal or | ||
| // we will trigger a timeout and fail the test. | ||
| org.awaitility.core.ThrowingRunnable assertion = ( | ||
| () -> assertThat(NOTIFICATIONS).extracting(Notification::getGroup).doesNotContain(NotificationGroup.PROJECT_VULNERABILITY_UPDATED.name()) | ||
| ); | ||
| await().during(Duration.ofSeconds(3)).atMost(Duration.ofSeconds(4)) | ||
| .failFast(assertion) | ||
| .untilAsserted(assertion); | ||
| } | ||
|
|
||
| @Test | ||
| public void testVulnerabilityUpdateMultipleComponents() { | ||
| final Project projectA = qm.createProject("Project A", null, "1.0", null, null, null, true, false); | ||
| var componentA = new Component(); | ||
| componentA.setProject(projectA); | ||
| componentA.setName("Component A"); | ||
| componentA.setPurl("pkg:npm/[email protected]"); | ||
| componentA = qm.createComponent(componentA, false); | ||
|
|
||
| final Project projectB = qm.createProject("Project B", null, "1.0", null, null, null, true, false); | ||
| var componentB = new Component(); | ||
| componentB.setProject(projectB); | ||
| componentB.setName("Component B"); | ||
| componentB.setPurl("pkg:npm/[email protected]"); // same purl | ||
| componentB = qm.createComponent(componentB, false); | ||
|
|
||
| final ArrayList<Component> components = new ArrayList<>(); | ||
| components.add(componentA); | ||
| components.add(componentB); | ||
|
|
||
| Vulnerability vulnerability = new Vulnerability(); | ||
| vulnerability.setVulnId("CVE-2024-12345"); | ||
| vulnerability.setSource(Vulnerability.Source.NVD); | ||
| vulnerability.setSeverity(Severity.CRITICAL); | ||
| vulnerability.setComponents(components); | ||
| qm.createVulnerability(vulnerability, false); | ||
|
|
||
| final VulnerabilityUpdateDiff vulnerabilityUpdateDiff = new VulnerabilityUpdateDiff(Severity.UNASSIGNED, vulnerability.getSeverity()); | ||
|
|
||
| NotificationUtil.analyzeNotificationCriteria(qm, vulnerability, vulnerabilityUpdateDiff); | ||
|
|
||
| // Only one notification should be generated regardless of how many affected components | ||
| await("Exactly 1 Vulnerability Update Notification Emitted") | ||
| .atMost(Duration.ofSeconds(5)) | ||
| .untilAsserted(() -> assertThat(NOTIFICATIONS) | ||
| .filteredOn(notification -> notification.getGroup().equals(NotificationGroup.PROJECT_VULNERABILITY_UPDATED.name())) | ||
| .hasSize(1) | ||
| .satisfiesExactly(notification -> { | ||
| assertThat(notification.getScope()).isEqualTo(NotificationScope.PORTFOLIO.name()); | ||
| assertThat(notification.getGroup()).isEqualTo(NotificationGroup.PROJECT_VULNERABILITY_UPDATED.name()); | ||
| assertThat(notification.getLevel()).isEqualTo(NotificationLevel.INFORMATIONAL); | ||
| assertThat(notification.getSubject()).isInstanceOf(ProjectVulnerabilityUpdate.class); | ||
| final var subject = (ProjectVulnerabilityUpdate) notification.getSubject(); | ||
| assertThat(components.stream().map(Component::getUuid).toList()).contains(subject.getComponent().getUuid()); | ||
| assertThat(subject.getVulnerability().getUuid()).isEqualTo(vulnerability.getUuid()); | ||
| assertThat(subject.getVulnerabilityUpdateDiff().getOldSeverity()).isEqualTo(vulnerabilityUpdateDiff.getOldSeverity()); | ||
| assertThat(subject.getVulnerabilityUpdateDiff().getNewSeverity()).isEqualTo(vulnerabilityUpdateDiff.getNewSeverity()); | ||
| }) | ||
| ); | ||
| } | ||
|
|
||
| @Test | ||
| public void testVulnerabilityUpdateToJson() { | ||
| final Project project = qm.createProject("Project A", null, "1.0", null, null, null, true, false); | ||
| var component = new Component(); | ||
| component.setProject(project); | ||
| component.setName("Component A"); | ||
| component.setPurl("pkg:npm/[email protected]"); | ||
| component = qm.createComponent(component, false); | ||
|
|
||
| var vulnerability = new Vulnerability(); | ||
| vulnerability.setVulnId("CVE-2024-12345"); | ||
| vulnerability.setSource(Vulnerability.Source.NVD); | ||
| vulnerability.setSeverity(Severity.CRITICAL); | ||
| vulnerability.setComponents(List.of(component)); | ||
| vulnerability = qm.createVulnerability(vulnerability, false); | ||
|
|
||
| final VulnerabilityUpdateDiff vulnerabilityUpdateDiff = new VulnerabilityUpdateDiff(Severity.UNASSIGNED, vulnerability.getSeverity()); | ||
|
|
||
| final ProjectVulnerabilityUpdate vo = new ProjectVulnerabilityUpdate(vulnerability, vulnerabilityUpdateDiff, component); | ||
| final JsonObject subjectJson = NotificationUtil.toJson(vo); | ||
|
|
||
| final String expectedJson = String.format( | ||
| "{\"vulnerability\":{\"uuid\":\"%s\",\"vulnId\":\"%s\",\"source\":\"%s\",\"aliases\":[]," | ||
| + "\"old\":{\"severity\":\"%s\"},\"new\":{\"severity\":\"%s\"}}," | ||
| + "\"component\":{\"uuid\":\"%s\",\"name\":\"%s\",\"purl\":\"%s\"}}", | ||
| vulnerability.getUuid(), | ||
| vulnerability.getVulnId(), | ||
| vulnerability.getSource(), | ||
| vulnerabilityUpdateDiff.getOldSeverity(), | ||
| vulnerabilityUpdateDiff.getNewSeverity(), | ||
| component.getUuid(), | ||
| component.getName(), | ||
| component.getPurl() | ||
| ); | ||
|
|
||
| assertThat(subjectJson).isNotNull(); | ||
| assertThat(subjectJson.toString()).isEqualTo(expectedJson); | ||
| } | ||
| } |