From 5fc306e8a7bf64cf273406078d8b1e838a5cbc09 Mon Sep 17 00:00:00 2001
From: Frank Viernau
Date: Wed, 29 Jan 2025 08:10:21 +0100
Subject: [PATCH] test(black-duck): Test parsing a vulnerability with CVSS 2 only

This illustrates an issue with parsing the `vector` and `scoring_system`.

Signed-off-by: Frank Viernau
---
 .../src/test/assets/CVE-2015-3996-parsed.yml | 43 ++++++++++++++
 .../src/test/assets/CVE-2015-3996.json | 59 +++++++++++++++++++
 .../src/test/kotlin/BlackDuckTest.kt | 9 +++
 3 files changed, 111 insertions(+)
 create mode 100644 plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml
 create mode 100644 plugins/advisors/black-duck/src/test/assets/CVE-2015-3996.json
diff --git a/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml
new file mode 100644
index 0000000000000..9c8222b6e37c5
--- /dev/null
+++ b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996-parsed.yml
@@ -0,0 +1,43 @@
+---
+id: "CVE-2015-3996"
+description: "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone\
+ \ in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library,\
+ \ disables verification of a server hostname against the domain name in the subject's\
+ \ Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers\
+ \ to spoof SSL servers via an arbitrary valid certificate."
+references:
+- url: "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "http://www.securityfocus.com/bid/76242"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "https://github.com/AFNetworking/AFNetworking/issues/2619"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "https://owncloud.org/security/advisory/?id=oc-sa-2015-012"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+- url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
+ scoring_system: "(AV:N"
+ severity: "MEDIUM"
+ score: 4.3
+ vector: "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
diff --git a/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996.json b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996.json
new file mode 100644
index 0000000000000..709ae5282e27c
--- /dev/null
+++ b/plugins/advisors/black-duck/src/test/assets/CVE-2015-3996.json
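Review bot: The expected result pins `scoring_system: "(AV:N"` on every reference, which is the first slash-separated token of the parenthesised CVSS 2 vector rather than the name of a scoring system, so the new test goes green on exactly the parser defect the commit message says it illustrates and will break once that defect is fixed. If the fixture is meant to document current output until the parser is corrected, a leading comment such as `# NOTE: scoring_system and vector below reflect the current (incorrect) parser output, not the intended values.` would keep the next reader from treating it as the contract. The intended values are presumably a scoring-system identifier for CVSS 2 and the vector without the wrapping parentheses, but that depends on how the parser is fixed. Both this fixture and the JSON fixture in the next hunk also embed a specific customer-looking Black Duck hostname in `url`/`href`; a neutral placeholder host would avoid tying test data to a particular instance.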
@@ -0,0 +1,59 @@
+{
+ "source": "NVD",
+ "name": "CVE-2015-3996",
+ "description": "The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
+ "publishedDate": "2015-10-27T16:59:00.100Z",
+ "updatedDate": "2015-10-28T18:41:26.763Z",
+ "severity": "MEDIUM",
+ "cvss2": {
+ "baseScore": 4.3,
+ "impactSubscore": 2.9,
+ "exploitabilitySubscore": 8.6,
+ "severity": "MEDIUM",
+ "accessVector": "NETWORK",
+ "accessComplexity": "MEDIUM",
+ "authentication": "NONE",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "PARTIAL",
+ "availabilityImpact": "NONE",
+ "vector": "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"
+ },
+ "useCvss3": false,
+ "classifications": [],
+ "bdsaTags": [],
+ "overallScore": 4.3,
+ "_meta": {
+ "allow": [],
+ "href": "https://zeiss.app.blackduck.com/api/vulnerabilities/CVE-2015-3996",
+ "links": [
+ {
+ "rel": "cwes",
+ "href": "https://zeiss.app.blackduck.com/api/cwes/CWE-254"
+ },
+ {
+ "rel": "reference",
+ "href": "http://www.securityfocus.com/bid/76242",
+ "label": "Reference"
+ },
+ {
+ "rel": "reference",
+ "href": "https://github.com/AFNetworking/AFNetworking/issues/2619",
+ "label": "Reference"
+ },
+ {
+ "rel": "reference",
+ "href": "https://github.com/AFNetworking/AFNetworking/releases/tag/2.5.3",
+ "label": "Reference"
+ },
+ {
+ "rel": "reference",
+ "href": "https://owncloud.org/security/advisory/?id=oc-sa-2015-012",
+ "label": "Vendor Advisory"
+ },
+ {
+ "rel": "nist",
+ "href": "https://nvd.nist.gov/vuln/detail/CVE-2015-3996"
+ }
+ ]
+ }
+}
diff --git a/plugins/advisors/black-duck/src/test/kotlin/BlackDuckTest.kt b/plugins/advisors/black-duck/src/test/kotlin/BlackDuckTest.kt
index 8c82a7f30c08c..958543eb502d3 100644
--- a/plugins/advisors/black-duck/src/test/kotlin/BlackDuckTest.kt
+++ b/plugins/advisors/black-duck/src/test/kotlin/BlackDuckTest.kt
@@ -41,6 +41,15 @@ class BlackDuckTest : WordSpec({
 vulnerability.toYaml() shouldBe matchExpectedResult(expectedResultFile)
 }
+
+ "parse a vulnerability with CVSS 2 (only) as expected" {
+ val expectedResultFile = getAssetFile("CVE-2015-3996-parsed.yml")
+ val vulnerabilityView = readVulnerabilityViewAssetFile("CVE-2015-3996.json")
+
+ val vulnerability = vulnerabilityView.toOrtVulnerability()
+
+ vulnerability.toYaml() shouldBe matchExpectedResult(expectedResultFile)
+ }
 }
 })
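Review bot: The new test case asserts against a fixture that, per the commit message, captures the currently wrong `scoring_system` and `vector` values, so it passes while the defect is present and will start failing when the parser is fixed, yet nothing at the call site says so. A comment above the test name, e.g. `// TODO: The expected result currently reflects the incorrect scoring_system/vector parsing; update the fixture once the parser is fixed.`, would make that intent explicit; alternatively the case could be kept but disabled until the fix lands (Kotest honours a `!` prefix on the test name or `.config(enabled = false)`). The enclosing `WordSpec` block starts outside the hunk.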