ploughshares/tests/test_dependencies.py

#!/usr/bin/env python3
"""
Test script to check for vulnerable dependencies.
This script scans requirements.txt for known vulnerable packages.
"""

import os
import unittest
import subprocess
import sys


class DependencySecurityTests(unittest.TestCase):
    """Tests to verify that dependencies don't have known vulnerabilities."""

    def setUp(self):
        """Set up the test environment."""
        self.project_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
        self.requirements_path = os.path.join(self.project_root, 'docker', 'ploughshares', 'requirements.txt')
    
    def test_requirements_file_exists(self):
        """Test that requirements.txt exists."""
        self.assertTrue(os.path.exists(self.requirements_path), 
                       "requirements.txt file should exist")
    
    def test_no_pinned_vulnerable_packages(self):
        """Test that requirements.txt doesn't contain known vulnerable package versions."""
        # This is a simplified check - in production, you would use a tool like safety
        with open(self.requirements_path, 'r') as f:
            requirements = f.read()
        
        # List of known vulnerable packages and versions (example)
        known_vulnerable = [
            "flask==0.12.0",  # Example vulnerable version
            "psycopg2==2.4.5",  # Example vulnerable version
            "werkzeug==0.11.0",  # Example vulnerable version
        ]
        
        for package in known_vulnerable:
            self.assertNotIn(package, requirements, 
                           f"requirements.txt contains vulnerable package: {package}")
    
    def test_safety_check(self):
        """
        Test using safety to check for vulnerabilities (if installed).
        
        Note: This test is skipped if safety is not installed.
        To install safety: pip install safety
        """
        try:
            # Check if safety is installed
            subprocess.run(["safety", "--version"], 
                          stdout=subprocess.PIPE, 
                          stderr=subprocess.PIPE, 
                          check=True)
            
            # Skip the actual test - in CI/CD you would run this
            self.skipTest("Safety check skipped in test - run manually or in CI/CD")
            
            # Example of how to run safety:
            # result = subprocess.run(
            #     ["safety", "check", "-r", self.requirements_path, "--json"],
            #     stdout=subprocess.PIPE,
            #     stderr=subprocess.PIPE,
            #     text=True,
            #     check=False
            # )
            # self.assertEqual(result.returncode, 0, 
            #                 f"Safety check failed: {result.stdout}")
            
        except (subprocess.SubprocessError, FileNotFoundError):
            self.skipTest("safety not installed, skipping vulnerability check")


if __name__ == '__main__':
    unittest.main()