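package library_test

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/aquasecurity/trivy-db/pkg/db"
	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
	"github.com/devseccon/trivy/pkg/dbtest"
	"github.com/devseccon/trivy/pkg/detector/library"
	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/types"
)

// TestDriver_Detect exercises Driver.DetectVulnerabilities against advisory
// fixtures loaded into the vulnerability DB. Each case loads its own fixture
// set, resolves the driver for the ecosystem under test and then checks either
// the detected vulnerabilities or that the returned error contains wantErr.
func TestDriver_Detect(t *testing.T) {
	type args struct {
		pkgName string
		pkgVer  string
	}
	tests := []struct {
		name     string
		fixtures []string        // YAML fixtures handed to dbtest.InitDB
		libType  ftypes.LangType // ecosystem whose driver is under test
		args     args
		want     []types.DetectedVulnerability
		wantErr  string // substring expected in the error; empty means the call must succeed
	}{
		{
			name: "happy path",
			fixtures: []string{
				"testdata/fixtures/php.yaml",
				"testdata/fixtures/data-source.yaml",
			},
			libType: ftypes.Composer,
			args: args{
				pkgName: "symfony/symfony",
				pkgVer:  "4.2.6",
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2019-10909",
					PkgName:          "symfony/symfony",
					InstalledVersion: "4.2.6",
					FixedVersion:     "4.2.7",
					DataSource: &dbTypes.DataSource{
						ID:   vulnerability.GLAD,
						Name: "GitLab Advisory Database Community",
						URL:  "https://gitlab.com/gitlab-org/advisories-community",
					},
				},
			},
		},
		{
			name: "case-sensitive go package",
			fixtures: []string{
				"testdata/fixtures/go.yaml",
				"testdata/fixtures/data-source.yaml",
			},
			libType: ftypes.GoModule,
			args: args{
				pkgName: "github.com/Masterminds/vcs",
				pkgVer:  "v1.13.1",
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2022-21235",
					PkgName:          "github.com/Masterminds/vcs",
					InstalledVersion: "v1.13.1",
					FixedVersion:     "v1.13.2",
					DataSource: &dbTypes.DataSource{
						ID:   vulnerability.GLAD,
						Name: "GitLab Advisory Database Community",
						URL:  "https://gitlab.com/gitlab-org/advisories-community",
					},
				},
			},
		},
		{
			name:     "non-prefixed buckets",
			fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
			libType:  ftypes.Composer,
			args: args{
				pkgName: "symfony/symfony",
				pkgVer:  "4.2.6",
			},
			want: nil,
		},
		{
			name: "no patched versions in the advisory",
			fixtures: []string{
				"testdata/fixtures/php.yaml",
				"testdata/fixtures/data-source.yaml",
			},
			libType: ftypes.Composer,
			args: args{
				pkgName: "symfony/symfony",
				pkgVer:  "4.4.6",
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2020-5275",
					PkgName:          "symfony/symfony",
					InstalledVersion: "4.4.6",
					FixedVersion:     "4.4.7",
					DataSource: &dbTypes.DataSource{
						ID:   vulnerability.PhpSecurityAdvisories,
						Name: "PHP Security Advisories Database",
						URL:  "https://github.com/FriendsOfPHP/security-advisories",
					},
				},
			},
		},
		{
			name: "no vulnerable versions in the advisory",
			fixtures: []string{
				"testdata/fixtures/ruby.yaml",
				"testdata/fixtures/data-source.yaml",
			},
			libType: ftypes.Bundler,
			args: args{
				pkgName: "activesupport",
				pkgVer:  "4.1.1",
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2015-3226",
					PkgName:          "activesupport",
					InstalledVersion: "4.1.1",
					FixedVersion:     ">= 4.2.2, ~> 4.1.11",
					DataSource: &dbTypes.DataSource{
						ID:   vulnerability.RubySec,
						Name: "Ruby Advisory Database",
						URL:  "https://github.com/rubysec/ruby-advisory-db",
					},
				},
			},
		},
		{
			name:     "no vulnerability",
			fixtures: []string{"testdata/fixtures/php.yaml"},
			libType:  ftypes.Composer,
			args: args{
				pkgName: "symfony/symfony",
				pkgVer:  "4.4.7",
			},
		},
		{
			name:     "malformed JSON",
			fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
			libType:  ftypes.Composer,
			args: args{
				pkgName: "symfony/symfony",
				pkgVer:  "5.1.5",
			},
			wantErr: "failed to unmarshal advisory JSON",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// The DB is package-level state (db.Close is a package function),
			// so each subtest (re)initializes it from its own fixtures and the
			// subtests are deliberately not run in parallel.
			_ = dbtest.InitDB(t, tt.fixtures)
			defer db.Close()

			driver, ok := library.NewDriver(tt.libType)
			require.True(t, ok, "no driver registered for %q", tt.libType)

			got, err := driver.DetectVulnerabilities("", tt.args.pkgName, tt.args.pkgVer)
			if tt.wantErr != "" {
				require.Error(t, err)
				assert.Contains(t, err.Error(), tt.wantErr)
				return
			}

			// Stop on an unexpected error: comparing tt.want against the result
			// of a failed call would only add a misleading diff to the report.
			require.NoError(t, err)
			assert.Equal(t, tt.want, got)
		})
	}
}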