// Source: github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/pkg/detector/ospkg/redhat/redhat_test.go

package redhat_test

import (
	"os"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	fake "k8s.io/utils/clock/testing"

	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
	"github.com/devseccon/trivy/pkg/dbtest"
	"github.com/devseccon/trivy/pkg/detector/ospkg/redhat"
	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/log"
	"github.com/devseccon/trivy/pkg/types"
)

// TestMain initialises the package logger (both arguments false) and then runs
// the tests, exiting with the code reported by m.Run.
func TestMain(m *testing.M) {
	log.InitLogger(false, false)
	code := m.Run()
	os.Exit(code)
}

// TestScanner_Detect loads the DB fixtures named by each case, runs the Red Hat
// scanner's Detect over the case's packages and compares the returned findings
// with the expected list. Each expected entry pins the CVE ID, the vendor
// advisory IDs, the installed and fixed versions, the status, the severity and
// its source, and the layer the package came from.
func TestScanner_Detect(t *testing.T) {
	type args struct {
		osVer string
		pkgs  []ftypes.Package
	}

	// Layers shared by the cases below; the expected findings must carry the
	// same layer as the package they were detected on.
	commonLayer := ftypes.Layer{
		DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
	}
	phpLayer := ftypes.Layer{
		DiffID: "sha256:3e968ecc016e1b9aa19023798229bf2d25c813d1bf092533f38b056aff820524",
	}

	cases := []struct {
		name     string
		fixtures []string
		args     args
		want     []types.DetectedVulnerability
		wantErr  bool
	}{
		{
			// One finding has no fixed version and is marked will-not-fix, the
			// other has an RHSA and a fixed version. Pinning the will-not-fix
			// entry keeps unpatched findings visible in the output.
			name: "happy path",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "7.6",
				pkgs: []ftypes.Package{
					{
						Name:       "vim-minimal",
						Version:    "7.4.160",
						Release:    "5.el7",
						Epoch:      2,
						Arch:       "x86_64",
						SrcName:    "vim",
						SrcVersion: "7.4.160",
						SrcRelease: "5.el7",
						SrcEpoch:   2,
						Layer:      commonLayer,
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2017-5953",
					PkgName:          "vim-minimal",
					InstalledVersion: "2:7.4.160-5.el7",
					Status:           dbTypes.StatusWillNotFix,
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityLow.String(),
					},
					Layer: commonLayer,
				},
				{
					VulnerabilityID:  "CVE-2019-12735",
					VendorIDs:        []string{"RHSA-2019:1619"},
					PkgName:          "vim-minimal",
					InstalledVersion: "2:7.4.160-5.el7",
					FixedVersion:     "2:7.4.160-6.el7_6",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityHigh.String(),
					},
					Layer: commonLayer,
				},
			},
		},
		{
			// The second expected finding carries two RHSA IDs for one CVE.
			name: "happy path: multiple RHSA-IDs",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "7.5",
				pkgs: []ftypes.Package{
					{
						Name:       "nss",
						Version:    "3.36.0",
						Release:    "7.1.el7_6",
						Epoch:      0,
						Arch:       "x86_64",
						SrcName:    "nss",
						SrcVersion: "3.36.0",
						// NOTE(review): SrcRelease differs from Release and matches the
						// vim version string used above; looks like a copy-paste
						// leftover. Confirm whether Detect reads SrcRelease at all.
						SrcRelease: "7.4.160",
						SrcEpoch:   0,
						Layer:      commonLayer,
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2019-17007",
					VendorIDs:        []string{"RHSA-2021:0876"},
					PkgName:          "nss",
					InstalledVersion: "3.36.0-7.1.el7_6",
					FixedVersion:     "3.36.0-9.el7_6",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityMedium.String(),
					},
					Layer: commonLayer,
				},
				{
					VulnerabilityID: "CVE-2020-12403",
					VendorIDs: []string{
						"RHSA-2021:0538",
						"RHSA-2021:0876",
					},
					PkgName:          "nss",
					InstalledVersion: "3.36.0-7.1.el7_6",
					FixedVersion:     "3.53.1-17.el7_3",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityHigh.String(),
					},
					Layer: commonLayer,
				},
			},
		},
		{
			// The package reports Arch "noarch".
			name: "happy path: package without architecture",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "7.6",
				pkgs: []ftypes.Package{
					{
						Name:       "kernel-headers",
						Version:    "3.10.0-1127.19",
						Release:    "1.el7",
						Epoch:      0,
						Arch:       "noarch",
						SrcName:    "kernel-headers",
						SrcVersion: "3.10.0-1127.19",
						SrcRelease: "1.el7",
						SrcEpoch:   0,
						Layer:      commonLayer,
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2016-5195",
					VendorIDs:        []string{"RHSA-2017:0372"},
					PkgName:          "kernel-headers",
					InstalledVersion: "3.10.0-1127.19-1.el7",
					FixedVersion:     "4.5.0-15.2.1.el7",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityHigh.String(),
					},
					Layer: commonLayer,
				},
			},
		},
		{
			// Same CVE as the previous case, but for an x86_64 package the
			// expected advisory ID and fixed version are different.
			name: "happy path: advisories have different arches",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "7.6",
				pkgs: []ftypes.Package{
					{
						Name:       "kernel-headers",
						Version:    "3.10.0-326.36",
						Release:    "3.el7",
						Epoch:      0,
						Arch:       "x86_64",
						SrcName:    "kernel-headers",
						SrcVersion: "3.10.0-326.36",
						SrcRelease: "3.el7",
						SrcEpoch:   0,
						Layer:      commonLayer,
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2016-5195",
					VendorIDs:        []string{"RHSA-2016:2098"},
					PkgName:          "kernel-headers",
					InstalledVersion: "3.10.0-326.36-3.el7",
					FixedVersion:     "3.10.0-327.36.3.el7",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityHigh.String(),
					},
					Layer: commonLayer,
				},
			},
		},
		{
			// The package has neither BuildInfo nor source fields nor a layer;
			// a finding is still expected, and it carries no layer either.
			name: "no build info",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "8.3",
				pkgs: []ftypes.Package{
					{
						Name:    "vim-minimal",
						Version: "7.4.160",
						Release: "5.el8",
						Epoch:   2,
						Arch:    "x86_64",
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2019-12735",
					VendorIDs:        []string{"RHSA-2019:1619"},
					PkgName:          "vim-minimal",
					InstalledVersion: "2:7.4.160-5.el8",
					FixedVersion:     "2:7.4.160-7.el8_7",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityMedium.String(),
					},
				},
			},
		},
		{
			// The package carries a modularity label, and its BuildInfo gives an
			// NVR and arch instead of content sets.
			name: "modular packages",
			fixtures: []string{
				"testdata/fixtures/redhat.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "8.3",
				pkgs: []ftypes.Package{
					{
						Name:            "php",
						Version:         "7.2.10",
						Release:         "1.module_el8.2.0+313+b04d0a66",
						Arch:            "x86_64",
						SrcName:         "php",
						SrcVersion:      "7.2.10",
						SrcRelease:      "1.module_el8.2.0+313+b04d0a66",
						Modularitylabel: "php:7.2:8020020200507003613:2c7ca891",
						Layer:           phpLayer,
						BuildInfo: &ftypes.BuildInfo{
							Nvr:  "ubi8-init-container-8.0-7",
							Arch: "x86_64",
						},
					},
				},
			},
			want: []types.DetectedVulnerability{
				{
					VulnerabilityID:  "CVE-2019-11043",
					VendorIDs:        []string{"RHSA-2020:0322"},
					PkgName:          "php",
					InstalledVersion: "7.2.10-1.module_el8.2.0+313+b04d0a66",
					FixedVersion:     "7.2.11-1.1.module+el8.0.0+4664+17bd8d65",
					SeveritySource:   vulnerability.RedHat,
					Vulnerability: dbTypes.Vulnerability{
						Severity: dbTypes.SeverityCritical.String(),
					},
					Layer: phpLayer,
				},
			},
		},
		{
			// A package whose release ends in ".remi" must yield no findings.
			// Operationally this means such packages get no coverage from this
			// detector.
			// NOTE(review): the case loads no fixtures, so a nil result may not by
			// itself distinguish "skipped" from "nothing in the DB"; confirm
			// against the detector.
			name: "packages from remi repository are skipped",
			args: args{
				osVer: "7.6",
				pkgs: []ftypes.Package{
					{
						Name:    "php",
						Version: "7.3.23",
						Release: "1.el7.remi",
						Arch:    "x86_64",
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			want: []types.DetectedVulnerability(nil),
		},
		{
			// The invalid-type fixture must make Detect return an error; only the
			// presence of an error is checked, not its text.
			name: "broken value",
			fixtures: []string{
				"testdata/fixtures/invalid-type.yaml",
				"testdata/fixtures/cpe.yaml",
			},
			args: args{
				osVer: "7",
				pkgs: []ftypes.Package{
					{
						Name:    "nss",
						Version: "3.36.0",
						Release: "7.1.el7_6",
						Arch:    "x86_64",
						BuildInfo: &ftypes.BuildInfo{
							ContentSets: []string{"rhel-7-server-rpms"},
						},
					},
				},
			},
			wantErr: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Each subtest gets its own DB built from the case's fixtures; the
			// Close error is deliberately discarded.
			dbtest.InitDB(t, tc.fixtures)
			defer func() { _ = dbtest.Close() }()

			scanner := redhat.NewScanner()
			detected, err := scanner.Detect(tc.args.osVer, nil, tc.args.pkgs)

			// Stop here when the error expectation is not met; the error itself
			// is passed along as the failure message.
			failed := err != nil
			require.Equal(t, tc.wantErr, failed, err)
			assert.Equal(t, tc.want, detected)
		})
	}
}

// TestScanner_IsSupportedVersion checks the scanner's support decision for an
// OS family and version at a fixed point in time. The scanner is built with a
// fake clock set to the case's `now`, so the result does not depend on the wall
// clock of the machine running the test.
func TestScanner_IsSupportedVersion(t *testing.T) {
	type args struct {
		osFamily ftypes.OSType
		osVer    string
	}

	// Reference instant shared by every case except the EOL one.
	endOfMay2019 := time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)

	cases := []struct {
		name string
		now  time.Time
		args args
		want bool
	}{
		{
			name: "centos 6",
			now:  endOfMay2019,
			args: args{
				osFamily: "centos",
				osVer:    "6.8",
			},
			want: true,
		},
		{
			// With the clock at 2020-12-01 a CentOS 6 release is reported as no
			// longer supported.
			name: "centos 6 EOL",
			now:  time.Date(2020, 12, 1, 0, 0, 0, 0, time.UTC),
			args: args{
				osFamily: "centos",
				osVer:    "6.7",
			},
			want: false,
		},
		{
			// A three-component version string is accepted.
			name: "two dots",
			now:  endOfMay2019,
			args: args{
				osFamily: "centos",
				osVer:    "8.0.1",
			},
			want: true,
		},
		{
			name: "rhel 8",
			now:  endOfMay2019,
			args: args{
				osFamily: "redhat",
				osVer:    "8.0",
			},
			want: true,
		},
		{
			// A version far beyond any real release is reported as supported.
			// NOTE(review): presumably a version with no known EOL date is treated
			// as supported; confirm against the scanner.
			name: "latest",
			now:  endOfMay2019,
			args: args{
				osFamily: "redhat",
				osVer:    "999.0",
			},
			want: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			clock := fake.NewFakeClock(tc.now)
			scanner := redhat.NewScanner(redhat.WithClock(clock))

			supported := scanner.IsSupportedVersion(tc.args.osFamily, tc.args.osVer)
			assert.Equal(t, tc.want, supported)
		})
	}
}