
     1  package alma_test
     2  
     3  import (
     4  	"path/filepath"
     5  	"testing"
     6  
     7  	"github.com/khulnasoft-lab/tunnel-db/pkg/types"
     8  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/alma"
     9  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/vulnerability"
    10  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrctest"
    11  )
    12  
// TestVulnSrc_Update runs the AlmaLinux vulnerability source against the
// fixtures under testdata/ and pins the key/value pairs it must produce.
//
// Each case names a fixture directory. vulnsrctest.TestUpdate is handed
// alma.NewVulnSrc() together with that directory, the expected values and
// the expected error string; how it drives the source and matches wantErr
// (exact vs. substring) is decided in vulnsrctest — confirm there.
//
// The "duplicate advisories" fixture presumably lists the same CVE under two
// module packages; the expected values pin that both package keys survive.
func TestVulnSrc_Update(t *testing.T) {
	// Fixture values shared by several expectations. They must stay
	// byte-identical to the data under testdata/.
	const goToolsetFixed = "1.15.14-1.module_el8.4.0+2519+614b07b8"

	goToolsetDetail := types.VulnerabilityDetail{
		Severity:    types.SeverityMedium,
		Title:       "Moderate: go-toolset:rhel8 security, bug fix, and enhancement update",
		Description: "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nThe following packages have been upgraded to a later upstream version: golang (1.15.14). (BZ#1982287)\n\nSecurity Fix(es):\n\n* golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)\n\n* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)\n\n* golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* FIPS mode AES CBC CryptBlocks incorrectly re-initializes IV in file crypto/internal/boring/aes.go (BZ#1978567)\n\n* FIPS mode AES CBC Decrypter produces incorrect result (BZ#1983976)",
	}

	nodejsDetail := types.VulnerabilityDetail{
		Severity:    types.SeverityHigh,
		Title:       "Important: nodejs:14 security and bug fix update",
		Description: "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (14.15.4).\n\nSecurity Fix(es):\n\n* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)\n\n* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)\n\n* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)\n\n* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)\n\n* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)\n\n* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)",
	}

	// advisory builds the expected "advisory-detail" entry for one
	// (CVE, module package) pair on AlmaLinux 8.
	advisory := func(cve, pkg, fixed string) vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key:   []string{"advisory-detail", cve, "alma 8", pkg},
			Value: types.Advisory{FixedVersion: fixed},
		}
	}

	// detail builds the expected "vulnerability-detail" entry for a CVE.
	detail := func(cve string, d types.VulnerabilityDetail) vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key:   []string{"vulnerability-detail", cve, "alma"},
			Value: d,
		}
	}

	// vulnID builds the expected "vulnerability-id" marker for a CVE; its
	// value is an empty map in the stored form.
	vulnID := func(cve string) vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key:   []string{"vulnerability-id", cve},
			Value: map[string]interface{}{},
		}
	}

	type testCase struct {
		name       string
		dir        string
		wantValues []vulnsrctest.WantValues
		wantErr    string
	}

	cases := []testCase{
		{
			name: "happy path",
			dir:  filepath.Join("testdata", "happy"),
			wantValues: []vulnsrctest.WantValues{
				{
					Key: []string{"data-source", "alma 8"},
					Value: types.DataSource{
						ID:   vulnerability.Alma,
						Name: "AlmaLinux Product Errata",
						URL:  "https://errata.almalinux.org/",
					},
				},
				advisory("CVE-2021-27918", "go-toolset:rhel8::go-toolset", goToolsetFixed),
				advisory("CVE-2021-27918", "go-toolset:rhel8::golang", goToolsetFixed),
				advisory("CVE-2021-31525", "go-toolset:rhel8::go-toolset", goToolsetFixed),
				advisory("CVE-2021-31525", "go-toolset:rhel8::golang", goToolsetFixed),
				detail("CVE-2021-27918", goToolsetDetail),
				detail("CVE-2021-31525", goToolsetDetail),
				vulnID("CVE-2021-27918"),
				vulnID("CVE-2021-31525"),
			},
		},
		{
			name: "duplicate advisories",
			dir:  filepath.Join("testdata", "duplicate"),
			wantValues: []vulnsrctest.WantValues{
				advisory("CVE-2020-7754", "nodejs:14::nodejs-nodemon", "2.0.3-1.module_el8.3.0+2022+0cf59502"),
				advisory("CVE-2020-7754", "nodejs:14::nodejs-packaging", "23-3.module_el8.3.0+2022+0cf59502"),
				detail("CVE-2020-7754", nodejsDetail),
				vulnID("CVE-2020-7754"),
			},
		},
		{
			name:    "sad path",
			dir:     filepath.Join("testdata", "sad"),
			wantErr: "failed to decode Alma erratum",
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			vulnsrctest.TestUpdate(t, alma.NewVulnSrc(), vulnsrctest.TestUpdateArgs{
				Dir:        tc.dir,
				WantValues: tc.wantValues,
				WantErr:    tc.wantErr,
			})
		})
	}
}