package node

import (
	"path/filepath"
	"testing"

	"github.com/khulnasoft-lab/tunnel-db/pkg/types"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/vulnerability"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrctest"
)

// TestVulnSrc_Update runs VulnSrc.Update over fixture directories under
// testdata/ and checks the exact key/value rows that are written.
//
// Every successful fixture is expected to register the Node.js Ecosystem
// Security Working Group data source; what else is written depends on the
// fixture. The "core" fixture (advisories against node.js itself rather than
// an npm module) is expected to produce nothing beyond the data-source row,
// and the "sad" fixture must surface a JSON decoding error.
func TestVulnSrc_Update(t *testing.T) {
	const (
		sourceKey  = "npm::Node.js Ecosystem Security Working Group"
		sourceName = "Node.js Ecosystem Security Working Group"
		sourceURL  = "https://github.com/nodejs/security-wg"
		detailSrc  = "nodejs-security-wg"
	)

	// wantDataSource returns the data-source row every happy-path fixture
	// must write. A fresh value is built per call so no test case shares a
	// backing array with another.
	wantDataSource := func() vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key: []string{"data-source", sourceKey},
			Value: types.DataSource{
				ID:   vulnerability.NodejsSecurityWg,
				Name: sourceName,
				URL:  sourceURL,
			},
		}
	}

	// wantBassmaster returns the rows expected from the two bassmaster
	// (CVE-2014-7205) fixtures. They differ only in how the source file
	// spells the CVSS score, and both are expected to produce identical rows.
	//
	// NOTE(review): because the "number and string" fixture expects exactly the
	// same VulnerabilityDetail as the "number only" one, this test does not pin
	// how (or whether) the severity string is propagated — confirm that is the
	// intended behaviour rather than an untested field.
	wantBassmaster := func() []vulnsrctest.WantValues {
		return []vulnsrctest.WantValues{
			wantDataSource(),
			{
				Key: []string{"advisory-detail", "CVE-2014-7205", sourceKey, "bassmaster"},
				Value: types.Advisory{
					PatchedVersions:    []string{">=1.5.2"},
					VulnerableVersions: []string{"<=1.5.1"},
				},
			},
			{
				Key: []string{"vulnerability-detail", "CVE-2014-7205", detailSrc},
				Value: types.VulnerabilityDetail{
					ID:          "CVE-2014-7205",
					Title:       "Arbitrary JavaScript Execution",
					Description: "A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.",
					References:  []string{"https://www.npmjs.org/package/bassmaster", "https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4"},
					CvssScore:   6.5,
				},
			},
			{
				Key:   []string{"vulnerability-id", "CVE-2014-7205"},
				Value: map[string]interface{}{},
			},
		}
	}

	type testCase struct {
		name       string
		dir        string
		wantValues []vulnsrctest.WantValues
		wantErr    string
	}

	cases := []testCase{
		{
			name:       "happy path, npm package only includes CVSS score",
			dir:        filepath.Join("testdata", "happy", "node_cvssnumberonly"),
			wantValues: wantBassmaster(),
		},
		{
			name:       "happy path, npm package includes CVSS score and severity string",
			dir:        filepath.Join("testdata", "happy", "node_cvssnumberandstring"),
			wantValues: wantBassmaster(),
		},
		{
			// Advisories for node.js core carry no npm module, so only the
			// data-source row is expected.
			name:       "happy-(ish) path, node.js core is skipped",
			dir:        filepath.Join("testdata", "happy", "core"),
			wantValues: []vulnsrctest.WantValues{wantDataSource()},
		},
		{
			// No CVSS score and no severity in the fixture: the advisory row is
			// empty and CvssScore is the -1 sentinel. Consumers must treat -1 as
			// "unknown", not as a (very low) score.
			name: "happy-(ish) path, npm package includes no cvss and no severity",
			dir:  filepath.Join("testdata", "happy", "npm_nocvssseverity"),
			wantValues: []vulnsrctest.WantValues{
				wantDataSource(),
				{
					Key:   []string{"advisory-detail", "NSWG-ECO-0", sourceKey, "missingcvss-missingseverity-package"},
					Value: types.Advisory{},
				},
				{
					Key: []string{"vulnerability-detail", "NSWG-ECO-0", detailSrc},
					Value: types.VulnerabilityDetail{
						ID:          "NSWG-ECO-0",
						Description: "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n",
						CvssScore:   -1,
					},
				},
				{
					Key:   []string{"vulnerability-id", "NSWG-ECO-0"},
					Value: map[string]interface{}{},
				},
			},
		},
		{
			// An explicit JSON null for the CVSS score is expected to map to the
			// same -1 sentinel as a missing score.
			name: "happy-(ish) path, npm package includes null cvss",
			dir:  filepath.Join("testdata", "happy", "npm_nullcvssscore"),
			wantValues: []vulnsrctest.WantValues{
				wantDataSource(),
				{
					Key: []string{"advisory-detail", "NSWG-ECO-334", sourceKey, "hubl-server"},
					Value: types.Advisory{
						PatchedVersions:    []string{"<0.0.0"},
						VulnerableVersions: []string{"<=99.999.99999"},
					},
				},
				{
					Key: []string{"vulnerability-detail", "NSWG-ECO-334", detailSrc},
					Value: types.VulnerabilityDetail{
						ID:          "NSWG-ECO-334",
						Title:       "Downloads resources over HTTP",
						Description: "The hubl-server module is a wrapper for the HubL Development Server.\n\nDuring installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.",
						CvssScore:   -1,
					},
				},
				{
					Key:   []string{"vulnerability-id", "NSWG-ECO-334"},
					Value: map[string]interface{}{},
				},
			},
		},
		{
			// Malformed JSON must fail the update; "invalid character" is the
			// substring expected in the decoding error.
			name:    "sad path, invalid json",
			dir:     filepath.Join("testdata", "sad"),
			wantErr: "invalid character",
		},
	}

	for _, tc := range cases {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			args := vulnsrctest.TestUpdateArgs{
				Dir:        tc.dir,
				WantValues: tc.wantValues,
				WantErr:    tc.wantErr,
			}
			vulnsrctest.TestUpdate(t, NewVulnSrc(), args)
		})
	}
}