package vulnerability_test

import (
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/khulnasoft-lab/tunnel-db/pkg/db"
	"github.com/khulnasoft-lab/tunnel-db/pkg/dbtest"
	"github.com/khulnasoft-lab/tunnel-db/pkg/types"
	"github.com/khulnasoft-lab/tunnel-db/pkg/utils"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/vulnerability"
)

// Fixture strings shared by the tables below. Pulling them out makes the
// byte-for-byte expectations easier to audit than repeating the literals.
const (
	testTitle       = "test vulnerability"
	testDescription = "a test vulnerability where vendor rates it lower than NVD"
	testReference   = "http://foo-bar.com/baz"

	// One CVSS v2 vector and two CVSS v3.0 vectors that differ only in the
	// attack vector (adjacent network vs. network).
	cvssV2Vector         = "AV:N/AC:M/Au:N/C:N/I:P/A:N"
	cvssV3AdjacentVector = "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
	cvssV3NetworkVector  = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

	// Prefix that marks a CVE description as rejected by NVD (see
	// TestIsRejected). The trailing space matters: it is concatenated with
	// testDescription to rebuild the exact fixture string.
	rejectMarker = "** REJECT ** "
)

// TestGetDetails loads a fixture database and checks that GetDetails returns
// the per-source VulnerabilityDetail map stored for a CVE ID. Three cases are
// pinned: a hit carrying both an NVD and a Red Hat entry, an ID that is not in
// the fixture, and a fixture (sad.yaml) that makes the underlying lookup fail.
// The last two are expected to yield a nil map rather than a partial one.
func TestGetDetails(t *testing.T) {
	published := utils.MustTimeParse("2001-01-01T01:02:03Z")
	lastModified := utils.MustTimeParse("2020-01-01T01:02:03Z")

	tests := []struct {
		name     string
		fixtures []string
		vulnID   string
		want     map[types.SourceID]types.VulnerabilityDetail
	}{
		{
			name:     "happy path",
			fixtures: []string{"testdata/fixtures/happy.yaml"},
			vulnID:   "CVE-2020-1234",
			want: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.NVD: {
					CvssScore:        4.2,
					CvssVector:       cvssV2Vector,
					CvssScoreV3:      5.6,
					CvssVectorV3:     cvssV3AdjacentVector,
					SeverityV3:       types.SeverityHigh,
					CweIDs:           []string{"CWE-125", "CWE-200"},
					LastModifiedDate: lastModified,
					PublishedDate:    published,
				},
				vulnerability.RedHat: {
					CvssScoreV3:  6.7,
					CvssVectorV3: cvssV3NetworkVector,
					SeverityV3:   types.SeverityHigh,
					Title:        testTitle,
					Description:  testDescription,
					References:   []string{testReference},
				},
			},
		},
		{
			name:     "no advisories are returned",
			fixtures: []string{"testdata/fixtures/happy.yaml"},
			vulnID:   "CVE-2020-9999",
			want:     nil,
		},
		{
			name:     "GetVulnerabilityDetail returns an error",
			fixtures: []string{"testdata/fixtures/sad.yaml"},
			vulnID:   "CVE-2020-1234",
			want:     nil,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// InitDB is expected to load the fixtures into a fresh database
			// and open the package-level handle that db.Close releases; the
			// path it returns is not needed by this test.
			_ = dbtest.InitDB(t, tt.fixtures)
			defer db.Close()

			got := vulnerability.New(db.Config{}).GetDetails(tt.vulnID)
			assert.Equal(t, tt.want, got)
		})
	}
}

// TestIsRejected pins the REJECT detection used to keep withdrawn CVEs out of
// results. A "** REJECT **" prefix on the NVD description makes the
// vulnerability rejected even when the Red Hat and Ubuntu entries look
// ordinary; a clean NVD description does not. Whether a marker on a non-NVD
// source would also count is not covered by these cases.
func TestIsRejected(t *testing.T) {
	tests := []struct {
		name    string
		details map[types.SourceID]types.VulnerabilityDetail
		want    bool
	}{
		{
			name: "happy path",
			details: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.NVD: {
					ID:          "CVE-2020-1234",
					CvssScore:   9.1,
					Title:       testTitle,
					Description: testDescription,
				},
				vulnerability.RedHat: {
					ID:          "CVE-2020-1234",
					CvssScoreV3: 5.6,
					Title:       testTitle,
					Description: testDescription,
				},
			},
			want: false,
		},
		{
			name: "happy path, when vulnerability from redhat and ubuntu is rejected by Nvd",
			details: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.RedHat: {
					ID:          "CVE-2020-1234",
					CvssScoreV3: 5.6,
					Title:       testTitle,
					Description: testDescription,
				},
				vulnerability.Ubuntu: {
					ID:          "CVE-2020-1234",
					CvssScore:   1.2,
					CvssScoreV3: 3.4,
					Severity:    types.SeverityLow,
					SeverityV3:  types.SeverityMedium,
					Title:       testTitle,
					Description: testDescription,
				},
				vulnerability.NVD: {
					ID:          "CVE-2020-1234",
					CvssScore:   9.1,
					Title:       testTitle,
					Description: rejectMarker + testDescription,
				},
			},
			want: true,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// No database is opened here, so IsRejected is expected to work
			// purely on the details passed in.
			got := vulnerability.New(nil).IsRejected(tt.details)
			assert.Equal(t, tt.want, got)
		})
	}
}

// TestNormalize checks how per-source details are merged into a single
// types.Vulnerability. The expectations pin that:
//   - Title, Description and References are filled from a source that has
//     them (Red Hat, then Ubuntu) when NVD has none;
//   - VendorSeverity carries one entry per source with a SeverityV3, and the
//     value matches that SeverityV3 (Ubuntu's Low v2 Severity is not used);
//   - CVSS carries one entry per source with real vector/score data — a
//     source whose only datum is a negative CvssScore (Node.js WG) gets
//     neither a CVSS nor a VendorSeverity entry;
//   - the headline Severity is one value (Medium in all three cases) even
//     when a vendor rates the issue Critical. Consumers triaging per
//     distribution should read VendorSeverity rather than Severity alone.
//     How the headline value is chosen is not visible from this file.
func TestNormalize(t *testing.T) {
	published := utils.MustTimeParse("2001-01-01T01:02:03Z")
	lastModified := utils.MustTimeParse("2020-01-01T01:02:03Z")

	tests := []struct {
		name    string
		details map[types.SourceID]types.VulnerabilityDetail
		want    types.Vulnerability
	}{
		{
			name: "happy path",
			details: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.NVD: {
					CvssScore:        4.2,
					CvssVector:       cvssV2Vector,
					CvssScoreV3:      5.6,
					CvssVectorV3:     cvssV3AdjacentVector,
					SeverityV3:       types.SeverityMedium,
					CweIDs:           []string{"CWE-125", "CWE-200"},
					LastModifiedDate: lastModified,
					PublishedDate:    published,
				},
				vulnerability.RedHat: {
					CvssScoreV3:  6.7,
					CvssVectorV3: cvssV3NetworkVector,
					SeverityV3:   types.SeverityHigh,
					Title:        testTitle,
					Description:  testDescription,
					References:   []string{testReference},
				},
			},
			want: types.Vulnerability{
				Title:       testTitle,
				Description: testDescription,
				Severity:    types.SeverityMedium.String(),
				VendorSeverity: types.VendorSeverity{
					vulnerability.NVD:    types.SeverityMedium,
					vulnerability.RedHat: types.SeverityHigh,
				},
				CVSS: types.VendorCVSS{
					vulnerability.NVD: types.CVSS{
						V2Vector: cvssV2Vector,
						V3Vector: cvssV3AdjacentVector,
						V2Score:  4.2,
						V3Score:  5.6,
					},
					// Red Hat supplied no v2 data; V2Vector/V2Score stay zero.
					vulnerability.RedHat: types.CVSS{
						V3Vector: cvssV3NetworkVector,
						V3Score:  6.7,
					},
				},
				CweIDs:           []string{"CWE-125", "CWE-200"},
				References:       []string{testReference},
				LastModifiedDate: lastModified,
				PublishedDate:    published,
			},
		},
		{
			name: "happy path, classifications for redhat, ubuntu and nodejs with variety of scores and vectors",
			details: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.RedHat: {
					ID:           "CVE-2020-1234",
					CvssScore:    4.2,
					CvssVector:   cvssV2Vector,
					CvssScoreV3:  5.6,
					CvssVectorV3: cvssV3NetworkVector,
					SeverityV3:   types.SeverityCritical,
					Title:        testTitle,
					Description:  testDescription,
					References:   []string{testReference},
				},
				vulnerability.Ubuntu: {
					ID:           "CVE-2020-1234",
					CvssScoreV3:  3.4,
					CvssVectorV3: cvssV3NetworkVector,
					Severity:     types.SeverityLow,
					SeverityV3:   types.SeverityMedium,
					Title:        testTitle,
					Description:  testDescription,
				},
				// A negative score is not a valid CVSS value; the expectations
				// below show it produces no CVSS and no VendorSeverity entry.
				vulnerability.NodejsSecurityWg: {
					ID:          "CVE-2020-1234",
					CvssScore:   -1,
					Title:       testTitle,
					Description: testDescription,
				},
			},
			want: types.Vulnerability{
				Title:       testTitle,
				Description: testDescription,
				// Headline severity is lower than Red Hat's own Critical
				// rating above. Presumably derived from Red Hat's 5.6 v3
				// score (CVSS Medium band) — confirm against Normalize.
				Severity: types.SeverityMedium.String(),
				VendorSeverity: types.VendorSeverity{
					vulnerability.RedHat: types.SeverityCritical,
					vulnerability.Ubuntu: types.SeverityMedium,
				},
				CVSS: types.VendorCVSS{
					vulnerability.RedHat: types.CVSS{
						V2Vector: cvssV2Vector,
						V3Vector: cvssV3NetworkVector,
						V2Score:  4.2,
						V3Score:  5.6,
					},
					vulnerability.Ubuntu: types.CVSS{
						V3Vector: cvssV3NetworkVector,
						V3Score:  3.4,
					},
				},
				References: []string{testReference},
			},
		},
		{
			name: "happy path, classifications for ubuntu and nodejs with variety vectors but no scores",
			details: map[types.SourceID]types.VulnerabilityDetail{
				vulnerability.Ubuntu: {
					ID:          "CVE-2020-1234",
					Severity:    types.SeverityLow,
					SeverityV3:  types.SeverityMedium,
					Title:       testTitle,
					Description: testDescription,
				},
				vulnerability.NodejsSecurityWg: {
					ID:          "CVE-2020-1234",
					Title:       testTitle,
					Description: testDescription,
				},
			},
			want: types.Vulnerability{
				Title:       testTitle,
				Description: testDescription,
				Severity:    types.SeverityMedium.String(),
				VendorSeverity: types.VendorSeverity{
					vulnerability.Ubuntu: types.SeverityMedium,
				},
				// An empty but non-nil map is expected here: assert.Equal
				// (reflect.DeepEqual) distinguishes it from a nil map.
				CVSS: types.VendorCVSS{},
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := vulnerability.New(nil).Normalize(tt.details)
			assert.Equal(t, tt.want, got)
		})
	}
}