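package rhel

import (
	"context"
	"encoding/xml"
	"os"
	"testing"
	"time"

	"github.com/quay/goval-parser/oval"
	"github.com/quay/zlog"

	"github.com/quay/claircore/libvuln/driver"
)

// TestCVEDefFromUnpatched checks how the RHEL updater handles OVAL
// definitions for "unpatched" CVEs (flaws with no fix shipped yet).
// With the default configuration every definition in the fixture is
// reported; with ignoreUnpatched set, none of them are.
//
// NOTE(review): the "ignore unpatched" case pins the count at 0. That means
// those CVEs are *hidden* from scan results, not fixed — anyone enabling the
// option trades fewer findings for losing visibility of fix-not-available
// issues. Keep this test so that trade-off stays explicit.
func TestCVEDefFromUnpatched(t *testing.T) {
	ctx := context.Background()
	table := []struct {
		name              string
		fileName          string
		configFunc        driver.ConfigUnmarshaler
		expectedVulnCount int
		ignoreUnpatched   bool
	}{
		{
			name:              "default path",
			fileName:          "testdata/rhel-8-rpm-unpatched.xml",
			configFunc:        func(_ interface{}) error { return nil },
			expectedVulnCount: 192,
		},
		{
			name:              "ignore unpatched path",
			fileName:          "testdata/rhel-8-rpm-unpatched.xml",
			configFunc:        func(_ interface{}) error { return nil },
			ignoreUnpatched:   true,
			expectedVulnCount: 0,
		},
	}

	for _, test := range table {
		t.Run(test.name, func(t *testing.T) {
			ctx := zlog.Test(ctx, t)

			f, err := os.Open(test.fileName)
			if err != nil {
				t.Fatal(err)
			}
			defer f.Close()

			// The URL is never fetched here; Parse is fed the fixture
			// directly, so a dummy file URL is enough.
			u, err := NewUpdater("rhel-8-unpatched-updater", 8, "file:///dev/null", test.ignoreUnpatched)
			if err != nil {
				t.Fatal(err)
			}
			// Configure's error used to be discarded; a misconfigured updater
			// would then have parsed with defaults and still "passed".
			if err := u.Configure(ctx, test.configFunc, nil); err != nil {
				t.Fatal(err)
			}

			vulns, err := u.Parse(ctx, f)
			if err != nil {
				t.Fatal(err)
			}
			if len(vulns) != test.expectedVulnCount {
				t.Fatalf("was expecting %d vulns, but got %d", test.expectedVulnCount, len(vulns))
			}
		})
	}
}

// TestParse parses a real RHSA OVAL document and checks that every affected
// package is emitted once per CPE (repository) it maps to.
func TestParse(t *testing.T) {
	t.Parallel()
	ctx := zlog.Test(context.Background(), t)

	u, err := NewUpdater(`rhel-3-updater`, 3, "file:///dev/null", false)
	if err != nil {
		t.Fatal(err)
	}
	f, err := os.Open("testdata/com.redhat.rhsa-20201980.xml")
	if err != nil {
		t.Fatal(err)
	}
	// The file handle was leaked in the original version of this test.
	defer f.Close()

	vs, err := u.Parse(ctx, f)
	if err != nil {
		t.Fatal(err)
	}
	t.Logf("found %d vulnerabilities", len(vs))
	// 15 packages, 2 cpes = 30 vulnerabilities
	if got, want := len(vs), 30; got != want {
		t.Fatalf("got: %d vulnerabilities, want: %d vulnerabilities", got, want)
	}

	// Tally vulnerabilities by repository (CPE) name. Fail with a message
	// rather than a nil-pointer panic if Parse ever emits a vulnerability
	// without a repository.
	count := make(map[string]int)
	for i, vuln := range vs {
		if vuln.Repo == nil {
			t.Fatalf("vulnerability %d (%q) has no repository", i, vuln.Name)
		}
		count[vuln.Repo.Name]++
	}

	const (
		base      = "cpe:/a:redhat:enterprise_linux:8"
		appstream = "cpe:/a:redhat:enterprise_linux:8::appstream"
	)
	if count[base] != 15 || count[appstream] != 15 {
		t.Fatalf("got: %v vulnerabilities with, want 15 of each", count)
	}
}

// Here's a giant restructured struct for reference and tests.
//
// It is the fully decoded form of the RHSA-2010:0401 (tetex) definition. Note
// that each package criterion is ANDed with a "signed with Red Hat master key"
// test, so the advisory only matches Red Hat-signed builds of the package.
var ovalDef = oval.Definition{
	XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "definition"},
	ID:      "oval:com.redhat.rhsa:def:20100401",
	Class:   "patch",
	Title:   "RHSA-2010:0401: tetex security update (Moderate)",
	Affecteds: []oval.Affected{
		{
			XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "affected"},
			Family:    "unix",
			Platforms: []string{"Red Hat Enterprise Linux 3"},
		},
	},
	References: []oval.Reference{
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "RHSA",
			RefID:   "RHSA-2010:0401",
			RefURL:  "https://access.redhat.com/errata/RHSA-2010:0401",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2007-5935",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2007-5935",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2009-0791",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2009-0791",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2009-3609",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2009-3609",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2010-0739",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2010-0739",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2010-0827",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2010-0827",
		},
		{
			XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "reference"},
			Source:  "CVE",
			RefID:   "CVE-2010-1440",
			RefURL:  "https://access.redhat.com/security/cve/CVE-2010-1440",
		},
	},
	Description: "teTeX is an implementation of TeX. TeX takes a text file and a set of\nformatting commands as input, and creates a typesetter-independent DeVice\nIndependent (DVI) file as output.\n\nA buffer overflow flaw was found in the way teTeX processed virtual font\nfiles when converting DVI files into PostScript. An attacker could create a\nmalicious DVI file that would cause the dvips executable to crash or,\npotentially, execute arbitrary code. (CVE-2010-0827)\n\nMultiple integer overflow flaws were found in the way teTeX processed\nspecial commands when converting DVI files into PostScript. An attacker\ncould create a malicious DVI file that would cause the dvips executable to\ncrash or, potentially, execute arbitrary code. (CVE-2010-0739,\nCVE-2010-1440)\n\nA stack-based buffer overflow flaw was found in the way teTeX processed DVI\nfiles containing HyperTeX references with long titles, when converting them\ninto PostScript. An attacker could create a malicious DVI file that would\ncause the dvips executable to crash. (CVE-2007-5935)\n\nteTeX embeds a copy of Xpdf, an open source Portable Document Format (PDF)\nfile viewer, to allow adding images in PDF format to the generated PDF\ndocuments. The following issues affect Xpdf code:\n\nMultiple integer overflow flaws were found in Xpdf. If a local user\ngenerated a PDF file from a TeX document, referencing a specially-crafted\nPDF file, it would cause Xpdf to crash or, potentially, execute arbitrary\ncode with the privileges of the user running pdflatex. (CVE-2009-0791,\nCVE-2009-3609)\n\nAll users of tetex are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.",
	Advisory: oval.Advisory{
		XMLName:  xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "advisory"},
		Severity: "Moderate",
		Cves: []oval.Cve{
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2007-5935",
				Cvss2:   "",
				Cvss3:   "",
				Cwe:     "",
				Impact:  "low",
				Href:    "https://access.redhat.com/security/cve/CVE-2007-5935",
				Public:  "20071017",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2009-0791",
				Cvss2:   "5.8/AV:A/AC:L/Au:N/C:P/I:P/A:P",
				Cvss3:   "",
				Cwe:     "CWE-190",
				Impact:  "",
				Href:    "https://access.redhat.com/security/cve/CVE-2009-0791",
				Public:  "20090519",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2009-3609",
				Cvss2:   "2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P",
				Cvss3:   "",
				Cwe:     "CWE-190",
				Impact:  "low",
				Href:    "https://access.redhat.com/security/cve/CVE-2009-3609",
				Public:  "20091014",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2010-0739",
				Cvss2:   "6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P",
				Cvss3:   "",
				Cwe:     "CWE-190",
				Impact:  "",
				Href:    "https://access.redhat.com/security/cve/CVE-2010-0739",
				Public:  "20100412",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2010-0827",
				Cvss2:   "6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P",
				Cvss3:   "",
				Cwe:     "",
				Impact:  "",
				Href:    "https://access.redhat.com/security/cve/CVE-2010-0827",
				Public:  "20100325",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "cve"},
				CveID:   "CVE-2010-1440",
				Cvss2:   "6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P",
				Cvss3:   "",
				Cwe:     "CWE-190",
				Impact:  "",
				Href:    "https://access.redhat.com/security/cve/CVE-2010-1440",
				Public:  "20100503",
			},
		},
		Bugzillas: []oval.Bugzilla{
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "368591",
				URL:     "https://bugzilla.redhat.com/368591",
				Title:   "CVE-2007-5935 dvips -z buffer overflow with long href",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "491840",
				URL:     "https://bugzilla.redhat.com/491840",
				Title:   "CVE-2009-0791 xpdf: multiple integer overflows",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "526893",
				URL:     "https://bugzilla.redhat.com/526893",
				Title:   "CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "572914",
				URL:     "https://bugzilla.redhat.com/572914",
				Title:   "CVE-2010-0827 tetex, texlive: Buffer overflow flaw by processing virtual font files",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "572941",
				URL:     "https://bugzilla.redhat.com/572941",
				Title:   "CVE-2010-0739 tetex, texlive: Integer overflow by processing special commands",
			},
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "bugzilla"},
				ID:      "586819",
				URL:     "https://bugzilla.redhat.com/586819",
				Title:   "CVE-2010-1440 tetex, texlive: Integer overflow by processing special commands",
			},
		},
		AffectedCPEList: []string{"cpe:/o:redhat:enterprise_linux:3"},
		Refs:            []oval.Ref(nil),
		Bugs:            []oval.Bug(nil),
		Issued: oval.Date{
			Date: time.Date(2010, 5, 6, 0, 0, 0, 0, time.UTC),
		},
		Updated: oval.Date{
			Date: time.Date(2010, 5, 6, 0, 0, 0, 0, time.UTC),
		},
	},
	Debian: oval.Debian{XMLName: xml.Name{Space: "", Local: ""}, MoreInfo: "", Date: oval.Date{Date: time.Time{}}},
	Criteria: oval.Criteria{
		XMLName:  xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
		Operator: "AND",
		Criterias: []oval.Criteria{
			{
				XMLName:  xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
				Operator: "OR",
				Criterias: []oval.Criteria{
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401001",
								Comment: "tetex-xdvi is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160004",
								Comment: "tetex-xdvi is signed with Red Hat master key",
							},
						},
					},
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401003",
								Comment: "tetex-fonts is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160012",
								Comment: "tetex-fonts is signed with Red Hat master key",
							},
						},
					},
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401005",
								Comment: "tetex-dvips is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160008",
								Comment: "tetex-dvips is signed with Red Hat master key",
							},
						},
					},
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401007",
								Comment: "tetex is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160002",
								Comment: "tetex is signed with Red Hat master key",
							},
						},
					},
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401009",
								Comment: "tetex-afm is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160010",
								Comment: "tetex-afm is signed with Red Hat master key",
							},
						},
					},
					{
						XMLName:   xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criteria"},
						Operator:  "AND",
						Criterias: []oval.Criteria(nil),
						Criterions: []oval.Criterion{
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20100401011",
								Comment: "tetex-latex is earlier than 0:1.0.7-67.19",
							},
							{
								XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
								Negate:  false,
								TestRef: "oval:com.redhat.rhsa:tst:20060160006",
								Comment: "tetex-latex is signed with Red Hat master key",
							},
						},
					},
				},
				Criterions: []oval.Criterion(nil),
			},
		},
		Criterions: []oval.Criterion{
			{
				XMLName: xml.Name{Space: "http://oval.mitre.org/XMLSchema/oval-definitions-5", Local: "criterion"},
				Negate:  false,
				TestRef: "oval:com.redhat.rhba:tst:20070026003",
				Comment: "Red Hat Enterprise Linux 3 is installed",
			},
		},
	},
}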