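package rhcc

import (
	"context"
	"math"
	"os"
	"sort"
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"github.com/quay/zlog"

	"github.com/quay/claircore"
	"github.com/quay/claircore/toolkit/types/cpe"
)

// Advisory descriptions shared by several expected vulnerabilities. They are
// compared byte-for-byte against the parser output, so they must match the
// fixture XML exactly.
const (
	clairDesc = "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution."
	log4jDesc = "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint."
	kubeDesc  = "A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like `kubectl`. Previously, CVE-2019-11250 was assigned for the same issue for logging levels of at least 4."
)

// mustTime parses an RFC 3339 timestamp used as an expected Issued value and
// fails the test immediately if the literal does not parse. Discarding the
// parse error (the previous `time.Parse(...), _` form) would silently turn a
// typo in a fixture date into the zero time and make the resulting mismatch
// look like a parser regression.
func mustTime(t testing.TB, value string) time.Time {
	t.Helper()
	ts, err := time.Parse(time.RFC3339, value)
	if err != nil {
		t.Fatalf("parsing test timestamp %q: %v", value, err)
	}
	return ts
}

// rhctag builds a claircore.Version of kind "rhctag" whose leading components
// are parts; the remaining components of the fixed-size array stay zero.
// Calling it with no arguments yields the all-zero version used as an open
// lower bound.
func rhctag(parts ...int32) claircore.Version {
	v := claircore.Version{Kind: "rhctag"}
	copy(v.V[:], parts)
	return v
}

// TestDB runs the updater's Parse over the checked-in Red Hat container
// advisory fixtures and compares the produced vulnerabilities, field by
// field, against hand-written expectations.
func TestDB(t *testing.T) {
	t.Parallel()

	issued20210928 := mustTime(t, "2021-09-28T00:00:00Z")
	issued20211214 := mustTime(t, "2021-12-14T00:00:00Z")
	issued20211216 := mustTime(t, "2021-12-16T00:00:00Z")
	issued20210519 := mustTime(t, "2021-05-19T00:00:00Z")
	issued20210803 := mustTime(t, "2021-08-03T00:00:00Z")

	tt := []dbTestcase{
		{
			Name: "Clair",
			File: "testdata/cve-2021-3762.xml",
			Want: []*claircore.Vulnerability{
				{
					Name:               "RHSA-2021:3665",
					Description:        clairDesc,
					Package:            &claircore.Package{Name: "quay/clair-rhel8", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20210928,
					Severity:           "Important",
					Links:              "https://access.redhat.com/errata/RHSA-2021:3665 https://access.redhat.com/security/cve/CVE-2021-3762",
					NormalizedSeverity: claircore.High,
					FixedInVersion:     "v3.5.7-8",
					Repo:               &goldRepo,
					Range: &claircore.Range{
						Lower: rhctag(),
						Upper: rhctag(3, 5, math.MaxInt32),
					},
				},
			},
		},
		{
			Name: "Hive",
			File: "testdata/cve-2021-44228-ose-metering-hive.xml",
			Want: []*claircore.Vulnerability{
				{
					Name:               "RHSA-2021:5106",
					Description:        log4jDesc,
					Package:            &claircore.Package{Name: "openshift4/ose-metering-hive", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20211216,
					Severity:           "Moderate",
					Links:              "https://access.redhat.com/errata/RHSA-2021:5106 https://access.redhat.com/security/cve/CVE-2021-44228",
					NormalizedSeverity: claircore.Medium,
					Range: &claircore.Range{
						Lower: rhctag(),
						Upper: rhctag(4, 6, math.MaxInt32),
					},
					FixedInVersion: "v4.6.0-202112140546.p0.g8b9da97.assembly.stream",
					Repo:           &goldRepo,
				},
				{
					Name:               "RHSA-2021:5107",
					Description:        log4jDesc,
					Package:            &claircore.Package{Name: "openshift4/ose-metering-hive", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20211216,
					Severity:           "Critical",
					Links:              "https://access.redhat.com/errata/RHSA-2021:5107 https://access.redhat.com/security/cve/CVE-2021-44228",
					NormalizedSeverity: claircore.Critical,
					Range: &claircore.Range{
						Lower: rhctag(4, 7),
						Upper: rhctag(4, 7, math.MaxInt32),
					},
					FixedInVersion: "v4.7.0-202112140553.p0.g091bb99.assembly.stream",
					Repo:           &goldRepo,
				},
				{
					Name:               "RHSA-2021:5108",
					Description:        log4jDesc,
					Package:            &claircore.Package{Name: "openshift4/ose-metering-hive", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20211214,
					Severity:           "Critical",
					Links:              "https://access.redhat.com/errata/RHSA-2021:5108 https://access.redhat.com/security/cve/CVE-2021-44228",
					NormalizedSeverity: claircore.Critical,
					Range: &claircore.Range{
						Lower: rhctag(4, 8),
						Upper: rhctag(4, 8, math.MaxInt32),
					},
					FixedInVersion: "v4.8.0-202112132154.p0.g57dd03a.assembly.stream",
					Repo:           &goldRepo,
				},
			},
		},
		{
			Name: "Logging",
			File: "testdata/cve-2021-44228-openshift-logging.xml",
			Want: []*claircore.Vulnerability{
				{
					Name:               "RHSA-2021:5129",
					Description:        log4jDesc,
					Package:            &claircore.Package{Name: "openshift-logging/elasticsearch6-rhel8", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20211214,
					Severity:           "Critical",
					NormalizedSeverity: claircore.Critical,
					Links:              "https://access.redhat.com/errata/RHSA-2021:5129 https://access.redhat.com/security/cve/CVE-2021-44228",
					Range: &claircore.Range{
						Lower: rhctag(6, 8),
						Upper: rhctag(6, 8, math.MaxInt32),
					},
					FixedInVersion: "v6.8.1-65",
					Repo:           &goldRepo,
				},
				{
					Name:               "RHSA-2021:5137",
					Description:        log4jDesc,
					Package:            &claircore.Package{Name: "openshift-logging/elasticsearch6-rhel8", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20211214,
					Severity:           "Moderate",
					Links:              "https://access.redhat.com/errata/RHSA-2021:5137 https://access.redhat.com/security/cve/CVE-2021-44228",
					NormalizedSeverity: claircore.Medium,
					Range: &claircore.Range{
						Lower: rhctag(),
						Upper: rhctag(5, 0, math.MaxInt32),
					},
					FixedInVersion: "v5.0.10-1",
					Repo:           &goldRepo,
				},
			},
		},
		{
			Name: "Kubernetes",
			File: "testdata/cve-2020-8565.xml",
			Want: []*claircore.Vulnerability{
				{
					Name:               "RHBA-2021:3003",
					Description:        kubeDesc,
					Package:            &claircore.Package{Name: "ocs4/rook-ceph-rhel8-operator", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20210803,
					Severity:           "Moderate",
					NormalizedSeverity: claircore.Medium,
					Links:              "https://access.redhat.com/errata/RHBA-2021:3003 https://access.redhat.com/security/cve/CVE-2020-8565",
					Range: &claircore.Range{
						Lower: rhctag(4, 8),
						Upper: rhctag(4, 8, math.MaxInt32),
					},
					FixedInVersion: "4.8-167.9a9db5f.release_4.8",
					Repo:           &goldRepo,
				},
				{
					Name:               "RHSA-2021:2041",
					Description:        kubeDesc,
					Package:            &claircore.Package{Name: "ocs4/rook-ceph-rhel8-operator", Kind: claircore.BINARY},
					Updater:            "rhel-container-updater",
					Issued:             issued20210519,
					Severity:           "Moderate",
					Links:              "https://access.redhat.com/errata/RHSA-2021:2041 https://access.redhat.com/security/cve/CVE-2020-8565",
					NormalizedSeverity: claircore.Medium,
					Range: &claircore.Range{
						Lower: rhctag(),
						Upper: rhctag(4, 7, math.MaxInt32),
					},
					FixedInVersion: "4.7-140.49a6fcf.release_4.7",
					Repo:           &goldRepo,
				},
			},
		},
	}

	for _, tc := range tt {
		t.Run(tc.Name, tc.Run)
	}
}

// dbTestcase is one fixture-driven parser check: File is the advisory XML
// handed to the updater and Want is the exact set of vulnerabilities it is
// expected to produce, in Name order.
type dbTestcase struct {
	Name string
	File string
	Want []*claircore.Vulnerability
}

// cpeUnbind unbinds a CPE string for use in test expectations. The unbind
// error is deliberately dropped so that the helper can be used inline in
// composite literals; on a malformed input it returns the zero WFN, so
// callers must only pass literals known to be well-formed.
func cpeUnbind(cpeValue string) cpe.WFN {
	wfn, _ := cpe.Unbind(cpeValue)
	return wfn
}

// Run parses tc.File with a fresh updater and compares the result against
// tc.Want. It fails fast on a count mismatch, then reports a structural diff
// of any remaining differences.
func (tc dbTestcase) Run(t *testing.T) {
	ctx := zlog.Test(context.Background(), t)

	f, err := os.Open(tc.File)
	if err != nil {
		t.Fatal(err)
	}
	defer f.Close()

	u := &updater{}
	got, err := u.Parse(ctx, f)
	if err != nil {
		t.Fatal(err)
	}
	t.Logf("found %d vulnerabilities", len(got))
	if len(got) != len(tc.Want) {
		t.Fatalf("got: %d vulnerabilities, want %d vulnerabilities", len(got), len(tc.Want))
	}
	// Sort for the comparison, because the Vulnerabilities method can return
	// the slice in any order. tc.Want is written in Name order by hand.
	sort.SliceStable(got, func(i, j int) bool { return got[i].Name < got[j].Name })
	if !cmp.Equal(tc.Want, got) {
		t.Error(cmp.Diff(tc.Want, got))
	}
}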