package ruby

import (
	"context"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/quay/claircore"
)

// TestVulnerable table-tests Matcher.Vulnerable against OSV-style
// FixedInVersion range strings: a plain "fixed=" upper bound, a
// "lastAffected=" bound (a version equal to the bound is still expected to
// match), and "introduced=" with and without an upper bound. Each row pairs an
// indexed binary gem at a specific version with the vulnerability as the osv
// updater reports it and the expected verdict.
//
// NOTE(review): the first row spells the RepositoryHint as "RubyGems" while
// every other row uses "rubygems" and still expects a match — presumably the
// hint comparison is case-insensitive or the hint is not consulted; confirm
// against Matcher.Vulnerable before relying on that.
func TestVulnerable(t *testing.T) {
	m := &Matcher{}

	// record builds the indexed gem under test at the given version.
	record := func(name, version string) *claircore.IndexRecord {
		return &claircore.IndexRecord{
			Package: &claircore.Package{
				Name:    name,
				Version: version,
				Kind:    "binary",
			},
		}
	}

	// osv builds the vulnerability as the osv updater would emit it for a gem.
	osv := func(id, desc, pkg, hint, fixedIn string) *claircore.Vulnerability {
		return &claircore.Vulnerability{
			Updater:     "osv",
			Name:        id,
			Description: desc,
			Package: &claircore.Package{
				Name:           pkg,
				RepositoryHint: hint,
			},
			FixedInVersion: fixedIn,
		}
	}

	const (
		bootstrapDesc  = "Bootstrap Cross-site Scripting vulnerability"
		openshiftDesc  = "Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout which could result in a denial of service in cron.daily and cron.weekly."
		dependabotDesc = "Remote code execution in dependabot-core branch names when cloning"
	)

	cases := []struct {
		name   string
		record *claircore.IndexRecord
		vuln   *claircore.Vulnerability
		want   bool
	}{
		{
			name:   "bootstrap affected",
			record: record("bootstrap", "3.2.9"),
			vuln:   osv("GHSA-7mvr-5x2g-wfc8", bootstrapDesc, "bootstrap", "RubyGems", "fixed=4.1.2"),
			want:   true,
		},
		{
			// Release 4.1.2 sorts after the 4.1.2-alpha pre-release bound.
			name:   "bootstrap unaffected",
			record: record("bootstrap", "4.1.2"),
			vuln:   osv("GHSA-7mvr-5x2g-wfc8", bootstrapDesc, "bootstrap", "rubygems", "fixed=4.1.2-alpha"),
			want:   false,
		},
		{
			name:   "openshift-origin-node unfixed",
			record: record("openshift-origin-node", "1.3.2"),
			vuln:   osv("GHSA-2c25-xfpq-8n9r", openshiftDesc, "openshift-origin-node", "rubygems", "lastAffected=1.3.3"),
			want:   true,
		},
		{
			// The lastAffected version itself is inclusive.
			name:   "openshift-origin-node unfixed again",
			record: record("openshift-origin-node", "1.3.3"),
			vuln:   osv("GHSA-2c25-xfpq-8n9r", openshiftDesc, "openshift-origin-node", "rubygems", "lastAffected=1.3.3"),
			want:   true,
		},
		{
			name:   "dependabot-omnibus affected",
			record: record("dependabot-omnibus", "0.120.0.beta2"),
			vuln:   osv("GHSA-23f7-99jx-m54r", dependabotDesc, "dependabot-omnibus", "rubygems", "fixed=0.125.1&introduced=0.119.0.beta1"),
			want:   true,
		},
		{
			// alpha3 precedes the beta1 pre-release at which the range opens.
			name:   "dependabot-omnibus unaffected",
			record: record("dependabot-omnibus", "0.119.0-alpha3"),
			vuln:   osv("GHSA-23f7-99jx-m54r", dependabotDesc, "dependabot-omnibus", "rubygems", "fixed=0.125.1&introduced=0.119.0-beta1"),
			want:   false,
		},
		{
			// No fixed= bound: everything from the introduced version on is affected.
			name:   "dependabot-omnibus no upper bound",
			record: record("dependabot-omnibus", "0.119.0"),
			vuln:   osv("GHSA-23f7-99jx-m54r", dependabotDesc, "dependabot-omnibus", "rubygems", "introduced=0.119.0-beta1"),
			want:   true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got, err := m.Vulnerable(context.Background(), tc.record, tc.vuln)
			if err != nil {
				t.Fatal(err)
			}
			if !cmp.Equal(got, tc.want) {
				t.Error(cmp.Diff(got, tc.want))
			}
		})
	}
}