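// Listing of github.com/quay/claircore@v1.5.28/updater/osv/cvss_test.go

package osv

import (
	"context"
	"testing"

	"github.com/quay/claircore"

	"github.com/quay/zlog"
)

// Test harness adapted from https://github.com/goark/go-cvss/blob/634a87a6c9dd62c8d061d04133e022627cc0e1f8/v3/base/base_test.go

// TestCVSS exercises the CVSS vector handling in this package.
//
// It has three subtests:
//   - "Error": fromCVSS3 must accept well-formed 3.0/3.1 vectors and return
//     an error for every malformed or unsupported one in the table.
//   - "Severity": fromCVSS3 must map each CVSS v3.1 vector to the expected
//     claircore.Severity.
//   - "V2": fromCVSS2 must map each CVSS v2 vector to the expected
//     claircore.Severity.
//
// The severity is derived from the vector string alone, so every failure
// message names the vector that produced it.
func TestCVSS(t *testing.T) {
	t.Run("Error", func(t *testing.T) {
		ctx := zlog.Test(context.Background(), t)
		tcs := []struct {
			vector string
			err    bool
		}{
			// Well-formed vectors: both 3.0 and 3.1 prefixes must parse.
			{vector: "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N"},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N"},
			// Wrong prefix, wrong version, and a vector with no metrics.
			{vector: "XXX:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", err: true},
			{vector: "CVSS:2.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", err: true},
			{vector: "CVSS:3.1", err: true},
			// NOTE(review): this vector is malformed twice (no colon after
			// "CVSS" and AV:X), so it does not isolate the prefix check.
			{vector: "CVSS3.1/AV:X/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", err: true},
			// Bad separator inside a metric, then an unknown metric name.
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A-N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/X:N", err: true},
			// One invalid value ("X") per base metric, last metric first.
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:X", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:X/A:N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:X/I:N/A:N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:X/C:N/I:N/A:N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:X/S:U/C:N/I:N/A:N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:H/PR:X/UI:R/S:U/C:N/I:N/A:N", err: true},
			{vector: "CVSS:3.1/AV:P/AC:X/PR:H/UI:R/S:U/C:N/I:N/A:N", err: true},
			{vector: "CVSS:3.1/AV:X/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", err: true},
		}
		for _, tc := range tcs {
			_, err := fromCVSS3(ctx, tc.vector)
			t.Logf("in: %q, got: %v", tc.vector, err)
			// Report the two mismatch directions separately: a bad vector
			// that was accepted has no error value worth printing.
			switch {
			case tc.err && err == nil:
				t.Errorf("vector %q: expected an error, got none", tc.vector)
			case !tc.err && err != nil:
				t.Errorf("vector %q: unexpected error: %v", tc.vector, err)
			}
		}
	})

	t.Run("Severity", func(t *testing.T) {
		ctx := zlog.Test(context.Background(), t)
		tcs := []struct {
			vector   string
			severity claircore.Severity
		}{
			{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", severity: claircore.Negligible}, // Zero metrics
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", severity: claircore.High},       // CVE-2015-8252
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", severity: claircore.Medium},     // CVE-2013-1937
			{vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", severity: claircore.Medium},     // CVE-2013-0375
			{vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", severity: claircore.Low},        // CVE-2014-3566
			{vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", severity: claircore.Critical},   // CVE-2012-1516
			{vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", severity: claircore.High},       // CVE-2012-0384
			{vector: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", severity: claircore.High},       // CVE-2015-1098
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", severity: claircore.High},       // CVE-2014-0160
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", severity: claircore.Critical},   // CVE-2014-6271
			{vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", severity: claircore.Medium},     // CVE-2008-1447
			{vector: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", severity: claircore.Medium},     // CVE-2014-2005
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", severity: claircore.Medium},     // CVE-2010-0467
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", severity: claircore.Medium},     // CVE-2012-1342
			{vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", severity: claircore.Medium},     // CVE-2014-9253
			{vector: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", severity: claircore.High},       // CVE-2009-0658
			{vector: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", severity: claircore.High},       // CVE-2011-1265
			{vector: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", severity: claircore.Medium},     // CVE-2014-2019
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", severity: claircore.High},       // CVE-2015-0970
			{vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", severity: claircore.High},       // CVE-2014-0224
			{vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", severity: claircore.Critical},   // CVE-2012-5376
		}

		for _, tc := range tcs {
			sev, err := fromCVSS3(ctx, tc.vector)
			t.Logf("in: %q, got: %v", tc.vector, sev)
			if err != nil {
				t.Errorf("vector %q: unexpected error: %v", tc.vector, err)
				// The returned severity is meaningless after an error;
				// comparing it would only add a second, misleading failure.
				continue
			}
			if got, want := sev, tc.severity; got != want {
				t.Errorf("vector %q: got: %v, want: %v", tc.vector, got, want)
			}
		}
	})

	t.Run("V2", func(t *testing.T) {
		// NOTE(review): only well-formed v2 vectors are covered here; this
		// subtest has no rejection cases for fromCVSS2.
		tcs := []struct {
			vector   string
			severity claircore.Severity
		}{
			{vector: "AV:N/AC:L/Au:N/C:N/I:N/A:C", severity: claircore.High},   // CVE-2002-0392
			{vector: "AV:N/AC:L/Au:N/C:C/I:C/A:C", severity: claircore.High},   // CVE-2003-0818
			{vector: "AV:L/AC:H/Au:N/C:C/I:C/A:C", severity: claircore.Medium}, // CVE-2003-0062
		}

		for _, tc := range tcs {
			sev, err := fromCVSS2(tc.vector)
			t.Logf("in: %q, got: %v", tc.vector, sev)
			if err != nil {
				t.Errorf("vector %q: unexpected error: %v", tc.vector, err)
				// Skip the severity comparison: sev carries no meaning
				// when fromCVSS2 reported an error.
				continue
			}
			if got, want := sev, tc.severity; got != want {
				t.Errorf("vector %q: got: %v, want: %v", tc.vector, got, want)
			}
		}
	})
}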