clair/ext/vulnsrc/oracle/oracle_test.go

// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package oracle

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"testing"

	"github.com/coreos/clair/database"
	"github.com/coreos/clair/ext/versionfmt/rpm"
	"github.com/stretchr/testify/assert"
)

func TestOracleParserOneCve(t *testing.T) {
	_, filename, _, _ := runtime.Caller(0)
	path := filepath.Join(filepath.Dir(filename))

	// Test parsing testdata/fetcher_oracle_test.1.xml
	testFile, _ := os.Open(filepath.Join(path, "/testdata/fetcher_oracle_test.1.xml"))
	defer testFile.Close()

	vulnerabilities, err := parseELSA(testFile)
	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
		assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)
		assert.Equal(t, "http://linux.oracle.com/cve/CVE-2015-0252.html", vulnerabilities[0].Link)
		assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
		assert.Equal(t, ` [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 `, vulnerabilities[0].Description)

		expectedFeatures := []database.AffectedFeature{
			{
				FeatureType: affectedType,
				Namespace: database.Namespace{
					Name:          "oracle:7",
					VersionFormat: rpm.ParserName,
				},
				FeatureName:     "xerces-c",
				FixedInVersion:  "0:3.1.1-7.el7_1",
				AffectedVersion: "0:3.1.1-7.el7_1",
			},
			{
				FeatureType: affectedType,
				Namespace: database.Namespace{
					Name:          "oracle:7",
					VersionFormat: rpm.ParserName,
				},
				FeatureName:     "xerces-c-devel",
				FixedInVersion:  "0:3.1.1-7.el7_1",
				AffectedVersion: "0:3.1.1-7.el7_1",
			},
			{
				FeatureType: affectedType,
				Namespace: database.Namespace{
					Name:          "oracle:7",
					VersionFormat: rpm.ParserName,
				},
				FeatureName:     "xerces-c-doc",
				FixedInVersion:  "0:3.1.1-7.el7_1",
				AffectedVersion: "0:3.1.1-7.el7_1",
			},
		}

		for _, expectedFeature := range expectedFeatures {
			assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)
		}
	}
}

func TestELSAParserMultipleCVE(t *testing.T) {
	testFile, _ := os.Open("testdata/fetcher_oracle_test.2.xml")
	defer testFile.Close()

	vulnerabilities, err := parseELSA(testFile)

	// Expected
	expectedCve := []string{"CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727",
		"CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734",
		"CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739",
		"CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743"}
	expectedSeverity := []string{"Negligible", "Low", "Medium", "High",
		"Critical", "Unknown", "Critical", "Critical", "Critical",
		"Critical", "Critical", "Critical", "Critical", "Critical",
		"Critical", "Critical", "Critical"}

	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, len(expectedCve)) {
		for i, vulnerability := range vulnerabilities {
			assert.Equal(t, expectedCve[i], vulnerability.Name)
			assert.Equal(t, fmt.Sprintf("http://linux.oracle.com/cve/%s.html", expectedCve[i]), vulnerability.Link)
			assert.Equal(t, database.Severity(expectedSeverity[i]), vulnerability.Severity)
			assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerability.Description)
		}
	}
}

func TestELSAComparison(t *testing.T) {
	var table = []struct {
		left     int
		right    int
		expected int
	}{
		{20170935, 20170935, 0},
		{20170934, 20170935, -1},
		{20170936, 20170935, 1},

		{20170935, 201709331, 1},
		{201709351, 20170935, 1},
		{201709331, 20170935, -1},
	}

	for _, tt := range table {
		assert.Equal(t, tt.expected, compareELSA(tt.left, tt.right))
	}
}
clair: remove `types` package This removes the `types` package instead moving the contents to the top-level clair package. This change also renames the `Priority` type to `Severity` in order to reduce confusion. This change also removes the IsValid method and replaces it with a safe constructor to avoid the creation of invalid values. Many docstrings were tweaked in the making of this commit. 2017-01-15 15:52:13 +00:00			`// Copyright 2017 clair authors`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package oracle`

			`import (`
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`"fmt"`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`"os"`
			`"path/filepath"`
			`"runtime"`
			`"testing"`

			`"github.com/coreos/clair/database"`
versionfmt: convert to using constant over literal 2017-01-03 21:00:20 +00:00			`"github.com/coreos/clair/ext/versionfmt/rpm"`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`"github.com/stretchr/testify/assert"`
			`)`

vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`func TestOracleParserOneCve(t *testing.T) {`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`_, filename, _, _ := runtime.Caller(0)`
			`path := filepath.Join(filepath.Dir(filename))`

			`// Test parsing testdata/fetcher_oracle_test.1.xml`
vulnsrc: Refactor vulnerability sources to use utility functions 2018-10-19 20:38:54 +00:00			`testFile, _ := os.Open(filepath.Join(path, "/testdata/fetcher_oracle_test.1.xml"))`
Updated fetcher and tests to close the file handles and HTTP response. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 01:14:10 +00:00			`defer testFile.Close()`

Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`vulnerabilities, err := parseELSA(testFile)`
			`if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {`
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)`
			`assert.Equal(t, "http://linux.oracle.com/cve/CVE-2015-0252.html", vulnerabilities[0].Link)`
clair: mv updater clair and mv severity to db 2017-01-19 18:42:37 +00:00			`assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			assert.Equal(t, ` [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 `, vulnerabilities[0].Description)

Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`expectedFeatures := []database.AffectedFeature{`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`{`
database: Rename affected Type to feature type 2019-02-19 21:36:31 +00:00			`FeatureType: affectedType,`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`Namespace: database.Namespace{`
			`Name: "oracle:7",`
			`VersionFormat: rpm.ParserName,`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`FeatureName: "xerces-c",`
			`FixedInVersion: "0:3.1.1-7.el7_1",`
			`AffectedVersion: "0:3.1.1-7.el7_1",`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
			`{`
database: Rename affected Type to feature type 2019-02-19 21:36:31 +00:00			`FeatureType: affectedType,`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`Namespace: database.Namespace{`
			`Name: "oracle:7",`
			`VersionFormat: rpm.ParserName,`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`FeatureName: "xerces-c-devel",`
			`FixedInVersion: "0:3.1.1-7.el7_1",`
			`AffectedVersion: "0:3.1.1-7.el7_1",`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
			`{`
database: Rename affected Type to feature type 2019-02-19 21:36:31 +00:00			`FeatureType: affectedType,`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`Namespace: database.Namespace{`
			`Name: "oracle:7",`
			`VersionFormat: rpm.ParserName,`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`FeatureName: "xerces-c-doc",`
			`FixedInVersion: "0:3.1.1-7.el7_1",`
			`AffectedVersion: "0:3.1.1-7.el7_1",`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`},`
			`}`

Clair Logic, Extensions: updated mock tests, extensions, basic logic Main Clair logic is changed in worker, updater, notifier for better adapting ancestry schema. Extensions are updated with the new model and feature lister and namespace detector drivers are able to specify the specific listers and detectors used to process layer's content. InRange and GetFixedIn interfaces are added to Version format for adapting ranged affected features and next available fixed in in the future. Tests for worker, updater and extensions are fixed. 2017-07-26 23:22:29 +00:00			`for _, expectedFeature := range expectedFeatures {`
			`assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`}`
			`}`
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`}`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`func TestELSAParserMultipleCVE(t *testing.T) {`
			`testFile, _ := os.Open("testdata/fetcher_oracle_test.2.xml")`
			`defer testFile.Close()`
Updated fetcher and tests to close the file handles and HTTP response. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 01:14:10 +00:00
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`vulnerabilities, err := parseELSA(testFile)`
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00
vulnsrc_oracle: one vulnerability per CVE Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499. 2018-11-02 23:28:54 +00:00			`// Expected`
			`expectedCve := []string{"CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727",`
			`"CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734",`
			`"CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739",`
			`"CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743"}`
			`expectedSeverity := []string{"Negligible", "Low", "Medium", "High",`
			`"Critical", "Unknown", "Critical", "Critical", "Critical",`
			`"Critical", "Critical", "Critical", "Critical", "Critical",`
			`"Critical", "Critical", "Critical"}`

			`if assert.Nil(t, err) && assert.Len(t, vulnerabilities, len(expectedCve)) {`
			`for i, vulnerability := range vulnerabilities {`
			`assert.Equal(t, expectedCve[i], vulnerability.Name)`
			`assert.Equal(t, fmt.Sprintf("http://linux.oracle.com/cve/%s.html", expectedCve[i]), vulnerability.Link)`
			`assert.Equal(t, database.Severity(expectedSeverity[i]), vulnerability.Severity)`
			assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerability.Description)
Add Oracle Linux fetcher to grab and parse OVAL data. Signed-off-by: Avi Miller <avi.miller@oracle.com> 2016-12-20 00:25:07 +00:00			`}`
			`}`
			`}`
ext/vulnsrc/oracle: fix ELSA version comparison Previously we naively compared integers. However, not all versions have the same length. 2017-04-19 17:13:46 +00:00
			`func TestELSAComparison(t *testing.T) {`
			`var table = []struct {`
			`left int`
			`right int`
			`expected int`
			`}{`
			`{20170935, 20170935, 0},`
			`{20170934, 20170935, -1},`
			`{20170936, 20170935, 1},`

			`{20170935, 201709331, 1},`
			`{201709351, 20170935, 1},`
			`{201709331, 20170935, -1},`
			`}`

			`for _, tt := range table {`
			`assert.Equal(t, tt.expected, compareELSA(tt.left, tt.right))`
			`}`
			`}`