From a90db713a2722a80db33e47343c4a4d417f48a0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= Date: Thu, 26 Jul 2018 15:46:06 +0200 Subject: [PATCH] vulnsrc_rhel: add test Add test for multiple CVE --- ext/vulnsrc/rhel/rhel.go | 15 +++--- ext/vulnsrc/rhel/rhel_test.go | 86 ++++++++++++++++++++--------------- 2 files changed, 59 insertions(+), 42 deletions(-) diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go index c5fdb968..e87e48bd 100644 --- a/ext/vulnsrc/rhel/rhel.go +++ b/ext/vulnsrc/rhel/rhel.go @@ -214,13 +214,16 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi // Only RHSA is present if len(definition.References) == 1 { vulnerabilities = append(vulnerabilities, vulnerability) - } else { - for _, reference := range definition.References[1:] { - vulnerability.Name = reference.ID - vulnerability.Link = reference.URI - vulnerabilities = append(vulnerabilities, vulnerability) - } + continue } + + // Create one vulnerability by CVE + for _, reference := range definition.References[1:] { + vulnerability.Name = reference.ID + vulnerability.Link = reference.URI + vulnerabilities = append(vulnerabilities, vulnerability) + } + } } diff --git a/ext/vulnsrc/rhel/rhel_test.go b/ext/vulnsrc/rhel/rhel_test.go index 86136a78..3d5340d4 100644 --- a/ext/vulnsrc/rhel/rhel_test.go +++ b/ext/vulnsrc/rhel/rhel_test.go @@ -15,6 +15,7 @@ package rhel import ( + "fmt" "os" "path/filepath" "runtime" @@ -25,7 +26,55 @@ import ( "github.com/stretchr/testify/assert" ) -func TestRHELParser(t *testing.T) { +func TestRHELParserMultipleCVE(t *testing.T) { + _, filename, _, _ := runtime.Caller(0) + path := filepath.Join(filepath.Dir(filename)) + + // Test parsing testdata/fetcher_rhel_test.2.xml + testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.2.xml") + vulnerabilities, err := parseRHSA(testFile) + + // Expected + expectedCve := []string{"CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727", "CVE-2015-2728", + "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", + "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743", + } + expectedFeatures := []database.AffectedFeature{ + { + Namespace: database.Namespace{ + Name: "centos:6", + VersionFormat: rpm.ParserName, + }, + FeatureName: "firefox", + FixedInVersion: "0:38.1.0-1.el6_6", + AffectedVersion: "0:38.1.0-1.el6_6", + }, + { + Namespace: database.Namespace{ + Name: "centos:7", + VersionFormat: rpm.ParserName, + }, + FeatureName: "firefox", + FixedInVersion: "0:38.1.0-1.el7_1", + AffectedVersion: "0:38.1.0-1.el7_1", + }, + } + + if assert.Nil(t, err) && assert.Len(t, vulnerabilities, len(expectedCve)) { + + for i, vulnerability := range vulnerabilities { + assert.Equal(t, expectedCve[i], vulnerability.Name) + assert.Equal(t, fmt.Sprintf("https://access.redhat.com/security/cve/%s", expectedCve[i]), vulnerability.Link) + assert.Equal(t, database.CriticalSeverity, vulnerability.Severity) + assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerability.Description) + + for _, expectedFeature := range expectedFeatures { + assert.Contains(t, vulnerability.Affected, expectedFeature) + } + } + } +} +func TestRHELParserOneCVE(t *testing.T) { _, filename, _, _ := runtime.Caller(0) path := filepath.Join(filepath.Dir(filename)) @@ -72,39 +121,4 @@ func TestRHELParser(t *testing.T) { assert.Contains(t, vulnerabilities[0].Affected, expectedFeature) } } - - // Test parsing testdata/fetcher_rhel_test.2.xml - testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml") - vulnerabilities, err = parseRHSA(testFile) - if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 17) { - assert.Equal(t, "CVE-2015-2722", vulnerabilities[0].Name) - assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-2722", vulnerabilities[0].Link) - assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity) - assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description) - - expectedFeatures := []database.AffectedFeature{ - { - Namespace: database.Namespace{ - Name: "centos:6", - VersionFormat: rpm.ParserName, - }, - FeatureName: "firefox", - FixedInVersion: "0:38.1.0-1.el6_6", - AffectedVersion: "0:38.1.0-1.el6_6", - }, - { - Namespace: database.Namespace{ - Name: "centos:7", - VersionFormat: rpm.ParserName, - }, - FeatureName: "firefox", - FixedInVersion: "0:38.1.0-1.el7_1", - AffectedVersion: "0:38.1.0-1.el7_1", - }, - } - - for _, expectedFeature := range expectedFeatures { - assert.Contains(t, vulnerabilities[0].Affected, expectedFeature) - } - } }