feat(fedora): add test

aquasecurity · Jan 21, 2022 · 3e2cfa7 · 3e2cfa7
1 parent 9800c32
commit 3e2cfa7
Show file tree

Hide file tree

Showing 5 changed files with 294 additions and 60 deletions.
diff --git a/pkg/vulnsrc/fedora/fedora.go b/pkg/vulnsrc/fedora/fedora.go
@@ -26,11 +26,9 @@ var (
 		"fedora": "fedora %s",
 		"epel":   "epel %s",
 	}
-	targetMode          = []string{"fedora", "epel"}
-	targetFedoraRelease = []string{"32", "33", "34", "35"}
-	targetEPELRelease   = []string{"7", "8", "9"}
-	targetRepository    = []string{"Everything", "Modular"}
-	targetArches        = []string{"x86_64"}
+	targetMode       = []string{"fedora"}
+	targetRepository = []string{"Everything", "Modular"}
+	targetArches     = []string{"x86_64"}
 )
 
 type VulnSrc struct {
@@ -61,66 +59,26 @@ func (vs VulnSrc) Update(dir string) error {
 
 		dirs := strings.Split(strings.TrimPrefix(path, rootDir), string(filepath.Separator))[1:]
 		mode := dirs[0]
-		if !utils.StringInSlice(mode, targetMode) {
-			log.Printf("unsupported Fedora mode: %s\n", mode)
+		majorVer := dirs[1]
+		if mode != "fedora" {
+			return nil
+		}
+		repo := dirs[2]
+		if !utils.StringInSlice(repo, targetRepository) {
+			log.Printf("unsupported Fedora Repository: %s\n", repo)
 			return nil
 		}
-		majorVer := dirs[1]
-		if mode == "fedora" {
-			if !utils.StringInSlice(majorVer, targetFedoraRelease) {
-				log.Printf("unsupported Fedora version: %s\n", majorVer)
-				return nil
-			}
-
-			repo := dirs[2]
-			if !utils.StringInSlice(repo, targetRepository) {
-				log.Printf("unsupported Fedora Repository: %s\n", repo)
-				return nil
-			}
-
-			arch := dirs[3]
-			if !utils.StringInSlice(arch, targetArches) {
-				switch arch {
-				case "aarch64":
-				default:
-					log.Printf("unsupported Fedora arch: %s\n", arch)
-				}
-				return nil
-			}
-		} else {
-			if !utils.StringInSlice(majorVer, targetEPELRelease) {
-				log.Printf("unsupported EPEL version: %s\n", majorVer)
-				return nil
-			}
-
-			if majorVer == "7" {
-				arch := dirs[2]
-				if !utils.StringInSlice(arch, targetArches) {
-					switch arch {
-					case "aarch64":
-					default:
-						log.Printf("unsupported EPEL arch: %s\n", arch)
-					}
-					return nil
-				}
-			} else {
-				repo := dirs[2]
-				if !utils.StringInSlice(repo, targetRepository) {
-					log.Printf("unsupported EPEL Repository: %s\n", repo)
-					return nil
-				}
 
-				arch := dirs[3]
-				if !utils.StringInSlice(arch, targetArches) {
-					switch arch {
-					case "aarch64":
-					default:
-						log.Printf("unsupported EPEL arch: %s\n", arch)
-					}
-					return nil
-				}
+		arch := dirs[3]
+		if !utils.StringInSlice(arch, targetArches) {
+			switch arch {
+			case "aarch64":
+			default:
+				log.Printf("unsupported Fedora arch: %s\n", arch)
 			}
+			return nil
 		}
+
 		errata[mode][majorVer] = append(errata[mode][majorVer], erratum)
 		return nil
 	})

diff --git a/pkg/vulnsrc/fedora/fedora_test.go b/pkg/vulnsrc/fedora/fedora_test.go
@@ -0,0 +1,109 @@
+package fedora
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy-db/pkg/dbtest"
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVulnSrc_Update(t *testing.T) {
+	type want struct {
+		key   []string
+		value interface{}
+	}
+	tests := []struct {
+		name       string
+		dir        string
+		wantValues []want
+		wantErr    string
+	}{
+		{
+			name: "everything package",
+			dir:  filepath.Join("testdata", "everything"),
+			wantValues: []want{
+				{
+					key: []string{"advisory-detail", "CVE-2021-41159", "fedora 35", "freerdp-libs-debuginfo"},
+					value: types.Advisory{
+						FixedVersion: "2:2.4.1-1.fc35",
+					},
+				},
+				{
+					key: []string{"vulnerability-detail", "CVE-2021-41159", vulnerability.Fedora},
+					value: types.VulnerabilityDetail{
+						Severity: types.SeverityHigh,
+						References: []string{
+							"https://bugzilla.redhat.com/show_bug.cgi?id=2015189",
+						},
+						Title:       "freerdp-2.4.1-1.fc35 guacamole-server-1.3.0-9.fc35 remmina-1.4.21-1.fc35",
+						Description: "- Update to 2.4.1 containing security fixes for CVE-2021-41159 and CVE-2021-41160.\n- Remmina 1.4.21 with bugfixes.\n\n",
+					},
+				},
+				{
+					key:   []string{"vulnerability-id", "CVE-2021-41159"},
+					value: map[string]interface{}{},
+				},
+			},
+		},
+		{
+			name: "modular package",
+			dir:  filepath.Join("testdata", "module"),
+			wantValues: []want{
+				{
+					key: []string{"advisory-detail", "CVE-2021-35623", "fedora 35", "mysql:8.0::community-mysql"},
+					value: types.Advisory{
+						FixedVersion: "8.0.27-1.module_f35+13269+c9322734",
+					},
+				},
+				{
+					key: []string{"vulnerability-detail", "CVE-2021-35623", vulnerability.Fedora},
+					value: types.VulnerabilityDetail{
+						Severity: types.SeverityMedium,
+						References: []string{
+							"https://bugzilla.redhat.com/show_bug.cgi?id=2016142",
+						},
+						Title:       "mysql-8.0-3520211031142409.f27b74a8",
+						Description: "**MySQL 8.0.27**\n\nRelease notes:\n\n    https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html",
+					},
+				},
+				{
+					key:   []string{"vulnerability-id", "CVE-2021-35623"},
+					value: map[string]interface{}{},
+				},
+			},
+		},
+		{
+			name:    "sad path",
+			dir:     filepath.Join("testdata", "sad"),
+			wantErr: "failed to decode Fedora erratum",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+
+			err := db.Init(tempDir)
+			require.NoError(t, err)
+			defer db.Close()
+
+			vs := NewVulnSrc()
+			err = vs.Update(tt.dir)
+			if tt.wantErr != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+				return
+			}
+
+			require.NoError(t, err)
+			require.NoError(t, db.Close()) // Need to close before dbtest.JSONEq is called
+			for _, want := range tt.wantValues {
+				dbtest.JSONEq(t, db.Path(tempDir), want.key, want.value)
+			}
+		})
+	}
+}
diff --git a/.../everything/vuln-list/fedora/fedora/35/Everything/x86_64/2021/FEDORA-2021-2c25f03d0b.json b/.../everything/vuln-list/fedora/fedora/35/Everything/x86_64/2021/FEDORA-2021-2c25f03d0b.json
@@ -0,0 +1,36 @@
+{
+  "id": "FEDORA-2021-2c25f03d0b",
+  "title": "freerdp-2.4.1-1.fc35 guacamole-server-1.3.0-9.fc35 remmina-1.4.21-1.fc35",
+  "type": "security",
+  "issued": {
+    "date": "2021-11-17 01:12:41"
+  },
+  "updated": {
+    "date": "2021-11-10 20:45:11"
+  },
+  "severity": "Important",
+  "description": "- Update to 2.4.1 containing security fixes for CVE-2021-41159 and CVE-2021-41160.\n- Remmina 1.4.21 with bugfixes.\n\n",
+  "packages": [
+    {
+      "name": "freerdp-libs-debuginfo",
+      "epoch": "2",
+      "version": "2.4.1",
+      "release": "1.fc35",
+      "arch": "x86_64",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/f/freerdp-libs-debuginfo-2.4.1-1.fc35.x86_64.rpm",
+      "filename": "freerdp-libs-debuginfo-2.4.1-1.fc35.x86_64.rpm"
+    }
+  ],
+  "module": {},
+  "references": [
+    {
+      "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2015189",
+      "id": "2015189",
+      "title": "remmina-1.4.21 is available",
+      "type": "bugzilla"
+    }
+  ],
+  "cveids": [
+    "CVE-2021-41159"
+  ]
+}
diff --git a/...module/vuln-list/fedora/fedora/35/Modular/x86_64/2021/FEDORA-MODULAR-2021-217f84c072.json b/...module/vuln-list/fedora/fedora/35/Modular/x86_64/2021/FEDORA-MODULAR-2021-217f84c072.json
@@ -0,0 +1,41 @@
+{
+  "id": "FEDORA-MODULAR-2021-217f84c072",
+  "title": "mysql-8.0-3520211031142409.f27b74a8",
+  "type": "security",
+  "issued": {
+    "date": "2021-11-10 00:48:52"
+  },
+  "updated": {
+    "date": "2021-10-31 17:53:03"
+  },
+  "severity": "Moderate",
+  "description": "**MySQL 8.0.27**\n\nRelease notes:\n\n    https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html",
+  "packages": [
+    {
+      "name": "community-mysql",
+      "epoch": "0",
+      "version": "8.0.27",
+      "release": "1.module_f35+13269+c9322734",
+      "arch": "x86_64",
+      "filename": "community-mysql-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm"
+    }
+  ],
+  "module": {
+    "stream": "8.0",
+    "name": "mysql",
+    "version": 3520211031142409,
+    "arch": "x86_64",
+    "context": "f27b74a8"
+  },
+  "references": [
+    {
+      "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2016142",
+      "id": "2016142",
+      "title": "CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 ... mysql:8.0/community-mysql: various flaws [fedora-all]",
+      "type": "bugzilla"
+    }
+  ],
+  "cveids": [
+    "CVE-2021-35623"
+  ]
+}
diff --git a/...estdata/sad/vuln-list/fedora/fedora/35/Everything/x86_64/2021/FEDORA-2021-0b8814db99.json b/...estdata/sad/vuln-list/fedora/fedora/35/Everything/x86_64/2021/FEDORA-2021-0b8814db99.json
@@ -0,0 +1,90 @@
+{
+  "id": "FEDORA-2021-0b8814db99"
+  "title": "cacti-1.2.19-1.fc35 cacti-spine-1.2.19-1.fc35",
+  "type": "security",
+  "issued": {
+    "date": "2021-11-11 01:17:54"
+  },
+  "updated": {
+    "date": "2021-11-02 09:38:12"
+  },
+  "severity": "Moderate",
+  "description": "- Update to 1.2.19\n\nRelease notes: https://www.cacti.net/info/changelog/1.2.19",
+  "packages": [
+    {
+      "name": "cacti",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "noarch",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/cacti-1.2.19-1.fc35.noarch.rpm",
+      "filename": "cacti-1.2.19-1.fc35.noarch.rpm"
+    },
+    {
+      "name": "cacti-spine-debugsource",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "i686",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/cacti-spine-debugsource-1.2.19-1.fc35.i686.rpm",
+      "filename": "cacti-spine-debugsource-1.2.19-1.fc35.i686.rpm"
+    },
+    {
+      "name": "cacti-spine",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "i686",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/cacti-spine-1.2.19-1.fc35.i686.rpm",
+      "filename": "cacti-spine-1.2.19-1.fc35.i686.rpm"
+    },
+    {
+      "name": "cacti-spine-debuginfo",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "i686",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/cacti-spine-debuginfo-1.2.19-1.fc35.i686.rpm",
+      "filename": "cacti-spine-debuginfo-1.2.19-1.fc35.i686.rpm"
+    },
+    {
+      "name": "cacti-spine-debugsource",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "x86_64",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/cacti-spine-debugsource-1.2.19-1.fc35.x86_64.rpm",
+      "filename": "cacti-spine-debugsource-1.2.19-1.fc35.x86_64.rpm"
+    },
+    {
+      "name": "cacti-spine-debuginfo",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "x86_64",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/cacti-spine-debuginfo-1.2.19-1.fc35.x86_64.rpm",
+      "filename": "cacti-spine-debuginfo-1.2.19-1.fc35.x86_64.rpm"
+    },
+    {
+      "name": "cacti-spine",
+      "epoch": "0",
+      "version": "1.2.19",
+      "release": "1.fc35",
+      "arch": "x86_64",
+      "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/cacti-spine-1.2.19-1.fc35.x86_64.rpm",
+      "filename": "cacti-spine-1.2.19-1.fc35.x86_64.rpm"
+    }
+  ],
+  "module": {},
+  "references": [
+    {
+      "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2001017",
+      "id": "2001017",
+      "title": "CVE-2020-14424 cacti: lack of escaping on template import can lead to XSS [fedora-all]",
+      "type": "bugzilla"
+    }
+  ],
+  "cveids": [
+    "CVE-2020-14424"
+  ]
+}