go
/
vulndb
зеркало из https://github.com/golang/vulndb.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
vulndb/internal/ghsa/ghsa2report_test.go

164 строки
4.2 KiB
Go
Исходник Ответственный История

// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package ghsa
import (
"flag"
"testing"
"time"
"github.com/google/go-cmp/cmp"
"golang.org/x/vulndb/internal/proxy"
"golang.org/x/vulndb/internal/report"
)
var (
realProxy = flag.Bool("proxy", false, "if true, contact the real module proxy and update expected responses")
)
var testTime = time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
func TestGHSAToReport(t *testing.T) {
updatedTime := time.Date(2022, 01, 01, 01, 01, 00, 00, time.UTC)
sa := &SecurityAdvisory{
ID: "G1_blah",
Identifiers: []Identifier{{Type: "GHSA", Value: "G1"}, {Type: "CVE", Value: "C1"}},
UpdatedAt: updatedTime,
Permalink: "https://github.com/permalink/to/G1",
Description: "a description",
Vulns: []*Vuln{{
Package: "golang.org/x/tools/go/packages",
EarliestFixedVersion: "0.9.0",
VulnerableVersionRange: "< 0.9.0",
}},
References: []Reference{{URL: "https://github.com/permalink/to/issue/12345"}},
}
pc, err := proxy.NewTestClient(t, *realProxy)
if err != nil {
t.Fatal(err)
}
for _, test := range []struct {
name string
module string
want *report.Report
}{
{
name: "module provided",
module: "golang.org/x/tools",
want: &report.Report{
ID: report.PendingID,
Modules: []*report.Module{{
Module: "golang.org/x/tools",
VulnerableAt: "0.8.0",
Versions: []report.VersionRange{
{Fixed: "0.9.0"},
},
Packages: []*report.Package{{
Package: "golang.org/x/tools/go/packages",
}},
}},
Summary: "C1 in golang.org/x/tools",
Description: "a description",
GHSAs: []string{"G1"},
CVEs: []string{"C1"},
References: []*report.Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
SourceMeta: &report.SourceMeta{
ID: "G1_blah",
Created: &testTime,
},
ReviewStatus: report.Unreviewed,
},
},
{
name: "empty module attempts to find module from package",
module: "",
want: &report.Report{
ID: report.PendingID,
Modules: []*report.Module{{
Module: "golang.org/x/tools",
Versions: []report.VersionRange{
{Fixed: "0.9.0"},
},
VulnerableAt: "0.8.0",
Packages: []*report.Package{{
Package: "golang.org/x/tools/go/packages",
},
{
Package: "golang.org/x/tools/go/packages",
}},
}},
Summary: "C1 in golang.org/x/tools",
Description: "a description",
GHSAs: []string{"G1"},
CVEs: []string{"C1"},
References: []*report.Reference{{Type: "REPORT", URL: "https://github.com/permalink/to/issue/12345"}},
SourceMeta: &report.SourceMeta{
ID: "G1_blah",
Created: &testTime,
},
ReviewStatus: report.Unreviewed,
},
},
} {
test := test
t.Run(test.name, func(t *testing.T) {
got := report.New(sa, pc, report.WithModulePath(test.module),
report.WithCreated(testTime))
if diff := cmp.Diff(*got, *test.want); diff != "" {
t.Errorf("mismatch (-want, +got):\n%s", diff)
}
})
}
}
func TestParseVulnRange(t *testing.T) {
for _, test := range []struct {
in string
want []vulnRangeItem
}{
{"", nil},
{"< 1.2.3", []vulnRangeItem{{"<", "1.2.3"}}},
{"< 4.3.2, >= 1.2.3", []vulnRangeItem{
{"<", "4.3.2"},
{">=", "1.2.3"},
}},
} {
got, err := parseVulnRange(test.in)
if err != nil {
t.Fatal(err)
}
if !cmp.Equal(got, test.want, cmp.AllowUnexported(vulnRangeItem{})) {
t.Errorf("%q:\ngot %+v\nwant %+v", test.in, got, test.want)
}
}
}
func TestVersions(t *testing.T) {
for _, test := range []struct {
earliestFixed string
vulnRange string
intro, fixed string
}{
{"1.0.0", "< 1.0.0", "", "1.0.0"},
{"", "<= 1.4.2", "", ""},
{"1.1.3", ">= 1.1.0, < 1.1.3", "1.1.0", "1.1.3"},
{
"1.2.3", "<= 2.3.4",
`TODO (earliest fixed "1.2.3", vuln range "<= 2.3.4")`, "",
},
} {
got := versions(test.earliestFixed, test.vulnRange)
want := []report.VersionRange{{
Introduced: test.intro,
Fixed: test.fixed,
}}
if !cmp.Equal(got, want) {
t.Errorf("%q, %q:\ngot %+v\nwant %+v",
test.earliestFixed, test.vulnRange, got, want)
}
}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку