test: update tests

pkg/vulnsrc/mariner/mariner_test.go

@@ -50,6 +50,18 @@ func TestVulnSrc_Update(t *testing.T) {
 						FixedVersion: "",
 					},
 				},
+				{
+					Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "openssl"},
+					Value: types.Advisory{
+						FixedVersion: "0:1.1.1k-28.cm2",
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "edk2"},
+					Value: types.Advisory{
+						FixedVersion: "0:20230301gitf80f052277c8-38.cm2",
+					},
+				},
 				{
 					Key: []string{"vulnerability-detail", "CVE-2008-3914", "cbl-mariner"},
 					Value: types.VulnerabilityDetail{
@@ -68,6 +80,15 @@ func TestVulnSrc_Update(t *testing.T) {
 						References:  []string{"https://nvd.nist.gov/vuln/detail/CVE-2021-39924"},
 					},
 				},
+				{
+					Key: []string{"vulnerability-detail", "CVE-2023-5678", "cbl-mariner"},
+					Value: types.VulnerabilityDetail{
+						Severity:    types.SeverityMedium,
+						Title:       "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38",
+						Description: "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available.",
+						References:  []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-5678"},
+					},
+				},
 				{
 					Key:   []string{"vulnerability-id", "CVE-2008-3914"},
 					Value: map[string]interface{}{},
@@ -76,6 +97,10 @@ func TestVulnSrc_Update(t *testing.T) {
 					Key:   []string{"vulnerability-id", "CVE-2021-39924"},
 					Value: map[string]interface{}{},
 				},
+				{
+					Key:   []string{"vulnerability-id", "CVE-2023-5678"},
+					Value: map[string]interface{}{},
+				},
 			},
 		},
 		{

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/definitions/2008/CVE-2008-3914.json

@@ -1,29 +1,31 @@
-{
-  "Class": "vulnerability",
-  "ID": "oval:com.microsoft.cbl-mariner:def:3173",
-  "Version": "1643374849",
-  "Metadata": {
-    "Title": "CVE-2008-3914 affecting package clamav 0.101.2",
-    "Affected": {
-      "Family": "unix",
-      "Platform": "CBL-Mariner"
+[
+  {
+    "Class": "vulnerability",
+    "ID": "oval:com.microsoft.cbl-mariner:def:3173",
+    "Version": "1643374849",
+    "Metadata": {
+      "Title": "CVE-2008-3914 affecting package clamav 0.101.2",
+      "Affected": {
+        "Family": "unix",
+        "Platform": "CBL-Mariner"
+      },
+      "Reference": {
+        "RefID": "CVE-2008-3914",
+        "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2008-3914",
+        "Source": "CVE"
+      },
+      "Patchable": "true",
+      "AdvisoryDate": "2021-05-06T23:56:51Z",
+      "AdvisoryID": "3173",
+      "Severity": "Critical",
+      "Description": "CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue."
     },
-    "Reference": {
-      "RefID": "CVE-2008-3914",
-      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2008-3914",
-      "Source": "CVE"
-    },
-    "Patchable": "true",
-    "AdvisoryDate": "2021-05-06T23:56:51Z",
-    "AdvisoryID": "3173",
-    "Severity": "Critical",
-    "Description": "CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue."
-  },
-  "Criteria": {
-    "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
-      "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000003"
+    "Criteria": {
+      "Operator": "AND",
+      "Criterion": {
+        "Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000003"
+      }
     }
   }
-}
+]

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2021/CVE-2021-39924.json

@@ -1,28 +1,30 @@
-{
-  "Class": "vulnerability",
-  "ID": "oval:com.microsoft.cbl-mariner:def:7412",
-  "Version": "1643374850",
-  "Metadata": {
-    "Title": "CVE-2021-39924 affecting package wireshark 3.4.4",
-    "Affected": {
-      "Family": "unix",
-      "Platform": "CBL-Mariner"
+[
+  {
+    "Class": "vulnerability",
+    "ID": "oval:com.microsoft.cbl-mariner:def:7412",
+    "Version": "1643374850",
+    "Metadata": {
+      "Title": "CVE-2021-39924 affecting package wireshark 3.4.4",
+      "Affected": {
+        "Family": "unix",
+        "Platform": "CBL-Mariner"
+      },
+      "Reference": {
+        "RefID": "CVE-2021-39924",
+        "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-39924",
+        "Source": "CVE"
+      },
+      "Patchable": "false",
+      "AdvisoryID": "7412",
+      "Severity": "High",
+      "Description": "CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently."
     },
-    "Reference": {
-      "RefID": "CVE-2021-39924",
-      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-39924",
-      "Source": "CVE"
-    },
-    "Patchable": "false",
-    "AdvisoryID": "7412",
-    "Severity": "High",
-    "Description": "CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently."
-  },
-  "Criteria": {
-    "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package wireshark is installed with version 3.4.4 or earlier",
-      "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000435"
+    "Criteria": {
+      "Operator": "AND",
+      "Criterion": {
+        "Comment": "Package wireshark is installed with version 3.4.4 or earlier",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000435"
+      }
     }
   }
-}
+]

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2023/CVE-2023-5678.json

@@ -0,0 +1,58 @@
+[
+  {
+    "Class": "vulnerability",
+    "ID": "oval:com.microsoft.cbl-mariner:def:31880",
+    "Version": "1",
+    "Metadata": {
+      "Title": "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28",
+      "Affected": {
+        "Family": "unix",
+        "Platform": "CBL-Mariner"
+      },
+      "Reference": {
+        "RefID": "CVE-2023-5678",
+        "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+        "Source": "CVE"
+      },
+      "Patchable": "true",
+      "AdvisoryID": "31880-1",
+      "Severity": "Medium",
+      "Description": "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available."
+    },
+    "Criteria": {
+      "Operator": "AND",
+      "Criterion": {
+        "Comment": "Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:31880000"
+      }
+    }
+  },
+  {
+    "Class": "vulnerability",
+    "ID": "oval:com.microsoft.cbl-mariner:def:31872",
+    "Version": "1",
+    "Metadata": {
+      "Title": "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38",
+      "Affected": {
+        "Family": "unix",
+        "Platform": "CBL-Mariner"
+      },
+      "Reference": {
+        "RefID": "CVE-2023-5678",
+        "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+        "Source": "CVE"
+      },
+      "Patchable": "true",
+      "AdvisoryID": "31872-1",
+      "Severity": "Medium",
+      "Description": "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available."
+    },
+    "Criteria": {
+      "Operator": "AND",
+      "Criterion": {
+        "Comment": "Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:31872000"
+      }
+    }
+  }
+]

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/objects/objects.json

@@ -4,6 +4,16 @@
       "ID": "oval:com.microsoft.cbl-mariner:obj:1643374850000429",
       "Version": "1643374850",
       "Name": "wireshark"
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:obj:31880001",
+      "Version": "0",
+      "Name": "openssl"
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:obj:31872001",
+      "Version": "0",
+      "Name": "edk2"
     }
   ]
 }

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/states/states.json

@@ -8,6 +8,24 @@
         "Datatype": "evr_string",
         "Operation": "less than or equal"
       }
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:ste:31880002",
+      "Version": "0",
+      "Evr": {
+        "Text": "0:1.1.1k-28.cm2",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:ste:31872002",
+      "Version": "0",
+      "Evr": {
+        "Text": "0:20230301gitf80f052277c8-38.cm2",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
     }
   ]
 }

pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/tests/tests.json

@@ -11,6 +11,30 @@
       "State": {
         "StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374850000031"
       }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678",
+      "ID": "oval:com.microsoft.cbl-mariner:tst:31880000",
+      "Version": "0",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.cbl-mariner:obj:31880001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.cbl-mariner:ste:31880002"
+      }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678",
+      "ID": "oval:com.microsoft.cbl-mariner:tst:31872000",
+      "Version": "0",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.cbl-mariner:obj:31872001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.cbl-mariner:ste:31872002"
+      }
     }
   ]
 }

pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/CVE-2013-7381.json

@@ -1,28 +1,30 @@
-{
-  "Class": "vulnerability",
-  "ID": "oval:com.microsoft.cbl-mariner:def:6640",
-  "Version": "0",
-  "Metadata": {
-    "Title": "CVE-2013-7381 affecting package libnotify 0.7.9",
-    "Affected": {
-      "Family": "unix",
-      "Platform": "CBL-Mariner"
+[
+  {
+    "Class": "vulnerability",
+    "ID": "oval:com.microsoft.cbl-mariner:def:6640",
+    "Version": "0",
+    "Metadata": {
+      "Title": "CVE-2013-7381 affecting package libnotify 0.7.9",
+      "Affected": {
+        "Family": "unix",
+        "Platform": "CBL-Mariner"
+      },
+      "Reference": {
+        "RefID": "CVE-2013-7381",
+        "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2013-7381",
+        "Source": "CVE"
+      },
+      "Patchable": "Not Applicable",
+      "AdvisoryID": "6640",
+      "Severity": "Critical",
+      "Description": "CVE-2013-7381 affecting package libnotify 0.7.9. This CVE is either no longer or was never applicable."
     },
-    "Reference": {
-      "RefID": "CVE-2013-7381",
-      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2013-7381",
-      "Source": "CVE"
-    },
-    "Patchable": "Not Applicable",
-    "AdvisoryID": "6640",
-    "Severity": "Critical",
-    "Description": "CVE-2013-7381 affecting package libnotify 0.7.9. This CVE is either no longer or was never applicable."
-  },
-  "Criteria": {
-    "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package libnotify is installed with version 0.7.9 or earlier",
-      "TestRef": "oval:com.microsoft.cbl-mariner:tst:1653048070000135"
+    "Criteria": {
+      "Operator": "AND",
+      "Criterion": {
+        "Comment": "Package libnotify is installed with version 0.7.9 or earlier",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:1653048070000135"
+      }
     }
   }
-}
+]