From d447101f6185daeeba1c23b5b4a220c24b16e960 Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Fri, 5 May 2023 10:26:40 +0200
Subject: [PATCH] add unit test to cover cve exceptions

Signed-off-by: Matthias Bertschy
---
 adapters/v1/armo_test.go | 37 +-
 .../v1/testdata/cve-body-with-exception.json | 409 ++++++++++++++++++
 2 files changed, 433 insertions(+), 13 deletions(-)
 create mode 100644 adapters/v1/testdata/cve-body-with-exception.json

diff --git a/adapters/v1/armo_test.go b/adapters/v1/armo_test.go
index be30378..690622d 100644
--- a/adapters/v1/armo_test.go
+++ b/adapters/v1/armo_test.go
@@ -98,33 +98,40 @@ func fileToCVEManifest(path string) domain.CVEManifest {
 }
 
 func TestArmoAdapter_SubmitCVE(t *testing.T) {
-	getCVEExceptionsFunc := func(s string, s2 string, designator *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error) {
-		return []armotypes.VulnerabilityExceptionPolicy{}, nil
-	}
 	ja := jsonassert.New(t)
 	tests := []struct {
-		name string
-		cve domain.CVEManifest
-		cvep domain.CVEManifest
-		checkFullBody bool
-		wantErr bool
+		name string
+		cve domain.CVEManifest
+		cvep domain.CVEManifest
+		checkFullBody bool
+		checkFullBodyWithException bool
+		exceptions []armotypes.VulnerabilityExceptionPolicy
+		wantErr bool
 	}{
 		{
 			name: "submit small cve",
 			cve: fileToCVEManifest("testdata/nginx-cve-small.json"),
-			cvep: domain.CVEManifest{},
 			checkFullBody: true,
 		},
 		{
 			name: "submit big cve",
 			cve: fileToCVEManifest("testdata/nginx-cve.json"),
-			cvep: domain.CVEManifest{},
 		},
 		{
 			name: "submit big cve with relevancy",
 			cve: fileToCVEManifest("testdata/nginx-cve.json"),
 			cvep: fileToCVEManifest("testdata/nginx-filtered-cve.json"),
 		},
+		{
+			name: "submit small cve with exceptions",
+			cve: fileToCVEManifest("testdata/nginx-cve-small.json"),
+			checkFullBodyWithException: true,
+			exceptions: []armotypes.VulnerabilityExceptionPolicy{{
+				PolicyType: "vulnerabilityExceptionPolicy",
+				Actions: []armotypes.VulnerabilityExceptionPolicyActions{"ignore"},
+				VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{{Name: "CVE-2007-5686"}},
+			}},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -145,6 +152,8 @@ func TestArmoAdapter_SubmitCVE(t *testing.T) {
 			switch {
 			case tt.checkFullBody:
 				expectedBody, err = os.ReadFile("testdata/cve-body.json")
+			case tt.checkFullBodyWithException:
+				expectedBody, err = os.ReadFile("testdata/cve-body-with-exception.json")
 			case report.Summary == nil:
 				expectedBody, err = os.ReadFile("testdata/cve-chunk.json")
 			case tt.cvep.Content != nil:
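Review bot: `checkFullBody` and `checkFullBodyWithException` are two mutually exclusive booleans that each select a fixture, and the switch in the second hunk (`case tt.checkFullBody:` ahead of `case tt.checkFullBodyWithException:`) silently prefers the first when a future table entry sets both, so a regression in exception handling could be compared against the wrong file without any test failure. Replacing both fields with one `expectedBodyFile string` (for the new entry `expectedBodyFile: "testdata/cve-body-with-exception.json"`) and a single `case tt.expectedBodyFile != "": expectedBody, err = os.ReadFile(tt.expectedBodyFile)` removes that ambiguity and keeps the table readable as more fixtures are added. TestArmoAdapter_SubmitCVE continues past both hunks.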
@@ -173,9 +182,11 @@ func TestArmoAdapter_SubmitCVE(t *testing.T) {
 				}, nil
 			}
 			a := &ArmoAdapter{
-				clusterConfig: armometadata.ClusterConfig{},
-				getCVEExceptionsFunc: getCVEExceptionsFunc,
-				httpPostFunc: httpPostFunc,
+				clusterConfig: armometadata.ClusterConfig{},
+				getCVEExceptionsFunc: func(s string, s2 string, designator *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error) {
+					return tt.exceptions, nil
+				},
+				httpPostFunc: httpPostFunc,
 			}
 			ctx := context.TODO()
 			ctx = context.WithValue(ctx, domain.TimestampKey{}, time.Now().Unix())
diff --git a/adapters/v1/testdata/cve-body-with-exception.json b/adapters/v1/testdata/cve-body-with-exception.json
new file mode 100644
index 0000000..c53cccb
--- /dev/null
+++ b/adapters/v1/testdata/cve-body-with-exception.json
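Review bot: The `getCVEExceptionsFunc` stub in the `a := &ArmoAdapter{` literal returns `tt.exceptions` while discarding `s`, `s2` and `designator`, so the test cannot tell whether the adapter asks for exception policies under the right customer, cluster and workload identity. Because an applied exception suppresses a finding, a scoping mistake in that lookup would still produce the expected body and pass unnoticed. Recording the three arguments into locals inside the stub and asserting them after the submit, against whatever the test's `clusterConfig` and manifest are expected to yield (those expected values are not visible in this hunk), would close that gap. The enclosing function continues outside the hunk.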
@@ -0,0 +1,409 @@ +{ + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": "14695981039346656037" + } + }, + "summary": { + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": "14695981039346656037" + } + }, + "healthStatus": "", + "total": 2, + "rceFixCount": 0, + "relevantFixCount": 0, + "fixedTotal": 0, + "relevantTotal": 0, + "rceTotal": 0, + "urgent": 0, + "neglected": 0, + "version": "", + "registry": "", + "customerGUID": "", + "containersScanID": "<>", + "wlid": "", + "imageHash": "", + "imageTag": "", + "cluster": "", + "namespace": "", + "containerName": "", + "versionImage": "", + "status": "Success", + "excludedSeveritiesStats": [ + { + "severity": "Negligible", + "healthStatus": "", + "total": 2, + "rceFixCount": 0, + "relevantFixCount": 0, + "fixedTotal": 0, + "relevantTotal": 0, + "rceTotal": 0, + "urgent": 0, + "neglected": 0 + } + ], + "packages": [], + "severitiesStats": [ + { + "severity": "Negligible", + "healthStatus": "", + "total": 2, + "rceFixCount": 0, + "relevantFixCount": 0, + "fixedTotal": 0, + "relevantTotal": 0, + "rceTotal": 0, + "urgent": 0, + "neglected": 0 + } + ], + "jobIDs": null, + "vulnerabilities": ["<>", + { + "name": "CVE-2005-2541" + }, + { + "name": "CVE-2007-6755" + } + ], + "context": ["<>", + { + "attribute": "containerName", + "value": "", + "source": "designators.attributes" + }, + { + "attribute": "workloadHash", + "value": "14695981039346656037", + "source": "designators.attributes" + }, + { + "attribute": "customerGUID", + "value": "", + "source": "designators.attributes" + } + ], + "timestamp": "<>", + "relevantLabel": "", + "hasRelevancyData": false + }, + "containersScanID": "<>", + "vulnerabilities": ["<>", + { + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": 
"14695981039346656037" + } + }, + "layerHash": "generatedlayer", + "wlid": "", + "containersScanID": "<>", + "healthStatus": "", + "imageHash": "", + "imageTag": "", + "packageName": "tar", + "packageVersion": "1.29b-1.1", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541", + "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", + "severity": "Negligible", + "name": "CVE-2005-2541", + "fixedIn": [ + { + "name": "not-fixed", + "imageTag": "", + "version": "" + } + ], + "severityScore": 100, + "neglected": 0, + "urgent": 0, + "categories": { + "isRce": false + }, + "layers": [ + { + "layerHash": "generatedlayer", + "parentLayerHash": "" + } + ], + "layersNested": null, + "context": ["<>", + { + "attribute": "containerName", + "value": "", + "source": "designators.attributes" + }, + { + "attribute": "workloadHash", + "value": "14695981039346656037", + "source": "designators.attributes" + }, + { + "attribute": "customerGUID", + "value": "", + "source": "designators.attributes" + } + ], + "links": ["<>", + "https://nvd.nist.gov/vuln/detail/CVE-2005-2541", + "https://security-tracker.debian.org/tracker/CVE-2005-2541" + ], + "timestamp": "<>", + "isLastScan": 1, + "isFixed": 0, + "relevantLabel": "" + }, + { + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": "14695981039346656037" + } + }, + "layerHash": "generatedlayer", + "wlid": "", + "containersScanID": "<>", + "healthStatus": "", + "imageHash": "", + "imageTag": "", + "packageName": "login", + "packageVersion": "1:4.4-4.1", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", + "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. 
NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", + "severity": "Negligible", + "name": "CVE-2007-5686", + "fixedIn": [ + { + "name": "not-fixed", + "imageTag": "", + "version": "" + } + ], + "exceptionApplied": [ + { + "guid": "", + "name": "", + "policyType": "vulnerabilityExceptionPolicy", + "creationTime": "", + "actions": [ + "ignore" + ], + "designators": null, + "vulnerabilities": [ + { + "name": "CVE-2007-5686" + } + ] + } + ], + "severityScore": 100, + "neglected": 0, + "urgent": 0, + "categories": { + "isRce": false + }, + "layers": [ + { + "layerHash": "generatedlayer", + "parentLayerHash": "" + } + ], + "layersNested": null, + "context": ["<>", + { + "attribute": "containerName", + "value": "", + "source": "designators.attributes" + }, + { + "attribute": "workloadHash", + "value": "14695981039346656037", + "source": "designators.attributes" + }, + { + "attribute": "customerGUID", + "value": "", + "source": "designators.attributes" + } + ], + "links": ["<>", + "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", + "https://security-tracker.debian.org/tracker/CVE-2007-5686" + ], + "timestamp": "<>", + "isLastScan": 1, + "isFixed": 0, + "relevantLabel": "" + }, + { + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": "14695981039346656037" + } + }, + "layerHash": "generatedlayer", + "wlid": "", + "containersScanID": "<>", + "healthStatus": "", + "imageHash": "", + "imageTag": "", + "packageName": "passwd", + "packageVersion": "1:4.4-4.1", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", + "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. 
NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", + "severity": "Negligible", + "name": "CVE-2007-5686", + "fixedIn": [ + { + "name": "not-fixed", + "imageTag": "", + "version": "" + } + ], + "exceptionApplied": [ + { + "guid": "", + "name": "", + "policyType": "vulnerabilityExceptionPolicy", + "creationTime": "", + "actions": [ + "ignore" + ], + "designators": null, + "vulnerabilities": [ + { + "name": "CVE-2007-5686" + } + ] + } + ], + "severityScore": 100, + "neglected": 0, + "urgent": 0, + "categories": { + "isRce": false + }, + "layers": [ + { + "layerHash": "generatedlayer", + "parentLayerHash": "" + } + ], + "layersNested": null, + "context": ["<>", + { + "attribute": "containerName", + "value": "", + "source": "designators.attributes" + }, + { + "attribute": "workloadHash", + "value": "14695981039346656037", + "source": "designators.attributes" + }, + { + "attribute": "customerGUID", + "value": "", + "source": "designators.attributes" + } + ], + "links": ["<>", + "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", + "https://security-tracker.debian.org/tracker/CVE-2007-5686" + ], + "timestamp": "<>", + "isLastScan": 1, + "isFixed": 0, + "relevantLabel": "" + }, + { + "designators": { + "designatorType": "Attributes", + "attributes": { + "containerName": "", + "customerGUID": "", + "workloadHash": "14695981039346656037" + } + }, + "layerHash": "generatedlayer", + "wlid": "", + "containersScanID": "<>", + "healthStatus": "", + "imageHash": "", + "imageTag": "", + "packageName": "libssl1.1", + "packageVersion": "1.1.0f-3+deb9u2", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", + "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow 
context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", + "severity": "Negligible", + "name": "CVE-2007-6755", + "fixedIn": [ + { + "name": "not-fixed", + "imageTag": "", + "version": "" + } + ], + "severityScore": 100, + "neglected": 0, + "urgent": 0, + "categories": { + "isRce": false + }, + "layers": [ + { + "layerHash": "generatedlayer", + "parentLayerHash": "" + } + ], + "layersNested": null, + "context": ["<>", + { + "attribute": "containerName", + "value": "", + "source": "designators.attributes" + }, + { + "attribute": "workloadHash", + "value": "14695981039346656037", + "source": "designators.attributes" + }, + { + "attribute": "customerGUID", + "value": "", + "source": "designators.attributes" + } + ], + "links": ["<>", + "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", + "https://security-tracker.debian.org/tracker/CVE-2007-6755" + ], + "timestamp": "<>", + "isLastScan": 1, + "isFixed": 0, + "relevantLabel": "" + } + ], + "paginationInfo": { + "chunkNumber": 0, + "isLastChunk": true + }, + "timestamp": "<>" +} \ No newline at end of file