test: add tests for rootio

2025-12-05 20:40:16 -08:00 · 2025-06-26 19:06:14 +06:00
parent 978276ddd0
commit 71ab2b8926
5 changed files with 284 additions and 0 deletions
--- a/pkg/detector/ospkg/rootio/rootio_private_test.go
+++ b/pkg/detector/ospkg/rootio/rootio_private_test.go
@@ -0,0 +1,63 @@
+package rootio
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+)
+
+func TestScanner_IsVulnerable(t *testing.T) {
+	tests := []struct {
+		name             string
+		installedVersion string
+		vulnerableRanges []string
+		want             bool
+	}{
+		// Case 1
+		{"1-a", "1.0.0", []string{"<1.0.0-2"}, true},
+		{"1-b", "1.0.0-2", []string{"<1.0.0-2"}, false},
+		{"1-c", "1.0.0-2", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-3"}, true},
+		{"1-d", "1.0.0-3", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-3"}, false},
+
+		// Case 2
+		{"2-a", "1.0.0-1", []string{"<1.0.0-2"}, true},
+		{"2-b", "1.0.0-2", []string{"<1.0.0-2"}, false},
+
+		// Case 3
+		{"3-a", "1.0.0-1", []string{"<1.0.0-2.root.io"}, true},
+		// Impossible to detect
+		// {"3-b", "1.0.0-3", []string{"<1.0.0-2.root.io"}, false},
+
+		// Case 4
+		{"4", "1.0.0", []string{}, true},
+
+		// Case 5
+		{"5-a", "1.0.0-1.root.io", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-2"}, true},
+		{"5-b", "1.0.0-2.root.io", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-2"}, false},
+		{"5-c", "1.0.0-1.root.io", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-3"}, true},
+		// Incorrect range. Ranges are intersect. Debian order is 1.0.0-2 < 1.0.0-2.root.io < 1.0.0-3.
+		// {"5-d", "1.0.0-2.root.io", []string{"<1.0.0-2.root.io", ">=1.0.0-2 <1.0.0-3"}, false},
+
+		// Case 6
+		{"6-a", "1.0.0-1.root.io", []string{"<1.0.0-2.root.io"}, true},
+		{"6-b", "1.0.0-2.root.io", []string{"<1.0.0-2.root.io"}, false},
+
+		// Case 7
+		{"7-a", "1.0.0-1.root.io", []string{"<1.0.0-2"}, true},
+		{"7-b", "1.0.0-3.root.io", []string{"<1.0.0-2"}, false},
+
+		// Case 8
+		{"8", "1.0.0-1.root.io", []string{}, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			scanner := NewScanner(ftypes.Debian)
+			vulnerable := scanner.isVulnerable(t.Context(), tt.installedVersion, types.Advisory{VulnerableVersions: tt.vulnerableRanges})
+			require.Equal(t, tt.want, vulnerable)
+		})
+	}
+}
--- a/pkg/detector/ospkg/rootio/rootio_test.go
+++ b/pkg/detector/ospkg/rootio/rootio_test.go
@@ -0,0 +1,163 @@
+package rootio_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy/internal/dbtest"
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg/rootio"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func TestScanner_Detect(t *testing.T) {
+	type args struct {
+		osVer string
+		pkgs  []ftypes.Package
+	}
+	tests := []struct {
+		name     string
+		baseOS   ftypes.OSType
+		fixtures []string
+		args     args
+		want     []types.DetectedVulnerability
+		wantErr  string
+	}{
+		{
+			name:   "Debian scanner",
+			baseOS: ftypes.Debian,
+			fixtures: []string{
+				"testdata/fixtures/rootio.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "12",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "openssl",
+						Version:    "3.0.15-1~deb12u1.root.io.0",
+						SrcName:    "openssl",
+						SrcVersion: "3.0.15-1~deb12u1.root.io.0",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "openssl",
+					VulnerabilityID:  "CVE-2024-13176",
+					InstalledVersion: "3.0.15-1~deb12u1.root.io.0",
+					FixedVersion:     "3.0.15-1~deb12u1.root.io.1, 3.0.16-1~deb12u1",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.RootIO,
+						Name: "Root.io Security Patches",
+						URL:  "https://api.root.io/external/patch_feed",
+					},
+				},
+			},
+		},
+		{
+			name:   "Ubuntu scanner",
+			baseOS: ftypes.Ubuntu,
+			fixtures: []string{
+				"testdata/fixtures/rootio.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "20.04",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "nginx",
+						Version:    "1.22.1-9+deb12u2.root.io.0",
+						SrcName:    "nginx",
+						SrcVersion: "1.22.1-9+deb12u2.root.io.0",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "nginx",
+					VulnerabilityID:  "CVE-2023-44487",
+					InstalledVersion: "1.22.1-9+deb12u2.root.io.0",
+					FixedVersion:     "1.22.1-9+deb12u2.root.io.1",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.RootIO,
+						Name: "Root.io Security Patches",
+						URL:  "https://api.root.io/external/patch_feed",
+					},
+				},
+			},
+		},
+		{
+			name:   "Alpine scanner",
+			baseOS: ftypes.Alpine,
+			fixtures: []string{
+				"testdata/fixtures/rootio.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "3.19",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "less",
+						Version:    "643-r00072",
+						SrcName:    "less",
+						SrcVersion: "643-r00072",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "less",
+					VulnerabilityID:  "CVE-2024-32487",
+					InstalledVersion: "643-r00072",
+					FixedVersion:     "643-r10072",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.RootIO,
+						Name: "Root.io Security Patches",
+						URL:  "https://api.root.io/external/patch_feed",
+					},
+				},
+			},
+		},
+		{
+			name:   "Get returns an error",
+			baseOS: ftypes.Alpine,
+			fixtures: []string{
+				"testdata/fixtures/invalid.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "3.20",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "jq",
+						Version:    "1.5-12",
+						SrcName:    "jq",
+						SrcVersion: "1.5-12",
+					},
+				},
+			},
+			wantErr: "failed to get Root.io advisories",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_ = dbtest.InitDB(t, tt.fixtures)
+			defer db.Close()
+
+			scanner := rootio.NewScanner(tt.baseOS)
+			got, err := scanner.Detect(t.Context(), tt.args.osVer, nil, tt.args.pkgs)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/pkg/detector/ospkg/rootio/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/rootio/testdata/fixtures/data-source.yaml
@@ -0,0 +1,17 @@
+- bucket: data-source
+  pairs:
+    - key: root.io debian 12
+      value:
+        ID: "rootio"
+        Name: "Root.io Security Patches"
+        URL: "https://api.root.io/external/patch_feed"
+    - key: root.io ubuntu 20.04
+      value:
+        ID: "rootio"
+        Name: "Root.io Security Patches"
+        URL: "https://api.root.io/external/patch_feed"
+    - key: root.io alpine 3.19
+      value:
+        ID: "rootio"
+        Name: "Root.io Security Patches"
+        URL: "https://api.root.io/external/patch_feed"
--- a/pkg/detector/ospkg/rootio/testdata/fixtures/invalid.yaml
+++ b/pkg/detector/ospkg/rootio/testdata/fixtures/invalid.yaml
@@ -0,0 +1,9 @@
+- bucket: root.io alpine 3.20
+  pairs:
+    - bucket: jq
+      pairs:
+        - key: CVE-2020-8177
+          value:
+            FixedVersion:
+              - foo
+              - bar
--- a/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml
+++ b/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml
@@ -0,0 +1,32 @@
+- bucket: root.io debian 12
+  pairs:
+    - bucket: openssl
+      pairs:
+        - key: CVE-2024-13176
+          value:
+            VulnerableVersions:
+              - "<3.0.15-1~deb12u1.root.io.1"
+              - ">3.0.15-1~deb12u1.root.io.1 <3.0.16-1~deb12u1"
+            PatchedVersions:
+              - "3.0.15-1~deb12u1.root.io.1"
+              - "3.0.16-1~deb12u1"
+- bucket: root.io ubuntu 20.04
+  pairs:
+    - bucket: nginx
+      pairs:
+        - key: CVE-2023-44487
+          value:
+            VulnerableVersions:
+              - "<1.22.1-9+deb12u2.root.io.1"
+            PatchedVersions:
+              - "1.22.1-9+deb12u2.root.io.1"
+- bucket: root.io alpine 3.19
+  pairs:
+    - bucket: less
+      pairs:
+        - key: CVE-2024-32487
+          value:
+            VulnerableVersions:
+              - "<643-r10072"
+            PatchedVersions:
+              - "643-r10072"