fix: version comparison (#740)

* feat: add comparer * refactor: rename lang with ecosystem * feat(bundler): add comparer * feat(node): add comparer * feat(bundler): integrate comparer * feat(cargo): integrate comparer * feat(composer): add comparer * feat(ghsa): integrate comparer * feat(node): integrate comparer * feat(python): integrate comparer * test(bundler): add tests * test(cargo): add tests * test(composer): add tests * test(ghsa): add tests * test(node): add tests * test(python): add tests * refactor(utils): remove unnecessary functions * test(utils): add tests * test: rename bucket prefixes * fix(detect): use string * chore: update dependencies * docs: add comments * fix(cargo): handle unpatched vulnerability * test(db): update trivy-db for integration tests * test(integration): update a golden file * test(cargo): Add a case for missing patched version Signed-off-by: Simarpreet Singh <simar@linux.com> * refactor(advisory): update comments * refactor(node/advisory): change the receiver * chore(mod): update dependencies * refactor(comparer): unexport MatchVersion * refactor: fix maligned structs * test(node): add empty value * refactor * refactor: sort imports * chore(mod): update trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>
2025-12-22 23:26:39 -08:00 · 2020-11-17 18:38:58 +09:00
parent 9dfb0fe3a9
commit b6d5b82c48
45 changed files with 1455 additions and 473 deletions
--- a/pkg/detector/library/python/advisory_test.go
+++ b/pkg/detector/library/python/advisory_test.go
@@ -0,0 +1,84 @@
+package python_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/detector/library/python"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/utils"
+)
+
+func TestAdvisory_DetectVulnerabilities(t *testing.T) {
+	type args struct {
+		pkgName string
+		pkgVer  string
+	}
+	tests := []struct {
+		name     string
+		args     args
+		fixtures []string
+		want     []types.DetectedVulnerability
+		wantErr  string
+	}{
+		{
+			name: "detected",
+			args: args{
+				pkgName: "django",
+				pkgVer:  "2.2.11-alpha",
+			},
+			fixtures: []string{"testdata/fixtures/pip.yaml"},
+			want: []types.DetectedVulnerability{
+				{
+					PkgName:          "django",
+					InstalledVersion: "2.2.11-alpha",
+					VulnerabilityID:  "CVE-2020-9402",
+					FixedVersion:     "1.11.29, 2.2.11, 3.0.4",
+				},
+			},
+		},
+		{
+			// https://github.com/aquasecurity/trivy/issues/713
+			name: "not detected",
+			args: args{
+				pkgName: "django",
+				pkgVer:  "3.0.10",
+			},
+			fixtures: []string{"testdata/fixtures/pip.yaml"},
+			want:     nil,
+		},
+		{
+			name: "malformed JSON",
+			args: args{
+				pkgName: "django",
+				pkgVer:  "2.0.18",
+			},
+			fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
+			wantErr:  "failed to unmarshal advisory JSON",
+		},
+	}
+
+	log.InitLogger(false, true)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			dir := utils.InitTestDB(t, tt.fixtures)
+			defer os.RemoveAll(dir)
+
+			a := python.NewAdvisory()
+			got, err := a.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
+			if tt.wantErr != "" {
+				require.NotNil(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+				return
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}