gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6040d9f43a35819d4c0338839b97619338e753ed
trivy/pkg/vulnerability/vulnerability_test.go
DmitriyLewen 6040d9f43a fix(sbom): add missed primaryURL and source severity for CycloneDX (#5399) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2023-10-19 05:37:32 +00:00

314 lines
10 KiB
Go
Raw Blame History

package vulnerability_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/types"
vuln "github.com/aquasecurity/trivy/pkg/vulnerability"
)
func TestClient_FillInfo(t *testing.T) {
tests := []struct {
name string
fixtures []string
vulns []types.DetectedVulnerability
expectedVulnerabilities []types.DetectedVulnerability
}{
{
name: "happy path, with only OS vulnerability but no vendor severity, no NVD",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{VulnerabilityID: "CVE-2019-0001"},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0001",
Status: dbTypes.StatusAffected,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityMedium.String(),
References: []string{"http://example.com"},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
},
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0001",
},
},
},
{
name: "happy path, with only OS vulnerability but no vendor severity, yes NVD",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "RUSTSEC-2018-0017",
DataSource: &dbTypes.DataSource{
ID: vulnerability.OSV,
Name: "RustSec Advisory Database",
URL: "https://github.com/RustSec/advisory-db",
},
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "RUSTSEC-2018-0017",
Status: dbTypes.StatusAffected,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.NVD: dbTypes.SeverityLow,
},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
},
SeveritySource: vulnerability.NVD,
PrimaryURL: "https://osv.dev/vulnerability/RUSTSEC-2018-0017",
DataSource: &dbTypes.DataSource{
ID: vulnerability.OSV,
Name: "RustSec Advisory Database",
URL: "https://github.com/RustSec/advisory-db",
},
},
},
},
{
name: "happy path, with only OS vulnerability but no severity, no vendor severity, no NVD",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "GHSA-28fw-88hq-6jmm",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Pip",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
},
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "GHSA-28fw-88hq-6jmm",
Status: dbTypes.StatusAffected,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityUnknown.String(),
References: []string{"http://example.com"},
},
PrimaryURL: "https://github.com/advisories/GHSA-28fw-88hq-6jmm",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Pip",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
},
},
},
},
{
name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and CVSS info",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0004",
DataSource: &dbTypes.DataSource{
ID: vulnerability.RedHat,
Name: "Red Hat OVAL v2",
URL: "https://www.redhat.com/security/data/oval/v2/",
},
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0004",
Status: dbTypes.StatusAffected,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityLow,
},
CweIDs: []string{"CWE-311"},
References: []string{"http://example.com"},
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
vulnerability.NVD: {
V2Vector: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
V2Score: 4.5,
V3Vector: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3Score: 5.6,
},
vulnerability.RedHat: {
V2Vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
V2Score: 7.8,
V3Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3Score: 9.8,
},
},
},
SeveritySource: vulnerability.RedHat,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0004",
DataSource: &dbTypes.DataSource{
ID: vulnerability.RedHat,
Name: "Red Hat OVAL v2",
URL: "https://www.redhat.com/security/data/oval/v2/",
},
},
},
},
{
name: "happy path, with only library vulnerability",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0005",
Status: dbTypes.StatusAffected,
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Pip",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
},
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0005",
Status: dbTypes.StatusAffected,
Vulnerability: dbTypes.Vulnerability{
Title: "COVID-19",
Description: "a nasty virus vulnerability for humans",
Severity: dbTypes.SeverityCritical.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.GHSA: dbTypes.SeverityCritical,
},
References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"},
},
SeveritySource: vulnerability.GHSA,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0005",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Pip",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
},
},
},
},
{
name: "happy path, with package-specific severity",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0001",
SeveritySource: vulnerability.Debian,
Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityLow.String(),
},
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0001",
Status: dbTypes.StatusAffected,
SeveritySource: vulnerability.Debian,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.Debian: dbTypes.SeverityLow,
},
References: []string{"http://example.com"},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
},
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0001",
},
},
},
{
name: "happy path. GHSA-xxx. Severity gets from ghsa",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{VulnerabilityID: "GHSA-0000-aaaa-1111"},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "GHSA-0000-aaaa-1111",
Status: dbTypes.StatusAffected,
SeveritySource: vulnerability.GHSA,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityHigh.String(),
References: []string{"http://example.com"},
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
"nvd": dbTypes.SeverityLow,
"ghsa": dbTypes.SeverityHigh,
},
},
PrimaryURL: "https://github.com/advisories/GHSA-0000-aaaa-1111",
},
},
},
{
name: "happy path. CVE-xxx. Severity gets from nvd",
fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
vulns: []types.DetectedVulnerability{
{VulnerabilityID: "CVE-2022-0001"},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-0001",
Status: dbTypes.StatusAffected,
SeveritySource: vulnerability.NVD,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
References: []string{"http://example.com"},
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
"nvd": dbTypes.SeverityLow,
"ghsa": dbTypes.SeverityHigh,
},
},
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-0001",
},
},
},
{
name: "GetVulnerability returns an error",
fixtures: []string{"testdata/fixtures/sad.yaml"},
vulns: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0004",
Status: dbTypes.StatusAffected,
},
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-0004",
Status: dbTypes.StatusAffected,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
dbtest.InitDB(t, tt.fixtures)
defer db.Close()
c := vuln.NewClient(db.Config{})
c.FillInfo(tt.vulns)
assert.Equal(t, tt.expectedVulnerabilities, tt.vulns, tt.name)
})
}
}
Reference in New Issue View Git Blame Copy Permalink