mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-23 07:29:00 -08:00
139 lines
2.9 KiB
Go
139 lines
2.9 KiB
Go
package npm_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
|
"github.com/aquasecurity/trivy/pkg/detector/library/compare/npm"
|
|
)
|
|
|
|
func TestNpmComparer_IsVulnerable(t *testing.T) {
|
|
type args struct {
|
|
currentVersion string
|
|
advisory dbTypes.Advisory
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{
|
|
name: "happy path",
|
|
args: args{
|
|
currentVersion: "1.0.0",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"<=1.0"},
|
|
PatchedVersions: []string{">=1.1"},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "no patch",
|
|
args: args{
|
|
currentVersion: "1.2.3",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"<=99.999.99999"},
|
|
PatchedVersions: []string{"<0.0.0"},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "no patch with wildcard",
|
|
args: args{
|
|
currentVersion: "1.2.3",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"*"},
|
|
PatchedVersions: nil,
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "pre-release",
|
|
args: args{
|
|
currentVersion: "1.2.3-alpha",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"<=1.2.2"},
|
|
PatchedVersions: []string{">=1.2.2"},
|
|
},
|
|
},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "multiple constraints",
|
|
args: args{
|
|
currentVersion: "2.0.0",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{">=1.7.0 <1.7.16", ">=1.8.0 <1.8.8", ">=2.0.0 <2.0.8", ">=3.0.0-beta.1 <3.0.0-beta.7"},
|
|
PatchedVersions: []string{">=3.0.0-beta.7", ">=2.0.8 <3.0.0-beta.1", ">=1.8.8 <2.0.0", ">=1.7.16 <1.8.0"},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "x",
|
|
args: args{
|
|
currentVersion: "2.0.1",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"2.0.x", "2.1.x"},
|
|
PatchedVersions: []string{">=2.2.x"},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "exact versions",
|
|
args: args{
|
|
currentVersion: "2.1.0-M1",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"2.1.0-M1", "2.1.0-M2"},
|
|
PatchedVersions: []string{">=2.1.0"},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "caret",
|
|
args: args{
|
|
currentVersion: "2.0.18",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"<2.0.18", "<3.0.16"},
|
|
PatchedVersions: []string{"^2.0.18", "^3.0.16"},
|
|
},
|
|
},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "invalid version",
|
|
args: args{
|
|
currentVersion: "1.2..4",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"<1.0.0"},
|
|
},
|
|
},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "invalid constraint",
|
|
args: args{
|
|
currentVersion: "1.2.4",
|
|
advisory: dbTypes.Advisory{
|
|
VulnerableVersions: []string{"!1.0.0"},
|
|
},
|
|
},
|
|
want: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
c := npm.Comparer{}
|
|
got := c.IsVulnerable(tt.args.currentVersion, tt.args.advisory)
|
|
assert.Equal(t, tt.want, got)
|
|
})
|
|
}
|
|
}
|