| // Copyright 2022 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package govulncheck |
| |
| import ( |
| "testing" |
| |
| "github.com/google/go-cmp/cmp" |
| "golang.org/x/vuln/osv" |
| "golang.org/x/vuln/vulncheck" |
| ) |
| |
| func TestLatestFixed(t *testing.T) { |
| for _, test := range []struct { |
| name string |
| in []osv.Affected |
| want string |
| }{ |
| {"empty", nil, ""}, |
| { |
| "no semver", |
| []osv.Affected{ |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeGit, |
| Events: []osv.RangeEvent{ |
| {Introduced: "v1.0.0", Fixed: "v1.2.3"}, |
| }, |
| }}, |
| }, |
| }, |
| "", |
| }, |
| { |
| "one", |
| []osv.Affected{ |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeSemver, |
| Events: []osv.RangeEvent{ |
| {Introduced: "v1.0.0", Fixed: "v1.2.3"}, |
| }, |
| }}, |
| }, |
| }, |
| "v1.2.3", |
| }, |
| { |
| "several", |
| []osv.Affected{ |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeSemver, |
| Events: []osv.RangeEvent{ |
| {Introduced: "v1.0.0", Fixed: "v1.2.3"}, |
| {Introduced: "v1.5.0", Fixed: "v1.5.6"}, |
| }, |
| }}, |
| }, |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeSemver, |
| Events: []osv.RangeEvent{ |
| {Introduced: "v1.3.0", Fixed: "v1.4.1"}, |
| }, |
| }}, |
| }, |
| }, |
| "v1.5.6", |
| }, |
| { |
| "no v prefix", |
| []osv.Affected{ |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeSemver, |
| Events: []osv.RangeEvent{ |
| {Fixed: "1.17.2"}, |
| }, |
| }}, |
| }, |
| { |
| Ranges: osv.Affects{ |
| { |
| Type: osv.TypeSemver, |
| Events: []osv.RangeEvent{ |
| {Introduced: "1.18.0", Fixed: "1.18.4"}, |
| }, |
| }}, |
| }, |
| }, |
| "1.18.4", |
| }, |
| } { |
| t.Run(test.name, func(t *testing.T) { |
| got := LatestFixed(test.in) |
| if got != test.want { |
| t.Errorf("got %q, want %q", got, test.want) |
| } |
| }) |
| } |
| } |
| |
| func TestPlatforms(t *testing.T) { |
| for _, test := range []struct { |
| entry *osv.Entry |
| want string |
| }{ |
| { |
| entry: &osv.Entry{ID: "All"}, |
| want: "", |
| }, |
| { |
| entry: &osv.Entry{ |
| ID: "one-import", |
| Affected: []osv.Affected{{ |
| Package: osv.Package{Name: "golang.org/vmod"}, |
| Ranges: osv.Affects{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.2.0"}}}}, |
| EcosystemSpecific: osv.EcosystemSpecific{ |
| Imports: []osv.EcosystemSpecificImport{{ |
| GOOS: []string{"windows", "linux"}, |
| GOARCH: []string{"amd64", "wasm"}, |
| }}, |
| }, |
| }}, |
| }, |
| want: "linux/amd64, linux/wasm, windows/amd64, windows/wasm", |
| }, |
| { |
| entry: &osv.Entry{ |
| ID: "two-imports", |
| Affected: []osv.Affected{{ |
| Package: osv.Package{Name: "golang.org/vmod"}, |
| Ranges: osv.Affects{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.2.0"}}}}, |
| EcosystemSpecific: osv.EcosystemSpecific{ |
| Imports: []osv.EcosystemSpecificImport{ |
| { |
| GOOS: []string{"windows"}, |
| GOARCH: []string{"amd64"}, |
| }, |
| { |
| GOOS: []string{"linux"}, |
| GOARCH: []string{"amd64"}, |
| }, |
| }, |
| }, |
| }}, |
| }, |
| want: "linux/amd64, windows/amd64", |
| }, |
| } { |
| t.Run(test.entry.ID, func(t *testing.T) { |
| got := platforms(test.entry) |
| if got != test.want { |
| t.Errorf("got %q, want %q", got, test.want) |
| } |
| }) |
| } |
| } |
| |
| func TestIndent(t *testing.T) { |
| for _, test := range []struct { |
| name string |
| s string |
| n int |
| want string |
| }{ |
| {"short", "hello", 2, " hello"}, |
| {"multi", "mulit\nline\nstring", 1, " mulit\n line\n string"}, |
| } { |
| t.Run(test.name, func(t *testing.T) { |
| got := indent(test.s, test.n) |
| if diff := cmp.Diff(test.want, got); diff != "" { |
| t.Fatalf("mismatch (-want, +got):\n%s", diff) |
| } |
| }) |
| } |
| } |
| |
| func TestUniqueCallStack(t *testing.T) { |
| a := &vulncheck.FuncNode{Name: "A"} |
| b := &vulncheck.FuncNode{Name: "B"} |
| v1 := &vulncheck.FuncNode{Name: "V1"} |
| v2 := &vulncheck.FuncNode{Name: "V2"} |
| v3 := &vulncheck.FuncNode{Name: "V3"} |
| |
| vuln1 := &vulncheck.Vuln{Symbol: "V1", CallSink: 1} |
| vuln2 := &vulncheck.Vuln{Symbol: "V2", CallSink: 2} |
| vuln3 := &vulncheck.Vuln{Symbol: "V3", CallSink: 3} |
| |
| vr := &vulncheck.Result{ |
| Calls: &vulncheck.CallGraph{ |
| Functions: map[int]*vulncheck.FuncNode{1: v1, 2: v2, 3: v3}, |
| }, |
| Vulns: []*vulncheck.Vuln{vuln1, vuln2, vuln3}, |
| } |
| |
| callStack := func(fs ...*vulncheck.FuncNode) vulncheck.CallStack { |
| var cs vulncheck.CallStack |
| for _, f := range fs { |
| cs = append(cs, vulncheck.StackEntry{Function: f}) |
| } |
| return cs |
| } |
| |
| // V1, V2, and V3 are vulnerable symbols |
| skip := []*vulncheck.Vuln{vuln1, vuln2, vuln3} |
| for _, test := range []struct { |
| vuln *vulncheck.Vuln |
| css []vulncheck.CallStack |
| want vulncheck.CallStack |
| }{ |
| // [A -> B -> V3 -> V1, A -> V1] ==> A -> V1 since the first stack goes through V3 |
| {vuln1, []vulncheck.CallStack{callStack(a, b, v3, v1), callStack(a, v1)}, callStack(a, v1)}, |
| // [A -> V1 -> V2] ==> nil since the only candidate call stack goes through V1 |
| {vuln2, []vulncheck.CallStack{callStack(a, v1, v2)}, nil}, |
| // [A -> V1 -> V3, A -> B -> v3] ==> A -> B -> V3 since the first stack goes through V1 |
| {vuln3, []vulncheck.CallStack{callStack(a, v1, v3), callStack(a, b, v3)}, callStack(a, b, v3)}, |
| } { |
| t.Run(test.vuln.Symbol, func(t *testing.T) { |
| got := uniqueCallStack(test.vuln, test.css, skip, vr) |
| if diff := cmp.Diff(test.want, got); diff != "" { |
| t.Fatalf("mismatch (-want, +got):\n%s", diff) |
| } |
| }) |
| } |
| } |