internal/worker/false_positives_test.go

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build go1.17
// +build go1.17

package worker

import (
	"context"
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"golang.org/x/vulndb/internal/cve4"
	"golang.org/x/vulndb/internal/worker/store"
)

func TestUpdateFalsePositives(t *testing.T) {
	const commitHash = "17294f1a2af61a2a2df52ac89cbd7c516f0c4e6a"
	commitTime := time.Date(2021, time.April, 12, 23, 0, 56, 0, time.UTC)

	mstore := store.NewMemStore()
	createCVERecords(t, mstore, []*store.CVERecord{
		// This DB record is older than the matching false positive record
		// embedded in the program, so it will be updated.
		{
			ID:                "CVE-2020-15112",
			Path:              "2020/15xxx/CVE-2020-15112.json",
			CommitHash:        "xyz",
			CommitTime:        time.Date(2021, time.March, 1, 0, 0, 0, 0, time.UTC),
			BlobHash:          "3d87891317ff107037bc0145194ab72df1890411",
			CVEState:          cve4.StatePublic,
			TriageState:       store.TriageStateNeedsIssue,
			TriageStateReason: "will be replaced",
		},
		// This DB record is newer, so it won't be changed.
		{
			ID:          "CVE-2020-15113",
			Path:        "2020/15xxx/CVE-2020-15113.json",
			BlobHash:    "9133c3be68ef84771bad74ec8770e1efff7bf0de",
			CommitHash:  commitHash,
			CommitTime:  commitTime,
			CVEState:    cve4.StatePublic,
			TriageState: store.TriageStateNoActionNeeded,
			ReferenceURLs: []string{
				"https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92",
			},
		},
	})

	if err := updateFalsePositives(context.Background(), mstore); err != nil {
		t.Fatal(err)
	}
	got := mstore.CVERecords()
	for _, want := range []*store.CVERecord{
		{
			// Doesn't exist in DB.
			ID:          "CVE-2016-0216",
			Path:        "2016/0xxx/CVE-2016-0216.json",
			CommitHash:  commitHash,
			CommitTime:  commitTime,
			BlobHash:    "ac9f59c6700576b5936dc014ce265ee0c9a41097",
			CVEState:    cve4.StatePublic,
			TriageState: store.TriageStateFalsePositive,
			ReferenceURLs: []string{
				"http://www.ibm.com/support/docview.wss?uid=swg21975358",
				"http://www.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_security_vulnerabilities_in_ibm_tivoli_storage_manager_fastback_cve_2016_0212_cve_2016_0213_cve_2016_0216",
			},
		},
		{
			// Newer than DB.
			ID:                "CVE-2020-15112",
			Path:              "2020/15xxx/CVE-2020-15112.json",
			CommitHash:        commitHash,
			CommitTime:        commitTime,
			BlobHash:          "3d87891317ff107037bc0145194ab72df1890411",
			CVEState:          cve4.StatePublic,
			TriageState:       store.TriageStateHasVuln,
			TriageStateReason: "GO-2020-0005",
		},
		{
			ID:          "CVE-2020-15113",
			Path:        "2020/15xxx/CVE-2020-15113.json",
			BlobHash:    "9133c3be68ef84771bad74ec8770e1efff7bf0de",
			CommitHash:  commitHash,
			CommitTime:  commitTime,
			CVEState:    cve4.StatePublic,
			TriageState: store.TriageStateNoActionNeeded,
			ReferenceURLs: []string{
				"https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92",
			},
		},
	} {
		if diff := cmp.Diff(want, got[want.ID]); diff != "" {
			t.Errorf("mismatch (-want, +got):\n%s", diff)
		}
	}
}