internal/report/cve_test.go - vulndb - Git at Google

 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package report

 import (
 	"context"
 	"flag"
 	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/exp/maps"
 	"golang.org/x/tools/txtar"
 	"golang.org/x/vulndb/internal/cvelistrepo"
 	"golang.org/x/vulndb/internal/cveschema"
 	"golang.org/x/vulndb/internal/cveschema5"
 	"golang.org/x/vulndb/internal/gitrepo"
 	"golang.org/x/vulndb/internal/test"
 	"gopkg.in/yaml.v3"
 )

 var (
 	updateGolden     = flag.Bool("update", false, "update golden files")
 	updateTxtarRepos = flag.Bool("update-repo", false, "update the test repos ({v4,v5}.txtar) with real CVE data - this takes a while")
 )

 var (
 	testdata = filepath.Join("testdata", "cve")
 	v4txtar  = filepath.Join(testdata, "v4.txtar")
 	v5txtar  = filepath.Join(testdata, "v5.txtar")
 	testCVEs = map[string]string{
 		"CVE-2020-9283":  "golang.org/x/crypto",
 		"CVE-2022-39213": "github.com/pandatix/go-cvss",
 		"CVE-2023-44378": "github.com/Consensys/gnark",
 		"CVE-2023-45141": "github.com/gofiber/fiber",
 	}
 )

 func TestMain(m *testing.M) {
 	flag.Parse()
 	if *updateTxtarRepos {
 		ctx := context.Background()
 		ids := maps.Keys(testCVEs)
 		if err := cvelistrepo.WriteTxtarRepo(ctx, cvelistrepo.URLv4, v4txtar, ids); err != nil {
 			fail(err)
 		}
 		if err := cvelistrepo.WriteTxtarRepo(ctx, cvelistrepo.URLv5, v5txtar, ids); err != nil {
 			fail(err)
 		}
 	}
 	os.Exit(m.Run())
 }

 func fail(err error) {
 	fmt.Fprintln(os.Stderr, err)
 	os.Exit(1)
 }

 const placeholderID = "PLACEHOLDER-ID"

 func TestCVEToReport(t *testing.T) {
 	newV4 := func() cvelistrepo.CVE {
 		return new(cveschema.CVE)
 	}
 	toReportV4 := func(cve cvelistrepo.CVE, modulePath string) *Report {
 		return cveToReport(cve.(*cveschema.CVE), placeholderID, modulePath)
 	}
 	if err := run(t, v4txtar, newV4, toReportV4); err != nil {
 		t.Fatal(err)
 	}
 }

 func TestCVE5ToReport(t *testing.T) {
 	newV5 := func() cvelistrepo.CVE {
 		return new(cveschema5.CVERecord)
 	}
 	toReportV5 := func(cve cvelistrepo.CVE, modulePath string) *Report {
 		return cve5ToReport(cve.(*cveschema5.CVERecord), placeholderID, modulePath)
 	}
 	if err := run(t, v5txtar, newV5, toReportV5); err != nil {
 		t.Fatal(err)
 	}
 }

 // Check that the created report is the same for v4 and v5.
 // This is a transitional test that will be removed once we are OK
 // with divergence between v4 and v5, or if we remove support for v4 entirely.
 func TestV4V5Equivalence(t *testing.T) {
 	if err := filepath.WalkDir(filepath.Join(testdata, "TestCVE5ToReport"), func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 		if d.IsDir() {
 			return nil
 		}

 		fname := filepath.Base(path)
 		t.Run(fname, func(t *testing.T) {
 			v5b, err := findCVEFile(path)
 			if err != nil {
 				t.Fatal(err)
 			}
 			v4file := filepath.Join(testdata, "TestCVEToReport", fname)
 			v4b, err := findCVEFile(v4file)
 			if err != nil {
 				t.Fatal(err)
 			}
 			if diff := cmp.Diff(v4b, v5b); diff != "" {
 				t.Errorf("mismatch (-v4, +v5):\n%s", diff)
 			}
 		})
 		return nil
 	}); err != nil {
 		t.Fatal(err)
 	}
 }

 func findCVEFile(tf string) (*txtar.File, error) {
 	ar, err := txtar.ParseFile(tf)
 	if err != nil {
 		return nil, err
 	}
 	for _, af := range ar.Files {
 		if cveschema5.IsCVE(af.Name) {
 			return &af, nil
 		}
 	}
 	return nil, fmt.Errorf("%s: cve archive file not found", tf)
 }

 func run(t *testing.T, txtarFile string, newCVE func() cvelistrepo.CVE, toReport func(cvelistrepo.CVE, string) *Report) error {
 	if *updateGolden {
 		if err := os.RemoveAll(filepath.Join(testdata, t.Name())); err != nil {
 			t.Fatal(err)
 		}
 	}

 	repo, commit, err := gitrepo.TxtarRepoAndHead(txtarFile)
 	if err != nil {
 		return err
 	}
 	files, err := cvelistrepo.Files(repo, commit)
 	if err != nil {
 		return err
 	}

 	for _, file := range files {
 		id := cveschema5.FindCVE(file.Filename)
 		t.Run(id, func(t *testing.T) {
 			cve := newCVE()
 			if err := cvelistrepo.Parse(repo, file, cve); err != nil {
 				t.Fatalf("Parse(%s)=%s", id, err)
 			}

 			mp, ok := testCVEs[id]
 			if !ok {
 				t.Fatalf("%s not found in testCVEs", id)
 			}

 			b, err := yaml.Marshal(toReport(cve, mp))
 			if err != nil {
 				t.Fatal(err)
 			}

 			tf := filepath.Join(testdata, t.Name()+".txtar")

 			if *updateGolden {
 				if err := test.WriteTxtar(tf, []txtar.File{
 					{
 						Name: id,
 						Data: b,
 					},
 				}, fmt.Sprintf("Expected output of %s.", t.Name())); err != nil {
 					t.Fatal(err)
 				}
 			}

 			ar, err := txtar.ParseFile(tf)
 			if err != nil {
 				t.Fatal(err)
 			}

 			for _, af := range ar.Files {
 				if af.Name != id {
 					t.Errorf("unexpected archive file %s", af.Name)
 					continue
 				}
 				want, got := string(b), string(af.Data)
 				if diff := cmp.Diff(want, got); diff != "" {
 					t.Errorf("%s content mismatch (-want, +got):\n%s", af.Name, diff)
 				}
 			}
 		})
 	}

 	return nil
 }
	// Copyright 2023 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package report

	import (
	"context"
	"flag"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"testing"

	"github.com/google/go-cmp/cmp"
	"golang.org/x/exp/maps"
	"golang.org/x/tools/txtar"
	"golang.org/x/vulndb/internal/cvelistrepo"
	"golang.org/x/vulndb/internal/cveschema"
	"golang.org/x/vulndb/internal/cveschema5"
	"golang.org/x/vulndb/internal/gitrepo"
	"golang.org/x/vulndb/internal/test"
	"gopkg.in/yaml.v3"
	)

	var (
	updateGolden = flag.Bool("update", false, "update golden files")
	updateTxtarRepos = flag.Bool("update-repo", false, "update the test repos ({v4,v5}.txtar) with real CVE data - this takes a while")
	)

	var (
	testdata = filepath.Join("testdata", "cve")
	v4txtar = filepath.Join(testdata, "v4.txtar")
	v5txtar = filepath.Join(testdata, "v5.txtar")
	testCVEs = map[string]string{
	"CVE-2020-9283": "golang.org/x/crypto",
	"CVE-2022-39213": "github.com/pandatix/go-cvss",
	"CVE-2023-44378": "github.com/Consensys/gnark",
	"CVE-2023-45141": "github.com/gofiber/fiber",
	}
	)

	func TestMain(m *testing.M) {
	flag.Parse()
	if *updateTxtarRepos {
	ctx := context.Background()
	ids := maps.Keys(testCVEs)
	if err := cvelistrepo.WriteTxtarRepo(ctx, cvelistrepo.URLv4, v4txtar, ids); err != nil {
	fail(err)
	}
	if err := cvelistrepo.WriteTxtarRepo(ctx, cvelistrepo.URLv5, v5txtar, ids); err != nil {
	fail(err)
	}
	}
	os.Exit(m.Run())
	}

	func fail(err error) {
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
	}

	const placeholderID = "PLACEHOLDER-ID"

	func TestCVEToReport(t *testing.T) {
	newV4 := func() cvelistrepo.CVE {
	return new(cveschema.CVE)
	}
	toReportV4 := func(cve cvelistrepo.CVE, modulePath string) *Report {
	return cveToReport(cve.(*cveschema.CVE), placeholderID, modulePath)
	}
	if err := run(t, v4txtar, newV4, toReportV4); err != nil {
	t.Fatal(err)
	}
	}

	func TestCVE5ToReport(t *testing.T) {
	newV5 := func() cvelistrepo.CVE {
	return new(cveschema5.CVERecord)
	}
	toReportV5 := func(cve cvelistrepo.CVE, modulePath string) *Report {
	return cve5ToReport(cve.(*cveschema5.CVERecord), placeholderID, modulePath)
	}
	if err := run(t, v5txtar, newV5, toReportV5); err != nil {
	t.Fatal(err)
	}
	}

	// Check that the created report is the same for v4 and v5.
	// This is a transitional test that will be removed once we are OK
	// with divergence between v4 and v5, or if we remove support for v4 entirely.
	func TestV4V5Equivalence(t *testing.T) {
	if err := filepath.WalkDir(filepath.Join(testdata, "TestCVE5ToReport"), func(path string, d fs.DirEntry, err error) error {
	if err != nil {
	return err
	}
	if d.IsDir() {
	return nil
	}

	fname := filepath.Base(path)
	t.Run(fname, func(t *testing.T) {
	v5b, err := findCVEFile(path)
	if err != nil {
	t.Fatal(err)
	}
	v4file := filepath.Join(testdata, "TestCVEToReport", fname)
	v4b, err := findCVEFile(v4file)
	if err != nil {
	t.Fatal(err)
	}
	if diff := cmp.Diff(v4b, v5b); diff != "" {
	t.Errorf("mismatch (-v4, +v5):\n%s", diff)
	}
	})
	return nil
	}); err != nil {
	t.Fatal(err)
	}
	}

	func findCVEFile(tf string) (*txtar.File, error) {
	ar, err := txtar.ParseFile(tf)
	if err != nil {
	return nil, err
	}
	for _, af := range ar.Files {
	if cveschema5.IsCVE(af.Name) {
	return &af, nil
	}
	}
	return nil, fmt.Errorf("%s: cve archive file not found", tf)
	}

	func run(t testing.T, txtarFile string, newCVE func() cvelistrepo.CVE, toReport func(cvelistrepo.CVE, string) Report) error {
	if *updateGolden {
	if err := os.RemoveAll(filepath.Join(testdata, t.Name())); err != nil {
	t.Fatal(err)
	}
	}

	repo, commit, err := gitrepo.TxtarRepoAndHead(txtarFile)
	if err != nil {
	return err
	}
	files, err := cvelistrepo.Files(repo, commit)
	if err != nil {
	return err
	}

	for _, file := range files {
	id := cveschema5.FindCVE(file.Filename)
	t.Run(id, func(t *testing.T) {
	cve := newCVE()
	if err := cvelistrepo.Parse(repo, file, cve); err != nil {
	t.Fatalf("Parse(%s)=%s", id, err)
	}

	mp, ok := testCVEs[id]
	if !ok {
	t.Fatalf("%s not found in testCVEs", id)
	}

	b, err := yaml.Marshal(toReport(cve, mp))
	if err != nil {
	t.Fatal(err)
	}

	tf := filepath.Join(testdata, t.Name()+".txtar")

	if *updateGolden {
	if err := test.WriteTxtar(tf, []txtar.File{
	{
	Name: id,
	Data: b,
	},
	}, fmt.Sprintf("Expected output of %s.", t.Name())); err != nil {
	t.Fatal(err)
	}
	}

	ar, err := txtar.ParseFile(tf)
	if err != nil {
	t.Fatal(err)
	}

	for _, af := range ar.Files {
	if af.Name != id {
	t.Errorf("unexpected archive file %s", af.Name)
	continue
	}
	want, got := string(b), string(af.Data)
	if diff := cmp.Diff(want, got); diff != "" {
	t.Errorf("%s content mismatch (-want, +got):\n%s", af.Name, diff)
	}
	}
	})
	}

	return nil
	}