internal/worker: make a copy of testdata repo for worker
Instead of directly using testdata folder of the cveschema5 package
in the worker, make a copy of the required test data.
This allows us to transition to a new testing framework in the
cveschema5 package without needing to (immediately) change the worker logic.
For golang/go#49289
Change-Id: Ieab8fb4701ffa30b2dc000a48d86efe524f1cb02
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545297
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/internal/worker/testdata/basic.txtar b/internal/worker/testdata/basic.txtar
new file mode 100644
index 0000000..27e4439
--- /dev/null
+++ b/internal/worker/testdata/basic.txtar
@@ -0,0 +1,288 @@
+Repo in the shape of github.com/CVEProject/cvelist, with
+some actual data.
+
+-- README.md --
+ignore me please
+
+-- 2021/0xxx/CVE-2021-0001.json --
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2021-0001",
+ "ASSIGNER": "secure@intel.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "n/a",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Intel(R) IPP",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "before version 2020 update 1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "information disclosure"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "MISC",
+ "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html"
+ },
+ {
+ "refsource": "*added for testing*",
+ "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html",
+ "url": "https://golang.org/x/mod"
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access."
+ }
+ ]
+ }
+}
+-- 2021/0xxx/CVE-2021-0010.json --
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2021-0010",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
+-- 2021/1xxx/CVE-2021-1384.json --
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2021-1384",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "REJECT"
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "*added for testing*",
+ "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html",
+ "url": "https://golang.org/x/sync"
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none."
+ }
+ ]
+ }
+}
+-- 2020/9xxx/CVE-2020-9283.json --
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "cve@mitre.org",
+ "ID": "CVE-2020-9283",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "n/a",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "n/a"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "n/a"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "n/a"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "name": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
+ "url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
+ },
+ {
+ "refsource": "*added for testing*",
+ "name": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY",
+ "url": "https://golang.org/x/crypto"
+ }
+ ]
+ }
+}
+-- 2022/39xxx/CVE-2022-39213.json --
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
+ "ID": "CVE-2022-39213",
+ "STATE": "PUBLIC",
+ "TITLE": "Out-of-bounds Read in go-cvss"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "go-cvss",
+ "version": {
+ "version_data": [
+ {
+ "version_value": ">= 0.2.0, < 0.4.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "pandatix"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-125: Out-of-bounds Read"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx"
+ },
+ {
+ "name": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4",
+ "refsource": "MISC",
+ "url": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4"
+ },
+ {
+ "name": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md",
+ "refsource": "MISC",
+ "url": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md"
+ },
+ {
+ "name": "https://bitbucket.org/foo/bar/baz",
+ "refsource": "*added for testing*",
+ "url": "https://bitbucket.org/foo/bar/baz"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-xhmf-mmv2-4hhx",
+ "discovery": "UNKNOWN"
+ }
+}
diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index a21a135..f41341c 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -33,7 +33,7 @@
"golang.org/x/vulndb/internal/worker/store"
)
-const testRepoPath = "../cvelistrepo/testdata/basic.txtar"
+const testRepoPath = "testdata/basic.txtar"
var realProxy = flag.Bool("proxy", false, "if true, contact the real module proxy and update expected responses")