[jackhill/guix/guix.git] / tests / cve.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64))

(define %sample
  (search-path %load-path "tests/cve-sample.xml"))

(define (vulnerability id packages)
  (make-struct (@@ (guix cve) <vulnerability>) 0 id packages))

(define %expected-vulnerabilities
  ;; What we should get when reading %SAMPLE.
  (list
   ;; CVE-2003-0001 has no "/a" in its product list so it is omitted.
   ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
   (vulnerability "CVE-2008-2335" '(("phpvid" . "1.1") ("phpvid" . "1.2")))
   (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" . "3.5")
                                    ("jasper" . "1.900.1")))
   (vulnerability "CVE-2009-3301" '(("openoffice.org" . "2.1.0")
                                    ("openoffice.org" . "2.3.0")
                                    ("openoffice.org" . "2.2.1")))
   ;; CVE-2015-8330 has no software list.
   ))

\f
(test-begin "cve")

(test-equal "xml->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample xml->vulnerabilities))

(test-equal ""
  (list `(("1.1" . ,(first %expected-vulnerabilities))
          ("1.2" . ,(first %expected-vulnerabilities)))
        '()
        '()
        (list (second %expected-vulnerabilities))
        (list (third %expected-vulnerabilities)))
  (let* ((vulns  (call-with-input-file %sample xml->vulnerabilities))
         (lookup (vulnerabilities->lookup-proc vulns)))
    (list (lookup "phpvid")
          (lookup "jasper" "2.0")
          (lookup "foobar")
          (lookup "jasper" "1.900.1")
          (lookup "openoffice.org" "2.3.0"))))

(test-end "cve")

\f
(exit (= (test-runner-fail-count (test-runner-current)) 0))
Commit	Line	Data
0eef7551 LC	1	;;; GNU Guix --- Functional package management for GNU
	2	;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (test-cve)
	20	#:use-module (guix cve)
	21	#:use-module (srfi srfi-1)
	22	#:use-module (srfi srfi-64))
	23
	24	(define %sample
	25	(search-path %load-path "tests/cve-sample.xml"))
	26
	27	(define (vulnerability id packages)
	28	(make-struct (@@ (guix cve) <vulnerability>) 0 id packages))
	29
	30	(define %expected-vulnerabilities
	31	;; What we should get when reading %SAMPLE.
	32	(list
	33	;; CVE-2003-0001 has no "/a" in its product list so it is omitted.
	34	;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
	35	(vulnerability "CVE-2008-2335" '(("phpvid" . "1.1") ("phpvid" . "1.2")))
	36	(vulnerability "CVE-2008-3522" '(("enterprise_virtualization" . "3.5")
	37	("jasper" . "1.900.1")))
	38	(vulnerability "CVE-2009-3301" '(("openoffice.org" . "2.1.0")
	39	("openoffice.org" . "2.3.0")
	40	("openoffice.org" . "2.2.1")))
	41	;; CVE-2015-8330 has no software list.
	42	))
	43
	44	\f
	45	(test-begin "cve")
	46
	47	(test-equal "xml->vulnerabilities"
	48	%expected-vulnerabilities
	49	(call-with-input-file %sample xml->vulnerabilities))
	50
	51	(test-equal ""
	52	(list `(("1.1" . ,(first %expected-vulnerabilities))
	53	("1.2" . ,(first %expected-vulnerabilities)))
	54	'()
	55	'()
	56	(list (second %expected-vulnerabilities))
	57	(list (third %expected-vulnerabilities)))
	58	(let* ((vulns (call-with-input-file %sample xml->vulnerabilities))
	59	(lookup (vulnerabilities->lookup-proc vulns)))
	60	(list (lookup "phpvid")
	61	(lookup "jasper" "2.0")
	62	(lookup "foobar")
	63	(lookup "jasper" "1.900.1")
	64	(lookup "openoffice.org" "2.3.0"))))
65
66	(test-end "cve")
67
68	\f
69	(exit (= (test-runner-fail-count (test-runner-current)) 0))