[jackhill/guix/guix.git] / tests / cve.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-19)
  #:use-module (srfi srfi-64))

(define %sample
  (search-path %load-path "tests/cve-sample.json"))

(define (vulnerability id packages)
  (make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages))

(define %expected-vulnerabilities
  ;; What we should get when reading %SAMPLE.
  (list
   (vulnerability "CVE-2019-0001"
                  ;; Only the "a" CPE configurations are kept; the "o"
                  ;; configurations are discarded.
                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
   (vulnerability "CVE-2019-0005"
                  '(("junos" (or "18.11" "18.1"))))
   ;; CVE-2019-0005 has no "a" configurations.
   (vulnerability "CVE-2019-14811"
                  '(("ghostscript" (< "9.28"))))
   (vulnerability "CVE-2019-17365"
                  '(("nix" (<= "2.3"))))
   (vulnerability "CVE-2019-1010180"
                  '(("gdb" _)))                   ;any version
   (vulnerability "CVE-2019-1010204"
                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
   ;; CVE-2019-18192 has no associated configurations.
   ))

\f
(test-begin "cve")

(test-equal "json->cve-items"
  '("CVE-2019-0001"
    "CVE-2019-0005"
    "CVE-2019-14811"
    "CVE-2019-17365"
    "CVE-2019-1010180"
    "CVE-2019-1010204"
    "CVE-2019-18192")
  (map (compose cve-id cve-item-cve)
       (call-with-input-file %sample json->cve-items)))

(test-equal "cve-item-published-date"
  '(2019)
  (delete-duplicates
   (map (compose date-year cve-item-published-date)
        (call-with-input-file %sample json->cve-items))))

(test-equal "json->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample json->vulnerabilities))

(test-equal "vulnerabilities->lookup-proc"
  (list (list (third %expected-vulnerabilities))  ;ghostscript
        (list (third %expected-vulnerabilities))
        '()

        (list (fifth %expected-vulnerabilities))  ;gdb
        (list (fifth %expected-vulnerabilities))

        (list (fourth %expected-vulnerabilities)) ;nix
        '()

        (list (sixth %expected-vulnerabilities))  ;binutils
        '()
        (list (sixth %expected-vulnerabilities))
        '())
  (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
         (lookup (vulnerabilities->lookup-proc vulns)))
    (list (lookup "ghostscript")
          (lookup "ghostscript" "9.27")
          (lookup "ghostscript" "9.28")
          (lookup "gdb")
          (lookup "gdb" "42.0")
          (lookup "nix")
          (lookup "nix" "2.4")
          (lookup "binutils" "2.31.1")
          (lookup "binutils" "2.10")
          (lookup "binutils_gold" "1.11")
          (lookup "binutils" "2.32"))))

(test-end "cve")
Commit	Line	Data
0eef7551	1	;;; GNU Guix --- Functional package management for GNU
74afaa37	2	;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
0eef7551 LC	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (test-cve)
	20	#:use-module (guix cve)
	21	#:use-module (srfi srfi-1)
74afaa37	22	#:use-module (srfi srfi-19)
0eef7551 LC	23	#:use-module (srfi srfi-64))
	24
	25	(define %sample
74afaa37	26	(search-path %load-path "tests/cve-sample.json"))
0eef7551 LC	27
0eef7551 LC	28	(define (vulnerability id packages)
79c03e55	29	(make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages))
0eef7551 LC	30
	31	(define %expected-vulnerabilities
	32	;; What we should get when reading %SAMPLE.
	33	(list
74afaa37 LC	34	(vulnerability "CVE-2019-0001"
	35	;; Only the "a" CPE configurations are kept; the "o"
	36	;; configurations are discarded.
	37	'(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
	38	(vulnerability "CVE-2019-0005"
	39	'(("junos" (or "18.11" "18.1"))))
	40	;; CVE-2019-0005 has no "a" configurations.
	41	(vulnerability "CVE-2019-14811"
	42	'(("ghostscript" (< "9.28"))))
	43	(vulnerability "CVE-2019-17365"
	44	'(("nix" (<= "2.3"))))
	45	(vulnerability "CVE-2019-1010180"
	46	'(("gdb" _))) ;any version
	47	(vulnerability "CVE-2019-1010204"
	48	'(("binutils" (and (>= "2.21") (<= "2.31.1")))
	49	("binutils_gold" (and (>= "1.11") (<= "1.16")))))
	50	;; CVE-2019-18192 has no associated configurations.
0eef7551 LC	51	))
	52
	53	\f
	54	(test-begin "cve")
	55
74afaa37 LC	56	(test-equal "json->cve-items"
	57	'("CVE-2019-0001"
	58	"CVE-2019-0005"
	59	"CVE-2019-14811"
	60	"CVE-2019-17365"
	61	"CVE-2019-1010180"
	62	"CVE-2019-1010204"
	63	"CVE-2019-18192")
	64	(map (compose cve-id cve-item-cve)
	65	(call-with-input-file %sample json->cve-items)))
	66
	67	(test-equal "cve-item-published-date"
	68	'(2019)
	69	(delete-duplicates
	70	(map (compose date-year cve-item-published-date)
	71	(call-with-input-file %sample json->cve-items))))
	72
	73	(test-equal "json->vulnerabilities"
0eef7551	74	%expected-vulnerabilities
74afaa37	75	(call-with-input-file %sample json->vulnerabilities))
0eef7551	76
870bf71e	77	(test-equal "vulnerabilities->lookup-proc"
74afaa37 LC	78	(list (list (third %expected-vulnerabilities)) ;ghostscript
	79	(list (third %expected-vulnerabilities))
	80	'()
	81
	82	(list (fifth %expected-vulnerabilities)) ;gdb
	83	(list (fifth %expected-vulnerabilities))
	84
	85	(list (fourth %expected-vulnerabilities)) ;nix
0eef7551	86	'()
74afaa37 LC	87
74afaa37 LC	88	(list (sixth %expected-vulnerabilities)) ;binutils
0eef7551	89	'()
74afaa37 LC	90	(list (sixth %expected-vulnerabilities))
	91	'())
	92	(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
0eef7551	93	(lookup (vulnerabilities->lookup-proc vulns)))
74afaa37 LC	94	(list (lookup "ghostscript")
	95	(lookup "ghostscript" "9.27")
	96	(lookup "ghostscript" "9.28")
	97	(lookup "gdb")
	98	(lookup "gdb" "42.0")
	99	(lookup "nix")
	100	(lookup "nix" "2.4")
	101	(lookup "binutils" "2.31.1")
	102	(lookup "binutils" "2.10")
	103	(lookup "binutils_gold" "1.11")
	104	(lookup "binutils" "2.32"))))
0eef7551 LC	105
0eef7551 LC	106	(test-end "cve")