| 1 | ;;; GNU Guix --- Functional package management for GNU |
| 2 | ;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org> |
| 3 | ;;; |
| 4 | ;;; This file is part of GNU Guix. |
| 5 | ;;; |
| 6 | ;;; GNU Guix is free software; you can redistribute it and/or modify it |
| 7 | ;;; under the terms of the GNU General Public License as published by |
| 8 | ;;; the Free Software Foundation; either version 3 of the License, or (at |
| 9 | ;;; your option) any later version. |
| 10 | ;;; |
| 11 | ;;; GNU Guix is distributed in the hope that it will be useful, but |
| 12 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 14 | ;;; GNU General Public License for more details. |
| 15 | ;;; |
| 16 | ;;; You should have received a copy of the GNU General Public License |
| 17 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. |
| 18 | |
;; Unit tests for (guix cve): parsing the CVE JSON sample and the
;; package/version matching performed by VULNERABILITIES->LOOKUP-PROC.
(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)            ; third, fifth, delete-duplicates
  #:use-module (srfi srfi-19)           ; date-year
  #:use-module (srfi srfi-64))          ; test-begin, test-equal, test-end
| 24 | |
;; File name of the sample CVE feed, found by searching %LOAD-PATH
;; (SEARCH-PATH yields #f when no directory on the path contains it).
(define %sample
  (let ((relative-name "tests/cve-sample.json"))
    (search-path %load-path relative-name)))
| 27 | |
(define vulnerability
  ;; Build a <vulnerability> record for ID and PACKAGES without going
  ;; through the (guix cve) exports: '@@' reaches into the module's
  ;; private bindings.
  ;; NOTE(review): the field order (id, then packages) must mirror the
  ;; record definition in (guix cve); a layout change there would not be
  ;; caught by this helper.
  (lambda (id packages)
    (make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages)))
| 30 | |
(define %expected-vulnerabilities
  ;; What we should get when reading %SAMPLE.  Each entry pairs a CVE id
  ;; with the package configurations kept from the sample; version
  ;; constraints are expressed with OR/AND, <, <=, >=, and '_' (any version).
  (list
   (vulnerability "CVE-2019-0001"
                  ;; Only the "a" CPE configurations are kept; the "o"
                  ;; configurations are discarded.
                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
   (vulnerability "CVE-2019-0005"
                  '(("junos" (or "18.11" "18.1"))))
   ;; NOTE(review): a comment here said CVE-2019-0005 has no "a"
   ;; configurations, yet the entry above carries junos configurations;
   ;; it looks stale—confirm against tests/cve-sample.json.
   (vulnerability "CVE-2019-14811"
                  '(("ghostscript" (< "9.28"))))
   (vulnerability "CVE-2019-17365"
                  '(("nix" (<= "2.3"))))
   (vulnerability "CVE-2019-1010180"
                  '(("gdb" _)))                  ;any version
   (vulnerability "CVE-2019-1010204"
                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
   ;; CVE-2019-18192 has no associated configurations, so it is absent here
   ;; even though JSON->CVE-ITEMS still reports its id.
   ))
| 52 | |
| 53 | \f |
(test-begin "cve")

;; Every CVE entry in the sample is parsed, in the order it is read,
;; including CVE-2019-18192 which carries no configurations.
(test-equal "json->cve-items"
  '("CVE-2019-0001"
    "CVE-2019-0005"
    "CVE-2019-14811"
    "CVE-2019-17365"
    "CVE-2019-1010180"
    "CVE-2019-1010204"
    "CVE-2019-18192")
  (let ((items (call-with-input-file %sample json->cve-items)))
    (map (lambda (item) (cve-id (cve-item-cve item)))
         items)))
| 66 | |
;; All entries of the sample carry a 2019 publication date.
(test-equal "cve-item-published-date"
  '(2019)
  (let ((items (call-with-input-file %sample json->cve-items)))
    (delete-duplicates
     (map (lambda (item) (date-year (cve-item-published-date item)))
          items))))
| 72 | |
;; Parsing the sample into vulnerabilities yields exactly the six entries
;; of %EXPECTED-VULNERABILITIES, in that order.
(test-equal "json->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample
    (lambda (port) (json->vulnerabilities port))))
| 76 | |
;; Boundary checks on version matching: a version strictly below an
;; exclusive bound matches, the bound itself does not; inclusive bounds
;; match at the bound; versions outside the range yield '().
(test-equal "vulnerabilities->lookup-proc"
  (list (list (third %expected-vulnerabilities))  ;ghostscript, no version given
        (list (third %expected-vulnerabilities))  ;9.27 < 9.28
        '()                                       ;9.28 is the excluded bound

        (list (fifth %expected-vulnerabilities))  ;gdb, no version given
        (list (fifth %expected-vulnerabilities))  ;gdb matches any version

        (list (fourth %expected-vulnerabilities)) ;nix, no version given
        '()                                       ;2.4 > 2.3

        (list (sixth %expected-vulnerabilities))  ;binutils 2.31.1, inclusive bound
        '()                                       ;2.10 < 2.21
        (list (sixth %expected-vulnerabilities))  ;binutils_gold 1.11, inclusive bound
        '())                                      ;2.32 > 2.31.1
  ;; Each query is (lookup PACKAGE [VERSION]); without VERSION the
  ;; vulnerabilities naming PACKAGE are expected regardless of version.
  (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
         (lookup (vulnerabilities->lookup-proc vulns)))
    (map (lambda (query) (apply lookup query))
         '(("ghostscript")
           ("ghostscript" "9.27")
           ("ghostscript" "9.28")
           ("gdb")
           ("gdb" "42.0")
           ("nix")
           ("nix" "2.4")
           ("binutils" "2.31.1")
           ("binutils" "2.10")
           ("binutils_gold" "1.11")
           ("binutils" "2.32")))))
| 105 | |
(test-end "cve")                        ; close the group opened by TEST-BEGIN