1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
4 ;;; This file is part of GNU Guix.
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;;; Test module for (guix cve): parses the sample CVE feed referenced as
;;; %sample and checks the resulting items, vulnerabilities and the
;;; package/version lookup procedure against hand-written expectations.
(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)          ; list accessors such as third/fifth
  #:use-module (srfi srfi-19)         ; date-year on published dates
  #:use-module (srfi srfi-64))        ; test-equal
26 (search-path %load-path "tests/cve-sample.json"))
;; Build a <vulnerability> record directly, bypassing the public API of
;; (guix cve).  The record type is reached through @@ because it is not
;; exported; the positional fields ID and PACKAGES are assumed to match the
;; record definition in (guix cve) -- if that definition changes, this helper
;; (and every expectation built from it) must be updated in step.
(define (vulnerability id packages)
  (let ((record-type (@@ (guix cve) <vulnerability>)))
    (make-struct/no-tail record-type id packages)))
31 (define %expected-vulnerabilities
32 ;; What we should get when reading %SAMPLE.
34 (vulnerability "CVE-2019-0001"
35 ;; Only the "a" CPE configurations are kept; the "o"
36 ;; configurations are discarded.
37 '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
38 (vulnerability "CVE-2019-0005"
39 '(("junos" (or "18.11" "18.1"))))
40 ;; CVE-2019-0005 has no "a" configurations.
41 (vulnerability "CVE-2019-14811"
42 '(("ghostscript" (< "9.28"))))
43 (vulnerability "CVE-2019-17365"
44 '(("nix" (<= "2.3"))))
45 (vulnerability "CVE-2019-1010180"
46 '(("gdb" _))) ;any version
47 (vulnerability "CVE-2019-1010204"
48 '(("binutils" (and (>= "2.21") (<= "2.31.1")))
49 ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
50 ;; CVE-2019-18192 has no associated configurations.
56 (test-equal "json->cve-items"
64 (map (compose cve-id cve-item-cve)
65 (call-with-input-file %sample json->cve-items)))
67 (test-equal "cve-item-published-date"
70 (map (compose date-year cve-item-published-date)
71 (call-with-input-file %sample json->cve-items))))
;; Reading the sample feed must yield exactly %expected-vulnerabilities,
;; in order: records that the parser should discard (no "a" configurations,
;; no configurations at all) must not appear.
(test-equal "json->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample
    (lambda (port)
      (json->vulnerabilities port))))
77 (test-equal "vulnerabilities->lookup-proc"
78 (list (list (third %expected-vulnerabilities)) ;ghostscript
79 (list (third %expected-vulnerabilities))
82 (list (fifth %expected-vulnerabilities)) ;gdb
83 (list (fifth %expected-vulnerabilities))
85 (list (fourth %expected-vulnerabilities)) ;nix
88 (list (sixth %expected-vulnerabilities)) ;binutils
90 (list (sixth %expected-vulnerabilities))
92 (let* ((vulns (call-with-input-file %sample json->vulnerabilities))
93 (lookup (vulnerabilities->lookup-proc vulns)))
94 (list (lookup "ghostscript")
95 (lookup "ghostscript" "9.27")
96 (lookup "ghostscript" "9.28")
101 (lookup "binutils" "2.31.1")
102 (lookup "binutils" "2.10")
103 (lookup "binutils_gold" "1.11")
104 (lookup "binutils" "2.32"))))