cve.scm 3.6 KB

  1. ;;; GNU Guix --- Functional package management for GNU
  2. ;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
  3. ;;;
  4. ;;; This file is part of GNU Guix.
  5. ;;;
  6. ;;; GNU Guix is free software; you can redistribute it and/or modify it
  7. ;;; under the terms of the GNU General Public License as published by
  8. ;;; the Free Software Foundation; either version 3 of the License, or (at
  9. ;;; your option) any later version.
  10. ;;;
  11. ;;; GNU Guix is distributed in the hope that it will be useful, but
  12. ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
  13. ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. ;;; GNU General Public License for more details.
  15. ;;;
  16. ;;; You should have received a copy of the GNU General Public License
  17. ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
  18. (define-module (test-cve)
  19. #:use-module (guix cve)
  20. #:use-module (srfi srfi-1)
  21. #:use-module (srfi srfi-19)
  22. #:use-module (srfi srfi-64))
  ;; File name of the JSON fixture parsed by every test below, resolved
  ;; through %load-path.  `search-path' returns #f when no directory of
  ;; %load-path contains the file, so a missing fixture shows up later as an
  ;; error from `call-with-input-file', not as a "fixture not found" message.
  (define %sample
    (let ((fixture "tests/cve-sample.json"))
      (search-path %load-path fixture)))
  (define (vulnerability id packages)
    ;; Return a <vulnerability> record built from ID and PACKAGES.  In this
    ;; file ID is a CVE identifier string and PACKAGES a list of
    ;; (NAME VERSION-PREDICATE) entries.
    ;;
    ;; The record type is fetched with `@@', which reads the binding from
    ;; (guix cve) whether or not that module exports it.
    ;; `make-struct/no-tail' fills fields positionally, so the expected values
    ;; built here are only meaningful if the record's fields are ID then
    ;; PACKAGES -- presumably matching the definition in (guix cve); re-check
    ;; if that record type changes.
    (let ((record-type (@@ (guix cve) <vulnerability>)))
      (make-struct/no-tail record-type id packages)))
  (define %expected-vulnerabilities
    ;; What `json->vulnerabilities' should return when reading %SAMPLE.
    ;; Each entry below is (ID PACKAGES) and is turned into a record with
    ;; `vulnerability'.  The order matters: the "vulnerabilities->lookup-proc"
    ;; test picks entries by position (third, fourth, fifth, sixth).
    (map (lambda (entry)
           (apply vulnerability entry))
         '(("CVE-2019-0001"
            ;; Only the "a" CPE configurations are kept; the "o"
            ;; configurations are discarded.
            (("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
           ("CVE-2019-0005"
            ;; NOTE(review): the original comment here read 'CVE-2019-0005
            ;; has no "a" configurations', yet an entry with "junos" versions
            ;; is expected for it -- confirm against the sample file which
            ;; of the two is stale.
            (("junos" (or "18.11" "18.1"))))
           ("CVE-2019-14811"
            ;; Strict upper bound: "9.28" itself is not affected.
            (("ghostscript" (< "9.28"))))
           ("CVE-2019-17365"
            ;; Inclusive upper bound.
            (("nix" (<= "2.3"))))
           ("CVE-2019-1010180"
            ;; `_' stands for "any version".
            (("gdb" _)))
           ("CVE-2019-1010204"
            ;; One CVE affecting two distinct package names, each with its
            ;; own inclusive range.
            (("binutils" (and (>= "2.21") (<= "2.31.1")))
             ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
           ;; CVE-2019-18192 has no associated configurations, so it yields
           ;; no entry here even though "json->cve-items" lists it.
           )))
  (test-begin "cve")

  ;; Every CVE item of %SAMPLE must be returned, in this order -- including
  ;; CVE-2019-18192, which has no entry in %expected-vulnerabilities.
  (test-equal "json->cve-items"
    '("CVE-2019-0001"
      "CVE-2019-0005"
      "CVE-2019-14811"
      "CVE-2019-17365"
      "CVE-2019-1010180"
      "CVE-2019-1010204"
      "CVE-2019-18192")
    (let ((items (call-with-input-file %sample json->cve-items)))
      (map (lambda (item)
             (cve-id (cve-item-cve item)))
           items)))
  ;; The publication year of every item in %SAMPLE is expected to be 2019, so
  ;; the de-duplicated list of years has a single element.  This only checks
  ;; the year component of the parsed date, not month, day or time zone.
  (test-equal "cve-item-published-date"
    '(2019)
    (let* ((items (call-with-input-file %sample json->cve-items))
           (years (map (lambda (item)
                         (date-year (cve-item-published-date item)))
                       items)))
      (delete-duplicates years)))
  ;; Reading %SAMPLE must produce exactly the records listed in
  ;; %expected-vulnerabilities: same entries, same order, same predicates.
  (test-equal "json->vulnerabilities"
    %expected-vulnerabilities
    (call-with-input-file %sample
      (lambda (port)
        (json->vulnerabilities port))))
  ;; Check the lookup procedure against the version predicates of
  ;; %expected-vulnerabilities.  What the expectations below pin down:
  ;;
  ;;   - a lookup without a version returns every vulnerability recorded for
  ;;     that package name, whatever its version range;
  ;;   - `(< "9.28")' excludes "9.28" itself, while the `<=' and `>='
  ;;     bounds are inclusive ("2.31.1" and "1.11" match);
  ;;   - `_' matches any version;
  ;;   - "binutils" and "binutils_gold" are looked up as separate names.
  ;;
  ;; NOTE(review): nothing here queries "junos", so the `or' predicates are
  ;; not exercised by this test, nor is a package name absent from the sample.
  (test-equal "vulnerabilities->lookup-proc"
    (let ((ghostscript (list (third %expected-vulnerabilities)))
          (nix         (list (fourth %expected-vulnerabilities)))
          (gdb         (list (fifth %expected-vulnerabilities)))
          (binutils    (list (sixth %expected-vulnerabilities)))
          (none        '()))
      (list ghostscript                 ;no version given
            ghostscript                 ;"9.27" is below "9.28"
            none                        ;"9.28" is the first fixed version
            gdb                         ;no version given
            gdb                         ;any version matches
            nix                         ;no version given
            none                        ;"2.4" is above "2.3"
            binutils                    ;"2.31.1" is the inclusive upper bound
            none                        ;"2.10" is below "2.21"
            binutils                    ;"1.11" is the inclusive lower bound
            none))                      ;"2.32" is above "2.31.1"
    (let* ((vulns   (call-with-input-file %sample json->vulnerabilities))
           (lookup  (vulnerabilities->lookup-proc vulns))
           ;; One argument list per call, in the same order as the
           ;; expectations above.
           (queries '(("ghostscript")
                      ("ghostscript" "9.27")
                      ("ghostscript" "9.28")
                      ("gdb")
                      ("gdb" "42.0")
                      ("nix")
                      ("nix" "2.4")
                      ("binutils" "2.31.1")
                      ("binutils" "2.10")
                      ("binutils_gold" "1.11")
                      ("binutils" "2.32"))))
      (map (lambda (query)
             (apply lookup query))
           queries)))

  (test-end "cve")