amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
guix-mirrors/tests/cve.scm
Nicolas Graves d431f4620a
cve: Upgrade to JSON 2.0 feeds. 
Fixes guix/guix#2213.  The 1.1-formatted-data is no longer available
from NIST.

* guix/cve.scm (string->date*, <cve-item>,
reference-data->cve-configuration, cpe-match->cve-configuration,
configuration-data->cve-configurations, json->cve-items,
yearly-feed-uri, cve-item->vulnerability): Upgrade to JSON 2.0 feeds
schema.
(<cve>): Remove uneeded record.
* tests/cve-sample.json: Update them. Remove CVE-2019-0005 (no value
added, lots of lines).
* tests/cve.scm (%expected-vulnerabilities): Upgrade accordingly.
(json->cve-items, vulnerabilities->lookup-proc tests): Update accordingly.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2025-08-31 12:39:24 +02:00

103 lines
3.7 KiB
Scheme
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (test-cve)
#:use-module (guix cve)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-19)
#:use-module (srfi srfi-64))
;; Generated from the 2019 database :
;; jq -M '.vulnerabilities |= map(select(.cve.id | IN("CVE-2019-14811", "CVE-2019-17365", "CVE-2019-1010180", "CVE-2019-1010204", "CVE-2019-18192", "CVE-2019-0001"))) | .totalResults = (.vulnerabilities | length) | .resultsPerPage = (.vulnerabilities | length)'
(define %sample
(search-path %load-path "tests/cve-sample.json"))
(define (vulnerability id packages)
(make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages))
(define %expected-vulnerabilities
;; What we should get when reading %SAMPLE.
(list
(vulnerability "CVE-2019-1010204"
'(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
(vulnerability "CVE-2019-1010180"
'(("gnu" "gdb" (< "9.1"))))
(vulnerability "CVE-2019-14811"
'(("artifex" "ghostscript" (< "9.50"))))
(vulnerability "CVE-2019-17365"
'(("nixos" "nix" (<= "2.3"))))
(vulnerability "CVE-2019-18192"
'(("gnu" "guix" "1.0.1")))
;; Only the "a" CPE configurations are kept; the "o" configurations are discarded.
;; This is why CVE-2019-0001 doesn't appear here.
))
(test-begin "cve")
(test-equal "json->cve-items"
'("CVE-2019-0001"
"CVE-2019-1010204"
"CVE-2019-1010180"
"CVE-2019-14811"
"CVE-2019-17365"
"CVE-2019-18192")
(map cve-item-id
(call-with-input-file %sample json->cve-items)))
(test-equal "cve-item-published-date"
'(2019)
(delete-duplicates
(map (compose date-year cve-item-published-date)
(call-with-input-file %sample json->cve-items))))
(test-equal "json->vulnerabilities"
%expected-vulnerabilities
(call-with-input-file %sample json->vulnerabilities))
(test-equal "vulnerabilities->lookup-proc"
(list (list (first %expected-vulnerabilities)) ;binutils
'()
(list (first %expected-vulnerabilities))
'()
(list (second %expected-vulnerabilities)) ;gdb
(list (second %expected-vulnerabilities))
(list (third %expected-vulnerabilities)) ;ghostscript
(list (third %expected-vulnerabilities))
'()
(list (fourth %expected-vulnerabilities)) ;nix
'())
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
(lookup (vulnerabilities->lookup-proc vulns)))
(list (lookup "binutils" "2.31.1")
(lookup "binutils" "2.10")
(lookup "binutils_gold" "1.11")
(lookup "binutils" "2.32")
(lookup "gdb")
(lookup "gdb" "9.0")
(lookup "ghostscript")
(lookup "ghostscript" "9.27")
(lookup "ghostscript" "9.51")
(lookup "nix")
(lookup "nix" "2.4"))))
(test-end "cve")
Reference in a new issue View git blame Copy permalink