diff --git a/vmaas/reposcan/redhatcsaf/test/__init__.py b/vmaas/reposcan/redhatcsaf/test/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/vmaas/reposcan/redhatcsaf/test/cve-2023-0030.json b/vmaas/reposcan/redhatcsaf/test/cve-2023-0030.json
new file mode 100644
index 000000000..098f659e6
--- /dev/null
+++ b/vmaas/reposcan/redhatcsaf/test/cve-2023-0030.json
@@ -0,0 +1,293 @@ +{ + "document": { + "aggregate_severity": { + "namespace": "https://access.redhat.com/security/updates/classification/", + "text": "moderate" + }, + "category": "csaf_vex", + "csaf_version": "2.0", + "distribution": { + "text": "Copyright © Red Hat, Inc. All rights reserved.", + "tlp": { + "label": "WHITE", + "url": "https://www.first.org/tlp/" + } + }, + "lang": "en", + "notes": [ + { + "category": "legal_disclaimer", + "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", + "title": "Terms of Use" + } + ], + "publisher": { + "category": "vendor", + "contact_details": "https://access.redhat.com/security/team/contact/", + "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", + "name": "Red Hat Product Security", + "namespace": "https://www.redhat.com" + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/data/csaf/beta/vex/2023/cve-2023-0030.json" + } + ], + "title": "kernel: Use after Free in nvkm_vmm_pfn_map", + "tracking": { + "current_release_date": "2023-12-05T15:28:18+00:00", + "generator": { + "date": "2023-12-05T15:28:18+00:00", + "engine": { + "name": "Red Hat SDEngine", + "version": "3.25.1" + } + }, + "id": "CVE-2023-0030", + "initial_release_date": "2023-01-01T00:00:00+00:00", + "revision_history": [ + { + "date": "2023-01-01T00:00:00+00:00", + "number": "1", + "summary": "Initial version" + }, + { + "date": "2023-07-31T08:29:51+00:00", + "number": "2", + "summary": "Current version" + }, + { + "date": "2023-12-05T15:28:18+00:00", + "number": "3", + "summary": "Last generated version" + } + ], + "status": "final", + "version": "3" + } + }, + "product_tree": { + 
"branches": [ + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 6", + "product": { + "name": "Red Hat Enterprise Linux 6", + "product_id": "red_hat_enterprise_linux_6", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:6" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 7", + "product": { + "name": "Red Hat Enterprise Linux 7", + "product_id": "red_hat_enterprise_linux_7", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:7" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 8", + "product": { + "name": "Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:8" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 9", + "product": { + "name": "Red Hat Enterprise Linux 9", + "product_id": "red_hat_enterprise_linux_9", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:9" + } + } + }, + { + "category": "product_version", + "name": "kernel", + "product": { + "name": "kernel", + "product_id": "kernel" + } + }, + { + "category": "product_version", + "name": "kernel-rt", + "product": { + "name": "kernel-rt", + "product_id": "kernel-rt" + } + } + ], + "category": "vendor", + "name": "Red Hat" + } + ], + "relationships": [ + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel as a component of Red Hat Enterprise Linux 6", + "product_id": "red_hat_enterprise_linux_6:kernel" + }, + "product_reference": "kernel", + "relates_to_product_reference": "red_hat_enterprise_linux_6" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel as a component of Red Hat Enterprise Linux 7", + "product_id": "red_hat_enterprise_linux_7:kernel" + }, + "product_reference": "kernel", + "relates_to_product_reference": 
"red_hat_enterprise_linux_7" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel-rt as a component of Red Hat Enterprise Linux 7", + "product_id": "red_hat_enterprise_linux_7:kernel-rt" + }, + "product_reference": "kernel-rt", + "relates_to_product_reference": "red_hat_enterprise_linux_7" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel as a component of Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8:kernel" + }, + "product_reference": "kernel", + "relates_to_product_reference": "red_hat_enterprise_linux_8" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel-rt as a component of Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8:kernel-rt" + }, + "product_reference": "kernel-rt", + "relates_to_product_reference": "red_hat_enterprise_linux_8" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel as a component of Red Hat Enterprise Linux 9", + "product_id": "red_hat_enterprise_linux_9:kernel" + }, + "product_reference": "kernel", + "relates_to_product_reference": "red_hat_enterprise_linux_9" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "kernel-rt as a component of Red Hat Enterprise Linux 9", + "product_id": "red_hat_enterprise_linux_9:kernel-rt" + }, + "product_reference": "kernel-rt", + "relates_to_product_reference": "red_hat_enterprise_linux_9" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-2023-0030", + "cwe": { + "id": "CWE-416", + "name": "Use After Free" + }, + "discovery_date": "2022-12-30T00:00:00+00:00", + "flags": [ + { + "label": "vulnerable_code_not_present", + "product_ids": [ + "red_hat_enterprise_linux_6:kernel", + "red_hat_enterprise_linux_7:kernel", + "red_hat_enterprise_linux_7:kernel-rt", + "red_hat_enterprise_linux_8:kernel", + "red_hat_enterprise_linux_8:kernel-rt", + 
"red_hat_enterprise_linux_9:kernel", + "red_hat_enterprise_linux_9:kernel-rt" + ] + } + ], + "ids": [ + { + "system_name": "Red Hat Bugzilla ID", + "text": "2157270" + } + ], + "notes": [ + { + "category": "description", + "text": "A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.", + "title": "Vulnerability description" + }, + { + "category": "summary", + "text": "kernel: Use after Free in nvkm_vmm_pfn_map", + "title": "Vulnerability summary" + }, + { + "category": "other", + "text": "This issue is rated Moderate due to complexity, and a denial of service is only possible with the known attack scenario.\nThe Red Hat Enterprise Linux not affected, because commit 9211092b378 \"[drm] drm: Main backport to rebase from 4.18 to 5.1\" applied already.", + "title": "Statement" + }, + { + "category": "general", + "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", + "title": "CVSS score applicability" + } + ], + "product_status": { + "known_not_affected": [ + "red_hat_enterprise_linux_6:kernel", + "red_hat_enterprise_linux_7:kernel", + "red_hat_enterprise_linux_7:kernel-rt", + "red_hat_enterprise_linux_8:kernel", + "red_hat_enterprise_linux_8:kernel-rt", + "red_hat_enterprise_linux_9:kernel", + "red_hat_enterprise_linux_9:kernel-rt" + ] + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/cve/CVE-2023-0030" + }, + { + "category": "external", + "summary": "RHBZ#2157270", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157270" + }, + { + "category": "external", + "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0030", + "url": 
"https://www.cve.org/CVERecord?id=CVE-2023-0030"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030"
+ }
+ ],
+ "release_date": "2018-12-11T10:00:00+00:00",
+ "title": "kernel: Use after Free in nvkm_vmm_pfn_map"
+ }
+ ]
+}
diff --git a/vmaas/reposcan/redhatcsaf/test/cve-2023-0049.json b/vmaas/reposcan/redhatcsaf/test/cve-2023-0049.json
new file mode 100644
index 000000000..103db15ce
--- /dev/null
+++ b/vmaas/reposcan/redhatcsaf/test/cve-2023-0049.json
@@ -0,0 +1,300 @@ +{ + "document": { + "aggregate_severity": { + "namespace": "https://access.redhat.com/security/updates/classification/", + "text": "low" + }, + "category": "csaf_vex", + "csaf_version": "2.0", + "distribution": { + "text": "Copyright © Red Hat, Inc. All rights reserved.", + "tlp": { + "label": "WHITE", + "url": "https://www.first.org/tlp/" + } + }, + "lang": "en", + "notes": [ + { + "category": "legal_disclaimer", + "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", + "title": "Terms of Use" + } + ], + "publisher": { + "category": "vendor", + "contact_details": "https://access.redhat.com/security/team/contact/", + "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", + "name": "Red Hat Product Security", + "namespace": "https://www.redhat.com" + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/data/csaf/beta/vex/2023/cve-2023-0049.json" + } + ], + "title": "out-of-bounds read in function build_stl_str_hl", + "tracking": { + "current_release_date": "2023-07-08T04:16:56+00:00", + "generator": { + "date": "2023-10-12T17:32:53+00:00", + "engine": { + "name": "Red Hat SDEngine", + "version": "3.23.0" + } + }, + "id": "CVE-2023-0049", + "initial_release_date": "2023-01-04T00:00:00+00:00", + "revision_history": [ + { + "date": "2023-01-04T00:00:00+00:00", + "number": "1", + "summary": "Initial version" + }, + { + "date": "2023-07-08T04:16:56+00:00", + "number": "2", + "summary": "Current version" + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "branches": [ + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 6", + 
"product": { + "name": "Red Hat Enterprise Linux 6", + "product_id": "red_hat_enterprise_linux_6", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:6" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 7", + "product": { + "name": "Red Hat Enterprise Linux 7", + "product_id": "red_hat_enterprise_linux_7", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:7" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 8", + "product": { + "name": "Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:8" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 9", + "product": { + "name": "Red Hat Enterprise Linux 9", + "product_id": "red_hat_enterprise_linux_9", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:9" + } + } + }, + { + "category": "product_version", + "name": "vim", + "product": { + "name": "vim", + "product_id": "vim" + } + } + ], + "category": "vendor", + "name": "Red Hat" + } + ], + "relationships": [ + { + "category": "default_component_of", + "full_product_name": { + "name": "vim as a component of Red Hat Enterprise Linux 6", + "product_id": "red_hat_enterprise_linux_6:vim" + }, + "product_reference": "vim", + "relates_to_product_reference": "red_hat_enterprise_linux_6" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "vim as a component of Red Hat Enterprise Linux 7", + "product_id": "red_hat_enterprise_linux_7:vim" + }, + "product_reference": "vim", + "relates_to_product_reference": "red_hat_enterprise_linux_7" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "vim as a component of Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8:vim" + }, + "product_reference": "vim", + 
"relates_to_product_reference": "red_hat_enterprise_linux_8" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "vim as a component of Red Hat Enterprise Linux 9", + "product_id": "red_hat_enterprise_linux_9:vim" + }, + "product_reference": "vim", + "relates_to_product_reference": "red_hat_enterprise_linux_9" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-2023-0049", + "cwe": { + "id": "CWE-122", + "name": "Heap-based Buffer Overflow" + }, + "discovery_date": "2023-01-04T00:00:00+00:00", + "ids": [ + { + "system_name": "Red Hat Bugzilla ID", + "text": "2158269" + } + ], + "notes": [ + { + "category": "description", + "text": "A flaw was found in vim, which is vulnerable to an out-of-bounds read in the build_stl_str_hl function. This flaw allows a specially crafted file to cause information disclosure, data integrity corruption, or crash the software.", + "title": "Vulnerability description" + }, + { + "category": "summary", + "text": "out-of-bounds read in function build_stl_str_hl", + "title": "Vulnerability summary" + }, + { + "category": "general", + "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", + "title": "CVSS score applicability" + } + ], + "product_status": { + "known_affected": [ + "red_hat_enterprise_linux_6:vim", + "red_hat_enterprise_linux_7:vim", + "red_hat_enterprise_linux_8:vim", + "red_hat_enterprise_linux_9:vim" + ] + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/cve/CVE-2023-0049" + }, + { + "category": "external", + "summary": "RHBZ#2158269", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158269" + }, + { + "category": "external", + "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0049", + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0049" + }, + { + 
"category": "external", + "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049" + }, + { + "category": "external", + "summary": "https://huntr.dev/bounties/5e6f325c-ba54-4bf0-b050-dca048fd3fd9/", + "url": "https://huntr.dev/bounties/5e6f325c-ba54-4bf0-b050-dca048fd3fd9/" + } + ], + "release_date": "2023-01-04T00:00:00+00:00", + "remediations": [ + { + "category": "workaround", + "details": "Do not run vim with -s [scriptin] on untrusted scripts.", + "product_ids": [ + "red_hat_enterprise_linux_6:vim", + "red_hat_enterprise_linux_7:vim", + "red_hat_enterprise_linux_8:vim", + "red_hat_enterprise_linux_9:vim" + ] + }, + { + "category": "no_fix_planned", + "details": "Out of support scope", + "product_ids": [ + "red_hat_enterprise_linux_6:vim" + ] + }, + { + "category": "no_fix_planned", + "details": "Will not fix", + "product_ids": [ + "red_hat_enterprise_linux_7:vim", + "red_hat_enterprise_linux_8:vim", + "red_hat_enterprise_linux_9:vim" + ] + } + ], + "scores": [ + { + "cvss_v3": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "products": [ + "red_hat_enterprise_linux_6:vim", + "red_hat_enterprise_linux_7:vim", + "red_hat_enterprise_linux_8:vim", + "red_hat_enterprise_linux_9:vim" + ] + } + ], + "threats": [ + { + "category": "impact", + "details": "Low", + "product_ids": [ + "red_hat_enterprise_linux_6:vim", + "red_hat_enterprise_linux_7:vim", + "red_hat_enterprise_linux_8:vim", + "red_hat_enterprise_linux_9:vim" + ] + } + ], + "title": "out-of-bounds read in function build_stl_str_hl" + } + ] +} 
diff --git a/vmaas/reposcan/redhatcsaf/test/cve-2023-1017.json b/vmaas/reposcan/redhatcsaf/test/cve-2023-1017.json
new file mode 100644
index 000000000..443c170ef
--- /dev/null
+++ b/vmaas/reposcan/redhatcsaf/test/cve-2023-1017.json
@@ -0,0 +1,321 @@ +{ + "document": { + "aggregate_severity": { + "namespace": "https://access.redhat.com/security/updates/classification/", + "text": "moderate" + }, + "category": "csaf_vex", + "csaf_version": "2.0", + "distribution": { + "text": "Copyright © Red Hat, Inc. All rights reserved.", + "tlp": { + "label": "WHITE", + "url": "https://www.first.org/tlp/" + } + }, + "lang": "en", + "notes": [ + { + "category": "legal_disclaimer", + "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", + "title": "Terms of Use" + } + ], + "publisher": { + "category": "vendor", + "contact_details": "https://access.redhat.com/security/team/contact/", + "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", + "name": "Red Hat Product Security", + "namespace": "https://www.redhat.com" + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/data/csaf/beta/vex/2023/cve-2023-1017.json" + } + ], + "title": "TCG TPM2.0 implementations vulnerable to memory corruption", + "tracking": { + "current_release_date": "2023-05-09T07:49:31+00:00", + "generator": { + "date": "2023-10-12T18:01:40+00:00", + "engine": { + "name": "Red Hat SDEngine", + "version": "3.23.0" + } + }, + "id": "CVE-2023-1017", + "initial_release_date": "2023-02-28T00:00:00+00:00", + "revision_history": [ + { + "date": "2023-02-28T00:00:00+00:00", + "number": "1", + "summary": "Initial version" + }, + { + "date": "2023-05-09T07:49:31+00:00", + "number": "2", + "summary": "Current version" + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "branches": [ + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat 
Enterprise Linux 8", + "product": { + "name": "Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8", + "product_identification_helper": { + "cpe": "cpe:/o:redhat:enterprise_linux:8" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Enterprise Linux 8 Advanced Virtualization", + "product": { + "name": "Red Hat Enterprise Linux 8 Advanced Virtualization", + "product_id": "red_hat_enterprise_linux_8_advanced_virtualization", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:advanced_virtualization:8::el8" + } + } + }, + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat Enterprise Linux AppStream (v. 9)", + "product": { + "name": "Red Hat Enterprise Linux AppStream (v. 9)", + "product_id": "AppStream-9.2.0.GA", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream" + } + } + } + ], + "category": "product_family", + "name": "Red Hat Enterprise Linux" + }, + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat Enterprise Linux AppStream EUS (v.8.6)", + "product": { + "name": "Red Hat Enterprise Linux AppStream EUS (v.8.6)", + "product_id": "AppStream-8.6.0.Z.EUS", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:rhel_eus:8.6::appstream" + } + } + }, + { + "category": "product_name", + "name": "Red Hat CodeReady Linux Builder EUS (v.8.6)", + "product": { + "name": "Red Hat CodeReady Linux Builder EUS (v.8.6)", + "product_id": "CRB-8.6.0.Z.EUS", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:rhel_eus:8.6::crb" + } + } + } + ], + "category": "product_family", + "name": "Red Hat Enterprise Linux" + }, + { + "category": "product_version", + "name": "virt:rhel/libtpms", + "product": { + "name": "virt:rhel/libtpms", + "product_id": "virt:rhel/libtpms" + } + }, + { + "category": "product_version", + "name": "virt:8.2/libtpms", + "product": { + "name": "virt:8.2/libtpms", + "product_id": "virt:8.2/libtpms" + } + }, + { + "category": 
"product_version", + "name": "virt:8.3/libtpms", + "product": { + "name": "virt:8.3/libtpms", + "product_id": "virt:8.3/libtpms" + } + }, + { + "category": "product_version", + "name": "virt:av/libtpms", + "product": { + "name": "virt:av/libtpms", + "product_id": "virt:av/libtpms" + } + }, + { + "branches": [ + { + "category": "product_version", + "name": "SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch", + "product": { + "name": "SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch", + "product_id": "SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch", + "product_identification_helper": { + "purl": "pkg:rpm/redhat/SLOF@20210217-1.module%2Bel8.6.0%2B14480%2Bc0a3aa0f?arch=noarch" + } + } + } + ], + "category": "architecture", + "name": "noarch" + } + ], + "category": "vendor", + "name": "Red Hat" + } + ], + "relationships": [ + { + "category": "default_component_of", + "full_product_name": { + "name": "SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.8.6)", + "product_id": "AppStream-8.6.0.Z.EUS:SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch" + }, + "product_reference": "SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch", + "relates_to_product_reference": "AppStream-8.6.0.Z.EUS" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "hivex-0:1.3.18-23.module+el8.6.0+14480+c0a3aa0f.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.6)", + "product_id": "AppStream-8.6.0.Z.EUS:hivex-0:1.3.18-23.module+el8.6.0+14480+c0a3aa0f.aarch64" + }, + "product_reference": "hivex-0:1.3.18-23.module+el8.6.0+14480+c0a3aa0f.aarch64", + "relates_to_product_reference": "AppStream-8.6.0.Z.EUS" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "virt:rhel/libtpms as a component of Red Hat Enterprise Linux 8", + "product_id": "red_hat_enterprise_linux_8:virt:rhel/libtpms" + }, + "product_reference": "virt:rhel/libtpms", + 
"relates_to_product_reference": "red_hat_enterprise_linux_8" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "virt:8.2/libtpms as a component of Red Hat Enterprise Linux 8 Advanced Virtualization", + "product_id": "red_hat_enterprise_linux_8_advanced_virtualization:virt:8.2/libtpms" + }, + "product_reference": "virt:8.2/libtpms", + "relates_to_product_reference": "red_hat_enterprise_linux_8_advanced_virtualization" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "virt:8.3/libtpms as a component of Red Hat Enterprise Linux 8 Advanced Virtualization", + "product_id": "red_hat_enterprise_linux_8_advanced_virtualization:virt:8.3/libtpms" + }, + "product_reference": "virt:8.3/libtpms", + "relates_to_product_reference": "red_hat_enterprise_linux_8_advanced_virtualization" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "virt:av/libtpms as a component of Red Hat Enterprise Linux 8 Advanced Virtualization", + "product_id": "red_hat_enterprise_linux_8_advanced_virtualization:virt:av/libtpms" + }, + "product_reference": "virt:av/libtpms", + "relates_to_product_reference": "red_hat_enterprise_linux_8_advanced_virtualization" + } + ] + }, + "vulnerabilities": [ + { + "cve": "CVE-2023-1017", + "cwe": { + "id": "CWE-787", + "name": "Out-of-bounds Write" + }, + "discovery_date": "2022-11-29T00:00:00+00:00", + "ids": [ + { + "system_name": "Red Hat Bugzilla ID", + "text": "2149416" + } + ], + "notes": [ + { + "category": "description", + "text": "An out-of-bounds write vulnerability was found in the TPM 2.0's Module Library, which allows the writing of 2-byte data after the end of the TPM command. 
This flaw may lead to a denial of service or arbitrary code execution within the libtpms scope.",
+ "title": "Vulnerability description"
+ },
+ {
+ "category": "summary",
+ "text": "TCG TPM2.0 implementations vulnerable to memory corruption",
+ "title": "Vulnerability summary"
+ },
+ {
+ "category": "general",
+ "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
+ "title": "CVSS score applicability"
+ }
+ ],
+ "product_status": {
+ "fixed": [
+ "AppStream-8.6.0.Z.EUS:SLOF-0:20210217-1.module+el8.6.0+14480+c0a3aa0f.noarch"
+ ],
+ "known_affected": [
+ "red_hat_enterprise_linux_8:virt:rhel/libtpms",
+ "red_hat_enterprise_linux_8_advanced_virtualization:virt:8.2/libtpms",
+ "red_hat_enterprise_linux_8_advanced_virtualization:virt:8.3/libtpms",
+ "red_hat_enterprise_linux_8_advanced_virtualization:virt:av/libtpms"
+ ]
+ },
+ "references": [
+ {
+ "category": "self",
+ "summary": "Canonical URL",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-1017"
+ },
+ {
+ "category": "external",
+ "summary": "RHBZ#2149416",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149416"
+ },
+ {
+ "category": "external",
+ "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1017",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2023-1017"
+ },
+ {
+ "category": "external",
+ "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1017",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1017"
+ },
+ {
+ "category": "external",
+ "summary": "https://kb.cert.org/vuls/id/782720",
+ "url": "https://kb.cert.org/vuls/id/782720"
+ }
+ ],
+ "release_date": "2023-02-28T00:00:00+00:00",
+ "title": "TCG TPM2.0 implementations vulnerable to memory corruption"
+ }
+ ]
+}
diff --git a/vmaas/reposcan/redhatcsaf/test/test_controller.py b/vmaas/reposcan/redhatcsaf/test/test_controller.py
new file mode 100644
index 000000000..e2b7fca03
--- /dev/null
+++ b/vmaas/reposcan/redhatcsaf/test/test_controller.py
@@ -0,0 +1,59 @@
+"""Unit tests of csaf_controller.py."""
+import pathlib
+
+import pytest
+
+from vmaas.reposcan.redhatcsaf.csaf_controller import CsafController
+from vmaas.reposcan.redhatcsaf.modeling import CsafCves
+from vmaas.reposcan.redhatcsaf.modeling import CsafFile
+from vmaas.reposcan.redhatcsaf.modeling import CsafProduct
+
+
+EXPECTED_PARSE = (
+ ("cve-2023-0030.json", CsafCves({"CVE-2023-0030": []})),
+ (
+ "cve-2023-0049.json",
+ CsafCves(
+ {
+ "CVE-2023-0049": [
+ CsafProduct("cpe:/o:redhat:enterprise_linux:6", "vim"),
+ CsafProduct("cpe:/o:redhat:enterprise_linux:7", "vim"),
+ CsafProduct("cpe:/o:redhat:enterprise_linux:8", "vim"),
+ CsafProduct("cpe:/o:redhat:enterprise_linux:9", "vim"),
+ ]
+ }
+ ),
+ ),
+ (
+ "cve-2023-1017.json",
+ CsafCves(
+ {
+ "CVE-2023-1017": [
+ CsafProduct("cpe:/o:redhat:enterprise_linux:8", "libtpms", "virt:rhel"),
+ CsafProduct("cpe:/a:redhat:advanced_virtualization:8::el8", "libtpms", "virt:8.2"),
+ CsafProduct("cpe:/a:redhat:advanced_virtualization:8::el8", "libtpms", "virt:8.3"),
+ CsafProduct("cpe:/a:redhat:advanced_virtualization:8::el8", "libtpms", "virt:av"),
+ ]
+ }
+ ),
+ ),
+)
+
+
+class TestCsafController:
+ """CsafController tests."""
+
+ @pytest.fixture
+ def csaf(self, db_conn): # pylint: disable=unused-argument
+ """Fixture returning CsafController obj with tmp_directory se to current directory."""
+ csaf = CsafController()
+ csaf.tmp_directory = pathlib.Path(__file__).parent.resolve()
+ return csaf
+
+ @pytest.mark.parametrize("data", EXPECTED_PARSE, ids=[x[0] for x in EXPECTED_PARSE])
+ def test_parse_csaf_file(self, data, csaf):
+ """Test CSAF JSON file parsing."""
+ csaf_json, expected = data
+ csaf_file = CsafFile(csaf_json, None)
+ parsed = csaf.parse_csaf_file(csaf_file)
+ assert parsed == expected
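Review bot: EXPECTED_PARSE silently encodes which CSAF product_status buckets parse_csaf_file is expected to keep, but neither the table nor the test docstring states the rule: cve-2023-0030.json lists every product under known_not_affected and is expected to yield an empty list, and for cve-2023-1017.json only the four known_affected products appear while the `fixed` SLOF entry is absent. A comment above the table, e.g. `# Only product_status.known_affected products are expected; known_not_affected (cve-2023-0030) and fixed (cve-2023-1017) entries must not be parsed`, would turn a future tuple mismatch into a readable statement of which filtering regressed. The csaf fixture docstring also has a typo, `se` for `set`: `"""Fixture returning CsafController obj with tmp_directory set to current directory."""`.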
diff --git a/vmaas/reposcan/redhatcsaf/test/test_modeling.py b/vmaas/reposcan/redhatcsaf/test/test_modeling.py
new file mode 100644
index 000000000..55f766d64
--- /dev/null
+++ b/vmaas/reposcan/redhatcsaf/test/test_modeling.py
@@ -0,0 +1,226 @@
+"""Unit tests of CSAF models."""
+from collections.abc import Iterable
+from datetime import datetime
+from datetime import timedelta
+
+import pytest
+
+import vmaas.reposcan.redhatcsaf.modeling as model
+
+
+# pylint: disable=too-many-public-methods
+class TestModels:
+ """Test CSAF models."""
+
+ @pytest.fixture
+ def csaf_product(self):
+ """Returns CSAF product."""
+ return model.CsafProduct("cpe", "package", "module")
+
+ @pytest.fixture
+ def csaf_product_list(self, csaf_product):
+ """Returns list of CSAF products."""
+ return [csaf_product]
+
+ @pytest.fixture
+ def csaf_file(self):
+ """Returns CSAF file."""
+ now = datetime.now()
+ now1d = now + timedelta(days=1)
+ return model.CsafFile("name", now1d, now)
+
+ @pytest.fixture
+ def csaf_cves(self, csaf_product_list):
+ """Returns CSAF CVEs collection."""
+ return model.CsafCves({"key1": csaf_product_list, "key2": csaf_product_list})
+
+ @pytest.fixture
+ def csaf_files(self, csaf_file):
+ """Returns CSAF files collection."""
+ return model.CsafFiles({"key1": csaf_file, "key2": csaf_file})
+
+ @pytest.fixture
+ def csaf_product_updated(self):
+ """Returns CSAF product."""
+ return model.CsafProduct("cpe_updated", "package_updated", "module_updated")
+
+ @pytest.fixture
+ def csaf_product_list_updated(self, csaf_product_updated):
+ """Returns list of CSAF products."""
+ return [csaf_product_updated]
+
+ @pytest.fixture
+ def csaf_file_updated(self):
+ """Returns CSAF file."""
+ now = datetime.now()
+ now1d = now + timedelta(days=1)
+ return model.CsafFile("name_updated", now1d, now)
+
+ @pytest.fixture
+ def csaf_cves_updated(self, csaf_product_list_updated):
+ """Returns CSAF CVEs collection."""
+ return model.CsafCves({"key2": csaf_product_list_updated})
+
+ @pytest.fixture
+ def csaf_files_updated(self, csaf_file_updated):
+ """Returns CSAF files collection."""
+ return model.CsafFiles({"key2": csaf_file_updated})
+
+ @pytest.mark.parametrize("collection, expected", (("csaf_cves", "csaf_product_list"), ("csaf_files", "csaf_file")))
+ def test_get(self, collection, expected, request):
+ """Test get()"""
+ collection = request.getfixturevalue(collection)
+ expected = request.getfixturevalue(expected)
+
+ res = collection.get("key1")
+ assert res == expected
+
+ res = collection.get("key99")
+ assert res is None
+
+ res = collection.get("key99", "default")
+ assert res == "default"
+
+ @pytest.mark.parametrize("collection, expected", (("csaf_cves", "csaf_product_list"), ("csaf_files", "csaf_file")))
+ def test_getitem(self, collection, expected, request):
+ """Test __getitem__."""
+ collection = request.getfixturevalue(collection)
+ res = collection["key1"]
+ assert res == request.getfixturevalue(expected)
+
+ with pytest.raises(KeyError):
+ collection["key99"] # pylint: disable=pointless-statement
+
+ @pytest.mark.parametrize(
+ "collection, expected", (("csaf_cves", "csaf_cves_updated"), ("csaf_files", "csaf_files_updated"))
+ )
+ def test_setitem(self, collection, expected, request):
+ """Test __setitem__"""
+ collection = request.getfixturevalue(collection)
+ expected = request.getfixturevalue(expected)
+ collection["key2"] = expected["key2"]
+ assert collection["key2"] == expected["key2"]
+
+ @pytest.mark.parametrize(
+ "collection, expected", (("csaf_cves", "csaf_cves_updated"), ("csaf_files", "csaf_files_updated"))
+ )
+ def test_update(self, collection, expected, request):
+ """Test update()"""
+ collection = request.getfixturevalue(collection)
+ expected = request.getfixturevalue(expected)
+ collection.update(expected)
+ assert collection["key2"] == expected["key2"]
+
+ @pytest.mark.parametrize("collection", ("csaf_cves", "csaf_files"))
+ def test_iter(self, collection, request):
+ """Test __iter__"""
+ collection = request.getfixturevalue(collection)
+ assert isinstance(collection, Iterable)
+
+ @pytest.mark.parametrize("collection, expected", (("csaf_cves", "csaf_product_list"), ("csaf_files", "csaf_file")))
+ def test_next(self, collection, expected, request):
+ """Test __next__"""
+ collection = request.getfixturevalue(collection)
+ expected = request.getfixturevalue(expected)
+ assert next(collection) == expected
+
+ @pytest.mark.parametrize("collection", ("csaf_cves", "csaf_files"))
+ def test_contains(self, collection, request):
+ """Test __contains__"""
+ collection = request.getfixturevalue(collection)
+ assert "key1" in collection
+ assert "key99" not in collection
+
+ @pytest.mark.parametrize(
+ "obj, expected", (("csaf_cves", "key1"), ("csaf_files", "key1"), ("csaf_product", "cpe"), ("csaf_file", "name"))
+ )
+ def test_repr(self, obj, expected, request):
+ """Test __repr__"""
+ obj = request.getfixturevalue(obj)
+ res = repr(obj)
+ assert isinstance(res, str)
+ assert expected in res
+
+ @pytest.mark.parametrize("collection", ("csaf_cves", "csaf_files"))
+ def test_len(self, collection, request):
+ """Test __len__"""
+ collection = request.getfixturevalue(collection)
+ res = len(collection)
+ assert res == 2
+
+ @pytest.mark.parametrize(
+ "class_name, args",
+ (
+ ("CsafFile", ("x", "y")),
+ ("CsafFiles", None),
+ ("CsafProduct", ("x", "y", "z")),
+ ("CsafCves", None),
+ ("CsafData", None),
+ ),
+ )
+ def test_instantiate(self, class_name, args):
+ """Test class instantiation"""
+ class_ = getattr(model, class_name)
+ if args:
+ class_(*args)
+ else:
+ class_()
+
+ def test_csaf_file_out_of_date(self, csaf_file):
+ """Test CsafFile.out_of_date"""
+ assert csaf_file.out_of_date
+
+ def test_csaf_files_out_of_date(self, csaf_file):
+ """Test CsafFiles.out_of_date"""
+ collection = model.CsafFiles({"x": csaf_file, "y": csaf_file})
+ assert len(list(collection.out_of_date)) == 2
+
+ def test_from_table_map_and_csv(self, tmp_path):
+ """Test CsafFiles.from_table_map_and_csv"""
+ now = datetime.now()
+ csv_file = tmp_path / "test_csaf" / "test.csv"
+ csv_file.parent.mkdir(exist_ok=True)
+ csv_file.touch()
+
+ table_map = {"file1": (1, now), "file2": (2, now)}
+ modified = datetime.now()
+ csv_file.write_text(f"file2,{str(modified)}\r\nfile3,{str(modified)}")
+
+ collection = model.CsafFiles.from_table_map_and_csv(table_map, csv_file)
+ assert collection["file1"].csv_timestamp == collection["file1"].db_timestamp == now
+ assert collection["file2"].csv_timestamp > collection["file2"].db_timestamp
+ assert collection["file2"].csv_timestamp == modified
+ assert collection["file3"].csv_timestamp == modified
+ assert collection["file3"].db_timestamp is None
+
+ out_of_date = list(collection.out_of_date)
+ assert len(out_of_date) == 2
+
+ @pytest.mark.parametrize(
+ "collection, attr_tuple, by_key",
+ (("csaf_cves", ("cpe", "package", "module"), "key1"), ("csaf_files", ("name",), None)),
+ )
+ def test_to_tuples(self, collection, attr_tuple, by_key, request):
+ """Test collection.to_tuples()"""
+ collection = request.getfixturevalue(collection)
+
+ def _assert_tuples(item):
+ assert len(item) == len(attr_tuple)
+ for attr in attr_tuple:
+ assert attr in item
+
+ if by_key:
+ res, *_ = collection.to_tuples(by_key, attr_tuple)
+ _assert_tuples(res)
+ else:
+ res, *_ = collection.to_tuples(attr_tuple)
+ _assert_tuples(res)
+
+ def test_to_tuples_exception(self, csaf_cves, csaf_files):
+ """Test exceptions from collection.to_tuples()"""
+ with pytest.raises(AttributeError):
+ csaf_files.to_tuples(("not_existing",))
+ with pytest.raises(AttributeError):
+ csaf_cves.to_tuples("key1", ("not_existing",))
+ with pytest.raises(KeyError):
+ csaf_cves.to_tuples("wrong_key", ("cpe",))
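Review bot: In test_from_table_map_and_csv the assertion `collection["file2"].csv_timestamp > collection["file2"].db_timestamp` only holds if two separate `datetime.now()` calls return different values, so it depends on clock resolution rather than on the code under test; deriving the second timestamp from the first makes it deterministic, `modified = now + timedelta(seconds=1)`, and the f-string can drop the redundant `str()`, `csv_file.write_text(f"file2,{modified}\r\nfile3,{modified}")`. test_next calls `next(collection)` on the container itself, which suggests CsafCves/CsafFiles hold iteration state on the instance; if so, a partially consumed loop would resume mid-way on the next `for` over the same object, and a test that iterates one fixture twice and checks both passes yield every key would pin the intended behaviour either way. test_iter asserts only `isinstance(collection, Iterable)`, which any class with `__iter__` satisfies, so comparing `list(collection)` against the sequence `__iter__` is meant to yield would actually exercise the method.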