zot-wo-auth/test/blackbox/cve.bats

# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
#       Makefile target installs & checks all necessary tooling
#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()

load helpers_zot

function verify_prerequisites {
    if [ ! $(command -v curl) ]; then
        echo "you need to install curl as a prerequisite to running the tests" >&3
        return 1
    fi

    if [ ! $(command -v jq) ]; then
        echo "you need to install jq as a prerequisite to running the tests" >&3
        return 1
    fi

    return 0
}

function setup_file() {
    export REGISTRY_NAME=main
    # Verify prerequisites are available
    if ! $(verify_prerequisites); then
        exit 1
    fi

    # Download test data to folder common for the entire suite, not just this file
    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
    # Setup zot server
    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
    mkdir -p ${zot_root_dir}
    zot_port=$(get_free_port)
    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
    cat >${zot_config_file} <<EOF
{
    "distSpecVersion": "1.1.0",
    "storage": {
        "rootDirectory": "${zot_root_dir}"
    },
    "http": {
        "address": "0.0.0.0",
        "port": "${zot_port}"
    },
    "log": {
        "level": "debug",
        "output": "${BATS_FILE_TMPDIR}/zot.log"
    },
    "extensions": {
        "search": {
            "enable": true,
            "cve": {
                "updateInterval": "24h"
            }
        }
    }
}
EOF
    zot_serve ${ZOT_PATH} ${zot_config_file}
    wait_zot_reachable ${zot_port}

    # setup zli to add zot registry to configs
    local registry_url="http://127.0.0.1:${zot_port}/"
    zli_add_config ${REGISTRY_NAME} ${registry_url}
}

function teardown() {
    # conditionally printing on failure is possible from teardown but not from from teardown_file
    cat ${BATS_FILE_TMPDIR}/zot.log
}

function teardown_file() {
    zot_stop_all
}

@test "cve by image name and tag" {
    zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
    run skopeo --insecure-policy copy --dest-tls-verify=false \
        oci:${TEST_DATA_DIR}/golang:1.20 \
        docker://127.0.0.1:${zot_port}/golang:1.20
    [ "$status" -eq 0 ]
    run curl http://127.0.0.1:${zot_port}/v2/_catalog
    [ "$status" -eq 0 ]
    [ $(echo "${lines[-1]}" | jq '.repositories[]') = '"golang"' ]
    run curl http://127.0.0.1:${zot_port}/v2/golang/tags/list
    [ "$status" -eq 0 ]
    [ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
    run ${ZLI_PATH} cve list golang:1.20 --config ${REGISTRY_NAME}
    [ "$status" -eq 0 ]

    echo ${lines[@]}

    found=0
    for i in "${lines[@]}"
    do

        if [[ "$i" = *"CVE-2011-4915     LOW       fs/proc/base.c in the Linux kernel through 3..."* ]]; then
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}
refactor(makefile): consolidate the make targets used for bats tests (#1746) New examples of running tests: 1. To run a specific bats file (with and without verbose output): make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats BATS_VERBOSITY=2 2. To run the CI tests (with and without verbose output) make run-blackbox-ci make run-blackbox-ci BATS_VERBOSITY=2 BATS_TEST_FILE_PATH is used to pass on the test file to run using `run-blackbox-tests` BATS_VERBOSITY controls the verbosity of the bats framework output, if unspecified the output only contains test results and failure message in case of failures. If BATS_VERBOSITY is 1, then also show commands as they are executed. If BATS_VERBOSITY is 2, on top of the above it also shows output of passed tests. Other changes in this PR: - Update some of the tests to show logs after the run ends. - Run the linters before the tests, as it saves time on failures when running in GH Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-09-07 21:06:21 +03:00			`# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"`
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`# Makefile target installs & checks all necessary tooling`
			`# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`load helpers_zot`

			`function verify_prerequisites {`
			`if [ ! $(command -v curl) ]; then`
			`echo "you need to install curl as a prerequisite to running the tests" >&3`
			`return 1`
			`fi`

			`if [ ! $(command -v jq) ]; then`
			`echo "you need to install jq as a prerequisite to running the tests" >&3`
			`return 1`
			`fi`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`return 0`
			`}`

			`function setup_file() {`
			`export REGISTRY_NAME=main`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`# Verify prerequisites are available`
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`if ! $(verify_prerequisites); then`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`exit 1`
			`fi`

			`# Download test data to folder common for the entire suite, not just this file`
chore(go.mod): fix dependabot alerts (#1210) * chore(go.mod): fix dependabot alerts Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * chore(test): update image tags We have cleaned up older golang images in the project. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * ci(gqlgen): fix gql schema validation GH workflow after npm upgrade Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> --------- Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2023-02-17 13:54:49 -08:00			`skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`# Setup zot server`
			`local zot_root_dir=${BATS_FILE_TMPDIR}/zot`
			`local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json`
			`mkdir -p ${zot_root_dir}`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`zot_port=$(get_free_port)`
			`echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`cat >${zot_config_file} <<EOF`
			`{`
chore: update image-spec and dist spec to 1.1.0 (#2255) BREAKING CHANGE: the dist spec version in the config files needs to be bumped to 1.1.0 in order for the config verification to pass without warnings. Also fix 1 dependabot alert for helm. Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2024-02-20 13:27:21 +02:00			`"distSpecVersion": "1.1.0",`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`"storage": {`
			`"rootDirectory": "${zot_root_dir}"`
			`},`
			`"http": {`
			`"address": "0.0.0.0",`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`"port": "${zot_port}"`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`},`
			`"log": {`
refactor(makefile): consolidate the make targets used for bats tests (#1746) New examples of running tests: 1. To run a specific bats file (with and without verbose output): make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats BATS_VERBOSITY=2 2. To run the CI tests (with and without verbose output) make run-blackbox-ci make run-blackbox-ci BATS_VERBOSITY=2 BATS_TEST_FILE_PATH is used to pass on the test file to run using `run-blackbox-tests` BATS_VERBOSITY controls the verbosity of the bats framework output, if unspecified the output only contains test results and failure message in case of failures. If BATS_VERBOSITY is 1, then also show commands as they are executed. If BATS_VERBOSITY is 2, on top of the above it also shows output of passed tests. Other changes in this PR: - Update some of the tests to show logs after the run ends. - Run the linters before the tests, as it saves time on failures when running in GH Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-09-07 21:06:21 +03:00			`"level": "debug",`
			`"output": "${BATS_FILE_TMPDIR}/zot.log"`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`},`
			`"extensions": {`
			`"search": {`
			`"enable": true,`
			`"cve": {`
			`"updateInterval": "24h"`
			`}`
			`}`
			`}`
			`}`
			`EOF`
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`zot_serve ${ZOT_PATH} ${zot_config_file}`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`wait_zot_reachable ${zot_port}`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00
			`# setup zli to add zot registry to configs`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`local registry_url="http://127.0.0.1:${zot_port}/"`
			`zli_add_config ${REGISTRY_NAME} ${registry_url}`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`}`

refactor(makefile): consolidate the make targets used for bats tests (#1746) New examples of running tests: 1. To run a specific bats file (with and without verbose output): make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats BATS_VERBOSITY=2 2. To run the CI tests (with and without verbose output) make run-blackbox-ci make run-blackbox-ci BATS_VERBOSITY=2 BATS_TEST_FILE_PATH is used to pass on the test file to run using `run-blackbox-tests` BATS_VERBOSITY controls the verbosity of the bats framework output, if unspecified the output only contains test results and failure message in case of failures. If BATS_VERBOSITY is 1, then also show commands as they are executed. If BATS_VERBOSITY is 2, on top of the above it also shows output of passed tests. Other changes in this PR: - Update some of the tests to show logs after the run ends. - Run the linters before the tests, as it saves time on failures when running in GH Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-09-07 21:06:21 +03:00			`function teardown() {`
			`# conditionally printing on failure is possible from teardown but not from from teardown_file`
			`cat ${BATS_FILE_TMPDIR}/zot.log`
			`}`

Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`function teardown_file() {`
fix: bats test refactoring (#1731) Signed-off-by: Alexei Dodon <adodon@cisco.com> 2023-08-30 22:24:28 +03:00			`zot_stop_all`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`}`

			`@test "cve by image name and tag" {`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`run skopeo --insecure-policy copy --dest-tls-verify=false \`
chore(go.mod): fix dependabot alerts (#1210) * chore(go.mod): fix dependabot alerts Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * chore(test): update image tags We have cleaned up older golang images in the project. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * ci(gqlgen): fix gql schema validation GH workflow after npm upgrade Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> --------- Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2023-02-17 13:54:49 -08:00			`oci:${TEST_DATA_DIR}/golang:1.20 \`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`docker://127.0.0.1:${zot_port}/golang:1.20`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`[ "$status" -eq 0 ]`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`run curl http://127.0.0.1:${zot_port}/v2/_catalog`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`[ "$status" -eq 0 ]`
			`[ $(echo "${lines[-1]}" \| jq '.repositories[]') = '"golang"' ]`
test(bats): fix CVE bats test failure if zot runs on different port than 8080 (#2072) resolves #2008 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> 2023-11-21 16:31:12 +02:00			`run curl http://127.0.0.1:${zot_port}/v2/golang/tags/list`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`[ "$status" -eq 0 ]`
chore(go.mod): fix dependabot alerts (#1210) * chore(go.mod): fix dependabot alerts Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * chore(test): update image tags We have cleaned up older golang images in the project. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> * ci(gqlgen): fix gql schema validation GH workflow after npm upgrade Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> --------- Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2023-02-17 13:54:49 -08:00			`[ $(echo "${lines[-1]}" \| jq '.tags[]') = '"1.20"' ]`
refactor(cli): remove old cli commands (#1756) Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com> 2023-09-08 15:12:47 +03:00			`run ${ZLI_PATH} cve list golang:1.20 --config ${REGISTRY_NAME}`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`[ "$status" -eq 0 ]`
fix(cve): blackbox cve tests now verifying actual cves (#1300) Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com> 2023-03-23 20:11:29 +02:00
refactor(cli): remove old cli commands (#1756) Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com> 2023-09-08 15:12:47 +03:00			`echo ${lines[@]}`

			`found=0`
fix(cve): blackbox cve tests now verifying actual cves (#1300) Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com> 2023-03-23 20:11:29 +02:00			`for i in "${lines[@]}"`
			`do`

fix: replaced used CVE in blackbox test (#1519) Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com> 2023-06-15 13:22:29 +03:00			`if [[ "$i" = "CVE-2011-4915 LOW fs/proc/base.c in the Linux kernel through 3..." ]]; then`
fix(cve): blackbox cve tests now verifying actual cves (#1300) Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com> 2023-03-23 20:11:29 +02:00			`found=1`
			`fi`
			`done`
			`[ "$found" -eq 1 ]`
Manage builds with different combinations of extensions Files were added to be built whether an extension is on or off. New build tags were added for each extension, while minimal and extended disappeared. added custom binary naming depending on extensions used and changed references from binary to binary-extended added automated blackbox tests for sync, search, scrub, metrics added contributor guidelines Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-04-27 09:00:20 +03:00			`}`