rpm-ostree/tests
Jonathan Lebon bdf3cda8db Print CVEs fixed in available updates
One question I often have when looking at the output of `status -a`:

```
AvailableUpdate:
        Version: 29.20181202.0 (2018-12-02T08:37:50Z)
         Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
   GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
  SecAdvisories: FEDORA-2018-042156f164  Unknown    net-snmp-libs-1:5.8-3.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-core-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-extra-4.19.5-300.fc29.x86_64
                 FEDORA-2018-f467c36c2b  Moderate   git-core-2.19.2-1.fc29.x86_64
           Diff: 67 upgraded, 1 removed, 16 added
```

is "How serious and relevant are these advisories to me? How soon should
I reboot?". For the packages that I'm most familiar with, e.g. `kernel`
and `git-core`, I usually look up the advisory and check why it was
marked as a security update, mentioned CVEs, and how those affect me.

The updateinfo metadata includes a wealth of information that could be
useful here. In Fedora, CVEs treated by the security response team
result in RHBZs, which end up attached to the advisories and thus make
it into that metadata.

This patch tries to reduce friction in answering some of those questions
above by checking for those CVEs and printing a short description in the
output of `status -a`. Example:

```
AvailableUpdate:
        Version: 29.20181202.0 (2018-12-02T08:37:50Z)
         Commit: dece5737a087d5c6038efdb86cb4512f867082ccfc6eb0fa97b2734c1f6d99c3
   GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
  SecAdvisories: FEDORA-2018-042156f164  Unknown    net-snmp-libs-1:5.8-3.fc29.x86_64
                   CVE-2018-18065 CVE-2018-18066 net-snmp: various flaws [fedora-all]
                   https://bugzilla.redhat.com/show_bug.cgi?id=1637573
                 FEDORA-2018-87ba0312c2  Moderate   kernel-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-core-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-4.19.5-300.fc29.x86_64
                 FEDORA-2018-87ba0312c2  Moderate   kernel-modules-extra-4.19.5-300.fc29.x86_64
                   CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
                   https://bugzilla.redhat.com/show_bug.cgi?id=1649017
                   CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c
                   https://bugzilla.redhat.com/show_bug.cgi?id=1652656
                 FEDORA-2018-f467c36c2b  Moderate   git-core-2.19.2-1.fc29.x86_64
                   CVE-2018-19486 git: Improper handling of PATH allows for commands to executed from current directory
                   https://bugzilla.redhat.com/show_bug.cgi?id=1653143
           Diff: 67 upgraded, 1 removed, 16 added
```

Including the CVE name and RHBZ link also makes it easier to look for
more details if desired.

Closes: #1695
Approved by: rfairley
2018-12-05 18:56:49 +00:00
..
check tests: add test for sorting + conversion of sysuser 2018-08-30 17:37:27 +00:00
common Print CVEs fixed in available updates 2018-12-05 18:56:49 +00:00
compose-tests Move varsubst code into Rust, use it in treefile parsing 2018-11-02 20:36:28 +00:00
composedata compose: Support not specifying a ref 2018-10-09 19:47:25 +00:00
ex-container-tests Lower initial SELinux policy load from compose to core 2018-10-23 13:40:46 +00:00
gpghome daemon: start with one commit only when resolving versions 2016-12-24 12:28:48 +00:00
manual db: Remove query parameter to diff 2015-04-23 16:30:18 -04:00
utils Print CVEs fixed in available updates 2018-12-05 18:56:49 +00:00
vmcheck Print CVEs fixed in available updates 2018-12-05 18:56:49 +00:00
compose tests: Rename one libcomposetest.sh 2018-09-10 17:06:10 +00:00
ex-container tests: Rename one libcomposetest.sh 2018-09-10 17:06:10 +00:00
README.md tests: Add ./tests/compose 2016-12-06 19:05:05 +00:00

Tests are divided into three groups:

  • Tests in the check directory are non-destructive and uninstalled. Some of the tests require root privileges. Use make check to run these.

  • The composecheck tests currently require uid 0 capabilities - the default in Docker, or you can run them via a user namespace. They are non-destructive, but are installed.

    To use them, you might do a make && sudo make install inside a Docker container.

    Then invoke ./tests/compose. Alternatively of course, you can simply run the tests on a host system or in an existing container, without doing a build.

    Note: This is intentionally not a Makefile target because it doesn't require building and doesn't use uninstalled binaries.

  • Tests in the vmcheck directory are oriented around using Vagrant. Use make vmcheck to run them. See also HACKING.md in the top directory.

The common directory contains files used by multiple tests. The utils directory contains helper utilities required to run the tests.