Updated logic to parse patches in ubuntu CVE file (#44)

* Updated logic to parse patches in ubuntu CVE file

* test(ubuntu): add the test case

* test(ubuntu): add a new case causing a problem

* test(ubuntu): pending case

* test(ubuntu): multiple upstreams

* fix(ubuntu): handle corner cases

Co-authored-by: knqyf263 <knqyf263@gmail.com>
rahul2393 2020-08-17 17:21:04 +05:30 committed by GitHub
parent 0692711618
commit 38108d7f2d
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 775 additions and 27 deletions

ubuntu/testdata/empty_status_upstream (new file)

@ -0,0 +1,46 @@
PublicDate: 2007-01-16 23:28:00 UTC
Candidate: CVE-2007-0255
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0255
Description:
XINE 0.99.4 allows user-assisted remote attackers to cause a denial of
service (application crash) and possibly execute arbitrary code via a
certain M3U file that contains a long #EXTINF line and contains format
string specifiers in an invalid udp:// URI, possibly a variant of
CVE-2007-0017.
Ubuntu-Description:
Notes:
Bugs:
#sid_PKG:
#dapper_PKG:
#edgy_PKG:
#feisty_PKG:
#lucid_PKG:
#maverick_PKG:
#natty_PKG:
#oneiric_PKG:
#precise_PKG:
#quantal_PKG:
#raring_PKG:
#saucy_PKG:
#trusty_PKG:
#utopic_PKG:
#vivid_PKG:
#wily_PKG:
#xenial_PKG:
#yakkety_PKG:
#zesty_PKG:
#artful_PKG:
#bionic_PKG:
#cosmic_PKG:
#disco_PKG:
#eoan_PKG:
#focal_PKG:
#devel_PKG:
dapper_xine-ui: ignored (reached end-of-life)
edgy_xine-ui: needed (reached end-of-life)
vivid/stable-phone-overlay_xine-ui: DNE
vivid/ubuntu-core_xine-ui: DNE
wily_xine-ui: ignored (reached end-of-life)
xenial_xine-ui: needed
upstream_xine-ui:
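Review bot: the case this fixture exists for, `upstream_xine-ui:` with an empty value on the last line, is not called out anywhere, and the twenty-six commented template rows from `#sid_PKG:` to `#devel_PKG:` contribute nothing to it; either drop those rows or keep the tracker copy intact and name the empty-status line in the test case description, so a reader knows that the absence of an `upstream` key in the expected `Patches` map is deliberate rather than a parser gap.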

ubuntu/testdata/include_pending (new file)

@ -0,0 +1,28 @@
Candidate: CVE-2020-0009
PublicDate: 2020-01-08 16:15:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0009
Description:
test
Ubuntu-Description:
Notes:
cascardo> possible fix is 6d67b0290b4b84c477e6a2fc6e005e174d3c7786
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Patches_linux-oem:
upstream_linux-oem: released (5.6~rc3)
precise/esm_linux-oem: DNE
trusty_linux-oem: DNE
trusty/esm_linux-oem: DNE
xenial_linux-oem: ignored (was needs-triage now end-of-life)
bionic_linux-oem: released (4.15.0-1080.90)
eoan_linux-oem: pending (4.15.0-1087.97)
focal_linux-oem: DNE
devel_linux-oem: DNE


@ -0,0 +1,34 @@
Candidate: CVE-2017-7702
PublicDate: 2007-01-16 23:28:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7702
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13477
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7
https://www.wireshark.org/security/wnpa-sec-2017-13.html
Description:
In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could
go into an infinite loop, triggered by packet injection or a malformed
capture file. This was addressed in epan/dissectors/packet-wbxml.c by
adding length validation.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Otto Airamo and Antti Levomäki
Assigned-to:
CVSS:
nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patches_wireshark:
upstream_wireshark: released (2.2.6, 2.0.12)
precise_wireshark: ignored (reached end-of-life)
precise/esm_wireshark: DNE (precise was needed)
trusty/esm_wireshark: released (2.6.3-1~ubuntu14.04.1)
vivid/stable-phone-overlay_wireshark: DNE
xenial_wireshark: released (2.6.3-1~ubuntu16.04.1)
yakkety_wireshark: released (2.2.6+g32dac6a-2ubuntu0.16.10)
bionic_wireshark: released (2.6.3-1~ubuntu18.04.1)
devel_wireshark: not-affected (2.6.3-1)
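Review bot: `PublicDate: 2007-01-16 23:28:00 UTC` was evidently carried over from the xine fixture: CVE-2017-7702 is a 2017 Wireshark 2.2.x issue, and the test expectation hard-codes the same 2007 date, so fixture and test agree with each other but not with the tracker; correct both together. Also, the hunk header announces 34 lines while 30 are visible here, so the blank lines between patch entries that give this fixture its name are not shown in this rendering and cannot be reviewed.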


@ -0,0 +1,48 @@
Candidate: CVE-2017-9228
PublicDate: 2007-01-16 23:28:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
https://usn.ubuntu.com/usn/usn-3382-1
https://usn.ubuntu.com/usn/usn-3382-2
Description:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds
write occurs in bitset_set_range() during regular expression compilation
due to an uninitialized variable from an incorrect state transition. An
incorrect state transition in parse_char_class() could create an execution
path that leaves a critical local variable uninitialized until it's used as
an index, resulting in an out-of-bounds write memory corruption.
Ubuntu-Description:
It was discovered that Oniguruma incorrectly handled certain regular
expressions. An attacker could possibly use this issue to obtain
sensitive information, cause a denial of service or execute arbitrary
code.
Notes:
Bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863316
https://github.com/kkos/oniguruma/issues/60
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patches_libonig:
upstream: https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
upstream_libonig: needs-triage
precise/esm_libonig: DNE
artful_libonig: ignored (reached end-of-life)
bionic_libonig: released (6.3.0-1)
Patches_php5:
upstream: https://github.com/php/php-src/commit/703be4f77e662837b64499b0d046a5c8d06a98b9
upstream_php5: needs-triage
precise/esm_php5: released (5.3.10-1ubuntu3.28)
devel_php5: DNE
Patches_php7.0:
upstream: https://github.com/php/php-src/commit/1c845d295037702d63097e2216b3c5db53f79273
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
zesty_php7.0: released (7.0.22-0ubuntu0.17.04.1)
artful_php7.0: DNE
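Review bot: same copied `PublicDate: 2007-01-16 23:28:00 UTC` as the wireshark fixture, here for a 2017 Oniguruma CVE referenced by usn-3382; fix it together with the expected value in the `more than one package patches` case. The three `Patches_` blocks each put a single `upstream:` link directly under the header, which is the only shape the new UpstreamLinks loop reads (it breaks on the first line that does not start with `upstream:`); an `upstream:` link placed after the `upstream_<pkg>:` status line would be dropped, so it is worth stating whether the tracker ever emits that order.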

ubuntu/testdata/multiple_upstreams (new file)

@ -0,0 +1,34 @@
PublicDateAtUSN: 2020-03-12 21:15:00 UTC
Candidate: CVE-2020-0556
PublicDate: 2020-03-12 21:15:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
https://www.openwall.com/lists/oss-security/2020/03/12/4
https://usn.ubuntu.com/usn/usn-4311-1
Description:
dummy
Ubuntu-Description:
Mitigation:
Bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953770
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
nvd: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Patches_bluez:
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519
upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e
upstream_bluez: released (5.54)
precise/esm_bluez: DNE
trusty_bluez: ignored (out of standard support)
trusty/esm_bluez: DNE
xenial_bluez: released (5.37-0ubuntu5.3)
bionic_bluez: released (5.48-0ubuntu3.4)
eoan_bluez: released (5.50-0ubuntu5.1)
devel_bluez: released (5.53-0ubuntu2)

ubuntu/testdata/no_space_before_status (new file)

@ -0,0 +1,45 @@
PublicDateAtUSN: 2019-09-04
Candidate: CVE-2019-15903
PublicDate: 2019-09-04 06:15:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
https://github.com/libexpat/libexpat/issues/317
https://github.com/libexpat/libexpat/pull/318
https://usn.ubuntu.com/usn/usn-4132-1
https://usn.ubuntu.com/usn/usn-4132-2
https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903
https://usn.ubuntu.com/usn/usn-4165-1
https://usn.ubuntu.com/usn/usn-4202-1
https://usn.ubuntu.com/usn/usn-4335-1
Description:
In libexpat before 2.2.8, crafted XML input could fool the parser into
changing from DTD parsing to document parsing too early; a consecutive call
to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted
in a heap-based buffer over-read.
Ubuntu-Description:
A heap overflow was discovered in the expat library in
XXX-PACKAGE-NAME-HERE-XXX. If a user were tricked into opening a specially
crafted XML file, an attacker could potentially exploit this to cause a denial
of service or execute arbitrary code.
Notes:
Mitigation:
Bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patches_vnc4:
upstream_vnc4: needs-triage
precise/esm_vnc4: DNE
trusty_vnc4: ignored (out of standard support)
trusty/esm_vnc4:needed
xenial_vnc4: needed
bionic_vnc4: needed
disco_vnc4: not-affected (code not present)
eoan_vnc4: not-affected (code not present)
focal_vnc4: DNE
devel_vnc4: DNE
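Review bot: besides `trusty/esm_vnc4:needed` (no space after the colon), this is the only fixture with a date-only `PublicDateAtUSN: 2019-09-04`, and the test expects midnight UTC for it, so it silently covers a second parsing path; name that in the case description or split it into its own case so a regression in either shows up under a meaningful test name.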

ubuntu/testdata/patches_with_status (new file)

@ -0,0 +1,32 @@
PublicDateAtUSN: 2020-07-29 00:00:00 UTC
Candidate: CVE-2020-9925
PublicDate: 2020-07-29 00:00:00 UTC
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9925
https://webkitgtk.org/security/WSA-2020-0007.html
https://usn.ubuntu.com/usn/usn-4444-1
Description:
A logic issue was addressed with improved state management. Processing
maliciously crafted web content may lead to universal cross site
scripting.
Ubuntu-Description:
Notes:
jdstrand> webkit receives limited support. For details, see
https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit
jdstrand> webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
Patches_qtwebkit-opensource-src: needs-triage
upstream_qtwebkit-opensource-src: needs-triage
precise/esm_qtwebkit-opensource-src: DNE
trusty_qtwebkit-opensource-src: ignored (out of standard support)
trusty/esm_qtwebkit-opensource-src: DNE
xenial_qtwebkit-opensource-src: needs-triage
bionic_qtwebkit-opensource-src: needs-triage
focal_qtwebkit-opensource-src: needs-triage
devel_qtwebkit-opensource-src: needs-triage
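Review bot: `Patches_qtwebkit-opensource-src: needs-triage` carries a status on the header line, which the parser deliberately skips; the expected result gets its `upstream` entry only from the following `upstream_qtwebkit-opensource-src: needs-triage` line. A variant fixture with the header status but no `upstream_` line would pin down whether silently losing that status is the intended behaviour.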


@ -23,6 +23,19 @@ const (
ubuntuDir = "ubuntu"
)
var (
statuses = []string{
"released",
"needed",
"ignored",
"DNE",
"not-affected",
"needs-triage",
"deferred",
"pending",
}
)
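Review bot: the package-level `statuses` is shadowed by the local `statuses := Statuses{}` inside `parse` (the `else` branch of the Patches block), which is easy to misread; rename it to something like `knownStatuses`, or make it a `map[string]struct{}` so `isPatch` can do an exact lookup instead of a prefix scan.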
type Vulnerability struct {
PublicDateAtUSN time.Time
CRD time.Time
@ -58,7 +71,7 @@ func Update() error {
return xerrors.Errorf("failed to clone or pull: %w", err)
}
log.Println("Walking Debian...")
log.Println("Walking Ubuntu...")
for _, target := range []string{"active", "retired"} {
if err := walkDir(filepath.Join(dir, target)); err != nil {
return err
@ -237,38 +250,55 @@ func parse(r io.Reader) (vuln *Vulnerability, err error) {
}
// Parse Patches
if strings.HasPrefix(line, "Patches_") {
suffix := strings.TrimPrefix(line, "Patches")
statuses := Statuses{}
var upstreamLinks []string
for lines[i+1] != "" {
i++
line = strings.TrimSpace(lines[i])
if strings.HasPrefix(line, "upstream:") {
line = strings.TrimPrefix(line, "upstream:")
upstreamLinks = append(upstreamLinks, strings.TrimSpace(line))
// e.g. trusty/esm_vnc4: needs-triage
s := strings.SplitN(line, ":", 2)
if len(s) < 2 {
continue
}
fields := strings.Fields(line)
status := strings.TrimSpace(s[1])
if len(fields) < 2 {
continue
}
// Some advisories have status with "Patches_" prefix and it should be skipped
// e.g. Patches_qtwebkit-opensource-src: needs-triage
if isPatch(status) && !strings.HasPrefix(s[0], "Patches_") {
pkgRel := strings.SplitN(s[0], "_", 2)
release := Release(pkgRel[0])
pkgName := Package(strings.Trim(pkgRel[1], ":"))
fields := strings.Fields(status)
status := Status{
Status: fields[1],
Status: fields[0],
}
if len(fields) > 2 {
note := strings.Join(fields[2:], " ")
if len(fields) > 1 {
note := strings.Join(fields[1:], " ")
status.Note = strings.Trim(note, "()")
}
release := Release(strings.TrimSuffix(fields[0], suffix))
if existingStatuses, ok := vuln.Patches[pkgName]; ok {
existingStatuses[release] = status
vuln.Patches[pkgName] = existingStatuses
} else {
statuses := Statuses{}
statuses[release] = status
vuln.Patches[pkgName] = statuses
}
}
// Parse UpstreamLinks
if strings.HasPrefix(line, "Patches_") {
suffix := strings.TrimPrefix(line, "Patches")
var upstreamLinks []string
j := i
for j < len(lines) && lines[j+1] != "" {
j++
line = strings.TrimSpace(lines[j])
if !strings.HasPrefix(line, "upstream:") {
break
}
line = strings.TrimPrefix(line, "upstream:")
upstreamLinks = append(upstreamLinks, strings.TrimSpace(line))
}
pkg := Package(strings.Trim(suffix, "_: "))
vuln.Patches[pkg] = statuses
if len(upstreamLinks) > 0 {
vuln.UpstreamLinks[pkg] = upstreamLinks
}
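Review bot: `for j < len(lines) && lines[j+1] != ""` still indexes out of range when `j == len(lines)-1`, i.e. when the file ends on an `upstream:` link without a trailing newline; the guard must be `j+1 < len(lines)`. Two more points in this hunk. `pkgRel[1]` is read without checking `len(pkgRel) == 2`, so any `key: value` line that reaches this branch with no underscore in the key and a value starting with a status word panics; `if len(pkgRel) != 2 { continue }` is cheap insurance. And in the UpstreamLinks block `pkg` is derived with `strings.Trim(suffix, "_: ")`, which for a header such as `Patches_qtwebkit-opensource-src: needs-triage` yields the key `qtwebkit-opensource-src: needs-triage`; split the header on `:` before trimming, as the status branch already does via `s[0]`. Minor: the inner loop assigns to the outer `line`, a local would be clearer, and `strings.Trim(pkgRel[1], ":")` is a no-op because `s[0]` is already the part before the first colon. The status carried on a `Patches_<pkg>:` header is dropped by design per the comment; when no matching `upstream_<pkg>` line exists that status is lost entirely, which may be fine but deserves a sentence in the comment.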
@ -277,3 +307,12 @@ func parse(r io.Reader) (vuln *Vulnerability, err error) {
}
return vuln, nil
}
func isPatch(s string) bool {
for _, status := range statuses {
if strings.HasPrefix(s, status) {
return true
}
}
return false
}
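Review bot: `strings.HasPrefix(s, status)` accepts any value that merely begins with a status word (`DNE` would match `DNEfoo`, `released` would match `released-but-wrong`); since the caller already splits the value with `strings.Fields`, compare the first field against the list for equality instead, keeping the empty-string case returning false as it does now.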

ubuntu/ubuntu_test.go (new file)

@ -0,0 +1,442 @@
package ubuntu
import (
"os"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_parse(t *testing.T) {
type args struct {
filePath string
}
testCases := []struct {
name string
args args
want *Vulnerability
wantErr error
}{
{
name: "when empty upstream patch is passed",
args: args{
filePath: "./testdata/empty_status_upstream",
},
want: &Vulnerability{
Candidate: "CVE-2007-0255",
References: []string{"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0255"},
Description: "XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.",
PublicDate: time.Date(2007, 1, 16, 23, 28, 0, 0, time.UTC),
Patches: map[Package]Statuses{
Package("xine-ui"): {
"dapper": Status{
Status: "ignored",
Note: "reached end-of-life",
},
"edgy": Status{
Status: "needed",
Note: "reached end-of-life",
},
"vivid/stable-phone-overlay": Status{
Status: "DNE",
},
"vivid/ubuntu-core": Status{
Status: "DNE",
},
"wily": Status{
Status: "ignored",
Note: "reached end-of-life",
},
"xenial": Status{
Status: "needed",
},
},
},
UpstreamLinks: map[Package][]string{},
},
},
{
name: "when line break is present between patch",
args: args{
filePath: "./testdata/line_break_between_patches",
},
want: &Vulnerability{
Candidate: "CVE-2017-7702",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7702",
"https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13477",
"https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7",
"https://www.wireshark.org/security/wnpa-sec-2017-13.html",
},
Description: "In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding length validation.",
Priority: "medium",
DiscoveredBy: "Otto Airamo and Antti Levomäki",
PublicDate: time.Date(2007, 1, 16, 23, 28, 0, 0, time.UTC),
Patches: map[Package]Statuses{
Package("wireshark"): {
"upstream": Status{
Status: "released",
Note: "2.2.6, 2.0.12",
},
"precise": Status{
Status: "ignored",
Note: "reached end-of-life",
},
"precise/esm": Status{
Status: "DNE",
Note: "precise was needed",
},
"trusty/esm": Status{
Status: "released",
Note: "2.6.3-1~ubuntu14.04.1",
},
"vivid/stable-phone-overlay": Status{
Status: "DNE",
},
"xenial": Status{
Status: "released",
Note: "2.6.3-1~ubuntu16.04.1",
},
"yakkety": Status{
Status: "released",
Note: "2.2.6+g32dac6a-2ubuntu0.16.10",
},
"bionic": Status{
Status: "released",
Note: "2.6.3-1~ubuntu18.04.1",
},
"devel": Status{
Status: "not-affected",
Note: "2.6.3-1",
},
},
},
UpstreamLinks: map[Package][]string{},
},
},
{
name: "more than one package patches",
args: args{
filePath: "./testdata/more_than_one_package_patches",
},
want: &Vulnerability{
Candidate: "CVE-2017-9228",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228",
"https://usn.ubuntu.com/usn/usn-3382-1",
"https://usn.ubuntu.com/usn/usn-3382-2",
},
Description: "An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.",
UbuntuDescription: "It was discovered that Oniguruma incorrectly handled certain regular expressions. An attacker could possibly use this issue to obtain sensitive information, cause a denial of service or execute arbitrary code.",
Priority: "medium",
Bugs: []string{
"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863316",
"https://github.com/kkos/oniguruma/issues/60"},
PublicDate: time.Date(2007, 1, 16, 23, 28, 0, 0, time.UTC),
Patches: map[Package]Statuses{
Package("libonig"): {
"upstream": Status{
Status: "needs-triage",
},
"precise/esm": Status{
Status: "DNE",
},
"artful": Status{
Status: "ignored",
Note: "reached end-of-life",
},
"bionic": Status{
Status: "released",
Note: "6.3.0-1",
},
},
Package("php5"): {
"upstream": Status{
Status: "needs-triage",
},
"precise/esm": Status{
Status: "released",
Note: "5.3.10-1ubuntu3.28",
},
"devel": Status{
Status: "DNE",
},
},
Package("php7.0"): {
"upstream": Status{
Status: "needs-triage",
},
"precise/esm": Status{
Status: "DNE",
},
"zesty": Status{
Status: "released",
Note: "7.0.22-0ubuntu0.17.04.1",
},
"artful": Status{
Status: "DNE",
},
},
},
UpstreamLinks: map[Package][]string{
"libonig": {"https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b"},
"php5": {"https://github.com/php/php-src/commit/703be4f77e662837b64499b0d046a5c8d06a98b9"},
"php7.0": {"https://github.com/php/php-src/commit/1c845d295037702d63097e2216b3c5db53f79273"},
},
},
},
{
name: "no space before status",
args: args{
filePath: "./testdata/no_space_before_status",
},
want: &Vulnerability{
Candidate: "CVE-2019-15903",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903",
"https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43",
"https://github.com/libexpat/libexpat/issues/317",
"https://github.com/libexpat/libexpat/pull/318",
"https://usn.ubuntu.com/usn/usn-4132-1",
"https://usn.ubuntu.com/usn/usn-4132-2",
"https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903",
"https://usn.ubuntu.com/usn/usn-4165-1",
"https://usn.ubuntu.com/usn/usn-4202-1",
"https://usn.ubuntu.com/usn/usn-4335-1",
},
Description: "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
UbuntuDescription: "A heap overflow was discovered in the expat library in XXX-PACKAGE-NAME-HERE-XXX. If a user were tricked into opening a specially crafted XML file, an attacker could potentially exploit this to cause a denial of service or execute arbitrary code.",
Priority: "medium",
Bugs: []string{
"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394",
},
PublicDateAtUSN: time.Date(2019, 9, 4, 0, 0, 0, 0, time.UTC),
PublicDate: time.Date(2019, 9, 4, 6, 15, 0, 0, time.UTC),
Patches: map[Package]Statuses{
Package("vnc4"): {
"upstream": Status{
Status: "needs-triage",
},
"precise/esm": Status{
Status: "DNE",
},
"trusty": Status{
Status: "ignored",
Note: "out of standard support",
},
"trusty/esm": Status{
Status: "needed",
},
"xenial": Status{
Status: "needed",
},
"bionic": Status{
Status: "needed",
},
"disco": Status{
Status: "not-affected",
Note: "code not present",
},
"eoan": Status{
Status: "not-affected",
Note: "code not present",
},
"focal": Status{
Status: "DNE",
},
"devel": Status{
Status: "DNE",
},
},
},
UpstreamLinks: map[Package][]string{},
},
},
{
name: "Patches with status",
args: args{
filePath: "./testdata/patches_with_status",
},
want: &Vulnerability{
Candidate: "CVE-2020-9925",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9925",
"https://webkitgtk.org/security/WSA-2020-0007.html",
"https://usn.ubuntu.com/usn/usn-4444-1",
},
Description: "A logic issue was addressed with improved state management. Processing maliciously crafted web content may lead to universal cross site scripting.",
Priority: "medium",
PublicDateAtUSN: time.Date(2020, 7, 29, 0, 0, 0, 0, time.UTC),
PublicDate: time.Date(2020, 7, 29, 0, 0, 0, 0, time.UTC),
Notes: []string{
"jdstrand> webkit receives limited support. For details, see",
"https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit",
"jdstrand> webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8",
},
Patches: map[Package]Statuses{
Package("qtwebkit-opensource-src"): {
"upstream": Status{
Status: "needs-triage",
},
"precise/esm": Status{
Status: "DNE",
},
"trusty": Status{
Status: "ignored",
Note: "out of standard support",
},
"trusty/esm": Status{
Status: "DNE",
},
"xenial": Status{
Status: "needs-triage",
},
"bionic": Status{
Status: "needs-triage",
},
"focal": Status{
Status: "needs-triage",
},
"devel": Status{
Status: "needs-triage",
},
},
},
UpstreamLinks: map[Package][]string{},
},
},
{
name: "include pending",
args: args{
filePath: "./testdata/include_pending",
},
want: &Vulnerability{
Candidate: "CVE-2020-0009",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0009",
},
Description: "test",
Priority: "low",
PublicDate: time.Date(2020, 1, 8, 16, 15, 0, 0, time.UTC),
Notes: []string{
"cascardo> possible fix is 6d67b0290b4b84c477e6a2fc6e005e174d3c7786",
},
Patches: map[Package]Statuses{
Package("linux-oem"): {
"upstream": Status{
Status: "released",
Note: "5.6~rc3",
},
"precise/esm": Status{
Status: "DNE",
},
"trusty": Status{
Status: "DNE",
},
"trusty/esm": Status{
Status: "DNE",
},
"xenial": Status{
Status: "ignored",
Note: "was needs-triage now end-of-life",
},
"bionic": Status{
Status: "released",
Note: "4.15.0-1080.90",
},
"eoan": Status{
Status: "pending",
Note: "4.15.0-1087.97",
},
"focal": Status{
Status: "DNE",
},
"devel": Status{
Status: "DNE",
},
},
},
UpstreamLinks: map[Package][]string{},
},
},
{
name: "multiple upstreams",
args: args{
filePath: "./testdata/multiple_upstreams",
},
want: &Vulnerability{
Candidate: "CVE-2020-0556",
References: []string{
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556",
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html",
"https://www.openwall.com/lists/oss-security/2020/03/12/4",
"https://usn.ubuntu.com/usn/usn-4311-1",
},
Description: "dummy",
Priority: "medium",
PublicDateAtUSN: time.Date(2020, 3, 12, 21, 15, 0, 0, time.UTC),
PublicDate: time.Date(2020, 3, 12, 21, 15, 0, 0, time.UTC),
Bugs: []string{
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953770",
},
AssignedTo: "mdeslaur",
Patches: map[Package]Statuses{
Package("bluez"): {
"upstream": Status{
Status: "released",
Note: "5.54",
},
"precise/esm": Status{
Status: "DNE",
},
"trusty": Status{
Status: "ignored",
Note: "out of standard support",
},
"trusty/esm": Status{
Status: "DNE",
},
"xenial": Status{
Status: "released",
Note: "5.37-0ubuntu5.3",
},
"bionic": Status{
Status: "released",
Note: "5.48-0ubuntu3.4",
},
"eoan": Status{
Status: "released",
Note: "5.50-0ubuntu5.1",
},
"devel": Status{
Status: "released",
Note: "5.53-0ubuntu2",
},
},
},
UpstreamLinks: map[Package][]string{
Package("bluez"): {
"https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1",
"https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787",
"https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519",
"https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e",
},
},
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
f, err := os.Open(tc.args.filePath)
require.NoError(t, err)
defer f.Close()
got, gotErr := parse(f)
assert.Equal(t, tc.wantErr, gotErr)
assert.Equal(t, tc.want, got)
})
}
}
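Review bot: no case sets `wantErr`, so `assert.Equal(t, tc.wantErr, gotErr)` never checks a failure path; either add a malformed-input case or use `require.NoError(t, gotErr)`. Fixtures the new parser code still needs: a file that ends on an `upstream:` link with no trailing newline (the `lines[j+1]` bound), a `Patches_<pkg>: <status>` header followed by `upstream:` links (the `pkg` key derivation), and a `Patches_<pkg>: <status>` header with no `upstream_<pkg>` line. The 2007 `PublicDate` expectations for CVE-2017-7702 and CVE-2017-9228 mirror the copied date in those fixtures and should be corrected with them. Style: the single-field `args` struct can be a plain `filePath string` field on the case.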