GitHub Repository: freebsd/pkg
Path: blob/main/tests/frontend/audit.sh
#! /usr/bin/env atf-sh
. $(atf_get_srcdir)/test_environment.sh
# Register every test case with the atf-sh harness.  Each name listed
# here must have a matching NAME_body() function defined below; the
# harness pairs them up by name.
tests_init \
audit_vulnerable \
audit_not_vulnerable \
audit_empty_db \
audit_out_of_range \
audit_quiet \
audit_recursive \
audit_raw_json \
audit_raw_ucl \
audit_pattern \
audit_multiple_vulns \
audit_multiple_packages \
audit_glob_name \
audit_no_db
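# Helper: register a single package named "test" at version 1.5 under
# /usr/local.  Version 1.5 is the one the vuln DBs below are written
# against (inside [1.0, 2.0)), so most cases share this fixture.
#
# RESOURCEDIR is not set in this file; presumably it comes from the
# sourced test_environment.sh.  It is quoted here so a resource path
# containing whitespace or glob characters is passed as one argument.
# new_pkg's arguments look like name, origin, version, prefix — see
# test_subr.sh for the authoritative signature.
setup_packages() {
	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "test" "test" "1.5" "/usr/local"
	atf_check -o ignore pkg register -M test.ucl
}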
# Helper: write vuln.xml into the current directory.  The document is a
# minimal VuXML file with exactly one entry, vid test-vuln-001, that
# references CVE-2024-00001 and affects package "test" in the version
# range >= 1.0 and < 2.0 — so the test-1.5 package registered by
# setup_packages() is inside the affected range.
# The delimiter is quoted, so nothing in the body is expanded.
create_vuln_db() {
	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="test-vuln-001">
    <topic>Test vulnerability in test package</topic>
    <affects>
      <package>
        <name>test</name>
        <range>
          <ge>1.0</ge>
          <lt>2.0</lt>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2024-00001</cvename>
    </references>
  </vuln>
</vuxml>
EOF
}
# A package inside the affected range must be reported.
# Pins the whole contract that callers/CI key on: exit status 1 when at
# least one vulnerability matches, plus the package, topic, CVE and the
# problem count in the human-readable output.
audit_vulnerable_body() {
	setup_packages
	create_vuln_db

	# test-1.5 lies in [1.0, 2.0), so it must be flagged.
	atf_check -s exit:1 \
	    -o match:"test-1.5 is vulnerable" \
	    -o match:"Test vulnerability in test package" \
	    -o match:"CVE-2024-00001" \
	    -o match:"1 problem" \
	    pkg audit -f vuln.xml
}
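# A package above the affected range must not be reported and the audit
# must exit 0, so a clean system yields a clean exit for scripted use.
# Registers test-3.0 directly instead of via setup_packages(), since the
# shared fixture installs the vulnerable 1.5.
audit_not_vulnerable_body() {
	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "test" "test" "3.0" "/usr/local"
	atf_check -o ignore pkg register -M test.ucl
	create_vuln_db

	# 3.0 is outside [1.0, 2.0): zero problems, exit 0.
	atf_check -s exit:0 \
	    -o match:"0 problem" \
	    pkg audit -f vuln.xml
}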
# A syntactically valid VuXML file with no <vuln> entries reports zero
# problems and exits 0.  Note this pins current behaviour: an empty DB is
# indistinguishable from a clean system at the exit-status level, so a
# truncated download would look "clean" — something to keep in mind when
# relying on pkg audit in automation.
audit_empty_db_body() {
	setup_packages

	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
</vuxml>
EOF

	atf_check -s exit:0 \
	    -o match:"0 problem" \
	    pkg audit -f vuln.xml
}
# An entry whose range is entirely below the installed version must not
# match.  The DB here has an open lower bound and <lt>1.0</lt>, and the
# installed package is test-1.5, so the comparison 1.5 < 1.0 must be
# false (checks the version comparison, not just string equality).
audit_out_of_range_body() {
	setup_packages

	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="old-vuln">
    <topic>Old vulnerability</topic>
    <affects>
      <package>
        <name>test</name>
        <range>
          <lt>1.0</lt>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2020-99999</cvename>
    </references>
  </vuln>
</vuxml>
EOF

	atf_check -s exit:0 \
	    -o match:"0 problem" \
	    pkg audit -f vuln.xml
}
# -q prints only "name-version" per vulnerable package, one per line and
# nothing else; the exact stdout is pinned so machine consumers of the
# quiet output can rely on it.  Exit status is still 1.
audit_quiet_body() {
	setup_packages
	create_vuln_db

	atf_check -s exit:1 \
	    -o inline:"test-1.5\n" \
	    pkg audit -qf vuln.xml
}
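# -r lists the packages that depend on a vulnerable one, so an operator
# can see what else is at risk.  A second package "rdep" declaring a
# dependency on test-1.5 is registered; the audit must still flag
# test-1.5 and must mention rdep somewhere in the output.
# The exact formatting of the reverse-dependency line is not pinned
# here, only that the name appears.
audit_recursive_body() {
	setup_packages
	create_vuln_db

	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "rdep" "rdep" "1.0" "/usr/local"
	# Append a deps section to the generated manifest.  The delimiter is
	# quoted so the UCL is written literally (nothing in it needs
	# expansion).
	cat <<'EOF' >>rdep.ucl
deps: {
	test: {
		origin: test,
		version: "1.5"
	}
}
EOF
	atf_check -o ignore pkg register -M rdep.ucl

	atf_check -s exit:1 \
	    -o match:"test-1.5 is vulnerable" \
	    -o match:"rdep" \
	    pkg audit -rf vuln.xml
}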
# -Rjson emits the raw result as JSON.  The output is first validated as
# a whole with json.tool (must parse, nothing on stderr), then individual
# fields are read back with Python so the schema is pinned:
#   pkg_count, packages.<name>.version, packages.<name>.issues[].cve[]
# Exit status is 1 because a vulnerability was found.
audit_raw_json_body() {
	atf_require python3 "Requires python3 to run this test"
	setup_packages
	create_vuln_db

	atf_check -s exit:1 \
	    -o save:out.json \
	    pkg audit -f vuln.xml -Rjson

	# Whole document must be well-formed JSON.
	atf_check -o ignore -e empty python3 -m json.tool out.json

	# Shared prefix for the field probes below.
	load="import json; d=json.load(open('out.json'));"

	atf_check -o inline:"1\n" \
	    python3 -c "${load} print(d['pkg_count'])"

	atf_check -o inline:"1.5\n" \
	    python3 -c "${load} print(d['packages']['test']['version'])"

	atf_check -o inline:"CVE-2024-00001\n" \
	    python3 -c "${load} print(d['packages']['test']['issues'][0]['cve'][0])"
}
# -R with no format argument emits the raw result in UCL.  Only the
# presence of the count, the version and the CVE is checked, not the
# exact layout.
audit_raw_ucl_body() {
	setup_packages
	create_vuln_db

	atf_check -s exit:1 \
	    -o match:"pkg_count = 1" \
	    -o match:"version.*1.5" \
	    -o match:"CVE-2024-00001" \
	    pkg audit -f vuln.xml -R
}
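# A package name given on the command line restricts the audit to that
# package.  With both a vulnerable "test" and an unaffected "safe"
# registered, auditing "test" must report one problem (exit 1) and
# auditing "safe" must report none (exit 0).
audit_pattern_body() {
	setup_packages

	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "safe" "safe" "1.0" "/usr/local"
	atf_check -o ignore pkg register -M safe.ucl

	create_vuln_db

	atf_check -s exit:1 \
	    -o match:"1 problem" \
	    pkg audit -f vuln.xml test

	atf_check -s exit:0 \
	    -o match:"0 problem" \
	    pkg audit -f vuln.xml safe
}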
# Two entries affecting the same package are both reported and counted
# separately ("2 problem").  The second entry uses an inclusive upper
# bound <le>1.5</le> that equals the installed version, so this also
# checks that <le> is treated as inclusive.
audit_multiple_vulns_body() {
	setup_packages

	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="vuln-001">
    <topic>First vulnerability</topic>
    <affects>
      <package>
        <name>test</name>
        <range>
          <ge>1.0</ge>
          <lt>2.0</lt>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2024-00001</cvename>
    </references>
  </vuln>
  <vuln vid="vuln-002">
    <topic>Second vulnerability</topic>
    <affects>
      <package>
        <name>test</name>
        <range>
          <ge>1.0</ge>
          <le>1.5</le>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2024-00002</cvename>
    </references>
  </vuln>
</vuxml>
EOF

	atf_check -s exit:1 \
	    -o match:"CVE-2024-00001" \
	    -o match:"CVE-2024-00002" \
	    -o match:"2 problem" \
	    pkg audit -f vuln.xml
}
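# With two installed packages and a DB entry that names only one of
# them, only that one is flagged: the summary must say one problem in
# one package, and quiet mode must print exactly that one name-version.
# The entry uses an open lower bound with <le>2.0</le>, so vuln-1.0 is
# inside the range.
audit_multiple_packages_body() {
	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "vuln" "vuln" "1.0" "/usr/local"
	atf_check -o ignore pkg register -M vuln.ucl

	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "safe" "safe" "1.0" "/usr/local"
	atf_check -o ignore pkg register -M safe.ucl

	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="vuln-pkg-001">
    <topic>Vulnerability in vuln package</topic>
    <affects>
      <package>
        <name>vuln</name>
        <range>
          <le>2.0</le>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2024-99999</cvename>
    </references>
  </vuln>
</vuxml>
EOF

	atf_check -s exit:1 \
	    -o match:"vuln-1.0 is vulnerable" \
	    -o match:"1 problem.*1 package" \
	    pkg audit -f vuln.xml

	# Quiet output must not mention the unaffected package at all.
	atf_check -s exit:1 \
	    -o inline:"vuln-1.0\n" \
	    pkg audit -qf vuln.xml
}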
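# The <name> element in a VuXML entry may be a glob.  Real advisories use
# this for flavoured/versioned port names (e.g. perl5*-DBI covering
# perl5.36-DBI, perl5.38-DBI, ...); here the pattern perl5*-DBI must
# match the installed perl5-DBI-1.5, where the "*" matches an empty
# string.
audit_glob_name_body() {
	atf_check -s exit:0 \
	    sh "${RESOURCEDIR}/test_subr.sh" new_pkg "perl5-DBI" "perl5-DBI" "1.5" "/usr/local"
	atf_check -o ignore pkg register -M perl5-DBI.ucl

	cat <<'EOF' >vuln.xml
<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="perl-vuln-001">
    <topic>Vulnerability in perl DBI</topic>
    <affects>
      <package>
        <name>perl5*-DBI</name>
        <range>
          <lt>2.0</lt>
        </range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2024-55555</cvename>
    </references>
  </vuln>
</vuxml>
EOF

	atf_check -s exit:1 \
	    -o match:"perl5-DBI-1.5 is vulnerable" \
	    -o match:"CVE-2024-55555" \
	    pkg audit -f vuln.xml
}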
# A missing vulnerability database must fail closed: pkg audit reports
# the problem on stderr and exits non-zero rather than silently auditing
# against nothing and claiming the system is clean.
audit_no_db_body() {
	setup_packages

	atf_check -s exit:1 \
	    -e match:"does not exist" \
	    pkg audit -f /nonexistent/vuln.xml
}