From 788305dced6ee4325c5b855b8de73629c8df84c8 Mon Sep 17 00:00:00 2001
From: William Murphy
Date: Wed, 18 Oct 2023 12:48:17 -0400
Subject: [PATCH] chore: add snapshot tests to Amazon provider (#337)

Also sort previously non-deterministic parts of the output so that the snapshot comparison can be deterministic.

Signed-off-by: Will Murphy
---
 src/vunnel/providers/amazon/parser.py | 8 +++----
 .../snapshots/amzn:2/alas-2018-939.json | 1 +
 .../snapshots/amzn:2022/alas-2021-001.json | 1 +
 .../snapshots/amzn:2023/alas-2023-126.json | 1 +
 tests/unit/providers/amazon/test_amazon.py | 24 +++++++++++++++++++
 5 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2/alas-2018-939.json
 create mode 100644 tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2022/alas-2021-001.json
 create mode 100644 tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2023/alas-2023-126.json

diff --git a/src/vunnel/providers/amazon/parser.py b/src/vunnel/providers/amazon/parser.py
index 32d32ecb..f35204c6 100644
--- a/src/vunnel/providers/amazon/parser.py
+++ b/src/vunnel/providers/amazon/parser.py
@@ -89,7 +89,7 @@ def _parse_rss(self, file_path):
             if not processing and event == "end":
                 element.clear()
 
-        return alas_summaries
+        return sorted(alas_summaries)
 
     @utils.retry_with_backoff()
     def _get_alas_html(self, alas_url, alas_file, skip_if_exists=True):
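Review bot: `return sorted(alas_summaries)` depends on the summary objects' default ordering, which the hunk never states; if they are namedtuples (not visible here) the comparison runs field-by-field in declaration order and raises `TypeError` as soon as any field holds `None` or an unorderable value. An explicit key such as `return sorted(alas_summaries, key=lambda s: s.id)` (using whichever field carries the advisory id) would document the order the new snapshots rely on. Note also that `sorted()` always returns a `list`, so if `alas_summaries` was previously a set or tuple the return type has changed for callers outside this hunk. `_parse_rss` begins before the hunk.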
@@ -164,12 +164,12 @@ def get(self, skip_if_exists=False):
 class JsonifierMixin:
     def json(self):
         jsonified = {}
-        for k, v in vars(self).items():
+        for k, v in sorted(vars(self).items()):
             if k[0] != "_":
                 if isinstance(v, (list, set)):
                     jsonified[k] = [x.json() if hasattr(x, "json") and callable(x.json) else x for x in v]
                 elif isinstance(v, dict):
-                    jsonified[k] = {x: y.json() if hasattr(y, "json") and callable(y.json) else y for x, y in v.items()}
+                    jsonified[k] = {x: y.json() if hasattr(y, "json") and callable(y.json) else y for x, y in sorted(v.items())}
                 elif hasattr(v, "json"):
                     jsonified[k] = v.json()
                 else:
@@ -281,7 +281,7 @@ def map_to_vulnerability(version, alas, fixed_in, description):
     v.Metadata["CVE"] = [{"Name": cve} for cve in alas.cves]
     v.Link = alas.url
 
-    for item in fixed_in:
+    for item in sorted(fixed_in):
         f = FixedIn()
         f.Name = item.pkg
         f.NamespaceName = v.NamespaceName
diff --git a/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2/alas-2018-939.json b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2/alas-2018-939.json
new file mode 100644
index 00000000..6a592b4a
--- /dev/null
+++ b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2/alas-2018-939.json
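Review bot: The `if isinstance(v, (list, set)):` branch is left unsorted, so an attribute that is a `set` still serializes in hash-seeded order and the determinism this commit is after is only reached for attribute names and dict keys. Iterating `sorted(v) if isinstance(v, set) else v` in that comprehension would close the gap, provided the set's elements are orderable (a `list` should keep its author's order, since it may be meaningful). The `sorted(v.items())` on the dict branch compares whole `(key, value)` tuples; since keys are distinct the values are never reached, but `sorted(v.items(), key=lambda kv: kv[0])` makes it explicit that only the key decides. The `json` method continues past the hunk.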
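Review bot: The `Metadata["CVE"]` list on the first line of the hunk is built from `alas.cves` without sorting, so if `cves` is a set (its type is not visible here) the CVE order in the snapshot is still process-dependent even after `for item in sorted(fixed_in):`; `v.Metadata["CVE"] = [{"Name": cve} for cve in sorted(alas.cves)]` would make the order explicit for any container type. The `fixed_in` sort likewise uses the items' default ordering; a `key=` on the field that should drive the snapshot order (for example `item.pkg`, read two lines below) would state that intent. `map_to_vulnerability` continues past the hunk.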
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"amzn:2/alas-2018-939","item":{"Vulnerability":{"Description":"An updated kernel release for Amazon Linux has been made available which prevents speculative execution of indirect branches within the kernel. This release incorporates latest stable open source Linux security improvements to address CVE-2017-5715 within the kernel and builds upon previously incorporated Kernel Page Table Isolation (KPTI) that addressed CVE-2017-5754. Customers must upgrade to the latest Amazon Linux kernel or AMI to effectively mitigate the impact of both CVE-2017-5754 and CVE-2017-5715 on MMU privilege separation (kernel mode vs. user mode) within their instance.Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:sudo yum update kernelAs is standard per any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.Please refer to https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ for additional information regarding CVE-2017-5754.Updated on 2018-01-06: Additional KPTI improvements.Updated on 2018-01-09: Updated detailsUpdated on 2018-01-13: Additional fixes for CVE-2017-5715","FixedIn":[{"Name":"kernel","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-debuginfo","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-debuginfo-common-x86_64","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-devel","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-doc","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-headers","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-tools","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-tools-debuginfo","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"kernel-tools-devel","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"perf","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"perf-debuginfo","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"python-perf","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"},{"Name":"python-perf-debuginfo","NamespaceName":"amzn:2","Version":"4.9.76-38.79.amzn2","VersionFormat":"rpm"}],"Link":"https://alas.aws.amazon.com/AL2/ALAS-2018-939.html","Metadata":{"CVE":[{"Name":"CVE-2017-5715"},{"Name":"CVE-2017-5754"}]},"Name":"ALAS-2018-939","NamespaceName":"amzn:2","Severity":"Critical"}}}
diff --git a/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2022/alas-2021-001.json b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2022/alas-2021-001.json
new file mode 100644
index 00000000..780af0c3
--- /dev/null
+++ b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2022/alas-2021-001.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"amzn:2022/alas-2021-001","item":{"Vulnerability":{"Description":"A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3778)A use-after-free vulnerability in vim could allow an attacker to input a specially crafted file leading to memory corruption and a potentially exploitable crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3796)An out-of-bounds write flaw was found in vim's drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user to open a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-3872)There's an out-of-bounds read flaw in Vim's ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability. (CVE-2021-3875)","FixedIn":[{"Name":"vim","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-X11","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-X11-debuginfo","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-common","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-common-debuginfo","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-debuginfo","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-debugsource","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-default-editor","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-enhanced","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-enhanced-debuginfo","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-filesystem","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-minimal","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"},{"Name":"vim-minimal-debuginfo","NamespaceName":"amzn:2022","Version":"8.2.3512-1.amzn2022","VersionFormat":"rpm"}],"Link":"https://alas.aws.amazon.com/AL2022/ALAS-2021-001.html","Metadata":{"CVE":[{"Name":"CVE-2021-3778"},{"Name":"CVE-2021-3796"},{"Name":"CVE-2021-3872"},{"Name":"CVE-2021-3875"}]},"Name":"ALAS-2021-001","NamespaceName":"amzn:2022","Severity":"Medium"}}}
diff --git a/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2023/alas-2023-126.json b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2023/alas-2023-126.json
new file mode 100644
index 00000000..e0d3a88d
--- /dev/null
+++ b/tests/unit/providers/amazon/test-fixtures/snapshots/amzn:2023/alas-2023-126.json 
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"amzn:2023/alas-2023-126","item":{"Vulnerability":{"Description":"A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root. (CVE-2022-3787)A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. (CVE-2022-41973)multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. (CVE-2022-41974)","FixedIn":[{"Name":"device-mapper-multipath","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"device-mapper-multipath-debuginfo","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"device-mapper-multipath-debugsource","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"device-mapper-multipath-devel","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"device-mapper-multipath-libs","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"device-mapper-multipath-libs-debuginfo","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"kpartx","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"kpartx-debuginfo","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"libdmmp","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"libdmmp-debuginfo","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"},{"Name":"libdmmp-devel","NamespaceName":"amzn:2023","Version":"0.8.7-16.amzn2023.0.1","VersionFormat":"rpm"}],"Link":"https://alas.aws.amazon.com/AL2023/ALAS-2023-126.html","Metadata":{"CVE":[{"Name":"CVE-2022-3787"},{"Name":"CVE-2022-41973"},{"Name":"CVE-2022-41974"}]},"Name":"ALAS-2023-126","NamespaceName":"amzn:2023","Severity":"High"}}}
diff --git a/tests/unit/providers/amazon/test_amazon.py b/tests/unit/providers/amazon/test_amazon.py
index 7e75eaeb..4437df6d 100644
--- a/tests/unit/providers/amazon/test_amazon.py
+++ b/tests/unit/providers/amazon/test_amazon.py
@@ -103,3 +103,27 @@ def mock_download(self, *args, **kwargs):
 
     assert 3 == workspace.num_result_entries()
     assert workspace.result_schemas_valid(require_entries=True)
+
+
+def test_provider_via_snapshot(helpers, disable_get_requests, monkeypatch):
+    workspace = helpers.provider_workspace_helper(
+        name=Provider.name(),
+        input_fixture="test-fixtures/input",
+    )
+
+    c = Config()
+    # keep all of the default values for the result store, but override the strategy
+    c.runtime.result_store = result.StoreStrategy.FLAT_FILE
+    p = Provider(
+        root=workspace.root,
+        config=c,
+    )
+
+    def mock_download(_url, _file):
+        return None
+
+    monkeypatch.setattr(p.parser, "_download_rss", mock_download)
+
+    p.update(None)
+
+    workspace.assert_result_snapshots()
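Review bot: The stub `def mock_download(_url, _file):` pins `_download_rss` to exactly two positional arguments, whereas the earlier test's stub shown in the hunk header, `mock_download(self, *args, **kwargs)`, accepts any call shape; if the parser ever passes a keyword such as a skip-if-exists flag, this test fails with a `TypeError` that has nothing to do with the snapshot. `def mock_download(*_args, **_kwargs): return None` is consistent with the existing stub and robust to either call shape. The reason the stub can be a no-op at all is that the feeds are expected to be present under `test-fixtures/input` already, which the test never says; a comment above the stub such as `# RSS feeds are pre-populated from test-fixtures/input, so the network fetch is a no-op` would make that dependence explicit for whoever next adds a fixture.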