feat(cve/mitre): support go-cve-dictionary:mitre (#1978)

* feat(cve/mitre): support go-cve-dictionary:mitre * chore: adopt reviewer comment * refactor(models): refactor CveContents method
2024-06-29 16:35:06 +09:00
parent 9beb5fc9f0
commit d8173cdd42
15 changed files with 1005 additions and 212 deletions
--- a/models/cvecontents_test.go
+++ b/models/cvecontents_test.go
@@ -7,26 +7,37 @@ import (
 	"github.com/future-architect/vuls/constant"
 )

-func TestExcept(t *testing.T) {
-	var tests = []struct {
-		in  CveContents
-		out CveContents
-	}{{
-		in: CveContents{
-			RedHat: []CveContent{{Type: RedHat}},
-			Ubuntu: []CveContent{{Type: Ubuntu}},
-			Debian: []CveContent{{Type: Debian}},
+func TestCveContents_Except(t *testing.T) {
+	type args struct {
+		exceptCtypes []CveContentType
+	}
+	tests := []struct {
+		name       string
+		v          CveContents
+		args       args
+		wantValues CveContents
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				RedHat: []CveContent{{Type: RedHat}},
+				Ubuntu: []CveContent{{Type: Ubuntu}},
+				Debian: []CveContent{{Type: Debian}},
+			},
+			args: args{
+				exceptCtypes: []CveContentType{Ubuntu, Debian},
+			},
+			wantValues: CveContents{
+				RedHat: []CveContent{{Type: RedHat}},
+			},
 		},
-		out: CveContents{
-			RedHat: []CveContent{{Type: RedHat}},
-		},
-	},
 	}
 	for _, tt := range tests {
-		actual := tt.in.Except(Ubuntu, Debian)
-		if !reflect.DeepEqual(tt.out, actual) {
-			t.Errorf("\nexpected: %v\n  actual: %v\n", tt.out, actual)
-		}
+		t.Run(tt.name, func(t *testing.T) {
+			if gotValues := tt.v.Except(tt.args.exceptCtypes...); !reflect.DeepEqual(gotValues, tt.wantValues) {
+				t.Errorf("CveContents.Except() = %v, want %v", gotValues, tt.wantValues)
+			}
+		})
 	}
 }

@@ -84,14 +95,14 @@ func TestSourceLinks(t *testing.T) {
 					Type:  Nvd,
 					Value: "https://nvd.nist.gov/vuln/detail/CVE-2017-6074",
 				},
-				{
-					Type:  RedHat,
-					Value: "https://access.redhat.com/security/cve/CVE-2017-6074",
-				},
 				{
 					Type:  Jvn,
 					Value: "https://jvn.jp/vu/JVNVU93610402/",
 				},
+				{
+					Type:  RedHat,
+					Value: "https://access.redhat.com/security/cve/CVE-2017-6074",
+				},
 			},
 		},
 		// lang: en
@@ -162,6 +173,294 @@ func TestSourceLinks(t *testing.T) {
 	}
 }

+func TestCveContents_PatchURLs(t *testing.T) {
+	tests := []struct {
+		name     string
+		v        CveContents
+		wantUrls []string
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Nvd: []CveContent{
+					{
+						References: []Reference{
+							{
+								Link:   "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+								Source: "cve@mitre.org",
+								Tags:   []string{"Patch", "Vendor Advisory"},
+							},
+							{
+								Link:   "https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html",
+								Source: "cve@mitre.org",
+								Tags:   []string{"Mailing List", "Third Party Advisory"},
+							},
+						},
+					},
+					{
+						References: []Reference{
+							{
+								Link: "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+								Tags: []string{"Patch", "Vendor Advisory"},
+							},
+						},
+					},
+				},
+			},
+			wantUrls: []string{"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotUrls := tt.v.PatchURLs(); !reflect.DeepEqual(gotUrls, tt.wantUrls) {
+				t.Errorf("CveContents.PatchURLs() = %v, want %v", gotUrls, tt.wantUrls)
+			}
+		})
+	}
+}
+
+func TestCveContents_Cpes(t *testing.T) {
+	type args struct {
+		myFamily string
+	}
+	tests := []struct {
+		name       string
+		v          CveContents
+		args       args
+		wantValues []CveContentCpes
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Nvd: []CveContent{{
+					Cpes: []Cpe{{
+						URI:             "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",
+						FormattedString: "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*",
+					}},
+				}},
+			},
+			args: args{myFamily: "redhat"},
+			wantValues: []CveContentCpes{{
+				Type: Nvd,
+				Value: []Cpe{{
+					URI:             "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",
+					FormattedString: "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*",
+				}},
+			}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotValues := tt.v.Cpes(tt.args.myFamily); !reflect.DeepEqual(gotValues, tt.wantValues) {
+				t.Errorf("CveContents.Cpes() = %v, want %v", gotValues, tt.wantValues)
+			}
+		})
+	}
+}
+func TestCveContents_References(t *testing.T) {
+	type args struct {
+		myFamily string
+	}
+	tests := []struct {
+		name       string
+		v          CveContents
+		args       args
+		wantValues []CveContentRefs
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Mitre: []CveContent{{CveID: "CVE-2024-0001"}},
+				Nvd: []CveContent{
+					{
+						References: []Reference{
+							{
+								Link:   "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+								Source: "cve@mitre.org",
+								Tags:   []string{"Patch", "Vendor Advisory"},
+							},
+							{
+								Link:   "https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html",
+								Source: "cve@mitre.org",
+								Tags:   []string{"Mailing List", "Third Party Advisory"},
+							},
+						},
+					},
+					{
+						References: []Reference{
+							{
+								Link: "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+								Tags: []string{"Patch", "Vendor Advisory"},
+							},
+						},
+					},
+				},
+			},
+			wantValues: []CveContentRefs{
+				{
+					Type: Nvd,
+					Value: []Reference{
+						{
+							Link:   "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+							Source: "cve@mitre.org",
+							Tags:   []string{"Patch", "Vendor Advisory"},
+						},
+						{
+							Link:   "https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html",
+							Source: "cve@mitre.org",
+							Tags:   []string{"Mailing List", "Third Party Advisory"},
+						},
+					},
+				},
+				{
+					Type: Nvd,
+					Value: []Reference{
+						{
+							Link: "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c52873e5a1ef72f845526d9f6a50704433f9c625",
+							Tags: []string{"Patch", "Vendor Advisory"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotValues := tt.v.References(tt.args.myFamily); !reflect.DeepEqual(gotValues, tt.wantValues) {
+				t.Errorf("CveContents.References() = %v, want %v", gotValues, tt.wantValues)
+			}
+		})
+	}
+}
+
+func TestCveContents_CweIDs(t *testing.T) {
+	type args struct {
+		myFamily string
+	}
+	tests := []struct {
+		name       string
+		v          CveContents
+		args       args
+		wantValues []CveContentStr
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Mitre: []CveContent{{CweIDs: []string{"CWE-001"}}},
+				Nvd: []CveContent{
+					{CweIDs: []string{"CWE-001"}},
+					{CweIDs: []string{"CWE-001"}},
+				},
+			},
+			args: args{myFamily: "redhat"},
+			wantValues: []CveContentStr{
+				{
+					Type:  Mitre,
+					Value: "CWE-001",
+				},
+				{
+					Type:  Nvd,
+					Value: "CWE-001",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotValues := tt.v.CweIDs(tt.args.myFamily); !reflect.DeepEqual(gotValues, tt.wantValues) {
+				t.Errorf("CveContents.CweIDs() = %v, want %v", gotValues, tt.wantValues)
+			}
+		})
+	}
+}
+
+func TestCveContents_UniqCweIDs(t *testing.T) {
+	type args struct {
+		myFamily string
+	}
+	tests := []struct {
+		name string
+		v    CveContents
+		args args
+		want []CveContentStr
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Mitre: []CveContent{{CweIDs: []string{"CWE-001"}}},
+				Nvd: []CveContent{
+					{CweIDs: []string{"CWE-001"}},
+					{CweIDs: []string{"CWE-001"}},
+				},
+			},
+			args: args{myFamily: "redhat"},
+			want: []CveContentStr{
+				{
+					Type:  Nvd,
+					Value: "CWE-001",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.v.UniqCweIDs(tt.args.myFamily); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("CveContents.UniqCweIDs() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCveContents_SSVC(t *testing.T) {
+	tests := []struct {
+		name string
+		v    CveContents
+		want []CveContentSSVC
+	}{
+		{
+			name: "happy",
+			v: CveContents{
+				Mitre: []CveContent{
+					{
+						Type:     Mitre,
+						CveID:    "CVE-2024-5732",
+						Title:    "Clash Proxy Port improper authentication",
+						Optional: map[string]string{"source": "CNA"},
+					},
+					{
+						Type:  Mitre,
+						CveID: "CVE-2024-5732",
+						Title: "CISA ADP Vulnrichment",
+						SSVC: &SSVC{
+							Exploitation:    "none",
+							Automatable:     "no",
+							TechnicalImpact: "partial",
+						},
+						Optional: map[string]string{"source": "ADP:CISA-ADP"},
+					},
+				},
+			},
+			want: []CveContentSSVC{
+				{
+					Type: "mitre(ADP:CISA-ADP)",
+					Value: SSVC{
+						Exploitation:    "none",
+						Automatable:     "no",
+						TechnicalImpact: "partial",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.v.SSVC(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("CveContents.SSVC() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestCveContents_Sort(t *testing.T) {
 	tests := []struct {
 		name string
@@ -241,6 +540,48 @@ func TestCveContents_Sort(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "sort CVSS v4.0",
+			v: CveContents{
+				Mitre: []CveContent{
+					{Cvss40Score: 0},
+					{Cvss40Score: 6.9},
+				},
+			},
+			want: CveContents{
+				Mitre: []CveContent{
+					{Cvss40Score: 6.9},
+					{Cvss40Score: 0},
+				},
+			},
+		},
+		{
+			name: "sort CVSS v4.0 and CVSS v3",
+			v: CveContents{
+				Mitre: []CveContent{
+					{
+						Cvss40Score: 0,
+						Cvss3Score:  7.3,
+					},
+					{
+						Cvss40Score: 0,
+						Cvss3Score:  9.8,
+					},
+				},
+			},
+			want: CveContents{
+				Mitre: []CveContent{
+					{
+						Cvss40Score: 0,
+						Cvss3Score:  9.8,
+					},
+					{
+						Cvss40Score: 0,
+						Cvss3Score:  7.3,
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -252,6 +593,47 @@ func TestCveContents_Sort(t *testing.T) {
 	}
 }

+func TestCveContent_Empty(t *testing.T) {
+	type fields struct {
+		Type    CveContentType
+		CveID   string
+		Title   string
+		Summary string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   bool
+	}{
+		{
+			name: "empty",
+			fields: fields{
+				Summary: "",
+			},
+			want: true,
+		},
+		{
+			name: "not empty",
+			fields: fields{
+				Summary: "summary",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := (CveContent{
+				Type:    tt.fields.Type,
+				CveID:   tt.fields.CveID,
+				Title:   tt.fields.Title,
+				Summary: tt.fields.Summary,
+			}).Empty(); got != tt.want {
+				t.Errorf("CveContent.Empty() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestNewCveContentType(t *testing.T) {
 	tests := []struct {
 		name string
@@ -309,3 +691,31 @@ func TestGetCveContentTypes(t *testing.T) {
 		})
 	}
 }
+
+func TestCveContentTypes_Except(t *testing.T) {
+	type args struct {
+		excepts []CveContentType
+	}
+	tests := []struct {
+		name         string
+		c            CveContentTypes
+		args         args
+		wantExcepted CveContentTypes
+	}{
+		{
+			name: "happy",
+			c:    CveContentTypes{Ubuntu, UbuntuAPI},
+			args: args{
+				excepts: []CveContentType{Ubuntu},
+			},
+			wantExcepted: CveContentTypes{UbuntuAPI},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotExcepted := tt.c.Except(tt.args.excepts...); !reflect.DeepEqual(gotExcepted, tt.wantExcepted) {
+				t.Errorf("CveContentTypes.Except() = %v, want %v", gotExcepted, tt.wantExcepted)
+			}
+		})
+	}
+}