guix-devel/tests/cve.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64))

(define %sample
  (search-path %load-path "tests/cve-sample.xml"))

(define (vulnerability id packages)
  (make-struct (@@ (guix cve) <vulnerability>) 0 id packages))

(define %expected-vulnerabilities
  ;; What we should get when reading %SAMPLE.
  (list
   ;; CVE-2003-0001 has no "/a" in its product list so it is omitted.
   ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
   (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1")))
   (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5")
                                    ("jasper" "1.900.1")))
   (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0")))
   ;; CVE-2015-8330 has no software list.
   ))


(test-begin "cve")

(test-equal "xml->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample xml->vulnerabilities))

(test-equal "vulnerabilities->lookup-proc"
  (list (list (first %expected-vulnerabilities))
        '()
        '()
        (list (second %expected-vulnerabilities))
        (list (third %expected-vulnerabilities)))
  (let* ((vulns  (call-with-input-file %sample xml->vulnerabilities))
         (lookup (vulnerabilities->lookup-proc vulns)))
    (list (lookup "phpvid")
          (lookup "jasper" "2.0")
          (lookup "foobar")
          (lookup "jasper" "1.900.1")
          (lookup "openoffice.org" "2.3.0"))))

(test-end "cve")
-												Add (guix cve).

* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files.
* Makefile.am (MODULES): Add guix/cve.scm.
(SCM_TESTS): Add tests/cve.scm.
(EXTRA_DIST): Add tests/cve-sample.scm.

											
										
										
											2015-11-26 21:52:25 +01:00
+								;;; GNU Guix --- Functional package management for GNU
-												cve: Use a more compact format for the list of package/versions.

On a warm cache, "guix lint -c cve vorbis-tools" goes down
from 6.5s to 2.4s.

* guix/cve.scm (cpe->package-name): Change to return two values instead
of a pair.
(cpe->product-alist): New procedure.
(%parse-vulnerability-feed): Use it instead of 'filter-map'.
(fetch-vulnerabilities): Bump sexp format version to 1.
(vulnerabilities->lookup-proc): Adjust accordingly.  When #:version is
omitted, return a list of vulnerabilities instead of a list of
version/vulnerability pairs.
* tests/cve.scm (%expected-vulnerabilities)
("vulnerabilities->lookup-proc): Adjust accordingly.

											
										
										
											2016-05-28 00:44:36 +02:00
+								;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
-												Add (guix cve).

* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files.
* Makefile.am (MODULES): Add guix/cve.scm.
(SCM_TESTS): Add tests/cve.scm.
(EXTRA_DIST): Add tests/cve-sample.scm.

											
										
										
											2015-11-26 21:52:25 +01:00
+								;;;
 								;;; This file is part of GNU Guix.
 								;;;
 								;;; GNU Guix is free software; you can redistribute it and/or modify it
 								;;; under the terms of the GNU General Public License as published by
 								;;; the Free Software Foundation; either version 3 of the License, or (at
 								;;; your option) any later version.
 								;;;
 								;;; GNU Guix is distributed in the hope that it will be useful, but
 								;;; WITHOUT ANY WARRANTY; without even the implied warranty of
 								;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 								;;; GNU General Public License for more details.
 								;;;
 								;;; You should have received a copy of the GNU General Public License
 								;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 								(define-module (test-cve)
 								  #:use-module (guix cve)
 								  #:use-module (srfi srfi-1)
 								  #:use-module (srfi srfi-64))
 								(define %sample
 								  (search-path %load-path "tests/cve-sample.xml"))
 								(define (vulnerability id packages)
 								  (make-struct (@@ (guix cve) <vulnerability>) 0 id packages))
 								(define %expected-vulnerabilities
 								  ;; What we should get when reading %SAMPLE.
 								  (list
 								   ;; CVE-2003-0001 has no "/a" in its product list so it is omitted.
 								   ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
-												cve: Use a more compact format for the list of package/versions.

On a warm cache, "guix lint -c cve vorbis-tools" goes down
from 6.5s to 2.4s.

* guix/cve.scm (cpe->package-name): Change to return two values instead
of a pair.
(cpe->product-alist): New procedure.
(%parse-vulnerability-feed): Use it instead of 'filter-map'.
(fetch-vulnerabilities): Bump sexp format version to 1.
(vulnerabilities->lookup-proc): Adjust accordingly.  When #:version is
omitted, return a list of vulnerabilities instead of a list of
version/vulnerability pairs.
* tests/cve.scm (%expected-vulnerabilities)
("vulnerabilities->lookup-proc): Adjust accordingly.

											
										
										
											2016-05-28 00:44:36 +02:00
+								   (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1")))
 								   (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5")
 								                                    ("jasper" "1.900.1")))
 								   (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0")))
-												Add (guix cve).

* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files.
* Makefile.am (MODULES): Add guix/cve.scm.
(SCM_TESTS): Add tests/cve.scm.
(EXTRA_DIST): Add tests/cve-sample.scm.

											
										
										
											2015-11-26 21:52:25 +01:00
+								   ;; CVE-2015-8330 has no software list.
 								   ))
 								(test-begin "cve")
 								(test-equal "xml->vulnerabilities"
 								  %expected-vulnerabilities
 								  (call-with-input-file %sample xml->vulnerabilities))
-												cve: Use a more compact format for the list of package/versions.

On a warm cache, "guix lint -c cve vorbis-tools" goes down
from 6.5s to 2.4s.

* guix/cve.scm (cpe->package-name): Change to return two values instead
of a pair.
(cpe->product-alist): New procedure.
(%parse-vulnerability-feed): Use it instead of 'filter-map'.
(fetch-vulnerabilities): Bump sexp format version to 1.
(vulnerabilities->lookup-proc): Adjust accordingly.  When #:version is
omitted, return a list of vulnerabilities instead of a list of
version/vulnerability pairs.
* tests/cve.scm (%expected-vulnerabilities)
("vulnerabilities->lookup-proc): Adjust accordingly.

											
										
										
											2016-05-28 00:44:36 +02:00
+								(test-equal "vulnerabilities->lookup-proc"
 								  (list (list (first %expected-vulnerabilities))
-												Add (guix cve).

* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files.
* Makefile.am (MODULES): Add guix/cve.scm.
(SCM_TESTS): Add tests/cve.scm.
(EXTRA_DIST): Add tests/cve-sample.scm.

											
										
										
											2015-11-26 21:52:25 +01:00
+								        '()
 								        '()
 								        (list (second %expected-vulnerabilities))
 								        (list (third %expected-vulnerabilities)))
 								  (let* ((vulns  (call-with-input-file %sample xml->vulnerabilities))
 								         (lookup (vulnerabilities->lookup-proc vulns)))
 								    (list (lookup "phpvid")
 								          (lookup "jasper" "2.0")
 								          (lookup "foobar")
 								          (lookup "jasper" "1.900.1")
 								          (lookup "openoffice.org" "2.3.0"))))
 								(test-end "cve")