gnutls test and improved no cves error messages in TestScanner

Signed-off-by: John Andersen <john.s.andersen@intel.com>
intel · Oct 30, 2019 · ff14b13 · ff14b13
1 parent d2777d8
commit ff14b13
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 19 deletions.
diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py
@@ -4,29 +4,33 @@
 References:
 https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
 """
+import os
 from ..util import regex_find
 
+
 def get_version(lines, filename):
     """
     returns version information for gnutls found in given file.
-    Verfies using the tools gnutls-cli 
+    Verfies using the tools gnutls-cli
     Verifies using the libraries libgnutls.so and libgnutls-dane.so
 
+    VPkg: gnu, gnutls
     VPkg: gnutls, gnutls
     """
-    regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"]
-    version_info = dict()
-    if filename[::-1].startswith(("gnutls-cli")[::-1]):
-        version_info["is_or_contains"] = "is"
-    if filename[::-1].startswith(("gnutls-serv")[::-1]):
-        version_info["is_or_contains"] = "is"
+    regex = [r"gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)"]
 
-    if "is_or_contains" in version_info:
-        version_info["modulename"] = "gnutls-cli"
-        version_info["version"] = regex_find(lines, *regex)
-    elif "libgnutls.so" in filename:
-        version_info["is_or_contains"] = "is"
-    elif "libgnutls-dane.so" in filename:
-        version_info["is_or_contains"] = "is"
+    for modulename, binary_names in (
+        {
+            "gnutls-serv": ["gnutls-serv"],
+            "gnutls-cli": ["gnutls-cli", "libgnutls.so", "libgnutls-dane.so"],
+        }
+    ).items():
+        for check in binary_names:
+            if check in os.path.split(filename)[-1]:
+                return {
+                    "is_or_contains": "is",
+                    "modulename": modulename,
+                    "version": regex_find(lines, *regex),
+                }
 
-    return version_info
+    return {}
diff --git a/test/binaries/test-gnutls-cli-2.3.11.c b/test/binaries/test-gnutls-cli-2.3.11.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with gnutls-cli 2.3.11");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("gnutls-cli 2.3.11");
+
+	return 0;
+}
diff --git a/test/binaries/test-gnutls-serv-2.3.11.c b/test/binaries/test-gnutls-serv-2.3.11.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with gnutls-serv 2.3.11");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("gnutls-serv 2.3.11");
+
+	return 0;
+}
diff --git a/test/test_scanner.py b/test/test_scanner.py
@@ -91,14 +91,14 @@ def _binary_test(self, binary, package, version, are_in, not_in):
         # Run the scan
         cves = self.scan_file(binary)
         # Make sure the package and version are in the results
-        self.assertIn(package, cves)
-        self.assertIn(version, cves[package])
+        self.assertIn(package, list(cves.keys()))
+        self.assertIn(version, list(cves[package].keys()))
         # Test for CVEs known in this version
         for ensure_in in are_in:
-            self.assertIn(ensure_in, cves[package][version])
+            self.assertIn(ensure_in, list(cves[package][version].keys()))
         # Test for a CVE that is not in this version
         for ensure_out in not_in:
-            self.assertNotIn(ensure_out, cves[package][version])
+            self.assertNotIn(ensure_out, list(cves[package][version].keys()))
 
     def _file_test(self, url, filename, package, version):
         """ Helper function to get a file (presumed to be a real copy
@@ -245,6 +245,28 @@ def test_ffmpeg_4_1_4(self):
             ],
         )
 
+    def test_gnutls_2_3_11(self):
+        """Scanning test-gnutls-{binary}-2.3.11.out"""
+        for binary in ["cli", "serv"]:
+            with self.subTest(binary=binary):
+                self._binary_test(
+                    "test-gnutls-{}-2.3.11.out".format(binary),
+                    "gnutls-cli",
+                    "2.3.11",
+                    [
+                        # known cves in 2.3.11
+                        "CVE-2008-1948",
+                        "CVE-2008-1949",
+                        "CVE-2008-1950",
+                    ],
+                    [
+                        # an older cve from before 2.3.11
+                        "CVE-2004-2531",
+                        # an newer cve from after 2.3.11
+                        "CVE-2017-7869",
+                    ],
+                )
+
     def test_jpeg_2_0_1(self):
         """Scanning test-libjpeg-turbo-2.0.1"""
         self._binary_test(