;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;; Unit tests for (guix cve): parse the bundled CVE feed sample into
;; <vulnerability> structs and look them up by package name and version.
(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64))

(define %sample
  ;; Absolute file name of the CVE feed excerpt used as test input,
  ;; located by searching %LOAD-PATH.
  (let ((relative-name "tests/cve-sample.xml"))
    (search-path %load-path relative-name)))

(define (vulnerability id packages)
  "Return a <vulnerability> struct with ID and PACKAGES as its two fields.
The record type is private to (guix cve), hence the @@ access; building the
struct directly lets the tests compare against parser output with 'equal?'."
  (let ((type (@@ (guix cve) <vulnerability>)))
    (make-struct type 0 id packages)))

(define %expected-vulnerabilities
  ;; What reading %SAMPLE must yield: each (ID PACKAGES) entry below becomes
  ;; a <vulnerability> struct.  Entries of the sample that must NOT appear:
  ;;  - CVE-2003-0001 has no "/a" in its product list so it is omitted.
  ;;  - CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
  ;;  - CVE-2015-8330 has no software list.
  (map (lambda (entry)
         (apply vulnerability entry))
       '(("CVE-2008-2335" (("phpvid" "1.2" "1.1")))
         ("CVE-2008-3522" (("enterprise_virtualization" "3.5")
                           ("jasper" "1.900.1")))
         ("CVE-2009-3301" (("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))))))


(test-begin "cve")

;; The parser must produce exactly the expected structs, in order: this also
;; exercises the filtering of entries without a usable application/version.
(test-equal "xml->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample
    (lambda (port)
      (xml->vulnerabilities port))))

;; Expected lookup results, in query order: a name-only query returns the
;; matching vulnerability; a version that is not listed for the package, or
;; an unknown package, yields '(); a listed (name, version) pair matches.
(test-equal "vulnerabilities->lookup-proc"
  (list (list (first %expected-vulnerabilities))
        '()
        '()
        (list (second %expected-vulnerabilities))
        (list (third %expected-vulnerabilities)))
  (let ((lookup (vulnerabilities->lookup-proc
                 (call-with-input-file %sample xml->vulnerabilities))))
    ;; Each query is (NAME) or (NAME VERSION), applied to LOOKUP as-is.
    (map (lambda (query)
           (apply lookup query))
         '(("phpvid")
           ("jasper" "2.0")
           ("foobar")
           ("jasper" "1.900.1")
           ("openoffice.org" "2.3.0")))))

(test-end "cve")
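;; NOTE(review): this excerpt opens in the tail of a definition whose head is
;; above it; from its use below that binding is presumably SAMPLE-DIRECTORY,
;; a fresh temporary directory created with mkdtemp! -- confirm.
  (let ((template (string-append (or (getenv "TMPDIR") "/tmp")
                                 "/guix-pypi-test-XXXXXX")))
    (mkdtemp! template)))

(define (pypi-tarball name specs)
  "Return a PyPI tarball called NAME suffixed with '.tar.gz' and containing
the files specified in SPECS. Return its file name."
  (let ((directory (in-vicinity sample-directory name))
        (tarball   (in-vicinity sample-directory
                                (string-append name ".tar.gz"))))
    ;; Remove any leftover from a previous run before regenerating.
    (false-if-exception (delete-file tarball))
    (mkdir-p directory)
    ;; SPECS is a list of (FILE CONTENT) pairs; FILE may contain
    ;; sub-directories, which are created on demand.
    (for-each (match-lambda
                ((file content)
                 (mkdir-p (in-vicinity directory (dirname file)))
                 (call-with-output-file (in-vicinity directory file)
                   (lambda (port)
                     (display content port)))))
              specs)
    ;; SYSTEM* receives an argument vector, so NAME is never interpreted by
    ;; a shell; tar's verbose listing is discarded through the void port.
    (parameterize ((current-output-port (%make-void-port "w0")))
      (system* "tar" "-C" sample-directory "-czvf" tarball
               (basename directory)))
    (delete-file-recursively directory)
    tarball))

(define (wheel-file name specs)
  "Return a Wheel file called NAME suffixed with '.whl' and containing the
files specified by SPECS. Return its file name."
  (let* ((directory (in-vicinity sample-directory
                                 (string-append name ".dist-info")))
         (zip-file  (in-vicinity sample-directory
                                 (string-append name ".zip")))
         (whl-file  (in-vicinity sample-directory
                                 (string-append name ".whl"))))
    ;; Remove any leftover from a previous run before regenerating.
    (false-if-exception (delete-file whl-file))
    (mkdir-p directory)
    (for-each (match-lambda
                ((file content)
                 (mkdir-p (in-vicinity directory (dirname file)))
                 (call-with-output-file (in-vicinity directory file)
                   (lambda (port)
                     (display content port)))))
              specs)
    ;; zip always adds a "zip" extension to the file it creates,
    ;; so we need to rename it.
    (with-directory-excursion (dirname directory)
      (system* "zip" "-qr" zip-file (basename directory)))
    (rename-file zip-file whl-file)
    (delete-file-recursively directory)
    whl-file))

(define (file-dump file)
  "Return a procedure that dumps FILE to the given port."
  (lambda (output)
    (call-with-input-file file
      (lambda (input)
        (dump-port input output)))))

;; Evaluate BODY while a local HTTP server answers RESPONSES and
;; %PYPI-BASE-URL points at it, so the importer's requests are served
;; by the test fixture rather than a remote index.
(define-syntax-rule (with-pypi responses body ...)
  (with-http-server responses
    (parameterize ((%pypi-base-url (%local-url #:path "/")))
      body ...)))


(test-begin "pypi")

(test-equal "guix-package->pypi-name, old URL style"
  "psutil"
  (guix-package->pypi-name
   (dummy-package "foo"
                  (source (dummy-origin
                           (uri "https://pypi.org/packages/source/p/psutil/psutil-4.3.0.tar.gz"))))))

(test-equal "guix-package->pypi-name, new URL style"
  "certbot"
  (guix-package->pypi-name
   (dummy-package "foo"
                  (source (dummy-origin
                           (uri "https://pypi.org/packages/a2/3b/4756e6a0ceb14e084042a2a65c615d68d25621c6fd446d0fc10d14c4ce7d/certbot-0.8.1.tar.gz"))))))

(test-equal "guix-package->pypi-name, several URLs"
  "cram"
  (guix-package->pypi-name
   (dummy-package "foo"
                  (source (dummy-origin
                           (uri (list "https://bitheap.org/cram/cram-0.7.tar.gz"
                                      (pypi-uri "cram" "0.7"))))))))

(test-equal "guix-package->pypi-name, honor 'upstream-name'"
  "bar-3"
  (guix-package->pypi-name
   (dummy-package "foo"
                  (properties '((upstream-name . "bar-3"))))))

(test-equal "specification->requirement-name"
  '("Fizzy" "PickyThing" "SomethingWithMarker" "requests" "pip")
  (map specification->requirement-name test-specifications))

;; The parsers read from a file name; MOCK swaps call-with-input-file for
;; call-with-input-string so the in-memory fixtures can be fed directly.
(test-equal "parse-requires.txt"
  (list '("foo" "bar") '("pytest"))
  (mock ((ice-9 ports) call-with-input-file call-with-input-string)
        (parse-requires.txt test-requires.txt)))

(test-equal "parse-requires.txt - Beaker"
  (list '() '("Mock" "coverage"))
  (mock ((ice-9 ports) call-with-input-file call-with-input-string)
        (parse-requires.txt test-requires.txt-beaker)))

(test-equal "parse-wheel-metadata, with extras"
  (list '("wrapt" "bar") '("tox" "bumpversion"))
  (mock ((ice-9 ports) call-with-input-file call-with-input-string)
        (parse-wheel-metadata test-metadata-with-extras)))

(test-equal "parse-wheel-metadata, with extras - Jedi"
  (list '("parso") '("pytest"))
  (mock ((ice-9 ports) call-with-input-file call-with-input-string)
        (parse-wheel-metadata test-metadata-with-extras-jedi)))

(test-equal "find-project-url, with numpy"
  "numpy"
  (find-project-url
   "numpy"
   "https://files.pythonhosted.org/packages/0a/c8/a62767a6b374a0dfb02d2a0456e5f56a372cdd1689dbc6ffb6bf1ddedbc0/numpy-1.22.1.zip"))

(test-equal "find-project-url, uWSGI"
  "uwsgi"
  (find-project-url
   "uWSGI"
   "https://files.pythonhosted.org/packages/24/fd/93851e4a076719199868d4c918cc93a52742e68370188c1c570a6e42a54f/uwsgi-2.0.20.tar.gz"))

(test-equal "find-project-url, flake8-array-spacing"
  "flake8_array_spacing"
  (find-project-url
   "flake8-array-spacing"
   "https://files.pythonhosted.org/packages/a4/21/ff29b901128b681b7de7a2787b3aeb3e1f3cba4a8c0cffa9712cbff016bc/flake8_array_spacing-0.2.0.tar.gz"))

(test-equal "find-project-url, foo/goo"
  "foo"
  (find-project-url
   "foo"
   "https://files.pythonhosted.org/packages/f0/f00/goo-0.0.0.tar.gz"))

;; Besides the generated package, this checks that the recorded hash matches
;; the served tarball, that an explicit matching #:version is equivalent to
;; the default, and that an unknown version is reported as an error.
(test-assert "pypi->guix-package, no wheel"
  (let ((tarball (pypi-tarball "foo-1.0.0"
                               `(("src/bizarre.egg-info/requires.txt"
                                  ,test-requires.txt))))
        (twice (lambda (lst) (append lst lst))))
    ;; NOTE(review): the response list is doubled, presumably because each
    ;; entry is consumed once and the package is imported more than once
    ;; below -- confirm against with-http-server.
    (with-pypi (twice `(("/foo-1.0.0.tar.gz" 200 ,(file-dump tarball))
                        ("/foo-1.0.0-py2.py3-none-any.whl" 404 "")
                        ("/foo/json" 200 ,(lambda (port)
                                            (display (foo-json) port)))))
      (match (pypi->guix-package "foo")
        (`(package
            (name "python-foo")
            (version "1.0.0")
            (source (origin
                      (method url-fetch)
                      (uri (pypi-uri "foo" version))
                      (sha256
                       (base32 ,(? string? hash)))))
            (build-system pyproject-build-system)
            (propagated-inputs (list python-bar python-foo))
            (native-inputs (list python-pytest))
            (home-page "http://example.com")
            (synopsis "summary")
            (description "summary.")
            (license license:lgpl2.0))
         (and (string=? default-sha256/base32 hash)
              (equal? (pypi->guix-package "foo" #:version "1.0.0")
                      (pypi->guix-package "foo"))
              (guard (c ((error? c) #t))
                (pypi->guix-package "foo" #:version "42"))))
        (x
         (pk 'fail x #f))))))

;; Skipped when no 'zip' executable is available to build the wheel fixture.
(test-skip (if (which "zip") 0 1))
(test-assert "pypi->guix-package, wheels"
  (let ((tarball (pypi-tarball "foo-1.0.0"
                               '(("foo-1.0.0/foo.egg-info/requires.txt"
                                  "wrong data \
to make sure we're testing wheels"))))
        (wheel   (wheel-file "foo-1.0.0"
                             `(("METADATA" ,test-metadata)))))
    (with-pypi `(("/foo-1.0.0.tar.gz" 200 ,(file-dump tarball))
                 ("/foo-1.0.0-py2.py3-none-any.whl" 200 ,(file-dump wheel))
                 ("/foo/json" 200 ,(lambda (port)
                                     (display (foo-json) port))))
      ;; Not clearing the memoization cache here would mean returning the value
      ;; computed in the previous test.
      (invalidate-memoization! pypi->guix-package)
      (match (pypi->guix-package "foo")
        (`(package
            (name "python-foo")
            (version "1.0.0")
            (source (origin
                      (method url-fetch)
                      (uri (pypi-uri "foo" version))
                      (sha256
                       (base32 ,(? string? hash)))))
            (build-system pyproject-build-system)
            (propagated-inputs (list python-bar python-baz))
            (native-inputs (list python-pytest))
            (home-page "http://example.com")
            (synopsis "summary")
            (description "summary.")
            (license license:lgpl2.0))
         (string=? default-sha256/base32 hash))
        (x
         (pk 'fail x #f))))))

(test-assert "pypi->guix-package, no usable requirement file."
  (let ((tarball (pypi-tarball "foo-1.0.0"
                               '(("foo.egg-info/.empty" "")))))
    (with-pypi `(("/foo-1.0.0.tar.gz" 200 ,(file-dump tarball))
                 ("/foo-1.0.0-py2.py3-none-any.whl" 404 "")
                 ("/foo/json" 200 ,(lambda (port)
                                     (display (foo-json) port))))
      ;; Not clearing the memoization cache here would mean returning the
      ;; value computed in the previous test.
      (invalidate-memoization! pypi->guix-package)
      (match (pypi->guix-package "foo")
        (`(package
            (name "python-foo")
            (version "1.0.0")
            (source (origin
                      (method url-fetch)
                      (uri (pypi-uri "foo" version))
                      (sha256
                       (base32 ,(? string? hash)))))
            (build-system pyproject-build-system)
            (home-page "http://example.com")
            (synopsis "summary")
            (description "summary.")
            (license license:lgpl2.0))
         (string=? default-sha256/base32 hash))
        (x
         (pk 'fail x #f))))))

(test-assert "pypi->guix-package, package name contains \"-\" followed by digits"
  (let ((tarball (pypi-tarball "foo-99-1.0.0"
                               `(("src/bizarre.egg-info/requires.txt"
                                  ,test-requires.txt)))))
    (with-pypi `(("/foo-99-1.0.0.tar.gz" 200 ,(file-dump tarball))
                 ("/foo-99-1.0.0-py2.py3-none-any.whl" 404 "")
                 ("/foo-99/json" 200 ,(lambda (port)
                                        (display (foo-json #:name "foo-99")
                                                 port))))
      (match (pypi->guix-package "foo-99")
        (`(package
            (name "python-foo-99")
            (version "1.0.0")
            (source (origin
                      (method url-fetch)
                      (uri (pypi-uri "foo-99" version))
                      (sha256
                       (base32 ,(? string? hash)))))
            (properties (quote (("upstream-name" . "foo-99"))))
            (build-system pyproject-build-system)
            (propagated-inputs (list python-bar python-foo))
            (native-inputs (list python-pytest))
            (home-page "http://example.com")
            (synopsis "summary")
            (description "summary.")
            (license license:lgpl2.0))
         (string=? default-sha256/base32 hash))
        (x
         (pk 'fail x #f))))))

;; The updater must report the tarball, its detached signature, and the
;; dependencies found in requires.txt with their downstream names and types.
(test-equal "package-latest-release"
  (list '("foo-1.0.0.tar.gz")
        '("foo-1.0.0.tar.gz.asc")
        (list (upstream-input
               (name "bar")
               (downstream-name "python-bar")
               (type 'propagated))
              (upstream-input
               (name "foo")
               (downstream-name "python-foo")
               (type 'propagated))
              (upstream-input
               (name "pytest")
               (downstream-name "python-pytest")
               (type 'native))))
  (let ((tarball (pypi-tarball "foo-1.0.0"
                               `(("src/bizarre.egg-info/requires.txt"
                                  ,test-requires.txt)))))
    (with-pypi `(("/foo-1.0.0.tar.gz" 200 ,(file-dump tarball))
                 ("/foo-1.0.0-py2.py3-none-any.whl" 404 "")
                 ("/foo/json" 200 ,(lambda (port)
                                     (display (foo-json) port))))
      (define source
        (package-latest-release
         (dummy-package "python-foo"
                        (version "0.1.2")
                        (source (dummy-origin
                                 (method url-fetch)
                                 (uri (pypi-uri "foo" version))))
                        (build-system python-build-system))
         (list %pypi-updater)))

      (list (map basename (upstream-source-urls source))
            (map basename (upstream-source-signature-urls source))
            (upstream-source-inputs source)))))

(test-end "pypi")

(delete-file-recursively sample-directory)

;; Local Variables:
;; eval: (put 'with-pypi 'scheme-indent-function 1)
;; End: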