// This file is part of the happyDomain (R) project.
// Copyright (c) 2020-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at .
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .

package checker

import "testing"

// hasIssue reports whether at least one entry of issues carries the given
// issue code.
func hasIssue(issues []Issue, code string) bool {
	for idx := range issues {
		if issues[idx].Code == code {
			return true
		}
	}
	return false
}

// TestVendorFixSuppressesRegreSSHion checks that the CVE-2024-6387
// (regreSSHion) finding is raised for banners in the affected window and is
// suppressed only when the vendor revision advertised in the banner is at or
// after the revision the test expects to be fixed for that exact upstream
// version.
//
// The table pins the fail-closed cases: a banner without a vendor suffix, or
// with a vendor revision paired with a different upstream version, must still
// be flagged. As exercised here the decision rests on the banner strings
// alone, so a patched build that does not advertise its vendor revision is
// reported as vulnerable (a false positive, which is the safe direction).
func TestVendorFixSuppressesRegreSSHion(t *testing.T) {
	const wantCode = "cve_2024_6387_regreSSHion"

	tests := []struct {
		name    string
		soft    string
		vendor  string
		flagged bool
	}{
		// Vanilla upstream in the affected window: must flag.
		{name: "upstream 9.2p1", soft: "OpenSSH_9.2p1", vendor: "", flagged: true},

		// Debian bookworm before / at / after the fix. "u10" must rank above
		// "u3"; a plain string comparison would order it below and flag a
		// patched host.
		{name: "debian unpatched", soft: "OpenSSH_9.2p1", vendor: "Debian-2+deb12u2", flagged: true},
		{name: "debian patched", soft: "OpenSSH_9.2p1", vendor: "Debian-2+deb12u3", flagged: false},
		{name: "debian later point release", soft: "OpenSSH_9.2p1", vendor: "Debian-2+deb12u10", flagged: false},

		// Ubuntu jammy: numeric ".10" must beat ".2" (dpkg numeric run). A
		// plain string comparison would order "0.2" after "0.10" and could
		// treat the unpatched build as fixed.
		{name: "ubuntu jammy unpatched", soft: "OpenSSH_8.9p1", vendor: "Ubuntu-3ubuntu0.2", flagged: true},
		{name: "ubuntu jammy patched", soft: "OpenSSH_8.9p1", vendor: "Ubuntu-3ubuntu0.10", flagged: false},

		// Ubuntu noble.
		{name: "ubuntu noble patched", soft: "OpenSSH_9.6p1", vendor: "Ubuntu-3ubuntu13.3", flagged: false},
		{name: "ubuntu noble unpatched", soft: "OpenSSH_9.6p1", vendor: "Ubuntu-3ubuntu13.2", flagged: true},

		// A fix recorded for a different upstream version must not apply.
		{name: "vendor mismatch upstream", soft: "OpenSSH_9.3p1", vendor: "Debian-2+deb12u3", flagged: true},

		// Not affected at all (below 8.5p1): never flagged regardless.
		{name: "debian bullseye", soft: "OpenSSH_8.4p1", vendor: "Debian-5+deb11u1", flagged: false},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Build the identification string: the vendor part, when there
			// is one, follows the software version after a single space.
			ident := tt.soft
			if tt.vendor != "" {
				ident += " " + tt.vendor
			}
			banner := "SSH-2.0-" + ident

			issues := analyseBannerVulns("host:22", banner, tt.soft, tt.vendor)
			got := hasIssue(issues, wantCode)
			if got == tt.flagged {
				return
			}
			t.Fatalf("regreSSHion flagged=%v, want %v (issues=%v)", got, tt.flagged, issues)
		})
	}
}

// TestDpkgVerCmp checks the ordering produced by dpkgVerCmp on Debian and
// Ubuntu revision strings. Only the sign of the result is compared, not its
// magnitude.
func TestDpkgVerCmp(t *testing.T) {
	tests := []struct {
		a, b string
		want int // sign
	}{
		{a: "2+deb12u3", b: "2+deb12u2", want: 1},
		{a: "2+deb12u3", b: "2+deb12u3", want: 0},
		{a: "2+deb12u3", b: "2+deb12u10", want: -1},
		{a: "3ubuntu0.10", b: "3ubuntu0.2", want: 1},
		{a: "3ubuntu13.3", b: "3ubuntu13.2", want: 1},
		{a: "1.0", b: "1.0~rc1", want: 1}, // tilde sorts before everything
	}

	for _, tt := range tests {
		got := dpkgVerCmp(tt.a, tt.b)

		// The signs agree when both values are positive, both are negative,
		// or both are zero.
		samePositive := (got > 0) == (tt.want > 0)
		sameNegative := (got < 0) == (tt.want < 0)
		if samePositive && sameNegative {
			continue
		}
		t.Errorf("dpkgVerCmp(%q,%q)=%d, want sign %d", tt.a, tt.b, got, tt.want)
	}
}