checker-ssh/checker/vulns_vendorfix_test.go
Pierre-Olivier Mercier fb2ae7d903
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
checker: suppress CVE warnings for vendor-backported OpenSSH fixes
Distributions backport security fixes without bumping the upstream
OpenSSH version, so a banner like "OpenSSH_9.2p1 Debian-2+deb12u3" was
wrongly flagged for regreSSHion despite carrying the fix.

Thread the banner vendor comment into analyseBannerVulns and add a
per-CVE VendorFixes table recording the earliest patched package
revision per distro/upstream version. Revisions are compared with a
faithful port of dpkg's verrevcmp ordering. Populated for CVE-2024-6387
from DSA-5724-1 (Debian) and USN-6859-1 (Ubuntu).
2026-06-18 16:55:19 +09:00

92 lines
3.2 KiB
Go

// This file is part of the happyDomain (R) project.
// Copyright (c) 2020-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package checker
import "testing"
func hasIssue(issues []Issue, code string) bool {
for _, i := range issues {
if i.Code == code {
return true
}
}
return false
}
func TestVendorFixSuppressesRegreSSHion(t *testing.T) {
const code = "cve_2024_6387_regreSSHion"
cases := []struct {
name string
soft string
vendor string
flagged bool
}{
// Vanilla upstream in the affected window: must flag.
{"upstream 9.2p1", "OpenSSH_9.2p1", "", true},
// Debian bookworm before / at / after the fix.
{"debian unpatched", "OpenSSH_9.2p1", "Debian-2+deb12u2", true},
{"debian patched", "OpenSSH_9.2p1", "Debian-2+deb12u3", false},
{"debian later point release", "OpenSSH_9.2p1", "Debian-2+deb12u10", false},
// Ubuntu jammy: numeric ".10" must beat ".2" (dpkg numeric run).
{"ubuntu jammy unpatched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.2", true},
{"ubuntu jammy patched", "OpenSSH_8.9p1", "Ubuntu-3ubuntu0.10", false},
// Ubuntu noble.
{"ubuntu noble patched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.3", false},
{"ubuntu noble unpatched", "OpenSSH_9.6p1", "Ubuntu-3ubuntu13.2", true},
// A fix recorded for a different upstream version must not apply.
{"vendor mismatch upstream", "OpenSSH_9.3p1", "Debian-2+deb12u3", true},
// Not affected at all (below 8.5p1): never flagged regardless.
{"debian bullseye", "OpenSSH_8.4p1", "Debian-5+deb11u1", false},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
banner := "SSH-2.0-" + tc.soft
if tc.vendor != "" {
banner += " " + tc.vendor
}
issues := analyseBannerVulns("host:22", banner, tc.soft, tc.vendor)
if got := hasIssue(issues, code); got != tc.flagged {
t.Fatalf("regreSSHion flagged=%v, want %v (issues=%v)", got, tc.flagged, issues)
}
})
}
}
func TestDpkgVerCmp(t *testing.T) {
cases := []struct {
a, b string
want int // sign
}{
{"2+deb12u3", "2+deb12u2", 1},
{"2+deb12u3", "2+deb12u3", 0},
{"2+deb12u3", "2+deb12u10", -1},
{"3ubuntu0.10", "3ubuntu0.2", 1},
{"3ubuntu13.3", "3ubuntu13.2", 1},
{"1.0", "1.0~rc1", 1}, // tilde sorts before everything
}
for _, tc := range cases {
got := dpkgVerCmp(tc.a, tc.b)
if (got > 0) != (tc.want > 0) || (got < 0) != (tc.want < 0) {
t.Errorf("dpkgVerCmp(%q,%q)=%d, want sign %d", tc.a, tc.b, got, tc.want)
}
}
}