wazuh-qa

upgrade_package_maintain_add_vulnerability and upgrade_package_add_vulnerability cases use the same packages for macOS agent.

Open Rebits opened this issue 9 months ago • 4 comments

Description

The macOS test cases upgrade_package_maintain_add_vulnerability and upgrade_package_add_vulnerability for the Vulnerability Detection E2E tests make use of the same packages, leading to test case failure:

Test Cases

- case: 'Upgrade: New vulnerability '
  id: upgrade_package_add_vulnerability
  description: |
    Upgrade of a vulnerable package which include a new vulnerability
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-8.5.6-1
          arm64v8: grafana-8.5.6-1
        ubuntu:
          amd64: grafana-8.5.6
          arm64v8: grafana-8.5.6
        windows:
          amd64: node-v17.1.0
        macos:
          amd64: systeminformation-4.34.23
          arm64v8: systeminformation-4.34.23
      to:
        centos:
          amd64: grafana-9.1.1-1
          arm64v8: grafana-9.1.1-1
        ubuntu:
          amd64: grafana-9.1.1
          arm64v8: grafana-9.1.1
        windows:
          amd64: node-v18.0.0
        macos:
          amd64: systeminformation-5.0.0
          arm64v8: systeminformation-5.0.0

- case: 'Upgrade: Maintain and new vulnerability '
  id: upgrade_package_maintain_add_vulnerability
  description: >
    Upgrade of a vulnerable package which maintain vulnerabilities
    and include new ones
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-9.1.1-1
          arm64v8: grafana-9.1.1-1
        ubuntu:
          amd64: grafana-9.1.1
          arm64v8: grafana-9.1.1
        windows:
          amd64: node-v18.0.0
        macos:
          amd64: systeminformation-4.34.23
          arm64v8: systeminformation-4.34.23
      to:
        centos:
          amd64: grafana-9.2.0-1
          arm64v8: grafana-9.2.0-1
        ubuntu:
          amd64: grafana-9.2.0
          arm64v8: grafana-9.2.0
        windows:
          amd64: node-v18.1.0
        macos:
          amd64: systeminformation-5.0.0
          arm64v8: systeminformation-5.0.0

Rebits avatar Apr 30 '24 13:04 Rebits
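
An added example, not part of the original issue or of the wazuh-qa code base: a check that flags an identical from/to upgrade pair reused by more than one case for the same OS and architecture, which is the macOS collision described above. The name `find_shared_upgrades` and the `CASES` sample (the centos and macos entries of the two quoted cases) are assumptions constructed for illustration.

```python
from collections import defaultdict

SI_OLD, SI_NEW = "systeminformation-4.34.23", "systeminformation-5.0.0"

# Constructed sample: the centos and macos entries of the two cases quoted in
# the issue, written as the dicts a YAML loader would return for them.
CASES = [
    {"id": "upgrade_package_add_vulnerability",
     "body": {"operation": "update_package", "package": {
         "from": {"centos": {"amd64": "grafana-8.5.6-1"},
                  "macos": {"amd64": SI_OLD, "arm64v8": SI_OLD}},
         "to": {"centos": {"amd64": "grafana-9.1.1-1"},
                "macos": {"amd64": SI_NEW, "arm64v8": SI_NEW}}}}},
    {"id": "upgrade_package_maintain_add_vulnerability",
     "body": {"operation": "update_package", "package": {
         "from": {"centos": {"amd64": "grafana-9.1.1-1"},
                  "macos": {"amd64": SI_OLD, "arm64v8": SI_OLD}},
         "to": {"centos": {"amd64": "grafana-9.2.0-1"},
                "macos": {"amd64": SI_NEW, "arm64v8": SI_NEW}}}}},
]


def find_shared_upgrades(cases):
    """Map (os, arch, from, to) -> case ids for upgrades used by 2+ cases."""
    seen = defaultdict(list)
    for case in cases:
        body = case.get("body", {})
        if body.get("operation") != "update_package":
            continue  # only upgrade cases carry a from/to pair
        package = body.get("package", {})
        targets = package.get("to", {})
        for os_name, arches in package.get("from", {}).items():
            for arch, from_pkg in arches.items():
                to_pkg = targets.get(os_name, {}).get(arch)
                if to_pkg is not None:
                    seen[(os_name, arch, from_pkg, to_pkg)].append(case["id"])
    # Keep only the upgrade pairs that more than one case relies on.
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for (os_name, arch, old, new), ids in sorted(find_shared_upgrades(CASES).items()):
        print(f"{os_name}/{arch}: {old} -> {new} shared by {', '.join(ids)}")
```
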

Update

They have been looking for other vulnerable packages to replace in the test cases. Packages such as axios, lodash, firebase, etc. have been found. It remains to decide which one is appropriate for the respective case and to check the test functionality.

MARCOSD4 avatar May 03 '24 14:05 MARCOSD4

Moved to On hold in favor of 4.8.0 - RC 1 testing.

MARCOSD4 avatar May 06 '24 06:05 MARCOSD4

Update

Finally, it has been decided to use the Axios package so that, in the upgrade_package_add_vulnerability case, Axios 0.6.0 (3 vulnerabilities) will be installed and upgraded to Axios 0.10.0 (4 vulnerabilities), and in the upgrade_package_maintain_add_vulnerability case, Systeminformation will be kept, but it will be necessary to add a precondition for the package to be installed beforehand. The test has been launched to test this but has failed due to an error which needs to be further investigated.

MARCOSD4 avatar May 07 '24 15:05 MARCOSD4

Update

Tests have been launched with the changes made. The results and the conclusion can be seen here

MARCOSD4 avatar May 08 '24 15:05 MARCOSD4

LGTM

santipadilla avatar May 09 '24 06:05 santipadilla