wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

upgrade_package_maintain_add_vulnerability and upgrade_package_add_vulnerability cases use the same packages for macOS agent. #5333

Closed Rebits closed 1 week ago

Rebits commented 2 weeks ago

Description

The macOS test cases upgrade_package_maintain_add_vulnerability and upgrade_package_add_vulnerability for the Vulnerability Detection E2E tests make use of the same packages, leading to test case failure:

Test Cases

- case: 'Upgrade: New vulnerability '
  id: upgrade_package_add_vulnerability
  description: |
    Upgrade of a vulnerable package which include a new vulnerability
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-8.5.6-1
          arm64v8: grafana-8.5.6-1
        ubuntu:
          amd64: grafana-8.5.6
          arm64v8: grafana-8.5.6
        windows:
          amd64: node-v17.1.0
        macos:
          amd64: systeminformation-4.34.23
          arm64v8: systeminformation-4.34.23
      to:
        centos:
          amd64: grafana-9.1.1-1
          arm64v8: grafana-9.1.1-1
        ubuntu:
          amd64: grafana-9.1.1
          arm64v8: grafana-9.1.1
        windows:
          amd64: node-v18.0.0
        macos:
          amd64: systeminformation-5.0.0
          arm64v8: systeminformation-5.0.0

- case: 'Upgrade: Maintain and new vulnerability '
  id: upgrade_package_maintain_add_vulnerability
  description: >
    Upgrade of a vulnerable package which maintain vulnerabilities
    and include new ones
  body:
    operation: update_package
    package:
      from:
        centos:
          amd64: grafana-9.1.1-1
          arm64v8: grafana-9.1.1-1
        ubuntu:
          amd64: grafana-9.1.1
          arm64v8: grafana-9.1.1
        windows:
          amd64: node-v18.0.0
        macos:
          amd64: systeminformation-4.34.23
          arm64v8: systeminformation-4.34.23
      to:
        centos:
          amd64: grafana-9.2.0-1
          arm64v8: grafana-9.2.0-1
        ubuntu:
          amd64: grafana-9.2.0
          arm64v8: grafana-9.2.0
        windows:
          amd64: node-v18.1.0
        macos:
          amd64: systeminformation-5.0.0
          arm64v8: systeminformation-5.0.0
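
A check of this kind over the case definitions would flag the collision before an E2E run. This is an added example, not code from the wazuh-qa repository; the function name `find_duplicate_upgrades` and the inline `CASES` data (constructed from the macOS and Windows entries of the two cases quoted above) are assumptions.

```python
from collections import defaultdict

# Constructed sample: macOS and Windows entries of the two cases quoted above.
CASES = [
    {"id": "upgrade_package_add_vulnerability",
     "body": {"operation": "update_package", "package": {
         "from": {"windows": {"amd64": "node-v17.1.0"},
                  "macos": {"amd64": "systeminformation-4.34.23",
                            "arm64v8": "systeminformation-4.34.23"}},
         "to": {"windows": {"amd64": "node-v18.0.0"},
                "macos": {"amd64": "systeminformation-5.0.0",
                          "arm64v8": "systeminformation-5.0.0"}}}}},
    {"id": "upgrade_package_maintain_add_vulnerability",
     "body": {"operation": "update_package", "package": {
         "from": {"windows": {"amd64": "node-v18.0.0"},
                  "macos": {"amd64": "systeminformation-4.34.23",
                            "arm64v8": "systeminformation-4.34.23"}},
         "to": {"windows": {"amd64": "node-v18.1.0"},
                "macos": {"amd64": "systeminformation-5.0.0",
                          "arm64v8": "systeminformation-5.0.0"}}}}},
]


def find_duplicate_upgrades(cases):
    """Map (os, arch, from, to) -> case ids for upgrade paths shared by several cases."""
    seen = defaultdict(list)
    for case in cases:
        body = case.get("body", {})
        if body.get("operation") != "update_package":
            continue  # only upgrade cases define a from/to pair
        package = body["package"]
        for os_name, arches in package["from"].items():
            for arch, source in arches.items():
                target = package["to"].get(os_name, {}).get(arch)
                if target is not None:
                    seen[(os_name, arch, source, target)].append(case["id"])
    # Two cases with an identical upgrade path cannot expect different results.
    return {path: ids for path, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for (os_name, arch, source, target), ids in find_duplicate_upgrades(CASES).items():
        print(f"{os_name}/{arch}: {source} -> {target} reused by {', '.join(ids)}")
```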

MARCOSD4 commented 2 weeks ago

Update

They have been looking for other vulnerable packages to replace in the test cases. Packages such as axios, lodash, firebase, etc. have been found. It remains to decide which one is appropriate for the respective case and to check the test functionality.

MARCOSD4 commented 1 week ago

Moved to On hold in favor of 4.8.0 - RC 1 testing.

MARCOSD4 commented 1 week ago

Update

Finally, it has been decided to use the Axios package, so that in the upgrade_package_add_vulnerability case Axios 0.6.0 (3 vulnerabilities) will be installed and upgraded to Axios 0.10.0 (4 vulnerabilities), and in the upgrade_package_maintain_add_vulnerability case Systeminformation will be kept, but it will be necessary to add a precondition for the package to be installed beforehand. The test has been launched to test this but has failed due to an error which needs to be further investigated.

MARCOSD4 commented 1 week ago

Update

Tests have been launched with the changes made. The results and the conclusion can be seen here

santipadilla commented 1 week ago

LGTM