Modify OvalElement class __lt__ method and create test #1079

Reference: #1079

Signed-off-by: John M. Horan <johnmhoran@gmail.com>

vulnerabilities/lib_oval.py

@@ -62,8 +62,8 @@
 
 Available exceptions:
     - None at this time
-    
-    
+
+
 :Usage:
 
 1. Create an OvalDocument:
@@ -80,21 +80,21 @@
 
 3. Read an XML file with a single OVAL Definition (error checking omitted for brevity):
 
-    >>> tree = ElementTree()    
+    >>> tree = ElementTree()
     >>> tree.parse('test-definition.xml')
-    >>> root = tree.getroot()    
+    >>> root = tree.getroot()
     >>> definition = lib_oval.OvalDefinition(root)
-    
+
 4. Change information in the definition from #3 and write the changes
 
     >>> meta = definition.getMetadata()
     >>> repo = meta.getOvalRepositoryInformation()
     >>> repo.setMinimumSchemaVersion("5.9")
     >>> tree.write("outfilename.xml", UTF-8", True)
-        
 
 
-  
+
+
 
 TODO:
     - Add exceptions that give more detail about why a value of None is sometimes returned
@@ -253,7 +253,6 @@ def writeToFile(self, filename):
             return False
 
     def to_string(self):
-
         if not self.tree:
             return None
 
@@ -767,6 +766,9 @@ def setVersion(self, version):
         self.element.set("version", version)
         return True
 
+    def __lt__(self, other):
+        return int(self.element.get("version")) < int(other.element.get("version"))
+
     def incrementVersion(self):
         version = self.getVersion()
         if not version:

vulnerabilities/oval_parser.py

@@ -91,8 +91,6 @@ def get_tests_of_definition(self, definition: OvalDefinition) -> List[OvalTest]:
                     ):
                         matching_tests.append(self.oval_document.getElementByID(ref))
 
-        # return list(set(matching_tests))
-        # FIXME: 2023-12-13 Wednesday 10:00:57.  This change currently throws an error: FAILED vulnerabilities/tests/test_data_source.py::test__collect_pkgs - TypeError: '<' not supported between instances of 'OvalTest' and 'OvalTest'.  Waiting for response to my 2023-12-12 GH comments.
         return sorted(set(matching_tests))
 
     def get_object_state_of_test(self, test: OvalTest) -> Tuple[OvalObject, OvalState]:

vulnerabilities/tests/test_data/suse_oval/org.opensuse.CVE-2008-5679-modified-versions.xml

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"
+    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <generator>
+        <oval:product_name>Marcus OVAL Generator</oval:product_name>
+        <oval:schema_version>5.5</oval:schema_version>
+        <oval:timestamp>2009-01-14T09:08:29.480-05:00</oval:timestamp>
+    </generator>
+    <definitions>
+
+        <definition id="oval:org.opensuse.security:def:2009030400" version="1" class="patch">
+            <metadata>
+                <title>CVE-2008-5679</title>
+                <affected family="unix">
+                </affected>
+                <reference ref_id="CVE-2008-5679" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5679" source="CVE"/>
+                <description>
+	The HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption.
+                </description>
+            </metadata>
+            <criteria operator="OR">
+                <criteria operator="AND">
+                    <criteria operator="OR">
+                        <criterion test_ref="oval:org.opensuse.security:tst:2009030401" comment="suse103 is installed"/>
+                        <criterion test_ref="oval:org.opensuse.security:tst:2009030402" comment="suse110 is installed"/>
+                        <criterion test_ref="oval:org.opensuse.security:tst:2009030403" comment="suse111 is installed"/>
+                    </criteria>
+                    <criterion test_ref="oval:org.opensuse.security:tst:2009030400" comment="oval:org.opensuse.security:tst:2009030400 is installed"/>
+                </criteria>
+                <criteria operator="AND">
+                    <criterion test_ref="oval:org.opensuse.security:tst:2009030403" comment="suse111-debug is installed"/>
+                    <criterion test_ref="oval:org.opensuse.security:tst:2009030400" comment="oval:org.opensuse.security:tst:2009030400 is installed"/>
+                </criteria>
+            </criteria>
+        </definition>
+    </definitions>
+    <tests>
+        <rpminfo_test id="oval:org.opensuse.security:tst:2009030400" version="11" comment="oval:org.opensuse.security:obj:2009030400 is version oval:org.opensuse.security:ste:2009030400" check="at least one"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <object object_ref="oval:org.opensuse.security:obj:2009030400"/>
+            <state state_ref="oval:org.opensuse.security:ste:2009030400"/>
+        </rpminfo_test>
+        <rpminfo_test id="oval:org.opensuse.security:tst:2009030401" version="1" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030401" check="at least one"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+            <state state_ref="oval:org.opensuse.security:ste:2009030401"/>
+        </rpminfo_test>
+        <rpminfo_test id="oval:org.opensuse.security:tst:2009030402" version="9" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030402" check="at least one"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+            <state state_ref="oval:org.opensuse.security:ste:2009030402"/>
+        </rpminfo_test>
+        <rpminfo_test id="oval:org.opensuse.security:tst:2009030403" version="4" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030403" check="at least one"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+            <state state_ref="oval:org.opensuse.security:ste:2009030403"/>
+        </rpminfo_test>
+    </tests>
+    <objects>
+        <rpminfo_object id="oval:org.opensuse.security:obj:2009030400" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <name>opera</name>
+        </rpminfo_object>
+        <rpminfo_object id="oval:org.opensuse.security:obj:2009030401" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <name>openSUSE-release</name>
+        </rpminfo_object>
+    </objects>
+    <states>
+        <rpminfo_state id="oval:org.opensuse.security:ste:2009030400" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <evr datatype="evr_string" operation="less than">0:9.63-1.1</evr>
+        </rpminfo_state>
+        <rpminfo_state id="oval:org.opensuse.security:ste:2009030401" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <version operation="pattern match">^10.3$</version>
+        </rpminfo_state>
+        <rpminfo_state id="oval:org.opensuse.security:ste:2009030402" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <version operation="pattern match">^11.0$</version>
+        </rpminfo_state>
+        <rpminfo_state id="oval:org.opensuse.security:ste:2009030403" version="1"
+            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+            <version operation="pattern match">^11.1$</version>
+        </rpminfo_state>
+    </states>
+</oval_definitions>

vulnerabilities/tests/test_data_source.py

@@ -30,6 +30,7 @@
 
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
 TEST_DATA = os.path.join(BASE_DIR, "test_data/")
+TEST_DATA_01 = os.path.join(BASE_DIR, "test_data/suse_oval")
 
 
 def load_oval_data():
@@ -74,7 +75,6 @@ def test_create_purl():
 
 
 def test__collect_pkgs():
-
     xmls = load_oval_data()
 
     expected_suse_pkgs = {"cacti-spine", "apache2-mod_perl", "cacti", "apache2-mod_perl-devel"}
@@ -134,3 +134,36 @@ def test_git_importer_clone():
                 list(git_importer().advisory_data())
                 mock_fetch.assert_called_once()
                 mock_delete.assert_called_once()
+
+
+# Here we use a modified copy of org.opensuse.CVE-2008-5679.xml -- the test versions are modified to illustrate sort order.
+def test_ovaltest_sorting():
+    xml_doc = ET.parse(
+        os.path.join(TEST_DATA_01, "org.opensuse.CVE-2008-5679-modified-versions.xml")
+    )
+    translations = {"less than": "<", "equals": "=", "greater than or equal": ">="}
+    parsed_oval = OvalParser(translations, xml_doc)
+
+    # Get the list of all tests and check the total number of tests.
+    get_all_tests = parsed_oval.oval_document.getTests()
+    assert len(get_all_tests) == 4
+
+    # Check the order of the four tests in the sorted `get_all_tests` list.  (Testing suggests that the
+    # original list of tests, `get_all_tests`, is unsorted and is ordered in the same order as the test
+    # elements appear in the .xml file.)
+    for test in sorted(get_all_tests):
+        if test.getId() == "oval:org.opensuse.security:tst:2009030400":
+            assert test.getVersion() == "11"
+            assert test == sorted(get_all_tests)[3]
+
+        if test.getId() == "oval:org.opensuse.security:tst:2009030401":
+            assert test.getVersion() == "1"
+            assert test == sorted(get_all_tests)[0]
+
+        if test.getId() == "oval:org.opensuse.security:tst:2009030402":
+            assert test.getVersion() == "9"
+            assert test == sorted(get_all_tests)[2]
+
+        if test.getId() == "oval:org.opensuse.security:tst:2009030403":
+            assert test.getVersion() == "4"
+            assert test == sorted(get_all_tests)[1]